Project

General

Profile

Actions

Bug #10591

closed

Installation of custom certs causes httpd failure due to bad paths

Added by Jason Frisvold over 9 years ago. Updated over 6 years ago.

Status:
Closed
Priority:
Normal
Assignee:
-
Category:
-
Target version:
Difficulty:
Triaged:
Yes
Fixed in Releases:
Found in Releases:

Description

After creating a new certificate and signing it with our internal CA, I attempted to load the cert into foreman/katello. This cert is intended for the UI only and not for clients. The ca cert, csr, cert, and key were copied to my home directory on the server and the following command was run :

katello-installer --certs-server-cert katello.example.com.2015.crt --certs-server-cert-req katello.example.com.csr --certs-server-key katello.example.com.key --certs-server-ca-cert ca.crt

The installer spit out an error :

Could not start Service[httpd]: Execution of '/sbin/service httpd start' returned 1: Starting httpd: [FAILED]
/Stage[main]/Apache::Service/Service[httpd]/ensure: change from stopped to running failed: Could not start Service[httpd]: Execution of '/sbin/service httpd start' returned 1: Starting httpd: [FAILED]

And the system was non functional. Checking the httpd config manually revealed the problem :

$ service httpd configtest
[Fri May 22 10:40:20 2015] [warn] module passenger_module is already loaded, skipping
Syntax error on line 39 of /etc/httpd/conf.d/03-crane.conf:
SSLCertificateChainFile: file '/etc/httpd/ca.crt' does not exist or is empty

When full paths are specified, the error is slightly different :

$ sudo service httpd start
Starting httpd: [Fri May 22 10:18:31 2015] [warn] module passenger_module is already loaded, skipping
Syntax error on line 39 of /etc/httpd/conf.d/03-crane.conf:
SSLCertificateChainFile: file '/home/xenophage/ca.crt' does not exist or is empty

So it would appear that the installer is expecting that the files are already in their final location instead of copying them to a central location. To resolve this I created a new directory, /etc/pki/katello/certs/custom, and placed the files there. Re-running the installer and specifying the full paths resolved the problem.

The installer should either be handling the relocation of these files, or the user needs to be informed that they have to put these files in place prior to running the script. The former would be the preferred solution.

Actions

Also available in: Atom PDF