Bug #10591

closed

Installation of custom certs causes httpd failure due to bad paths

Added by Jason Frisvold about 9 years ago. Updated about 6 years ago.

Status: Closed
Priority: Normal
Assignee: -
Category: -
Target version:
Difficulty:
Triaged: Yes
Fixed in Releases:
Found in Releases:

Description

After creating a new certificate and signing it with our internal CA, I attempted to load the cert into Foreman/Katello. This cert is intended for the UI only and not for clients. The CA cert, CSR, cert, and key were copied to my home directory on the server and the following command was run:

katello-installer --certs-server-cert katello.example.com.2015.crt --certs-server-cert-req katello.example.com.csr --certs-server-key katello.example.com.key --certs-server-ca-cert ca.crt

The installer spit out an error:

Could not start Service[httpd]: Execution of '/sbin/service httpd start' returned 1: Starting httpd: [FAILED]
/Stage[main]/Apache::Service/Service[httpd]/ensure: change from stopped to running failed: Could not start Service[httpd]: Execution of '/sbin/service httpd start' returned 1: Starting httpd: [FAILED]

And the system was non-functional. Checking the httpd config manually revealed the problem:

$ service httpd configtest
[Fri May 22 10:40:20 2015] [warn] module passenger_module is already loaded, skipping
Syntax error on line 39 of /etc/httpd/conf.d/03-crane.conf:
SSLCertificateChainFile: file '/etc/httpd/ca.crt' does not exist or is empty

When full paths are specified, the error is slightly different:

$ sudo service httpd start
Starting httpd: [Fri May 22 10:18:31 2015] [warn] module passenger_module is already loaded, skipping
Syntax error on line 39 of /etc/httpd/conf.d/03-crane.conf:
SSLCertificateChainFile: file '/home/xenophage/ca.crt' does not exist or is empty

So it would appear that the installer is expecting that the files are already in their final location instead of copying them to a central location. To resolve this I created a new directory, /etc/pki/katello/certs/custom, and placed the files there. Re-running the installer and specifying the full paths resolved the problem.

The installer should either be handling the relocation of these files, or the user needs to be informed that they have to put these files in place prior to running the script. The former would be the preferred solution.
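The workaround described in the report above, as an added example that is not part of the original report or of the installer's own code: a shell function that refuses missing or empty files (the condition httpd's `SSLCertificateChainFile` check rejected), copies the rest into a staging directory, and prints absolute paths to hand to the `--certs-server-*` options. The function name `stage_certs` and the file modes are assumptions of this example; `/etc/pki/katello/certs/custom` is the directory the reporter used.

```shell
#!/bin/sh
# Added example: stage custom certificate files before running the installer.
# stage_certs and the chosen file modes are assumptions, not installer code.

# stage_certs DEST FILE...
# Copies each FILE into DEST and prints the absolute staged path, one per line.
# Nothing is copied if any FILE is missing, unreadable or empty.
stage_certs() {
    dest=$1; shift
    for f in "$@"; do
        if [ ! -f "$f" ] || [ ! -r "$f" ] || [ ! -s "$f" ]; then
            echo "stage_certs: '$f' does not exist, is unreadable, or is empty" >&2
            return 1
        fi
    done
    install -d -m 0755 "$dest" || return 1
    # Resolve DEST to an absolute path so the httpd config never receives a
    # relative path such as 'ca.crt' (which httpd looked up as /etc/httpd/ca.crt).
    abs_dest=$(cd "$dest" && pwd -P) || return 1
    for f in "$@"; do
        case $f in
            *.key) mode=0600 ;;   # private key: owner only (assumed mode)
            *)     mode=0644 ;;   # certificates and CSR (assumed mode)
        esac
        install -m "$mode" "$f" "$abs_dest/" || return 1
        printf '%s/%s\n' "$abs_dest" "$(basename "$f")"
    done
}

# Usage, run as root from the directory holding the files:
#   stage_certs /etc/pki/katello/certs/custom \
#       ca.crt katello.example.com.2015.crt katello.example.com.csr katello.example.com.key
# then pass the printed paths to the katello-installer --certs-server-* options.
```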
