Bug #13687
closed
Installer answer file contains wrong path to the 'server_ssl_chain' file.
Description
Cloned from https://bugzilla.redhat.com/show_bug.cgi?id=1306964
Description of problem:
Customer is trying to use custom certificate authority chain file. Despite of all the changes made in
certificate files, the path to SSL chain file in apache configuration file 05-foreman-ssl.conf is wrong.
Instead of pointing to the katello-default-ca.crt it should pointing to katello-server-ca.crt where
the custom chain file is saved.
Version-Release number of selected component (if applicable):
6.1.6
How reproducible:
Install the satellite and apply custom certificates.
Steps to Reproduce:
1. Install satellite
2. Run katello-installer to modify the certificates
katello-installer --certs-server-cert "/root/$SAT.crt" \
--certs-server-cert-req "/root/$SAT.csr" \
--certs-server-key "/root/$SAT.key" \
--certs-server-ca-cert '/root/new_ca.crt' \
--certs-update-server \
--certs-update-server-ca
3. Check path to the SSL certificate chain file in the '/etc/httpd/conf.d/05-foreman-ssl.conf' file.
Actual results:
The 'SSLCertificateChainFile' option in the '/etc/httpd/conf.d/05-foreman-ssl.conf' files points
to 'katello-default-ca.crt' instead of 'katello-server-ca.crt'
$ grep SSLCertificateChainFile /etc/httpd/conf.d/05-foreman-ssl.conf -A 1 -B 1
SSLCertificateKeyFile "/etc/pki/katello/private/katello-apache.key"
SSLCertificateChainFile "/etc/pki/katello/certs/katello-default-ca.crt"
SSLCACertificatePath "/etc/pki/tls/certs"
Source of this error can be found in the katello-installer answer file:
$ grep server_ssl_chain /etc/katello-installer/answers.katello-installer.yaml -A 1 -B 1
server_ssl_ca: /etc/pki/katello/certs/katello-default-ca.crt
server_ssl_chain: /etc/pki/katello/certs/katello-default-ca.crt
server_ssl_cert: /etc/pki/katello/certs/katello-apache.crt
Expected results:
Modification of the '/etc/katello-installer/answers.katello-installer.yaml' file will lead to correct
path to the SSL certificate chain file in the '/etc/httpd/conf.d/05-foreman-ssl.conf'
$ grep server_ssl_chain /etc/katello-installer/answers.katello-installer.yaml -A 1 -B 1
server_ssl_ca: /etc/pki/katello/certs/katello-default-ca.crt
server_ssl_chain: /etc/pki/katello/certs/katello-server-ca.crt
server_ssl_cert: /etc/pki/katello/certs/katello-apache.crt
$ grep SSLCertificateChainFile /etc/httpd/conf.d/05-foreman-ssl.conf -A 1 -B 1
SSLCertificateKeyFile "/etc/pki/katello/private/katello-apache.key"
SSLCertificateChainFile "/etc/pki/katello/certs/katello-server-ca.crt"
SSLCACertificatePath "/etc/pki/tls/certs"
Additional info: (workaround)
Modify the answer file:
sed -i -e 's/server_ssl_chain: \/etc\/pki\/katello\/certs\/katello-default-ca.crt/server_ssl_chain: \/etc\/pki\/katello\/certs\/katello-server-ca.crt/' /etc/katello-installer/answers.katello-installer.yaml
re-run katello-installer without parameters.
Updated by The Foreman Bot almost 9 years ago
- Status changed from New to Ready For Testing
- Pull request https://github.com/Katello/katello-installer/pull/296 added
Updated by Eric Helms almost 9 years ago
- Translation missing: en.field_release set to 86
Updated by Eric Helms over 8 years ago
- Translation missing: en.field_release changed from 86 to 144
Updated by Eric Helms over 8 years ago
- Translation missing: en.field_release changed from 144 to 168
Updated by Eric Helms over 8 years ago
- Translation missing: en.field_release changed from 168 to 171
Updated by Eric Helms over 8 years ago
- Translation missing: en.field_release deleted (
171)
Updated by Ivan Necas over 8 years ago
- Status changed from Ready For Testing to Closed
- % Done changed from 0 to 100
Applied in changeset katello-installer|34a453026623618793bd790254d45df7b8e4cca0.
Updated by Justin Sherrill over 8 years ago
- Translation missing: en.field_release set to 143
- Difficulty set to easy