Bug #13687

Installer answer file contains wrong path to the 'server_ssl_chain' file.

Added by Ivan Necas over 3 years ago. Updated about 1 year ago.

Status: Closed
Priority: Normal
Assignee:
Category: Installer
Target version:
Difficulty: easy
Triaged: Yes
Bugzilla link:
Team Backlog:
Fixed in Releases:
Found in Releases:

Description

Cloned from https://bugzilla.redhat.com/show_bug.cgi?id=1306964
Description of problem:
The customer is trying to use a custom certificate authority chain file. Despite all the changes made in the
certificate files, the path to the SSL chain file in the Apache configuration file 05-foreman-ssl.conf is wrong.
Instead of pointing to katello-default-ca.crt, it should point to katello-server-ca.crt, where
the custom chain file is saved.

Version-Release number of selected component (if applicable):
6.1.6

How reproducible:
Install the satellite and apply custom certificates.

Steps to Reproduce:
1. Install satellite
2. Run katello-installer to modify the certificates
katello-installer --certs-server-cert "/root/$SAT.crt" \
--certs-server-cert-req "/root/$SAT.csr" \
--certs-server-key "/root/$SAT.key" \
--certs-server-ca-cert '/root/new_ca.crt' \
--certs-update-server \
--certs-update-server-ca
3. Check path to the SSL certificate chain file in the '/etc/httpd/conf.d/05-foreman-ssl.conf' file.

Actual results:
The 'SSLCertificateChainFile' option in the '/etc/httpd/conf.d/05-foreman-ssl.conf' file points
to 'katello-default-ca.crt' instead of 'katello-server-ca.crt'.

$ grep SSLCertificateChainFile /etc/httpd/conf.d/05-foreman-ssl.conf -A 1 -B 1
SSLCertificateKeyFile "/etc/pki/katello/private/katello-apache.key"
SSLCertificateChainFile "/etc/pki/katello/certs/katello-default-ca.crt"
SSLCACertificatePath "/etc/pki/tls/certs"

Source of this error can be found in the katello-installer answer file:

$ grep server_ssl_chain /etc/katello-installer/answers.katello-installer.yaml -A 1 -B 1
server_ssl_ca: /etc/pki/katello/certs/katello-default-ca.crt
server_ssl_chain: /etc/pki/katello/certs/katello-default-ca.crt
server_ssl_cert: /etc/pki/katello/certs/katello-apache.crt

Expected results:

Modification of the '/etc/katello-installer/answers.katello-installer.yaml' file will lead to the correct
path to the SSL certificate chain file in '/etc/httpd/conf.d/05-foreman-ssl.conf'.

$ grep server_ssl_chain /etc/katello-installer/answers.katello-installer.yaml -A 1 -B 1
server_ssl_ca: /etc/pki/katello/certs/katello-default-ca.crt
server_ssl_chain: /etc/pki/katello/certs/katello-server-ca.crt
server_ssl_cert: /etc/pki/katello/certs/katello-apache.crt

$ grep SSLCertificateChainFile /etc/httpd/conf.d/05-foreman-ssl.conf -A 1 -B 1
SSLCertificateKeyFile "/etc/pki/katello/private/katello-apache.key"
SSLCertificateChainFile "/etc/pki/katello/certs/katello-server-ca.crt"
SSLCACertificatePath "/etc/pki/tls/certs"

Additional info: (workaround)

Modify the answer file:
sed -i -e 's/server_ssl_chain: \/etc\/pki\/katello\/certs\/katello-default-ca.crt/server_ssl_chain: \/etc\/pki\/katello\/certs\/katello-server-ca.crt/' /etc/katello-installer/answers.katello-installer.yaml

Re-run katello-installer without parameters.
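
A consistency check for the two files compared in this report, added here as an example; it is not part of the original report or of katello-installer. The function names, the `EXPECTED` variable and the sample files (constructed from the grep output quoted above) are assumptions.

```shell
#!/bin/sh
# Added example: flag a chain-file path that still names the default CA
# after a custom CA was installed. Sample file contents are constructed.

EXPECTED=/etc/pki/katello/certs/katello-server-ca.crt   # path named in the report

# Print the server_ssl_chain value from an installer answer file.
answer_chain() {
    sed -n 's/^[[:space:]]*server_ssl_chain:[[:space:]]*//p' "$1" | head -n 1
}

# Print the SSLCertificateChainFile path from a vhost file, quotes removed.
apache_chain() {
    sed -n 's/^[[:space:]]*SSLCertificateChainFile[[:space:]]\{1,\}//p' "$1" |
        tr -d '"' | head -n 1
}

# check_chain ANSWERS VHOST: status 0 if both files name $EXPECTED, else 1.
# The body is a subshell so its variables do not leak into the caller.
check_chain() (
    rc=0
    a=$(answer_chain "$1")
    v=$(apache_chain "$2")
    [ "$a" = "$EXPECTED" ] || { echo "answer file: server_ssl_chain=$a"; rc=1; }
    [ "$v" = "$EXPECTED" ] || { echo "apache: SSLCertificateChainFile=$v"; rc=1; }
    exit "$rc"
)

# write_sample DIR CA_BASENAME: write constructed copies of both files.
write_sample() {
    mkdir -p "$1"
    cat > "$1/answers.yaml" <<EOF
    server_ssl_ca: /etc/pki/katello/certs/katello-default-ca.crt
    server_ssl_chain: /etc/pki/katello/certs/$2
    server_ssl_cert: /etc/pki/katello/certs/katello-apache.crt
EOF
    cat > "$1/05-foreman-ssl.conf" <<EOF
  SSLCertificateKeyFile "/etc/pki/katello/private/katello-apache.key"
  SSLCertificateChainFile "/etc/pki/katello/certs/$2"
  SSLCACertificatePath "/etc/pki/tls/certs"
EOF
}

tmp=$(mktemp -d)
write_sample "$tmp/before" katello-default-ca.crt   # "Actual results" state
write_sample "$tmp/after"  katello-server-ca.crt    # "Expected results" state
for s in before after; do
    check_chain "$tmp/$s/answers.yaml" "$tmp/$s/05-foreman-ssl.conf" \
        && echo "$s: consistent" || echo "$s: stale chain path"
done
rm -rf "$tmp"
```

On an installed system, pass the real answer file and '/etc/httpd/conf.d/05-foreman-ssl.conf' to `check_chain` after the installer run.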

Associated revisions

Revision 34a45302 (diff)
Added by Ivan Necas about 3 years ago

Fixes #13687 - use the server cert for the chain file (#296)

History

#1 Updated by The Foreman Bot over 3 years ago

  • Status changed from New to Ready For Testing
  • Pull request https://github.com/Katello/katello-installer/pull/296 added

#2 Updated by Eric Helms over 3 years ago

  • Legacy Backlogs Release (now unused) set to 86

#3 Updated by Eric Helms over 3 years ago

  • Legacy Backlogs Release (now unused) changed from 86 to 144

#4 Updated by Eric Helms about 3 years ago

  • Legacy Backlogs Release (now unused) changed from 144 to 168

#5 Updated by Eric Helms about 3 years ago

  • Legacy Backlogs Release (now unused) changed from 168 to 171

#6 Updated by Eric Helms about 3 years ago

  • Legacy Backlogs Release (now unused) deleted (171)

#7 Updated by Ivan Necas about 3 years ago

  • Status changed from Ready For Testing to Closed
  • % Done changed from 0 to 100

#8 Updated by Justin Sherrill about 3 years ago

  • Legacy Backlogs Release (now unused) set to 143
  • Difficulty set to easy
