Bug #15507

Katello 3.0.1 installation fails - Crane: Failed to configure CA certificate chain!

Added by Edgars Mazurs almost 6 years ago. Updated almost 4 years ago.

Status: Resolved
Priority: Normal
Category: Installer

Description

Hi

I am trying to install Katello. I am using my own certificates, so I do it like this:

sudo foreman-installer --scenario katello \
--certs-server-cert="/etc/pki/tls/certs/katello.local.crt" \
--certs-server-cert-req="/etc/pki/tls/csr/katello.local.csr" \
--certs-server-key="/etc/pki/tls/private/katello.local.key" \
--certs-server-ca-cert="/etc/pki/tls/certs/CompanyInternalCA.crt"
...

But the installation fails with:

[ERROR 2016-06-23 13:13:36 verbose] /Stage[main]/Apache::Service/Service[httpd]/ensure: change from stopped to running failed: Could not start Service[httpd]: Execution of '/usr/share/katello-installer-base/modules/service_wait/bin/service-wait start httpd' returned 1: Redirecting to /bin/systemctl start httpd.service

sudo cat /var/log/httpd/error_log
[Thu Jun 23 13:15:54.289451 2016] [ssl:emerg] [pid 10568] AH02311: Fatal error initialising mod_ssl, exiting. See /var/log/httpd/crane_error_ssl.log for more information

sudo cat /var/log/httpd/crane_error_ssl.log
[Thu Jun 23 13:13:36.150962 2016] [ssl:emerg] [pid 10139] AH01903: Failed to configure CA certificate chain!
[Thu Jun 23 13:15:54.289440 2016] [ssl:emerg] [pid 10568] AH01903: Failed to configure CA certificate chain!

In the Apache crane config file I see that it is configured with the default SSL certs, not my custom ones:

sudo cat /etc/httpd/conf.d/03-crane.conf
# ****************************
# Vhost template in module puppetlabs-apache
# Managed by Puppet
# ****************************

<VirtualHost *:5000>
  ServerName katello.local

  # Vhost docroot
  DocumentRoot "/usr/share/crane/"

  # Directories, there should at least be a declaration for /usr/share/crane/
  <Directory "/usr/share/crane/">
    Options Indexes FollowSymLinks MultiViews
    AllowOverride None
    Require all granted
  </Directory>

  # Logging
  ErrorLog "/var/log/httpd/crane_error_ssl.log"
  ServerSignature Off
  CustomLog "/var/log/httpd/crane_access_ssl.log" combined

  # SSL directives
  SSLEngine on
  SSLCertificateFile "/etc/pki/katello/certs/katello-apache.crt"
  SSLCertificateKeyFile "/etc/pki/katello/private/katello-apache.key"
  SSLCertificateChainFile "/etc/pki/katello/certs/katello-default-ca.crt"
  SSLCACertificatePath "/etc/pki/tls/certs"
  SSLCACertificateFile "/etc/pki/katello/certs/katello-default-ca.crt"
  SSLVerifyClient optional
  SSLVerifyDepth 3
  SSLOptions +StdEnvVars +ExportCertData +FakeBasicAuth

  # SSL Proxy directives
  SSLProxyEngine On
  WSGIScriptAlias / "/usr/share/crane/crane.wsgi"
</VirtualHost>

I checked with katello-certs-check tool and my certs are ok.
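
Added example, not part of the original report and not Katello project code: a shell pre-flight check that runs the openssl CLI over a custom certificate set and over the certificate files a vhost such as 03-crane.conf references. The function names are hypothetical; it assumes an unencrypted private key and paths without spaces.

```shell
#!/bin/sh
# Added example (hypothetical helper names). Requires the openssl CLI.

# The first PEM block in the file must parse as an X.509 certificate.
pem_cert_ok() {  # $1 = certificate or CA bundle
    openssl x509 -in "$1" -noout 2>/dev/null
}

# The private key must carry the same public key as the certificate.
key_matches_cert() {  # $1 = certificate, $2 = unencrypted private key
    cert_pub=$(openssl x509 -in "$1" -noout -pubkey 2>/dev/null) || return 1
    key_pub=$(openssl pkey -in "$2" -pubout 2>/dev/null) || return 1
    [ -n "$cert_pub" ] && [ "$cert_pub" = "$key_pub" ]
}

# The certificate must verify against the CA bundle. The output is matched
# instead of the exit status, which older openssl builds do not set reliably.
cert_chains_to_ca() {  # $1 = certificate, $2 = CA bundle
    openssl verify -CAfile "$2" "$1" 2>/dev/null | grep -q ': OK$'
}

# Run all three checks and report each failure; returns non-zero if any failed.
check_cert_set() {  # $1 = server cert, $2 = server key, $3 = CA bundle
    rc=0
    pem_cert_ok "$3" || { echo "FAIL: $3 is not a readable PEM certificate"; rc=1; }
    key_matches_cert "$1" "$2" || { echo "FAIL: key $2 does not match $1"; rc=1; }
    cert_chains_to_ca "$1" "$3" || { echo "FAIL: $1 does not verify against $3"; rc=1; }
    return $rc
}

# Print every certificate file named by SSLCertificateFile,
# SSLCertificateChainFile or SSLCACertificateFile in an Apache config
# that is missing or does not parse.
vhost_bad_cert_files() {  # $1 = Apache config file
    awk '$1 ~ /^SSL(Certificate|CertificateChain|CACertificate)File$/ {
             gsub(/"/, "", $2); print $2 }' "$1" |
    while read -r f; do
        pem_cert_ok "$f" || echo "$f"
    done
}

# Usage with the paths from the report:
#   check_cert_set /etc/pki/tls/certs/katello.local.crt \
#                  /etc/pki/tls/private/katello.local.key \
#                  /etc/pki/tls/certs/CompanyInternalCA.crt
#   vhost_bad_cert_files /etc/httpd/conf.d/03-crane.conf
```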


Related issues

Has duplicate Katello - Bug #12265: Installing custom SSL using katello-installer causes system to become unusable (Duplicate, 2015-10-22)

History

#1 Updated by Edgars Mazurs almost 6 years ago

This looks like the same issue as http://projects.theforeman.org/issues/12265

#2 Updated by Eric Helms almost 6 years ago

  • Assignee set to Eric Helms
  • Legacy Backlogs Release (now unused) set to 171

#3 Updated by Justin Sherrill almost 6 years ago

  • Has duplicate Bug #12265: Installing custom SSL using katello-installer causes system to become unusable added

#4 Updated by Edgars Mazurs over 5 years ago

I was able to fix it by regenerating SSL certs. Not sure what was the issue with them.

#5 Updated by Justin Sherrill almost 5 years ago

  • Legacy Backlogs Release (now unused) deleted (171)

#6 Updated by Eric Helms almost 5 years ago

  • Status changed from New to Resolved
  • Legacy Backlogs Release (now unused) set to 166
