Bug #16906

Capsule does not work with certificate with key of 16384 bits

Added by Stephen Benjamin over 2 years ago. Updated 12 months ago.

Status: New
Priority: Normal
Assignee: -
Category: Installer
Target version:
Difficulty:
Triaged: Yes
Bugzilla link:
Pull request:
Team Backlog:
Fixed in Releases:
Found in Releases:

Description

Cloned from https://bugzilla.redhat.com/show_bug.cgi?id=1383996
Description of problem:
Running the installer to update the certificates fails while refreshing the internal proxy features, at least when remote execution is enabled.

[ INFO 2016-10-12 10:28:27 verbose] Class[Foreman_proxy::Register]: Scheduling refresh of Foreman_smartproxy[li-lc-1578.hag.hilti.com]
[ERROR 2016-10-12 10:28:57 verbose] /Stage[main]/Foreman_proxy::Register/Foreman_smartproxy[li-lc-1578.hag.hilti.com]: Failed to call refresh: Proxy li-lc-1578.hag.hilti.com cannot be registered (500 Internal Server Error): N/A
[ERROR 2016-10-12 10:28:57 verbose] /Stage[main]/Foreman_proxy::Register/Foreman_smartproxy[li-lc-1578.hag.hilti.com]: Proxy li-lc-1578.hag.hilti.com cannot be registered (500 Internal Server Error): N/A
[ INFO 2016-10-12 10:28:57 verbose] /usr/share/ruby/vendor_ruby/puppet/util/errors.rb:106:in `fail'
[ INFO 2016-10-12 10:28:57 verbose] /usr/share/foreman-installer/modules/foreman/lib/puppet/provider/foreman_smartproxy/rest_v2.rb:7:in `raise_error'
[ INFO 2016-10-12 10:28:57 verbose] /usr/share/foreman-installer/modules/foreman/lib/puppet/provider/foreman_smartproxy/rest_v2.rb:101:in `rescue in refresh_features!'
[ INFO 2016-10-12 10:28:57 verbose] /usr/share/foreman-installer/modules/foreman/lib/puppet/provider/foreman_smartproxy/rest_v2.rb:99:in `refresh_features!'
[ INFO 2016-10-12 10:28:57 verbose] /usr/share/foreman-installer/modules/foreman/lib/puppet/type/foreman_smartproxy.rb:49:in `refresh'
[ INFO 2016-10-12 10:28:57 verbose] /usr/share/ruby/vendor_ruby/puppet/transaction/event_manager.rb:101:in `process_callback'

Command used to update the certificates:

satellite-installer --scenario=satellite --verbose --certs-update-server --certs-update-server-ca --certs-server-cert sat6certA.example.com.cer --certs-server-cert-req sat6certA.example.com.req --certs-server-key sat6certA.example.com.key --certs-server-ca-cert sat6certA.example.com.ca-bundle

Fragment from the production.log that shows that the proxy wants to communicate, but fails because the certificates changed:

2016-10-12 10:28:53 [app] [I] Authorized user foreman_api_admin(API Admin)
2016-10-12 10:28:53 [app] [W] Action failed | ProxyAPI::ProxyException: ERF12-9411 [ProxyAPI::ProxyException]: Unable to fetch public key ([OpenSSL::SSL::SSLError]: SSL_connect returned=1 errno=0 state=
SSLv3 read server session ticket A: sslv3 alert il...) for Capsule https://li-lc-1578.hag.hilti.com:9090/ssh | /opt/theforeman/tfm/root/usr/share/gems/gems/foreman_remote_execution-0.3.0.12/app/lib/proxy_api/remote_execution_ssh.rb:11:in `rescue in pubkey' | /opt/theforeman/tfm/root/usr/share/gems/gems/foreman_remote_execution-0.3.0.12/app/lib/proxy_api/remote_execution_ssh.rb:9:in `pubkey' | /opt/theforeman/tfm/root/usr/share/gems/gems/foreman_remote_execution-0.3.0.12/app/models/concerns/foreman_remote_execution/smart_proxy_extensions.rb:15:in
`update_pubkey' | /opt/theforeman/tfm/root/usr/share/gems/gems/foreman_remote_execution-0.3.0.12/app/models/concerns/foreman_remote_execution/smart_proxy_extensions.rb:22:in
`refresh_with_remote_execution'

Version-Release number of selected component (if applicable):

How reproducible:

Steps to Reproduce:
1. Install Sat6 without custom certificates, enable remote execution
2. Make sure internal proxy has feature remote execution
3. Update the certificates on the Sat6 server

Actual results:
Failure in installer

Expected results:
Success

Additional info:

History

#1 Updated by Stephen Benjamin over 2 years ago

  • Subject changed from Updating certificates installer fails when internal proxy with remote execution is enabled to Capsule does not work with certificate with key of 16384 bits

#2 Updated by Justin Sherrill over 2 years ago

  • Legacy Backlogs Release (now unused) set to 114
