Bug #17378

closed

candlepin uses ca cert for server cert

Added by Chris Duryee over 7 years ago. Updated over 5 years ago.

Status: Closed
Priority: High
Assignee:
Category: Installer
Target version:
Difficulty:
Triaged:
Fixed in Releases:
Found in Releases:

Description

When the following options are specified (puppet 3), the installer fails to run (db:seed error):

[root@katello ~]# foreman-installer --scenario katello\
  --enable-foreman-plugin-discovery\
  --enable-foreman-plugin-hooks\
  --enable-foreman-plugin-openscap\
  --enable-foreman-plugin-remote-execution\
  --enable-foreman-plugin-templates\
  --certs-ca-common-name="Example Lifecycle management Root CA"\
  --certs-ca-expiration=3650\
  --certs-expiration=3650\
  --certs-country="FR"\
  --certs-city="Toulouse"\
  --certs-org="Example Lifecycle management"\
  --certs-org-unit="Lyra Network Infrastructures"\
  --foreman-admin-email=""\
  --foreman-initial-location="France"\
  --foreman-initial-organization="Example - FR - Test"\
  --katello-enable-ostree=true \
  --disable-system-checks

error is:

/Stage[main]/Foreman::Database/Foreman::Rake[db:seed]/Exec[foreman-rake-db:seed]: Failed to call refresh: /usr/sbin/foreman-rake db:seed returned 1 instead of one of [0]
/Stage[main]/Foreman::Database/Foreman::Rake[db:seed]/Exec[foreman-rake-db:seed]: /usr/sbin/foreman-rake db:seed returned 1 instead of one of [0]

Files

katello.log (1.55 MB), foreman-installer logs, Baptiste Agasse, 11/17/2016 09:24 AM

Actions #1

Updated by Baptiste Agasse over 7 years ago

Attached file: /var/log/foreman-installer/katello.log
The error happens around 15:12

Steps to reproduce:

  • 100% of times
  • Install CentOS 7 x86_64 minimal
cat >/etc/yum.repos.d/CentOS-Atomic.repo <<EOL
# CentOS-Atomic.repo
#
# Get rpm-ostree deps from this buildlogs repo because CentOS don't provide them on mirrors ATM

[atomic]
name=CentOS-\$releasever - Atomic
#mirrorlist=http://mirrorlist.centos.org/?release=\$releasever&arch=\$basearch&repo=os&infra=\$infra
baseurl=http://buildlogs.centos.org/centos/\$releasever/atomic/\$basearch/Packages/
gpgcheck=1
gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-CentOS-\$releasever
EOL

yum update -y
yum -y localinstall http://fedorapeople.org/groups/katello/releases/yum/3.2/katello/el7/x86_64/katello-repos-latest.rpm
yum -y localinstall http://yum.theforeman.org/releases/1.13/el7/x86_64/foreman-release.rpm
yum -y localinstall http://yum.puppetlabs.com/puppetlabs-release-el-7.noarch.rpm
yum -y localinstall http://dl.fedoraproject.org/pub/epel/epel-release-latest-7.noarch.rpm
yum -y install foreman-release-scl
yum -y install katello

foreman-installer --scenario katello\
  --enable-foreman-plugin-discovery\
  --enable-foreman-plugin-hooks\
  --enable-foreman-plugin-openscap\
  --enable-foreman-plugin-remote-execution\
  --enable-foreman-plugin-templates\
  --certs-ca-common-name="Example Lifecycle management Root CA"\
  --certs-ca-expiration=3650\
  --certs-expiration=3650\
  --certs-country="FR"\
  --certs-city="Toulouse"\
  --certs-org="Example Lifecycle management"\
  --certs-org-unit="Example Infrastructures"\
  --foreman-admin-email="foobar@example.com"\
  --foreman-admin-first-name="Foo"\
  --foreman-admin-last-name="Bar"\
  --foreman-initial-location="France"\
  --foreman-initial-organization="Example - FR - Test"\
  --katello-enable-ostree=true \
  --disable-system-checks
Actions #2

Updated by Baptiste Agasse over 7 years ago

I forgot to say that removing the --certs-ca-common-name="Example Lifecycle management Root CA" option makes the install finish successfully.

Actions #3

Updated by Eric Helms over 7 years ago

  • translation missing: en.field_release set to 188
Actions #4

Updated by Justin Sherrill about 7 years ago

  • translation missing: en.field_release changed from 188 to 114
Actions #5

Updated by Justin Sherrill about 7 years ago

  • Subject changed from unable to run installer with certs options to unable to run installer with certs options (Candlepin uses CA cert as server cert)
  • translation missing: en.field_release changed from 114 to 211

The reason this is failing is that candlepin is using the CA certs as its server certs, and since, when using the ca-name option, the common name in the cert does not match the FQDN, communication with it will fail.
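
Added example (not part of this ticket or of puppet-certs): a shell check for the two conditions described in the comment above, namely a certificate that is a CA certificate and a certificate whose name does not match the server FQDN. The FQDN, file names and the throwaway self-signed certificates are constructed sample values; the third case (a CA certificate whose CN equals the FQDN) is an assumption added to show that the name check alone passes there.

```shell
#!/bin/sh
# Added example: flag a certificate that should not be deployed as a TLS
# server certificate for a given FQDN. Sample names and paths are constructed.

# check_server_cert CERT_PEM FQDN -> prints "ok" or a comma-separated problem list
check_server_cert() {
    c_cert=$1; c_host=$2; problems=""
    # A CA certificate carries basicConstraints CA:TRUE.
    if openssl x509 -in "$c_cert" -noout -text | grep -q 'CA:TRUE'; then
        problems="is-ca"
    fi
    # -checkhost matches the name against SAN DNS entries, falling back to CN.
    if ! openssl x509 -in "$c_cert" -noout -checkhost "$c_host" | grep -q 'does match'; then
        problems="${problems:+$problems,}name-mismatch"
    fi
    echo "${problems:-ok}"
}

# make_cert DIR NAME CN TRUE|FALSE [SAN_DNS]: self-signed throwaway test certificate
make_cert() {
    cnf="$1/$2.cnf"
    printf '[req]\ndistinguished_name=dn\nx509_extensions=ext\nprompt=no\n' > "$cnf"
    printf '[dn]\nCN=%s\n[ext]\nbasicConstraints=critical,CA:%s\n' "$3" "$4" >> "$cnf"
    if [ -n "${5:-}" ]; then printf 'subjectAltName=DNS:%s\n' "$5" >> "$cnf"; fi
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -config "$cnf" \
        -keyout "$1/$2.key" -out "$1/$2.pem" 2>/dev/null
}

tmp=$(mktemp -d)
trap 'rm -rf "$tmp"' EXIT
sample_fqdn=katello.example.com   # constructed FQDN

# CA with the custom common name from the report
make_cert "$tmp" ca "Example Lifecycle management Root CA" TRUE
# CA whose CN happens to equal the FQDN (assumed case, for comparison)
make_cert "$tmp" ca_fqdn "$sample_fqdn" TRUE
# Dedicated server certificate
make_cert "$tmp" server "$sample_fqdn" FALSE "$sample_fqdn"

echo "custom-CN CA as server cert: $(check_server_cert "$tmp/ca.pem" "$sample_fqdn")"
echo "FQDN-CN CA as server cert:   $(check_server_cert "$tmp/ca_fqdn.pem" "$sample_fqdn")"
echo "dedicated server cert:       $(check_server_cert "$tmp/server.pem" "$sample_fqdn")"
```

The middle case reports only `is-ca`: hostname verification succeeds, so a client that checks nothing else will not notice that a CA certificate is being served.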

Actions #6

Updated by Justin Sherrill about 7 years ago

  • Subject changed from unable to run installer with certs options (Candlepin uses CA cert as server cert) to unable to run installer with ca-common-name certs options (Candlepin uses CA cert as server cert)
Actions #7

Updated by Justin Sherrill about 7 years ago

  • Subject changed from unable to run installer with ca-common-name certs options (Candlepin uses CA cert as server cert) to candlepin uses ca cert for server cert
Actions #8

Updated by Justin Sherrill about 7 years ago

  • Assignee set to Andrew Kofink
  • Target version set to 178
Actions #9

Updated by Timo Goebel about 7 years ago

  • Pull request https://github.com/Katello/puppet-certs/pull/128 added

This would be my suggestion to fix this:
https://github.com/Katello/puppet-certs/pull/128

Actions #10

Updated by Eric Helms almost 7 years ago

  • Status changed from New to Ready For Testing
Actions #11

Updated by Timo Goebel almost 7 years ago

  • Status changed from Ready For Testing to Closed
  • % Done changed from 0 to 100