Bug #17378
closed
candlepin uses ca cert for server cert
Description
When the following options are specified (puppet 3), the installer fails to run (db:seed error):
[root@katello ~]# foreman-installer --scenario katello \
--enable-foreman-plugin-discovery \
--enable-foreman-plugin-hooks \
--enable-foreman-plugin-openscap \
--enable-foreman-plugin-remote-execution \
--enable-foreman-plugin-templates \
--certs-ca-common-name="Example Lifecycle management Root CA" \
--certs-ca-expiration=3650 \
--certs-expiration=3650 \
--certs-country="FR" \
--certs-city="Toulouse" \
--certs-org="Example Lifecycle management" \
--certs-org-unit="Lyra Network Infrastructures" \
--foreman-admin-email="foobar@example.com" \
--foreman-initial-location="France" \
--foreman-initial-organization="Example - FR - Test" \
--katello-enable-ostree=true \
--disable-system-checks
error is:
/Stage[main]/Foreman::Database/Foreman::Rake[db:seed]/Exec[foreman-rake-db:seed]: Failed to call refresh: /usr/sbin/foreman-rake db:seed returned 1 instead of one of [0]
/Stage[main]/Foreman::Database/Foreman::Rake[db:seed]/Exec[foreman-rake-db:seed]: /usr/sbin/foreman-rake db:seed returned 1 instead of one of [0]
Updated by Baptiste Agasse about 8 years ago
- File katello.log katello.log added
Attached file: /var/log/foreman-installer/katello.log
The error happens around 15:12
Steps to reproduce:
- 100% of times
- Install CentOS 7 x86_64 minimal
cat >/etc/yum.repos.d/CentOS-Atomic.repo <<EOL
# CentOS-Atomic.repo
#
# Get rpm-ostree deps from this buildlogs repo because CentOS don't provide them on mirrors ATM
[atomic]
name=CentOS-\$releasever - Atomic
#mirrorlist=http://mirrorlist.centos.org/?release=\$releasever&arch=\$basearch&repo=os&infra=\$infra
baseurl=http://buildlogs.centos.org/centos/\$releasever/atomic/\$basearch/Packages/
gpgcheck=1
gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-CentOS-\$releasever
EOL
yum update -y
yum -y localinstall http://fedorapeople.org/groups/katello/releases/yum/3.2/katello/el7/x86_64/katello-repos-latest.rpm
yum -y localinstall http://yum.theforeman.org/releases/1.13/el7/x86_64/foreman-release.rpm
yum -y localinstall http://yum.puppetlabs.com/puppetlabs-release-el-7.noarch.rpm
yum -y localinstall http://dl.fedoraproject.org/pub/epel/epel-release-latest-7.noarch.rpm
yum -y install foreman-release-scl
yum -y install katello
foreman-installer --scenario katello \
--enable-foreman-plugin-discovery \
--enable-foreman-plugin-hooks \
--enable-foreman-plugin-openscap \
--enable-foreman-plugin-remote-execution \
--enable-foreman-plugin-templates \
--certs-ca-common-name="Example Lifecycle management Root CA" \
--certs-ca-expiration=3650 \
--certs-expiration=3650 \
--certs-country="FR" \
--certs-city="Toulouse" \
--certs-org="Example Lifecycle management" \
--certs-org-unit="Example Infrastructures" \
--foreman-admin-email="foobar@example.com" \
--foreman-admin-first-name="Foo" \
--foreman-admin-last-name="Bar" \
--foreman-initial-location="France" \
--foreman-initial-organization="Example - FR - Test" \
--katello-enable-ostree=true \
--disable-system-checks
Updated by Baptiste Agasse about 8 years ago
I forgot to say that removing the --certs-ca-common-name="Example Lifecycle management Root CA"
option makes the install finish successfully
Updated by Eric Helms about 8 years ago
- Release set to 188
Updated by Justin Sherrill almost 8 years ago
- Release changed from 188 to 114
Updated by Justin Sherrill almost 8 years ago
- Subject changed from unable to run installer with certs options to unable to run installer with certs options (Candlepin uses CA cert as server cert)
- Release changed from 114 to 211
The reason this is failing is that Candlepin is using the CA certs as its server certs, and since, when using the ca-name option, the common name in the cert does not match the FQDN, communication with it will fail.
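The condition described in the comment above can be checked with openssl before a service is pointed at a certificate. The script below is an added example, not part of the original ticket or of puppet-certs; the function names, the temporary files and the hostname katello.example.com are constructed for illustration.

```shell
#!/bin/sh
# Added example: flag a certificate that is a CA cert or does not match the FQDN.
# All names, paths and the hostname katello.example.com are constructed.

# Build a throwaway self-signed cert. $1=output prefix, $2=CN, $3=CA:TRUE|CA:FALSE
make_sample_cert() {
  cat >"$1.cnf" <<EOF
[req]
distinguished_name = dn
x509_extensions = ext
prompt = no
[dn]
CN = $2
[ext]
basicConstraints = critical,$3
EOF
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 -config "$1.cnf" \
    -keyout "$1.key" -out "$1.pem" 2>/dev/null
}

# Return 0 only if $1 (PEM) is a non-CA cert whose SAN/CN matches host $2.
check_server_cert() {
  rc=0
  case $(openssl x509 -in "$1" -noout -text) in
    *CA:TRUE*)
      echo "FAIL: $1 has basicConstraints CA:TRUE (CA cert used as server cert)"
      rc=1 ;;
  esac
  # -checkhost compares against DNS SANs, falling back to the subject CN
  case $(openssl x509 -in "$1" -noout -checkhost "$2") in
    *"does match"*) ;;
    *)
      echo "FAIL: $1 does not match host $2"
      rc=1 ;;
  esac
  if [ "$rc" -eq 0 ]; then echo "OK: $1 is usable as a server cert for $2"; fi
  return "$rc"
}

# Demo on constructed certs: a CA cert with the custom CN from the report,
# and a leaf cert whose CN is the (constructed) server FQDN.
tmp=$(mktemp -d)
make_sample_cert "$tmp/ca" "Example Lifecycle management Root CA" CA:TRUE
make_sample_cert "$tmp/server" "katello.example.com" CA:FALSE
check_server_cert "$tmp/ca.pem" katello.example.com || true
check_server_cert "$tmp/server.pem" katello.example.com
rm -rf "$tmp"
```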
Updated by Justin Sherrill almost 8 years ago
- Subject changed from unable to run installer with certs options (Candlepin uses CA cert as server cert) to unable to run installer with ca-common-name certs options (Candlepin uses CA cert as server cert)
Updated by Justin Sherrill almost 8 years ago
- Subject changed from unable to run installer with ca-common-name certs options (Candlepin uses CA cert as server cert) to candlepin uses ca cert for server cert
Updated by Justin Sherrill almost 8 years ago
- Assignee set to Andrew Kofink
- Target version set to 178
Updated by Timo Goebel almost 8 years ago
- Pull request https://github.com/Katello/puppet-certs/pull/128 added
This would be my suggestion to fix this:
https://github.com/Katello/puppet-certs/pull/128
Updated by Eric Helms almost 8 years ago
- Status changed from New to Ready For Testing
Updated by Timo Goebel over 7 years ago
- Status changed from Ready For Testing to Closed
- % Done changed from 0 to 100
Applied in changeset puppet-certs|b0c60e735106f1052af81315f3b14afeafe7c141.