
Bug #17378

candlepin uses ca cert for server cert

Added by Chris Duryee over 2 years ago. Updated 11 months ago.

Status: Closed
Priority: High
Assignee:
Category: Installer
Target version:
Difficulty:
Triaged: Yes
Bugzilla link:
Team Backlog:
Fixed in Releases:
Found in Releases:

Description

When the following options are specified (puppet 3), the installer fails to run (db:seed error):

[root@katello ~]# foreman-installer --scenario katello\
--enable-foreman-plugin-discovery\
--enable-foreman-plugin-hooks\
--enable-foreman-plugin-openscap\
--enable-foreman-plugin-remote-execution\
--enable-foreman-plugin-templates\
--certs-ca-common-name="Example Lifecycle management Root CA"\
--certs-ca-expiration=3650\
--certs-expiration=3650\
--certs-country="FR"\
--certs-city="Toulouse"\
--certs-org="Example Lifecycle management"\
--certs-org-unit="Lyra Network Infrastructures"\
--foreman-admin-email=""\
--foreman-initial-location="France"\
--foreman-initial-organization="Example - FR - Test"\
--katello-enable-ostree=true \
--disable-system-checks

error is:

/Stage[main]/Foreman::Database/Foreman::Rake[db:seed]/Exec[foreman-rake-db:seed]: Failed to call refresh: /usr/sbin/foreman-rake db:seed returned 1 instead of one of [0]
/Stage[main]/Foreman::Database/Foreman::Rake[db:seed]/Exec[foreman-rake-db:seed]: /usr/sbin/foreman-rake db:seed returned 1 instead of one of [0]
Attachment: katello.log (1.55 MB), foreman-installer logs, added by Baptiste Agasse, 11/17/2016 09:24 AM

Associated revisions

Revision b0c60e73 (diff)
Added by Timo Goebel about 2 years ago

fixes #17378 - tomcat has dedicated certificate

History

#1 Updated by Baptiste Agasse over 2 years ago

Attached file: /var/log/foreman-installer/katello.log
The error happens around 15:12

Steps to reproduce:

  • 100% of times
  • Install CentOS 7 x86_64 minimal
cat >/etc/yum.repos.d/CentOS-Atomic.repo <<EOL
# CentOS-Atomic.repo
#
# Get rpm-ostree deps from this buildlogs repo because CentOS doesn't provide them on mirrors ATM

[atomic]
name=CentOS-$releasever - Atomic
#mirrorlist=http://mirrorlist.centos.org/?release=\$releasever&arch=\$basearch&repo=os&infra=\$infra
baseurl=http://buildlogs.centos.org/centos/\$releasever/atomic/\$basearch/Packages/
gpgcheck=1
gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-CentOS-\$releasever
EOL

yum update -y
yum -y localinstall http://fedorapeople.org/groups/katello/releases/yum/3.2/katello/el7/x86_64/katello-repos-latest.rpm
yum -y localinstall http://yum.theforeman.org/releases/1.13/el7/x86_64/foreman-release.rpm
yum -y localinstall http://yum.puppetlabs.com/puppetlabs-release-el-7.noarch.rpm
yum -y localinstall http://dl.fedoraproject.org/pub/epel/epel-release-latest-7.noarch.rpm
yum -y install foreman-release-scl
yum -y install katello

foreman-installer --scenario katello\
  --enable-foreman-plugin-discovery\
  --enable-foreman-plugin-hooks\
  --enable-foreman-plugin-openscap\
  --enable-foreman-plugin-remote-execution\
  --enable-foreman-plugin-templates\
  --certs-ca-common-name="Example Lifecycle management Root CA"\
  --certs-ca-expiration=3650\
  --certs-expiration=3650\
  --certs-country="FR"\
  --certs-city="Toulouse"\
  --certs-org="Example Lifecycle management"\
  --certs-org-unit="Example Infrastructures"\
  --foreman-admin-email="foobar@example.com"\
  --foreman-admin-first-name="Foo"\
  --foreman-admin-last-name="Bar"\
  --foreman-initial-location="France"\
  --foreman-initial-organization="Example - FR - Test"\
  --katello-enable-ostree=true \
  --disable-system-checks

#2 Updated by Baptiste Agasse over 2 years ago

I forgot to say that removing the --certs-ca-common-name="Example Lifecycle management Root CA" option makes the install finish successfully.

#3 Updated by Eric Helms over 2 years ago

  • Legacy Backlogs Release (now unused) set to 188

#4 Updated by Justin Sherrill over 2 years ago

  • Legacy Backlogs Release (now unused) changed from 188 to 114

#5 Updated by Justin Sherrill over 2 years ago

  • Subject changed from unable to run installer with certs options to unable to run installer with certs options (Candlepin uses CA cert as server cert)
  • Legacy Backlogs Release (now unused) changed from 114 to 211

The reason this is failing is that Candlepin is using the CA certs as its server certs, and since, when using the ca-name option, the common name in the cert does not match the FQDN, communication with it will fail.
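
An added diagnostic illustrating the mismatch described in this comment (example code, not part of this ticket or of puppet-certs): it applies the hostname-matching rule a TLS client uses to constructed peer-certificate dicts in the shape `ssl.SSLSocket.getpeercert()` returns, showing why a CA certificate whose CN is "Example Lifecycle management Root CA" is rejected for the Katello FQDN while the default CA (CN equal to the FQDN) passes by accident. The hostname `katello.example.com`, the port and the `cafile` path are assumptions.

```python
import socket
import ssl

# Constructed peer-cert dicts in the shape ssl.SSLSocket.getpeercert() returns.
# The CA certificate Candlepin presents when --certs-ca-common-name is set:
CA_AS_SERVER_CERT = {
    "subject": ((("countryName", "FR"),),
                (("organizationName", "Example Lifecycle management"),),
                (("commonName", "Example Lifecycle management Root CA"),)),
}
# Default installer run: the CA's CN is the host FQDN, so it matches by accident.
DEFAULT_CA_CERT = {"subject": ((("commonName", "katello.example.com"),),)}
# What a dedicated Tomcat/Candlepin server certificate should look like.
DEDICATED_SERVER_CERT = {
    "subject": ((("commonName", "katello.example.com"),),),
    "subjectAltName": (("DNS", "katello.example.com"),),
}

def dns_names(cert):
    """Names a client may match: SAN dNSName entries, else the subject CN."""
    sans = [v for k, v in cert.get("subjectAltName", ()) if k == "DNS"]
    if sans:
        return sans
    return [v for rdn in cert.get("subject", ()) for k, v in rdn if k == "commonName"]

def name_matches(pattern, hostname):
    """RFC 6125 style: case-insensitive; one '*' allowed only as the leftmost label."""
    p, h = pattern.lower().rstrip("."), hostname.lower().rstrip(".")
    if "*" not in p:
        return p == h
    pl, hl = p.split("."), h.split(".")
    return pl[0] == "*" and len(pl) == len(hl) >= 3 and pl[1:] == hl[1:]

def cert_matches_hostname(cert, hostname):
    return any(name_matches(n, hostname) for n in dns_names(cert))

def diagnose(cert, hostname):
    names = dns_names(cert)
    if cert_matches_hostname(cert, hostname):
        return f"OK: {hostname} is covered by {names}"
    return (f"MISMATCH: {hostname} is not covered by {names}; a CA-style CN here means "
            "the service is presenting its CA certificate instead of a server certificate")

def fetch_peer_cert(hostname, port, cafile):
    """Verify the chain against the Katello CA (cafile path is an assumption) but
    leave hostname checking to diagnose(); verify_mode stays CERT_REQUIRED."""
    ctx = ssl.create_default_context(cafile=cafile)
    ctx.check_hostname = False
    with socket.create_connection((hostname, port)) as sock:
        with ctx.wrap_socket(sock, server_hostname=hostname) as tls:
            return tls.getpeercert()
```

Run `diagnose(fetch_peer_cert("katello.example.com", 443, cafile), "katello.example.com")` against a live host to see which of the two cases it is in.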

#6 Updated by Justin Sherrill over 2 years ago

  • Subject changed from unable to run installer with certs options (Candlepin uses CA cert as server cert) to unable to run installer with ca-common-name certs options (Candlepin uses CA cert as server cert)

#7 Updated by Justin Sherrill about 2 years ago

  • Subject changed from unable to run installer with ca-common-name certs options (Candlepin uses CA cert as server cert) to candlepin uses ca cert for server cert

#8 Updated by Justin Sherrill about 2 years ago

  • Assignee set to Andrew Kofink
  • Target version set to 178

#9 Updated by Timo Goebel about 2 years ago

  • Pull request https://github.com/Katello/puppet-certs/pull/128 added

This would be my suggestion to fix this:
https://github.com/Katello/puppet-certs/pull/128

#10 Updated by Eric Helms about 2 years ago

  • Status changed from New to Ready For Testing

#11 Updated by Timo Goebel about 2 years ago

  • Status changed from Ready For Testing to Closed
  • % Done changed from 0 to 100
