Bug #17378
closed
candlepin uses ca cert for server cert
Added by Chris Duryee over 8 years ago.
Updated over 6 years ago.
Description
When the following options are specified (puppet 3), the installer fails to run (db:seed error):
[root@katello ~]# foreman-installer --scenario katello \
  --enable-foreman-plugin-discovery \
  --enable-foreman-plugin-hooks \
  --enable-foreman-plugin-openscap \
  --enable-foreman-plugin-remote-execution \
  --enable-foreman-plugin-templates \
  --certs-ca-common-name="Example Lifecycle management Root CA" \
  --certs-ca-expiration=3650 \
  --certs-expiration=3650 \
  --certs-country="FR" \
  --certs-city="Toulouse" \
  --certs-org="Example Lifecycle management" \
  --certs-org-unit="Lyra Network Infrastructures" \
  --foreman-admin-email="foobar@example.com" \
  --foreman-initial-location="France" \
  --foreman-initial-organization="Example - FR - Test" \
  --katello-enable-ostree=true \
  --disable-system-checks
error is:
/Stage[main]/Foreman::Database/Foreman::Rake[db:seed]/Exec[foreman-rake-db:seed]: Failed to call refresh: /usr/sbin/foreman-rake db:seed returned 1 instead of one of [0]
/Stage[main]/Foreman::Database/Foreman::Rake[db:seed]/Exec[foreman-rake-db:seed]: /usr/sbin/foreman-rake db:seed returned 1 instead of one of [0]
Files
Attached file: /var/log/foreman-installer/katello.log
The error happens around 15:12
Steps to reproduce:
- 100% of the time
- Install CentOS 7 x86_64 minimal
cat >/etc/yum.repos.d/CentOS-Atomic.repo <<EOL
# CentOS-Atomic.repo
#
# Get rpm-ostree deps from this buildlogs repo because CentOS don't provide them on mirrors ATM
[atomic]
name=CentOS-\$releasever - Atomic
#mirrorlist=http://mirrorlist.centos.org/?release=\$releasever&arch=\$basearch&repo=os&infra=\$infra
baseurl=http://buildlogs.centos.org/centos/\$releasever/atomic/\$basearch/Packages/
gpgcheck=1
gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-CentOS-\$releasever
EOL
yum update -y
yum -y localinstall http://fedorapeople.org/groups/katello/releases/yum/3.2/katello/el7/x86_64/katello-repos-latest.rpm
yum -y localinstall http://yum.theforeman.org/releases/1.13/el7/x86_64/foreman-release.rpm
yum -y localinstall http://yum.puppetlabs.com/puppetlabs-release-el-7.noarch.rpm
yum -y localinstall http://dl.fedoraproject.org/pub/epel/epel-release-latest-7.noarch.rpm
yum -y install foreman-release-scl
yum -y install katello
foreman-installer --scenario katello \
  --enable-foreman-plugin-discovery \
  --enable-foreman-plugin-hooks \
  --enable-foreman-plugin-openscap \
  --enable-foreman-plugin-remote-execution \
  --enable-foreman-plugin-templates \
  --certs-ca-common-name="Example Lifecycle management Root CA" \
  --certs-ca-expiration=3650 \
  --certs-expiration=3650 \
  --certs-country="FR" \
  --certs-city="Toulouse" \
  --certs-org="Example Lifecycle management" \
  --certs-org-unit="Example Infrastructures" \
  --foreman-admin-email="foobar@example.com" \
  --foreman-admin-first-name="Foo" \
  --foreman-admin-last-name="Bar" \
  --foreman-initial-location="France" \
  --foreman-initial-organization="Example - FR - Test" \
  --katello-enable-ostree=true \
  --disable-system-checks
I forgot to say that removing the --certs-ca-common-name="Example Lifecycle management Root CA" option makes the install finish successfully.
- Release set to 188
- Release changed from 188 to 114
- Subject changed from unable to run installer with certs options to unable to run installer with certs options (Candlepin uses CA cert as server cert)
- Release changed from 114 to 211
The reason this is failing is that candlepin is using the CA certs as its server certs, and since, when using the ca-name option, the common name in the cert does not match the FQDN, communication with it will fail.
- Subject changed from unable to run installer with certs options (Candlepin uses CA cert as server cert) to unable to run installer with ca-common-name certs options (Candlepin uses CA cert as server cert)
- Subject changed from unable to run installer with ca-common-name certs options (Candlepin uses CA cert as server cert) to candlepin uses ca cert for server cert
- Assignee set to Andrew Kofink
- Target version set to 178
- Pull request https://github.com/Katello/puppet-certs/pull/128 added
- Status changed from New to Ready For Testing
- Status changed from Ready For Testing to Closed
- % Done changed from 0 to 100
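
The failure mode described above (a CA certificate presented as the server certificate, with a common name that is not the FQDN) can be checked for directly. The following is an added example, not code from puppet-certs or Candlepin; the hostname katello.example.com, the helper names and the throwaway keys are constructed for illustration.

```ruby
require 'openssl'

FQDN  = 'katello.example.com'                   # constructed hostname
CA_CN = 'Example Lifecycle management Root CA'  # --certs-ca-common-name value from the report

# Build a throwaway certificate (self-signed unless an issuer is given).
def make_cert(cn, key, issuer_cert: nil, issuer_key: nil, ca: false, san: nil)
  cert = OpenSSL::X509::Certificate.new
  cert.version = 2
  cert.serial = rand(1..2**32)
  cert.subject = OpenSSL::X509::Name.new([['CN', cn]])
  cert.issuer = issuer_cert ? issuer_cert.subject : cert.subject
  cert.public_key = key.public_key
  cert.not_before = Time.now - 60
  cert.not_after = Time.now + 3600
  ef = OpenSSL::X509::ExtensionFactory.new
  ef.subject_certificate = cert
  ef.issuer_certificate = issuer_cert || cert
  cert.add_extension(ef.create_extension('basicConstraints', ca ? 'CA:TRUE' : 'CA:FALSE', true))
  cert.add_extension(ef.create_extension('subjectAltName', "DNS:#{san}")) if san
  cert.sign(issuer_key || key, OpenSSL::Digest.new('SHA256'))
  cert
end

# Return the reasons a certificate is unsuitable as the TLS server cert for fqdn.
def server_cert_problems(cert, fqdn)
  problems = []
  bc = cert.extensions.find { |e| e.oid == 'basicConstraints' }
  # A CA certificate should only sign other certificates, never identify a host.
  problems << :is_ca_certificate if bc && bc.value.include?('CA:TRUE')
  # Same SAN/CN matching a Ruby TLS client applies when it connects.
  problems << :hostname_mismatch unless OpenSSL::SSL.verify_certificate_identity(cert, fqdn)
  problems
end

CA_KEY      = OpenSSL::PKey::RSA.new(2048)
SERVER_KEY  = OpenSSL::PKey::RSA.new(2048)
CA_CERT     = make_cert(CA_CN, CA_KEY, ca: true)
SERVER_CERT = make_cert(FQDN, SERVER_KEY, issuer_cert: CA_CERT, issuer_key: CA_KEY, san: FQDN)

puts "CA cert used as server cert: #{server_cert_problems(CA_CERT, FQDN).inspect}"
puts "dedicated server cert:       #{server_cert_problems(SERVER_CERT, FQDN).inspect}"
```

A CA certificate whose common name happens to equal the FQDN passes the hostname check and is only caught by the basicConstraints test, which is why a hostname-only check does not reveal the misuse.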