Project

General

Profile

Bug #18310

katello-certs-check needs to provide differentiating data for capsule-certs-generate to avoid error

Added by Chris Roberts over 4 years ago. Updated almost 3 years ago.

Status:
Closed
Priority:
Normal
Assignee:
Category:
Installer
Target version:
Difficulty:
easy
Triaged:
Bugzilla link:
Fixed in Releases:
Found in Releases:

Description

Cloned from BZ:

Description of problem:
When using `katello-certs-check` the `capsule-certs-generate` command that is provided is assuming that we are only updating a capsule certificates, and not generating them for the first time.

If we indeed use this command to generate certs for a fresh capsule, we will encounter an error because the directories for that capsule do not yet exist.
This is in reference to the '--certs-update-server' argument.

This argument is only necessary to update certificates that were already created before.

If we are generating a fresh pair of certs for a fresh capsule, we want to omit this argument to create a fresh directory and certificate set for the capsule without a traceback.

Version-Release number of selected component (if applicable): 6.2.7

How reproducible: 100%

Steps to Reproduce:
1. Run katello-certs-check against cert set
2. Use command provided to generate certs for a non-existent capsule

Actual results:

  1. katello-certs-check -c wild_cragcap61.usersys.redhat.com.crt -k wild_cragcap61.usersys.redhat.com.key -r wild_cragcap61.usersys.redhat.com.csr -b CA-crt.pem
    <snip>
    To use them inside a $CAPSULE, run this command INSTEAD:

    capsule-certs-generate --capsule-fqdn ""\
    --certs-tar "~/-certs.tar"\
    --server-cert "newcapsule.crt"\
    --server-cert-req "newcapsule.csr"\
    --server-key "newcapsule.key"\
    --server-ca-cert "CA-crt.pem"\
    --certs-update-server
    </snip>

When running the provided command:

  1. capsule-certs-generate --capsule-fqdn "newcapsule.example.com" --certs-tar "~/newcapsule-certs.tar" --server-cert "newcapsule.crt" --server-cert-req "newcapsule.csr" --server-key "newcapsule.key" --server-ca-cert "CA-crt.pem" --certs-update-server
    Marking certificate /root/ssl-build/newcapsule.example.com/newcapsule.example.com-apache for update
    /usr/share/ruby/fileutils.rb:1145:in `initialize': No such file or directory - /root/ssl-build/newcapsule.example.com/newcapsule.example.com-apache.update (Errno::ENOENT)
    from /usr/share/ruby/fileutils.rb:1145:in `open'
    from /usr/share/ruby/fileutils.rb:1145:in `rescue in block in touch'
    from /usr/share/ruby/fileutils.rb:1141:in `block in touch'
    from /usr/share/ruby/fileutils.rb:1139:in `each'
    from /usr/share/ruby/fileutils.rb:1139:in `touch'
    from /usr/share/katello-installer-base/hooks/pre/20-certs_update.rb:18:in `mark_for_update'
    from /usr/share/katello-installer-base/hooks/pre/20-certs_update.rb:38:in `block (4 levels) in load'
    from /usr/share/gems/gems/kafo-0.7.6.1/lib/kafo/hooking.rb:34:in `instance_eval'
    from /usr/share/gems/gems/kafo-0.7.6.1/lib/kafo/hooking.rb:34:in `block (4 levels) in load'
    from /usr/share/gems/gems/kafo-0.7.6.1/lib/kafo/hook_context.rb:13:in `instance_exec'
    from /usr/share/gems/gems/kafo-0.7.6.1/lib/kafo/hook_context.rb:13:in `execute'
    from /usr/share/gems/gems/kafo-0.7.6.1/lib/kafo/hooking.rb:51:in `block in execute'
    from /usr/share/gems/gems/kafo-0.7.6.1/lib/kafo/hooking.rb:49:in `each'
    from /usr/share/gems/gems/kafo-0.7.6.1/lib/kafo/hooking.rb:49:in `execute'
    from /usr/share/gems/gems/kafo-0.7.6.1/lib/kafo/kafo_configure.rb:375:in `run_installation'
    from /usr/share/gems/gems/kafo-0.7.6.1/lib/kafo/kafo_configure.rb:141:in `execute'
    from /usr/share/gems/gems/clamp-0.6.2/lib/clamp/command.rb:67:in `run'
    from /usr/share/gems/gems/clamp-0.6.2/lib/clamp/command.rb:125:in `run'
    from /usr/share/gems/gems/kafo-0.7.6.1/lib/kafo/kafo_configure.rb:148:in `run'
    from /usr/sbin/capsule-certs-generate:50:in `<main>'

Expected results:

katello-certs-check should give us two options, for the different scenarios.
One for new capsules, and one for updating certs-tars for existing capsules:

  1. katello-certs-check -c wild_cragcap61.usersys.redhat.com.crt -k wild_cragcap61.usersys.redhat.com.key -r wild_cragcap61.usersys.redhat.com.csr -b CA-crt.pem
    <snip>
    To use them inside a NEW $CAPSULE, run this command:

    capsule-certs-generate --capsule-fqdn ""\
    --certs-tar "~/-certs.tar"\
    --server-cert "newcapsule.crt"\
    --server-cert-req "newcapsule.csr"\
    --server-key "newcapsule.key"\
    --server-ca-cert "CA-crt.pem"

To use them inside an EXISTING $CAPSULE, run this command INSTEAD:

capsule-certs-generate --capsule-fqdn ""\
--certs-tar "~/-certs.tar"\
--server-cert "newcapsule.crt"\
--server-cert-req "newcapsule.csr"\
--server-key "newcapsule.key"\
--server-ca-cert "CA-crt.pem"
&lt;/snip&gt;

Additional info:
This came about as a documentation bug that is actually caused by this oversight.
This is being tracked in RHBZ https://bugzilla.redhat.com/show_bug.cgi?id=1417399.

Associated revisions

Revision bc93828c (diff)
Added by Chris Roberts over 4 years ago

Fixes #18310 - Update certs-check for proxy

History

#1 Updated by The Foreman Bot over 4 years ago

  • Status changed from New to Ready For Testing
  • Pull request https://github.com/Katello/katello-installer/pull/475 added

#2 Updated by Chris Roberts over 4 years ago

  • Status changed from Ready For Testing to Closed
  • % Done changed from 0 to 100

#3 Updated by Justin Sherrill over 4 years ago

  • Legacy Backlogs Release (now unused) set to 188

Also available in: Atom PDF