Bug #18310
closed
katello-certs-check needs to provide differentiating data for capsule-certs-generate to avoid error
Description
Cloned from BZ:
Description of problem:
When using `katello-certs-check` the `capsule-certs-generate` command that is provided is assuming that we are only updating a capsule's certificates, and not generating them for the first time.
If we indeed use this command to generate certs for a fresh capsule, we will encounter an error because the directories for that capsule do not yet exist.
This is in reference to the '--certs-update-server' argument.
This argument is only necessary to update certificates that were already created before.
If we are generating a fresh pair of certs for a fresh capsule, we want to omit this argument to create a fresh directory and certificate set for the capsule without a traceback.
Version-Release number of selected component (if applicable): 6.2.7
How reproducible: 100%
Steps to Reproduce:
1. Run katello-certs-check against cert set
2. Use command provided to generate certs for a non-existent capsule
Actual results:
- katello-certs-check -c wild_cragcap61.usersys.redhat.com.crt -k wild_cragcap61.usersys.redhat.com.key -r wild_cragcap61.usersys.redhat.com.csr -b CA-crt.pem
<snip>
To use them inside a $CAPSULE, run this command INSTEAD:
capsule-certs-generate --capsule-fqdn ""\
--certs-tar "~/-certs.tar"\
--server-cert "newcapsule.crt"\
--server-cert-req "newcapsule.csr"\
--server-key "newcapsule.key"\
--server-ca-cert "CA-crt.pem"\
--certs-update-server
</snip>
When running the provided command:
- capsule-certs-generate --capsule-fqdn "newcapsule.example.com" --certs-tar "~/newcapsule-certs.tar" --server-cert "newcapsule.crt" --server-cert-req "newcapsule.csr" --server-key "newcapsule.key" --server-ca-cert "CA-crt.pem" --certs-update-server
Marking certificate /root/ssl-build/newcapsule.example.com/newcapsule.example.com-apache for update
/usr/share/ruby/fileutils.rb:1145:in `initialize': No such file or directory - /root/ssl-build/newcapsule.example.com/newcapsule.example.com-apache.update (Errno::ENOENT)
from /usr/share/ruby/fileutils.rb:1145:in `open'
from /usr/share/ruby/fileutils.rb:1145:in `rescue in block in touch'
from /usr/share/ruby/fileutils.rb:1141:in `block in touch'
from /usr/share/ruby/fileutils.rb:1139:in `each'
from /usr/share/ruby/fileutils.rb:1139:in `touch'
from /usr/share/katello-installer-base/hooks/pre/20-certs_update.rb:18:in `mark_for_update'
from /usr/share/katello-installer-base/hooks/pre/20-certs_update.rb:38:in `block (4 levels) in load'
from /usr/share/gems/gems/kafo-0.7.6.1/lib/kafo/hooking.rb:34:in `instance_eval'
from /usr/share/gems/gems/kafo-0.7.6.1/lib/kafo/hooking.rb:34:in `block (4 levels) in load'
from /usr/share/gems/gems/kafo-0.7.6.1/lib/kafo/hook_context.rb:13:in `instance_exec'
from /usr/share/gems/gems/kafo-0.7.6.1/lib/kafo/hook_context.rb:13:in `execute'
from /usr/share/gems/gems/kafo-0.7.6.1/lib/kafo/hooking.rb:51:in `block in execute'
from /usr/share/gems/gems/kafo-0.7.6.1/lib/kafo/hooking.rb:49:in `each'
from /usr/share/gems/gems/kafo-0.7.6.1/lib/kafo/hooking.rb:49:in `execute'
from /usr/share/gems/gems/kafo-0.7.6.1/lib/kafo/kafo_configure.rb:375:in `run_installation'
from /usr/share/gems/gems/kafo-0.7.6.1/lib/kafo/kafo_configure.rb:141:in `execute'
from /usr/share/gems/gems/clamp-0.6.2/lib/clamp/command.rb:67:in `run'
from /usr/share/gems/gems/clamp-0.6.2/lib/clamp/command.rb:125:in `run'
from /usr/share/gems/gems/kafo-0.7.6.1/lib/kafo/kafo_configure.rb:148:in `run'
from /usr/sbin/capsule-certs-generate:50:in `<main>'
Expected results:
katello-certs-check should give us two options, for the different scenarios.
One for new capsules, and one for updating certs-tars for existing capsules:
- katello-certs-check -c wild_cragcap61.usersys.redhat.com.crt -k wild_cragcap61.usersys.redhat.com.key -r wild_cragcap61.usersys.redhat.com.csr -b CA-crt.pem
<snip>
To use them inside a NEW $CAPSULE, run this command:
capsule-certs-generate --capsule-fqdn ""\
--certs-tar "~/-certs.tar"\
--server-cert "newcapsule.crt"\
--server-cert-req "newcapsule.csr"\
--server-key "newcapsule.key"\
--server-ca-cert "CA-crt.pem"
To use them inside an EXISTING $CAPSULE, run this command INSTEAD:
capsule-certs-generate --capsule-fqdn ""\
--certs-tar "~/-certs.tar"\
--server-cert "newcapsule.crt"\
--server-cert-req "newcapsule.csr"\
--server-key "newcapsule.key"\
--server-ca-cert "CA-crt.pem"
</snip>
Additional info:
This came about as a documentation bug that is actually caused by this oversight.
This is being tracked in RHBZ https://bugzilla.redhat.com/show_bug.cgi?id=1417399.
Updated by The Foreman Bot almost 8 years ago
- Status changed from New to Ready For Testing
- Pull request https://github.com/Katello/katello-installer/pull/475 added
Updated by Chris Roberts almost 8 years ago
- Status changed from Ready For Testing to Closed
- % Done changed from 0 to 100
Applied in changeset katello-installer|bc93828cccc516686e9f2f96265e1e1b6bd23fef.
Updated by Justin Sherrill almost 8 years ago
- Release set to 188
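The failure in the traceback above and one way to guard against it, as an added Ruby example that is not the katello-installer hook's code or the change applied in the changeset. The function names, the temporary directory standing in for /root/ssl-build, and the guard itself are assumptions for illustration.

```ruby
require 'fileutils'
require 'tmpdir'

# Hypothetical stand-in for the step seen in the traceback: touch
# <build_root>/<fqdn>/<cert_name>.update without checking the directory.
def mark_for_update_unguarded(build_root, fqdn, cert_name)
  FileUtils.touch(File.join(build_root, fqdn, "#{cert_name}.update"))
  :marked
end

# Guarded variant (assumption): only mark when the capsule's build directory
# exists, i.e. certificates were generated for this FQDN before.
def mark_for_update_guarded(build_root, fqdn, cert_name)
  dir = File.join(build_root, fqdn)
  return :skipped_no_build_dir unless File.directory?(dir)
  FileUtils.touch(File.join(dir, "#{cert_name}.update"))
  :marked
end

# Decide whether --certs-update-server belongs on the command line.
# The other options shown in the report are unchanged and omitted here.
def update_flag(build_root, fqdn)
  File.directory?(File.join(build_root, fqdn)) ? ['--certs-update-server'] : []
end

# Runs both scenarios from the report against a throwaway build root.
def demo
  Dir.mktmpdir do |root|
    fqdn = 'newcapsule.example.com'
    cert = "#{fqdn}-apache"
    fresh_unguarded = begin
      mark_for_update_unguarded(root, fqdn, cert)
    rescue Errno::ENOENT
      :enoent # same error class as in the traceback
    end
    fresh_guarded = mark_for_update_guarded(root, fqdn, cert)
    fresh_flag = update_flag(root, fqdn)
    FileUtils.mkdir_p(File.join(root, fqdn)) # simulate an existing capsule
    existing_guarded = mark_for_update_guarded(root, fqdn, cert)
    { fresh_unguarded: fresh_unguarded, fresh_guarded: fresh_guarded,
      fresh_flag: fresh_flag, existing_guarded: existing_guarded,
      existing_flag: update_flag(root, fqdn),
      marker_exists: File.exist?(File.join(root, fqdn, "#{cert}.update")) }
  end
end

p demo if __FILE__ == $PROGRAM_NAME
```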