Project

General

Profile

Bug #18987

--certs-regenerate-ca should also regenerate ueber certificates

Added by John Mitsch about 2 years ago. Updated 10 months ago.

Status:
Closed
Priority:
Normal
Assignee:
John Mitsch
Category:
Installer
Target version:
Katello 3.4.0
Difficulty:
Triaged:
Yes
Bugzilla link:
1434948
Pull request:
https://github.com/Katello/katello/pull/6947, https://github.com/Katello/katello/pull/6728
Team Backlog:
Fixed in Releases:
Found in Releases:

Description

Cloned from https://bugzilla.redhat.com/show_bug.cgi?id=1434948

Description of problem:

When regenerating the CA certificates on Katello the ueber certificates should also be regenerated. Otherwise, downstream Proxies will run into issues with synchronizing content.

How reproducible:

Always.

Steps to Reproduce:

1. Delete contents of /root/ssl-build and /root/ssl-build/<KAT_FQDN>
2. # katello-installer --certs-update-all --certs-regenerate-ca --certs-regenerate
3. Generate and install new certificate bundle for Proxies
4. Observe that Proxy content synchronization fails

nectar.downloaders.threaded:ERROR: Skipping requests to <KAT_FQDN> due to repeated connection failures: [SSL: TLSV1_ALERT_UNKNOWN_CA] tlsv1 alert unknown ca (_ssl.c:579)

Actual results:

- ueber certificate is still based off of old CA
- Proxy content synchronization fails

Expected results:

- ueber certificate has been refreshed against the new CA
- Proxy content synchronization is successful

Additional info:

Can be worked around by manually deleting the old ueber certificates in Candlepin.

Perhaps the installer can run this rake task in upstream that regenerates the ueber certificates:

http://projects.theforeman.org/issues/18403

Associated revisions

Revision a0541934 (diff)
Added by John Mitsch about 2 years ago

Fixes #18987 - Check ueber certs on each proxy sync

Revision fbf9a67b (diff)
Added by Sebastian Gräßl over 1 year ago

Refs #18987 - Do not stub over Settings[]

This test will fail when Settings[] is called
with unexpected keys.

History

#1 Updated by John Mitsch about 2 years ago

  • Subject changed from --certs-regenerate-ca should also regenerate ueber certificates to --certs-regenerate-ca should also regenerate ueber certificates
  • Description updated (diff)

#2 Updated by John Mitsch about 2 years ago

  • Target version set to 178

#3 Updated by Brad Buckingham about 2 years ago

  • Target version changed from 178 to 181

#4 Updated by The Foreman Bot about 2 years ago

  • Status changed from New to Ready For Testing
  • Pull request https://github.com/Katello/katello/pull/6728 added

#5 Updated by Walden Raines about 2 years ago

  • Legacy Backlogs Release (now unused) set to 211

#6 Updated by Brad Buckingham about 2 years ago

  • Target version changed from 181 to 187

#7 Updated by John Mitsch about 2 years ago

  • Status changed from Ready For Testing to Closed
  • % Done changed from 0 to 100

#8 Updated by The Foreman Bot over 1 year ago

  • Pull request https://github.com/Katello/katello/pull/6947 added

Also available in: Atom PDF