Bug #18987

--certs-regenerate-ca should also regenerate ueber certificates

Added by John Mitsch over 1 year ago. Updated 10 months ago.

Status:Closed
Priority:Normal
Assigned To:John Mitsch
Category:Installer
Target version:Team Brad - Iteration 14
Difficulty: Pull request:https://github.com/Katello/katello/pull/6728, https://github.com/Katello/katello/pull/6947
Bugzilla link:1434948 Found in Katello release:
Story points-
Velocity based estimate-
ReleaseKatello 3.4.0Release relationshipAuto

Description

Cloned from https://bugzilla.redhat.com/show_bug.cgi?id=1434948

Description of problem:

When regenerating the CA certificates on Katello the ueber certificates should also be regenerated. Otherwise, downstream Proxies will run into issues with synchronizing content.

How reproducible:

Always.

Steps to Reproduce:

1. Delete contents of /root/ssl-build and /root/ssl-build/<KAT_FQDN>
2. # katello-installer --certs-update-all --certs-regenerate-ca --certs-regenerate
3. Generate and install new certificate bundle for Proxies
4. Observe that Proxy content synchronization fails

nectar.downloaders.threaded:ERROR: Skipping requests to <KAT_FQDN> due to repeated connection failures: [SSL: TLSV1_ALERT_UNKNOWN_CA] tlsv1 alert unknown ca (_ssl.c:579)

Actual results:

- ueber certificate is still based off of old CA
- Proxy content synchronization fails

Expected results:

- ueber certificate has been refreshed against the new CA
- Proxy content synchronization is successful

Additional info:

Can be worked around by manually deleting the old ueber certificates in Candlepin.

Perhaps the installer can run this rake task in upstream that regenerates the ueber certificates:

http://projects.theforeman.org/issues/18403

Associated revisions

Revision a0541934
Added by John Mitsch about 1 year ago

Fixes #18987 - Check ueber certs on each proxy sync

Revision fbf9a67b
Added by Sebastian Gräßl 10 months ago

Refs #18987 - Do not stub over Settings[]

This test will fail when Settings[] is called
with unexpected keys.

History

#1 Updated by John Mitsch over 1 year ago

  • Subject changed from --certs-regenerate-ca should also regenerate ueber certificates to --certs-regenerate-ca should also regenerate ueber certificates
  • Description updated (diff)

#2 Updated by John Mitsch over 1 year ago

  • Target version set to Team Brad - Iteration 12

#3 Updated by Brad Buckingham about 1 year ago

  • Target version changed from Team Brad - Iteration 12 to Team Brad - Iteration 13

#4 Updated by The Foreman Bot about 1 year ago

  • Status changed from New to Ready For Testing
  • Pull request https://github.com/Katello/katello/pull/6728 added

#5 Updated by Walden Raines about 1 year ago

  • Release set to Katello 3.4.0

#6 Updated by Brad Buckingham about 1 year ago

  • Target version changed from Team Brad - Iteration 13 to Team Brad - Iteration 14

#7 Updated by John Mitsch about 1 year ago

  • Status changed from Ready For Testing to Closed
  • % Done changed from 0 to 100

#8 Updated by The Foreman Bot 10 months ago

  • Pull request https://github.com/Katello/katello/pull/6947 added

Also available in: Atom PDF