Bug #22196

Hammer errors out with certificate errors when using CA chain

Added by Stephen Benjamin about 3 years ago. Updated about 3 years ago.

Status: Closed
Priority: Normal
Category: -
Target version: -
Difficulty:
Triaged: No
Bugzilla link:

Description

Cloned from https://bugzilla.redhat.com/show_bug.cgi?id=1501980

Description of problem:
When deploying Satellite 6.3 snap 19 with a custom certificate, hammer errors out with every command until :ssl_ca_file: is configured to point to the CA bundle.

Version-Release number of selected component (if applicable):
6.3 snap19

How reproducible:
Easy

Steps to Reproduce:
1. Install Satellite with custom certificates
2. Run hammer without arguments
3.

Actual results:
# hammer
Could not load the API description from the server: SSL certificate verification failed
Make sure you configured the correct URL and have the server's CA certificate installed on your system.

The following configuration option were used for the SSL connection:
ssl_ca_file = /etc/pki/katello/certs/katello-default-ca.crt

Make sure the location contains an unexpired and valid CA certificate for https://sat63-snap19.example.com

Warning: An error occured while loading module hammer_cli_csv
Could not load the API description from the server: SSL certificate verification failed
Make sure you configured the correct URL and have the server's CA certificate installed on your system.

The following configuration option were used for the SSL connection:
ssl_ca_file = /etc/pki/katello/certs/katello-default-ca.crt

Make sure the location contains an unexpired and valid CA certificate for https://sat63-snap19.example.com

Warning: An error occured while loading module hammer_cli_foreman
Could not load the API description from the server: SSL certificate verification failed
Make sure you configured the correct URL and have the server's CA certificate installed on your system.

The following configuration option were used for the SSL connection:
ssl_ca_file = /etc/pki/katello/certs/katello-default-ca.crt

Make sure the location contains an unexpired and valid CA certificate for https://sat63-snap19.example.com

Warning: An error occured while loading module hammer_cli_foreman_bootdisk
Could not load the API description from the server: SSL certificate verification failed
Make sure you configured the correct URL and have the server's CA certificate installed on your system.

The following configuration option were used for the SSL connection:
ssl_ca_file = /etc/pki/katello/certs/katello-default-ca.crt

Make sure the location contains an unexpired and valid CA certificate for https://sat63-snap19.example.com

Warning: An error occured while loading module hammer_cli_foreman_docker
Could not load the API description from the server: SSL certificate verification failed
Make sure you configured the correct URL and have the server's CA certificate installed on your system.

The following configuration option were used for the SSL connection:
ssl_ca_file = /etc/pki/katello/certs/katello-default-ca.crt

Make sure the location contains an unexpired and valid CA certificate for https://sat63-snap19.example.com

Warning: An error occured while loading module hammer_cli_foreman_openscap
Could not load the API description from the server: SSL certificate verification failed
Make sure you configured the correct URL and have the server's CA certificate installed on your system.

The following configuration option were used for the SSL connection:
ssl_ca_file = /etc/pki/katello/certs/katello-default-ca.crt

Make sure the location contains an unexpired and valid CA certificate for https://sat63-snap19.example.com

Warning: An error occured while loading module hammer_cli_foreman_remote_execution
Warning: An error occured while loading module hammer_cli_foreman_tasks
Could not load the API description from the server: SSL certificate verification failed
Make sure you configured the correct URL and have the server's CA certificate installed on your system.

The following configuration option were used for the SSL connection:
ssl_ca_file = /etc/pki/katello/certs/katello-default-ca.crt

Make sure the location contains an unexpired and valid CA certificate for https://sat63-snap19.example.com

Warning: An error occured while loading module hammer_cli_foreman_virt_who_configure
Could not load the API description from the server: SSL certificate verification failed
Make sure you configured the correct URL and have the server's CA certificate installed on your system.

The following configuration option were used for the SSL connection:
ssl_ca_file = /etc/pki/katello/certs/katello-default-ca.crt

Make sure the location contains an unexpired and valid CA certificate for https://sat63-snap19.example.com

Warning: An error occured while loading module hammer_cli_katello

Expected results:
Hammer should work out of the box even when using custom certificates.

Additional info:
This was not needed in 6.2, so I'm not sure if this is something the installer does differently or what's going on, but when creating a ~/.hammer/cli_config.yml with the following content, it works:

:ssl:
  :ssl_ca_file: '/root/ca-chain.pem'

Satellite was installed with the following:

satellite-installer --scenario satellite \
  --certs-server-cert "/root/sat63-snap19.example.com.crt" \
  --certs-server-cert-req "/root/fake.csr" \
  --certs-server-key "/root/sat63-snap19.example.com.key" \
  --certs-server-ca-cert "/root/ca-chain.pem" \
  --foreman-admin-password redhat123 \
  --foreman-initial-organization "testday" \
  --foreman-proxy-tftp true

And output of katello-certs-check:
Checking expiration of certificate: [OK]
Checking expiration of CA bundle: [OK]
Validating the certificate subject= /C=SE/ST=Stockholm/O=opuk lab/OU=opuk lab intermediate/CN=sat63-snap19.example.com/emailAddress=
Checking to see if the private key matches the certificate: [OK]
Checking ca bundle against the cert file: [OK]
Checking for non ascii characters[OK]
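
The failure described above can be reproduced offline with Ruby's OpenSSL bindings. This is an added example, not code from hammer or the installer: it builds a constructed PKI (all names and certificates are placeholders) and verifies a server certificate issued by an intermediate CA against three candidate CA files, the role :ssl_ca_file: plays. It assumes the server does not supply the intermediate itself.

```ruby
require 'openssl'
require 'tempfile'

# Constructed demo PKI; names are placeholders, not values from the report.
def make_cert(cn, key, issuer: nil, issuer_key: nil, ca: false)
  cert = OpenSSL::X509::Certificate.new
  cert.version = 2                                  # X.509 v3
  cert.serial = rand(1..2**31)
  cert.subject = OpenSSL::X509::Name.parse("/CN=#{cn}")
  cert.issuer = (issuer || cert).subject            # self-signed when no issuer
  cert.public_key = key.public_key
  cert.not_before = Time.now - 60
  cert.not_after = Time.now + 3600
  if ca
    ef = OpenSSL::X509::ExtensionFactory.new
    cert.add_extension(ef.create_extension('basicConstraints', 'CA:TRUE', true))
  end
  cert.sign(issuer_key || key, OpenSSL::Digest.new('SHA256'))
end

def demo_pki
  k = Array.new(4) { OpenSSL::PKey::RSA.new(2048) }
  default_ca = make_cert('installer default CA', k[0], ca: true)
  root = make_cert('custom root CA', k[1], ca: true)
  inter = make_cert('custom intermediate CA', k[2], issuer: root, issuer_key: k[1], ca: true)
  server = make_cert('sat.example.test', k[3], issuer: inter, issuer_key: k[2])
  { default_ca: default_ca, root: root, intermediate: inter, server: server }
end

# Verify `leaf` against a PEM file holding `ca_certs`, as a client would
# with the file named by :ssl_ca_file:. Returns [verified?, error string].
def verify_with_ca_file(leaf, ca_certs)
  Tempfile.create('ca-file') do |f|
    f.write(ca_certs.map(&:to_pem).join)
    f.flush
    store = OpenSSL::X509::Store.new
    store.add_file(f.path)
    [store.verify(leaf), store.error_string]
  end
end

if __FILE__ == $PROGRAM_NAME
  pki = demo_pki
  { 'default CA only' => [pki[:default_ca]],
    'root only' => [pki[:root]],
    'root + intermediate' => [pki[:root], pki[:intermediate]] }.each do |label, cas|
    ok, err = verify_with_ca_file(pki[:server], cas)
    puts format('%-22s verified=%-5s (%s)', label, ok, err)
  end
end
```

Only the bundle containing both the root and the intermediate verifies the server certificate; the unrelated default CA and the root on its own both fail.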

Associated revisions

Revision a7ba5e8a (diff)
Added by Stephen Benjamin about 3 years ago

fixes #22196 - configure hammer SSL CA certificate bundle

Revision a44162f5 (diff)
Added by Stephen Benjamin about 3 years ago

fixes #22196 - use ssl chain for hammer if available

History

#1 Updated by The Foreman Bot about 3 years ago

  • Assignee set to Stephen Benjamin
  • Status changed from New to Ready For Testing
  • Pull request https://github.com/Katello/katello-installer/pull/574 added

#2 Updated by Stephen Benjamin about 3 years ago

  • % Done changed from 0 to 100
  • Status changed from Ready For Testing to Closed

Applied in changeset commit:katello-installer|a7ba5e8a013c67ac799a4863958fdbb8d038a124.

#3 Updated by Stephen Benjamin about 3 years ago

  • Status changed from Closed to New
  • Category deleted (Installer)
  • Subject changed from Hammer errors out with certificate errors when using custom certs to Hammer errors out with certificate errors when using CA chain
  • Project changed from Katello to Installer

#4 Updated by The Foreman Bot about 3 years ago

  • Status changed from New to Ready For Testing
  • Pull request https://github.com/theforeman/puppet-foreman/pull/615 added

#5 Updated by Stephen Benjamin about 3 years ago

  • Status changed from Ready For Testing to Closed
