Bug #24788

closed

The kafo configure is generating incorrect 'foreman-proxy-client-bundle.pem' which is not allowing httpd service to start

Added by Amit Upadhye over 5 years ago. Updated over 5 years ago.

Status: Duplicate
Priority: Normal
Assignee: -
Difficulty:
Triaged: No
Fixed in Releases:
Found in Releases:

Description

Steps to reproduce,

1. Create an external smart proxy certs tarball using foreman-proxy-certs-generate,

  # foreman-proxy-certs-generate --foreman-proxy-fqdn "smart-proxy.example.com" --certs-tar "~/smart-proxy.example.com.tar"

2. Use smart-proxy.example.com.tar on the external smart proxy for installation and see httpd failing to start up,

/Stage[main]/Apache::Service/Service[httpd]/ensure: change from stopped to running failed: Systemd start for httpd failed!
journalctl log for httpd:
-- Logs begin at Mon 2018-09-03 19:26:11 IST, end at Mon 2018-09-03 20:38:31 IST. --
systemd[1]: Starting The Apache HTTP Server...
systemd[1]: httpd.service: main process exited, code=exited, status=1/FAILURE
kill[3871]: kill: cannot find process ""

httpd log says,

[Mon Sep 03 20:38:30.999387 2018] [ssl:emerg] [pid 3869] AH02311: Fatal error initialising mod_ssl, exiting. See /var/log/httpd/katello-reverse-proxy_error_ssl.log for more information

/var/log/httpd/katello-reverse-proxy_error_ssl.log,

AH02252: incomplete client cert configured for SSL proxy (missing or encrypted private key?)
AH02252: incomplete client cert configured for SSL proxy (missing or encrypted private key?)

Additional information -

According to this, if I check the client-bundle.pem cert, it shows the type as below,

  # file /etc/pki/katello/private/smart-proxy.example.com-foreman-proxy-client-bundle.pem
    /etc/pki/katello/private/smart-proxy.example.com-foreman-proxy-client-bundle.pem: ASCII text

and if I look at /etc/pki/katello/private/smart-proxy.example.com-foreman-proxy-client-bundle.pem, it has the key field with,

-----BEGIN PRIVATE KEY-----
-----END PRIVATE KEY-----

If I modify the key section of /etc/pki/katello/private/smart-proxy.example.com-foreman-proxy-client-bundle.pem as below, then it works,

-----BEGIN RSA PRIVATE KEY-----
-----END RSA PRIVATE KEY-----

  # file /etc/pki/katello/private/smart-proxy.example.com-foreman-proxy-client-bundle.pem
    /etc/pki/katello/private/smart-proxy.example.com-foreman-proxy-client-bundle.pem: PEM RSA private key
  # systemctl start httpd
    [no errors]

Environment,

Server (katello system),
foreman-installer-katello-3.8.0-1.nightly.201807092226git8d83241.el7.noarch
katello-3.8.0-4.nightly.el7.noarch
httpd-2.4.6-80.el7_5.1.x86_64

External smart proxy,
httpd-2.4.6-80.el7.x86_64
foreman-installer-katello-3.9.0-0.201808062246gita2cd105.2.el7.noarch

Both are RHEL 7 systems.

I was under the impression that foreman-proxy-certs-generate creates the client-bundle file (smart-proxy.example.com-foreman-proxy-client-bundle.pem), but it is being handled by the kafo installer. If I am still incorrect, then I request that this issue be moved to the correct component.

Actions #1

Updated by Amit Upadhye over 5 years ago

  • Status changed from New to Duplicate

Marking this as a duplicate of https://projects.theforeman.org/issues/24974, as I am not getting any option to move this to the installer project.
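
A pre-flight check for the condition described in the report above, as an added example that is not part of the original issue or of the Foreman/Katello code: it classifies the PEM blocks in a client bundle by header and flags the `PRIVATE KEY` header the reporter saw rejected, along with the missing or encrypted key cases named in AH02252. The function names, verdict labels and sample bundle are assumptions made for this example.

```shell
#!/bin/sh
# Added example; verdict names are invented here, only headers from the report are classified.

# check_proxy_bundle FILE: print a verdict, exit 0 only for the header that
# the report says httpd 2.4.6 accepted ("RSA PRIVATE KEY", unencrypted).
check_proxy_bundle() {
    tr -d '\r' < "$1" | awk '
        /^-----BEGIN .*-----$/ {
            if (inblk) { bad = 1; exit }            # BEGIN inside an open block
            label = substr($0, 12, length($0) - 16); inblk = 1; body = 0; next
        }
        /^-----END .*-----$/ {
            if (!inblk || substr($0, 10, length($0) - 14) != label) { bad = 1; exit }
            if (body == 0) empty = 1                # header pair with nothing inside
            seen[label]++; inblk = 0; next
        }
        inblk && /^Proc-Type:.*ENCRYPTED/ { enc = 1 }   # passphrase-protected legacy key
        inblk && NF { body++ }
        END {
            if (bad || inblk)                              v = "malformed"
            else if (empty)                                v = "empty-block"
            else if (!seen["CERTIFICATE"])                 v = "no-certificate"
            else if (enc || seen["ENCRYPTED PRIVATE KEY"]) v = "encrypted-key"
            else if (seen["PRIVATE KEY"])                  v = "pkcs8-header"
            else if (seen["RSA PRIVATE KEY"])              v = "rsa-header"
            else                                           v = "no-key"
            print v
            exit (v != "rsa-header")
        }'
}

# Constructed sample bundle: placeholder bodies, not real certificate or key data.
write_sample() {  # write_sample KEY_LABEL FILE
    cat > "$2" <<EOF
-----BEGIN CERTIFICATE-----
CONSTRUCTED-PLACEHOLDER-NOT-A-CERT
-----END CERTIFICATE-----
-----BEGIN $1-----
CONSTRUCTED-PLACEHOLDER-NOT-A-KEY
-----END $1-----
EOF
}

tmp=$(mktemp -d)
for label in "PRIVATE KEY" "RSA PRIVATE KEY" "ENCRYPTED PRIVATE KEY"; do
    write_sample "$label" "$tmp/bundle.pem"
    printf '%-22s -> %s\n' "$label" "$(check_proxy_bundle "$tmp/bundle.pem")"
done
rm -rf "$tmp"
```

The check reads only the PEM armor lines, so it never parses or prints key material; it reports which header is present and does not decide whether httpd or the certificate tooling is at fault.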
