Bug #24974
closed
The kafo configure is generating incorrect 'foreman-proxy-client-bundle.pem' which is not allowing httpd service to start
Description
Steps to reproduce,
1. Create a external smart proxy certs tarball using foreman-proxy-certs-generate,
foreman-proxy-certs-generate --foreman-proxy-fqdn "smart-proxy.example.com" --certs-tar "~/smart-proxy.example.com.tar"2. Use smart-proxy.example.com.tar on external smart proxy for installation and see httpd failing to start up,
/Stage[main]/Apache::Service/Service[httpd]/ensure: change from stopped to running failed: Systemd start for httpd failed!
journalctl log for httpd:
-- Logs begin at Mon 2018-09-03 19:26:11 IST, end at Mon 2018-09-03 20:38:31 IST. --
systemd1: Starting The Apache HTTP Server...
systemd1: httpd.service: main process exited, code=exited, status=1/FAILURE
kill3871: kill: cannot find process ""
httpd logs says,
[Mon Sep 03 20:38:30.999387 2018] [ssl:emerg] [pid 3869] AH02311: Fatal error initialising mod_ssl, exiting. See /var/log/httpd/katello-reverse-proxy_error_ssl.log for more information
/var/log/httpd/katello-reverse-proxy_error_ssl.log,
AH02252: incomplete client cert configured for SSL proxy (missing or encrypted private key?)
AH02252: incomplete client cert configured for SSL proxy (missing or encrypted private key?)
Additional information -
According to this if I check client-bundle.pem cert then it shows type as below,
file /etc/pki/katello/private/smart-proxy.example.com-foreman-proxy-client-bundle.pem
/etc/pki/katello/private/smart-proxy.example.com-foreman-proxy-client-bundle.pem: ASCII textand if I see /etc/pki/katello/private/smart-proxy.example.com-foreman-proxy-client-bundle.pem then it has key field with,
-----BEGIN PRIVATE KEY-----
-----END PRIVATE KEY-----
If I modify key section of /etc/pki/katello/private/smart-proxy.example.com-foreman-proxy-client-bundle.pem as below then it works,
-----BEGIN RSA PRIVATE KEY-----
-----END RSA PRIVATE KEY-----
file /etc/pki/katello/private/smart-proxy.example.com-foreman-proxy-client-bundle.pem
/etc/pki/katello/private/smart-proxy.example.com-foreman-proxy-client-bundle.pem: PEM RSA private keysystemctl start httpd
[no errors]Environment,
Server
katello system,
foreman-installer-katello-3.8.0-1.nightly.201807092226git8d83241.el7.noarch
katello-3.8.0-4.nightly.el7.noarch
httpd-2.4.6-80.el7_5.1.x86_64External smart proxy,
httpd-2.4.6-80.el7.x86_64
foreman-installer-katello-3.9.0-0.201808062246gita2cd105.2.el7.noarch
Both are RHEL 7 systems.
I was under impression that foreman-proxy-certs-generate is creating client-bundle file(smart-proxy.example.com-foreman-proxy-client-bundle.pem) but its being handle by kafo installer, if still I am incorrect then request to move this issue to correct component.
Updated by Eric Helms about 5 years ago
- Has duplicate Bug #26088: httpd fails to start after installing capsule in FIPS mode added
Updated by The Foreman Bot about 5 years ago
- Status changed from New to Ready For Testing
- Assignee set to Ivan Necas
- Pull request https://github.com/theforeman/puppet-foreman_proxy_content/pull/194 added
Updated by The Foreman Bot about 5 years ago
- Pull request https://github.com/theforeman/puppet-certs/pull/242 added
Updated by Ivan Necas about 5 years ago
- Related to Feature #3511: As a security person, I would like Foreman to run in FIPS mode added
Updated by Eric Helms about 5 years ago
- Status changed from Ready For Testing to Closed
Updated by Ewoud Kohl van Wijngaarden about 5 years ago
- Status changed from Closed to Duplicate
- Bugzilla link deleted (
1678322) - Pull request deleted (
https://github.com/theforeman/puppet-certs/pull/242, https://github.com/theforeman/puppet-foreman_proxy_content/pull/194)
Updated by Ewoud Kohl van Wijngaarden about 5 years ago
- Has duplicate deleted (Bug #26088: httpd fails to start after installing capsule in FIPS mode)
Updated by Ewoud Kohl van Wijngaarden about 5 years ago
- Is duplicate of Bug #26088: httpd fails to start after installing capsule in FIPS mode added