Bug #24974

The kafo configure is generating an incorrect 'foreman-proxy-client-bundle.pem', which is not allowing the httpd service to start

Added by Amit Upadhye almost 3 years ago. Updated over 2 years ago.

Status:
Duplicate
Priority:
Normal
Assignee:
Category:
-
Target version:
-
Difficulty:
Triaged:
No
Bugzilla link:
Pull request:
Fixed in Releases:
Found in Releases:

Description

Steps to reproduce:

1. Create an external smart proxy certs tarball using foreman-proxy-certs-generate:

foreman-proxy-certs-generate --foreman-proxy-fqdn "smart-proxy.example.com" --certs-tar "~/smart-proxy.example.com.tar"

2. Use smart-proxy.example.com.tar on the external smart proxy for installation and see httpd failing to start up:

/Stage[main]/Apache::Service/Service[httpd]/ensure: change from stopped to running failed: Systemd start for httpd failed!
journalctl log for httpd:
-- Logs begin at Mon 2018-09-03 19:26:11 IST, end at Mon 2018-09-03 20:38:31 IST. --
systemd[1]: Starting The Apache HTTP Server...
systemd[1]: httpd.service: main process exited, code=exited, status=1/FAILURE
kill[3871]: kill: cannot find process ""

The httpd log says:

[Mon Sep 03 20:38:30.999387 2018] [ssl:emerg] [pid 3869] AH02311: Fatal error initialising mod_ssl, exiting. See /var/log/httpd/katello-reverse-proxy_error_ssl.log for more information

/var/log/httpd/katello-reverse-proxy_error_ssl.log:

AH02252: incomplete client cert configured for SSL proxy (missing or encrypted private key?)
AH02252: incomplete client cert configured for SSL proxy (missing or encrypted private key?)

Additional information:

According to this, if I check the client-bundle.pem cert then it shows the type as below:

file /etc/pki/katello/private/smart-proxy.example.com-foreman-proxy-client-bundle.pem
/etc/pki/katello/private/smart-proxy.example.com-foreman-proxy-client-bundle.pem: ASCII text

and if I look at /etc/pki/katello/private/smart-proxy.example.com-foreman-proxy-client-bundle.pem then it has a key section with:

-----BEGIN PRIVATE KEY-----
-----END PRIVATE KEY-----

If I modify the key section of /etc/pki/katello/private/smart-proxy.example.com-foreman-proxy-client-bundle.pem as below then it works:

-----BEGIN RSA PRIVATE KEY-----
-----END RSA PRIVATE KEY-----

file /etc/pki/katello/private/smart-proxy.example.com-foreman-proxy-client-bundle.pem
/etc/pki/katello/private/smart-proxy.example.com-foreman-proxy-client-bundle.pem: PEM RSA private key
systemctl start httpd
[no errors]

Environment:

Katello system:
foreman-installer-katello-3.8.0-1.nightly.201807092226git8d83241.el7.noarch
katello-3.8.0-4.nightly.el7.noarch
httpd-2.4.6-80.el7_5.1.x86_64

External smart proxy:
httpd-2.4.6-80.el7.x86_64
foreman-installer-katello-3.9.0-0.201808062246gita2cd105.2.el7.noarch

Both are RHEL 7 systems.

I was under the impression that foreman-proxy-certs-generate is creating the client-bundle file (smart-proxy.example.com-foreman-proxy-client-bundle.pem), but it is being handled by the kafo installer; if I am still incorrect then I request that this issue be moved to the correct component.
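The diagnosis and workaround above, as an added shell example that is not part of this report and not code from foreman-installer, puppet-certs or foreman-proxy-certs-generate. It checks a client bundle the way httpd 2.4.6's mod_ssl will read it and re-encodes the key instead of relabelling it: mod_ssl loads SSLProxyMachineCertificateFile with OpenSSL's PEM_X509_INFO_read_bio(), which in the OpenSSL 1.0 series that RHEL 7's httpd links against only pairs a certificate with a key block labelled "RSA PRIVATE KEY", "DSA PRIVATE KEY" or "EC PRIVATE KEY"; a PKCS#8 "PRIVATE KEY" block is skipped, so the bundle looks like a certificate without a key and AH02252 is logged. Renaming the header as the reporter did leaves the PKCS#8 DER body untouched; converting the key to PKCS#1 and checking it against the certificate is the cleaner fix. The proxy name, paths and the generated sample key and certificate are constructed for the example.

```shell
#!/bin/sh
# Added example: check/repair a mod_ssl client bundle (cert + key in one PEM).
# Not code from the bug report or from the Foreman/Katello installer.

# Label of the first private-key block in $1, e.g. "PRIVATE KEY" (PKCS#8).
pem_key_label() {
    sed -n 's/^-----BEGIN \(.*PRIVATE KEY\)-----$/\1/p' "$1" | head -n 1
}

# Number of CERTIFICATE blocks in $1.
pem_cert_count() {
    grep -c '^-----BEGIN CERTIFICATE-----$' "$1" || true
}

# Only the CERTIFICATE blocks of $1, in order.
pem_extract_certs() {
    awk '/^-----BEGIN CERTIFICATE-----$/ {p=1} p {print} /^-----END CERTIFICATE-----$/ {p=0}' "$1"
}

# Only the first private-key block of $1, whatever its label.
pem_extract_key() {
    awk '/^-----BEGIN .*PRIVATE KEY-----$/ {p=1} p {print} /^-----END .*PRIVATE KEY-----$/ {exit}' "$1"
}

# Key labels that PEM_X509_INFO_read_bio() in OpenSSL 1.0 pairs with a cert.
label_is_traditional() {
    case "$1" in
        "RSA PRIVATE KEY"|"DSA PRIVATE KEY"|"EC PRIVATE KEY") return 0 ;;
        *) return 1 ;;
    esac
}

# Re-encode an unencrypted RSA key (PKCS#8 or PKCS#1) as PKCS#1 on stdout.
# OpenSSL 3 writes PKCS#8 unless given -traditional; OpenSSL 1.x lacks the
# flag and writes PKCS#1 by default, hence the fallback. "-passin pass:"
# makes an encrypted key fail instead of prompting.
key_to_traditional() {
    openssl rsa -in "$1" -passin pass: -traditional 2>/dev/null \
        || openssl rsa -in "$1" -passin pass: 2>/dev/null
}

# The public half of key $1 must equal the public key in certificate $2.
key_matches_cert() {
    certpub=$(openssl x509 -in "$2" -noout -pubkey 2>/dev/null) || return 1
    keypub=$(openssl pkey -in "$1" -passin pass: -pubout 2>/dev/null) || return 1
    [ -n "$certpub" ] && [ "$certpub" = "$keypub" ]
}

# Diagnose bundle $1; returns 0 only if mod_ssl would get both cert and key.
check_bundle() {
    label=$(pem_key_label "$1")
    ncerts=$(pem_cert_count "$1")
    if [ "$ncerts" -eq 0 ]; then echo "$1: no CERTIFICATE block"; return 1; fi
    if [ -z "$label" ]; then echo "$1: no private key block"; return 1; fi
    if label_is_traditional "$label"; then
        echo "$1: $ncerts cert(s), key label '$label' (accepted by mod_ssl)"; return 0
    fi
    echo "$1: $ncerts cert(s), key label '$label' (ignored by mod_ssl, expect AH02252)"
    return 1
}

# Write bundle $1 to $2 with the same certificates and the key as PKCS#1.
# Refuses to produce a bundle whose key does not match its certificate.
fix_bundle() {
    src=$1; dst=$2
    tmpd=$(mktemp -d) || return 1
    pem_extract_certs "$src" > "$tmpd/certs.pem"
    pem_extract_key "$src" > "$tmpd/key.pem"
    if ! key_to_traditional "$tmpd/key.pem" > "$tmpd/key-pkcs1.pem"; then
        echo "$src: cannot re-encode private key (missing, encrypted or not RSA?)" >&2
        rm -rf "$tmpd"; return 1
    fi
    if ! key_matches_cert "$tmpd/key-pkcs1.pem" "$tmpd/certs.pem"; then
        echo "$src: private key does not match certificate, not writing $dst" >&2
        rm -rf "$tmpd"; return 1
    fi
    # The output holds key material: create it readable by the owner only.
    ( umask 077; cat "$tmpd/certs.pem" "$tmpd/key-pkcs1.pem" > "$dst" )
    rm -rf "$tmpd"
}

# Constructed sample in directory $1, shaped like the reported bundle: a
# self-signed cert for a made-up proxy name followed by the PKCS#8 key that
# openssl genpkey emits by default.
make_sample_bundle() {
    openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 \
        -out "$1/key.pem" 2>/dev/null || return 1
    openssl req -new -x509 -key "$1/key.pem" -days 1 \
        -subj "/CN=smart-proxy.example.com" -out "$1/cert.pem" 2>/dev/null || return 1
    cat "$1/cert.pem" "$1/key.pem" > "$1/bundle.pem"
}

# Demo run (skipped when openssl is not installed).
if command -v openssl >/dev/null 2>&1; then
    demo=$(mktemp -d)
    make_sample_bundle "$demo"
    check_bundle "$demo/bundle.pem" || true       # 'PRIVATE KEY': expect AH02252
    fix_bundle "$demo/bundle.pem" "$demo/bundle-fixed.pem"
    check_bundle "$demo/bundle-fixed.pem"         # 'RSA PRIVATE KEY': accepted
    rm -rf "$demo"
fi
```

On a proxy showing this error, run check_bundle against the real bundle under /etc/pki/katello/private before touching it; if it reports a 'PRIVATE KEY' label, fix_bundle writes a replacement whose key has been verified against the certificate, and the matching check is the reason to prefer this over editing the header by hand. The installer will still regenerate the file on its next run, so this only confirms the cause and gets httpd up; the generator fix belongs with the FIPS-mode issue this report was closed against.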


Related issues

Related to Foreman - Feature #3511: As a security person, I would like Foreman to run in FIPS mode (Resolved)
Is duplicate of Installer - Bug #26088: httpd fails to start after installing capsule in FIPS mode (Closed)

History

#1 Updated by Eric Helms over 2 years ago

  • Has duplicate Bug #26088: httpd fails to start after installing capsule in FIPS mode added

#2 Updated by The Foreman Bot over 2 years ago

  • Assignee set to Ivan Necas
  • Status changed from New to Ready For Testing
  • Pull request https://github.com/theforeman/puppet-foreman_proxy_content/pull/194 added

#3 Updated by Ivan Necas over 2 years ago

  • Bugzilla link set to 1678322

#4 Updated by The Foreman Bot over 2 years ago

  • Pull request https://github.com/theforeman/puppet-certs/pull/242 added

#5 Updated by Ivan Necas over 2 years ago

  • Related to Feature #3511: As a security person, I would like Foreman to run in FIPS mode added

#6 Updated by Eric Helms over 2 years ago

  • Status changed from Ready For Testing to Closed

#7 Updated by Ewoud Kohl van Wijngaarden over 2 years ago

  • Bugzilla link deleted (1678322)
  • Status changed from Closed to Duplicate
  • Pull request deleted (https://github.com/theforeman/puppet-foreman_proxy_content/pull/194, https://github.com/theforeman/puppet-certs/pull/242)

#8 Updated by Ewoud Kohl van Wijngaarden over 2 years ago

  • Has duplicate deleted (Bug #26088: httpd fails to start after installing capsule in FIPS mode)

#9 Updated by Ewoud Kohl van Wijngaarden over 2 years ago

  • Is duplicate of Bug #26088: httpd fails to start after installing capsule in FIPS mode added
