Bug #24974

closed

The kafo configure is generating an incorrect 'foreman-proxy-client-bundle.pem' which is not allowing the httpd service to start

Added by Amit Upadhye about 6 years ago. Updated almost 6 years ago.

Status:
Duplicate
Priority:
Normal
Assignee:
Category:
-
Target version:
-
Difficulty:
Triaged:
No
Fixed in Releases:
Found in Releases:

Description

Steps to reproduce:

1. Create an external smart proxy certs tarball using foreman-proxy-certs-generate:

foreman-proxy-certs-generate --foreman-proxy-fqdn "smart-proxy.example.com" --certs-tar "~/smart-proxy.example.com.tar"

2. Use smart-proxy.example.com.tar on the external smart proxy for installation and see httpd failing to start up:

/Stage[main]/Apache::Service/Service[httpd]/ensure: change from stopped to running failed: Systemd start for httpd failed!
journalctl log for httpd:
-- Logs begin at Mon 2018-09-03 19:26:11 IST, end at Mon 2018-09-03 20:38:31 IST. --
systemd1: Starting The Apache HTTP Server...
systemd1: httpd.service: main process exited, code=exited, status=1/FAILURE
kill3871: kill: cannot find process ""

httpd logs say:

[Mon Sep 03 20:38:30.999387 2018] [ssl:emerg] [pid 3869] AH02311: Fatal error initialising mod_ssl, exiting. See /var/log/httpd/katello-reverse-proxy_error_ssl.log for more information

/var/log/httpd/katello-reverse-proxy_error_ssl.log:

AH02252: incomplete client cert configured for SSL proxy (missing or encrypted private key?)
AH02252: incomplete client cert configured for SSL proxy (missing or encrypted private key?)

Additional information:

According to this, if I check the client-bundle.pem cert then it shows the type as below:

file /etc/pki/katello/private/smart-proxy.example.com-foreman-proxy-client-bundle.pem
/etc/pki/katello/private/smart-proxy.example.com-foreman-proxy-client-bundle.pem: ASCII text

and if I look at /etc/pki/katello/private/smart-proxy.example.com-foreman-proxy-client-bundle.pem then it has a key field with:

-----BEGIN PRIVATE KEY-----
-----END PRIVATE KEY-----

If I modify the key section of /etc/pki/katello/private/smart-proxy.example.com-foreman-proxy-client-bundle.pem as below then it works:

-----BEGIN RSA PRIVATE KEY-----
-----END RSA PRIVATE KEY-----

file /etc/pki/katello/private/smart-proxy.example.com-foreman-proxy-client-bundle.pem
/etc/pki/katello/private/smart-proxy.example.com-foreman-proxy-client-bundle.pem: PEM RSA private key
systemctl start httpd
[no errors]

Environment:
Server

katello system:
foreman-installer-katello-3.8.0-1.nightly.201807092226git8d83241.el7.noarch
katello-3.8.0-4.nightly.el7.noarch
httpd-2.4.6-80.el7_5.1.x86_64

External smart proxy:
httpd-2.4.6-80.el7.x86_64
foreman-installer-katello-3.9.0-0.201808062246gita2cd105.2.el7.noarch

Both are RHEL 7 systems.

I was under the impression that foreman-proxy-certs-generate creates the client-bundle file (smart-proxy.example.com-foreman-proxy-client-bundle.pem), but it is being handled by the kafo installer; if I am still incorrect then please move this issue to the correct component.
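Added diagnostic example, not part of the report or of the Foreman/kafo code: a small Python checker that splits a client-certificate bundle such as foreman-proxy-client-bundle.pem into its PEM blocks, reports which private-key encoding is present (PKCS#8 "BEGIN PRIVATE KEY" versus PKCS#1 "BEGIN RSA PRIVATE KEY", the two forms the report compares), and flags the conditions named in the AH02252 message (missing, empty or encrypted private key). The sample bundle and its base64 bodies are constructed placeholders.

```python
import re
from typing import Dict, List

# Constructed sample: certificate plus a PKCS#8 ("BEGIN PRIVATE KEY") key.
# Bodies are fake base64 placeholders, not real key material.
SAMPLE_PKCS8_BUNDLE = """\
-----BEGIN CERTIFICATE-----
MIIBszCCAVygAwIBAgIBATANBgkqhkiG9w0BAQsFADA=
-----END CERTIFICATE-----
-----BEGIN PRIVATE KEY-----
MIIEvQIBADANBgkqhkiG9w0BAQEFAASCBKcwggSjAgEAAoIBAQ==
-----END PRIVATE KEY-----
"""

# One PEM block: BEGIN label, body, matching END label.
_PEM_BLOCK = re.compile(
    r"-----BEGIN (?P<label>[A-Z0-9 ]+)-----\r?\n(?P<body>.*?)-----END (?P=label)-----",
    re.S,
)

KEY_FORMATS = {  # PEM label -> on-disk key encoding
    "PRIVATE KEY": "pkcs8",
    "ENCRYPTED PRIVATE KEY": "pkcs8-encrypted",
    "RSA PRIVATE KEY": "pkcs1",
    "EC PRIVATE KEY": "sec1",
}

def pem_blocks(text: str) -> List[Dict[str, str]]:
    """Split a PEM bundle into label/body blocks (mismatched BEGIN/END pairs are skipped)."""
    return [m.groupdict() for m in _PEM_BLOCK.finditer(text)]

def inspect_bundle(text: str) -> Dict[str, object]:
    """Summarise what a client-cert bundle contains: cert present, key format, empty/encrypted key."""
    blocks = pem_blocks(text)
    keys = [b for b in blocks if b["label"].endswith("PRIVATE KEY")]
    key = keys[0] if keys else None
    encrypted = key is not None and (
        key["label"] == "ENCRYPTED PRIVATE KEY"
        or "Proc-Type: 4,ENCRYPTED" in key["body"]  # legacy PEM encryption header
    )
    return {
        "has_cert": any(b["label"] == "CERTIFICATE" for b in blocks),
        "key_format": KEY_FORMATS.get(key["label"], "unknown") if key else None,
        "key_empty": key is not None and not key["body"].strip(),
        "encrypted": encrypted,
    }

def problems(text: str) -> List[str]:
    """Conditions the AH02252 message asks about: missing, empty or encrypted client key."""
    r = inspect_bundle(text)
    out = []
    if not r["has_cert"]:
        out.append("no CERTIFICATE block")
    if r["key_format"] is None:
        out.append("no private key block")
    elif r["key_empty"]:
        out.append("private key block is empty")
    elif r["encrypted"]:
        out.append("private key is encrypted")
    return out
```

Run `inspect_bundle(open(path).read())` against the bundle on the proxy to see the key encoding alongside the `file` output quoted above; an empty `problems()` list means none of the conditions AH02252 names apply.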


Related issues: 2 (0 open, 2 closed)

Related to Foreman - Feature #3511: As a security person, I would like Foreman to run in FIPS mode (Resolved)
Is duplicate of Installer - Bug #26088: httpd fails to start after installing capsule in FIPS mode (Closed, Ivan Necas)