Bug #26043

service command can't connect to remote mongodb

Added by Martin Bacovsky 6 months ago. Updated 6 months ago.

Target version:
Bugzilla link:
Team Backlog:
Foreman Maintain
Fixed in Releases:
Found in Releases:


Cloned from

Description of problem:
foreman-maintain service can not connect to remote mongodb when pulp configuration contain empty path to a ssl cert.

name: pulpdb
seeds: <host>:27017
username: pulpuser
password: FILTERED
ssl: true
verify_ssl: false
ca_path: /etc/pki/tls/certs/ca-bundle.crt
unsafe_autoretry: false

After 'foreman-maintain service status' /var/log/foreman-maintain/foreman-maintain.log contains:

D, [2019-02-07 23:58:37+0000 #5681] DEBUG -- : Running command scl enable rh-mongodb34 -- mongo u pulpuser -p [FILTERED] --host <host> --port 27017 --ssl --sslCAFile /etc/pki/tls/certs/ca-bundle.crt
--sslPEMKeyFile --eval 'db.version()' pulpdb with stdin nil
D, [2019-02-07 23:58:37+0000 #5681] DEBUG -
: output of the command:
2019-02-07T23:58:37.429+0000 E NETWORK [main] cannot read certificate file: --eval error:02001002:system library:fopen:No such file or directory
Failed global initialization: InvalidSSLConfiguration Can not set up PEM key file.
D, [2019-02-07 23:58:37+0000 #5681] DEBUG -- : Mongo version detection failed, choosing from installed versions

Version-Release number of selected component (if applicable):
foreman_maintain (0.2.11)

How reproducible:

Steps to Reproduce:
1. Configure Satellite to use remote MongoDB
2. Have ssl_certfile: <empty> in /etc/pulp/server.conf
3. Make sure the remote DB is running

Actual results:
$ foreman-maintain service status
rh-mongodb34-mongod is remote and is DOWN.

Expected results:
$ foreman-maintain service status
rh-mongodb34-mongod is remote and is UP.

Additional info:
foreman-maintain also ignores the following parameters that were present in the config:

verify_ssl: false
unsafe_autoretry: false

Associated revisions

Revision aed650fd (diff)
Added by Martin Bacovsky 6 months ago

Fixes #26043 - Remote Mongo SSL connection improvements

This patch fixes improper handling of empty entries in Pulp's
Mongo ssl configuration. Empty ssl_certfile and ca_path are ignored.
verify_ssl = false is now supported.

'service status' is printing the remote service is DOWN when it
can not connect to the remote DB. This is not helpful when the state
is not expected so some hints to look for the cause in logs were added.


#1 Updated by Martin Bacovsky 6 months ago

  • Triaged changed from No to Yes
  • Assignee changed from Anurag Patel to Martin Bacovsky
  • Status changed from New to Assigned
  • Team Backlog Foreman Maintain added

#2 Updated by The Foreman Bot 6 months ago

  • Status changed from Assigned to Ready For Testing
  • Pull request added

#3 Updated by Martin Bacovsky 6 months ago

  • Status changed from Ready For Testing to Closed

Also available in: Atom PDF