Bug #34317
closed
[Custom Certs] - Failed to install the custom certs on Katello 4.3, works on 4.1
Description
Cloned from https://bugzilla.redhat.com/show_bug.cgi?id=2036054
Description of problem:
[Custom Certs] - Failed to install the custom certs on the Satellite 7.0.0, works fine in 6.10
Version-Release number of selected component (if applicable):
fails on Satellite 7.0.0
Passes on Satellite 6.10
How reproducible:
Always
Steps to Reproduce:
1. Generate the CA certs bundle and install it as follows
[root@dhcp-3-215 ~]# satellite-installer --scenario satellite \
--certs-server-cert "/root/satellite.redhat.com/satellite.redhat.com.crt" \
--certs-server-key "/root/satellite.redhat.com/satellite.redhat.com.key" \
--certs-server-ca-cert "/root/cacert.crt" \
--certs-update-server --certs-update-server-ca
Actual results:
Satellite Installer is not installing the custom certs in Satellite.
Expected results:
Satellite Installer should install the custom certs on the Satellite.
Additional info:
Updated by Evgeni Golov almost 3 years ago
- Subject changed from [Custom Certs] - Failed to install the custom certs on Katello 4.3, works on 4.1 to [Custom Certs] - Failed to install the custom certs on Katello 4.3, works on 4.1
- Found in Releases 3.1.0 added
The problem is that puppet-certs dropped the "trusted_ca" use in the following commit:
commit 953261ffd2eb52b7176ab365fb0c4e9245435d99
Author: Eric D. Helms <ericdhelms@gmail.com>
Date: Thu Jul 2 15:16:29 2020 -0400
Refs #30316: Drop bootstrap RPM code
And moved it to puppet-foreman_proxy_content:
commit 7bf101dc5507c90936b9e6169b91848ef106fe0f
Author: Eric D. Helms <ericdhelms@gmail.com>
Date: Thu Jul 2 14:09:33 2020 -0400
Fixes #30316: Move bootstrap RPM generation from puppet-certs
but due to ordering, the fpc code is not executed before Foreman::Register/Foreman_host
is called, so at that point the CA is still untrusted and everything fails.
Re-running the installer works, as now the CA is trusted.
Updated by Ewoud Kohl van Wijngaarden almost 3 years ago
- Category set to Foreman modules
- Target version set to 3.1.1
I think the problem is that it's using the wrong file:
https://github.com/theforeman/puppet-foreman/blob/589abb8d88b2460acecc6b4b6d05b2e0f9258f92/manifests/register.pp#L13
That should be using the chain, not the CA.
SSLCertificateChainFile is what signed the public key, SSLCACertificateFile is the one that allows client certs.
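A way to check which bundle actually validates a server certificate, as an added example that is not part of this ticket or of puppet-foreman. The two CAs, their subjects, the host name and the temporary files are constructed; `client-ca` stands in for the CA that signs client certs and `server-ca` for the chain that signed the server cert. It assumes the `openssl` CLI is installed.

```shell
#!/usr/bin/env bash
# Added illustration with constructed CAs; nothing here comes from a real Foreman host.

# Create a self-signed CA: $1=dir $2=file stem $3=common name
make_ca() {
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=$3" \
    -keyout "$1/$2.key" -out "$1/$2.crt" >/dev/null 2>&1
}

# Issue a certificate from a CA: $1=dir $2=CA stem $3=cert stem $4=common name
issue_cert() {
  openssl req -newkey rsa:2048 -nodes -subj "/CN=$4" \
    -keyout "$1/$3.key" -out "$1/$3.csr" >/dev/null 2>&1 &&
  openssl x509 -req -in "$1/$3.csr" -CA "$1/$2.crt" -CAkey "$1/$2.key" \
    -CAcreateserial -days 1 -out "$1/$3.crt" >/dev/null 2>&1
}

# Succeeds only if bundle $1 contains the issuer chain of certificate $2
trusts() {
  openssl verify -CAfile "$1" "$2" >/dev/null 2>&1
}

# Prints which of the two bundles validates the server certificate
run_demo() {
  local d result
  d=$(mktemp -d) || return 1
  make_ca "$d" client-ca "Constructed client CA" &&
  make_ca "$d" server-ca "Constructed custom server CA" &&
  issue_cert "$d" server-ca server "foreman.example.test" || { rm -rf "$d"; return 1; }
  # The CA used for client certs did not sign the server cert, so it cannot validate it
  trusts "$d/client-ca.crt" "$d/server.crt" \
    && result="client-ca=trusted" || result="client-ca=untrusted"
  # The chain that signed the server cert is the file a connecting client must trust
  trusts "$d/server-ca.crt" "$d/server.crt" \
    && result="$result server-chain=trusted" || result="$result server-chain=untrusted"
  rm -rf "$d"
  echo "$result"
}

run_demo
```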
Updated by Ewoud Kohl van Wijngaarden almost 3 years ago
- Assignee deleted (Eric Helms)
Updated by The Foreman Bot almost 3 years ago
- Status changed from New to Ready For Testing
- Assignee set to Ewoud Kohl van Wijngaarden
- Pull request https://github.com/theforeman/puppet-foreman/pull/1022 added
Updated by Ewoud Kohl van Wijngaarden almost 3 years ago
- Status changed from Ready For Testing to Closed
Applied in changeset puppet-foreman|4648167da572951f81db118c57ea8cf30fffcd3f.
Updated by Ewoud Kohl van Wijngaarden almost 3 years ago
- Triaged changed from No to Yes
- Fixed in Releases 3.1.1, 3.2.0 added