Project

General

Profile

Bug #18987

Updated by John Mitsch about 7 years ago

Cloned from https://bugzilla.redhat.com/show_bug.cgi?id=1434948  

 *Description of problem:* 

 When regenerating the CA certificates on Katello 6 the ueber certificates should also be regenerated. Otherwise, downstream Proxies will run into issues with synchronizing content. 

 *How reproducible:* 

 Always. 


 *Steps to Reproduce:* 

 1. Delete contents of /root/ssl-build and /root/ssl-build/<KAT_FQDN> 
 2. # katello-installer --certs-update-all --certs-regenerate-ca --certs-regenerate 
 3. Generate and install new certificate bundle for Proxies 
 4. Observe that Proxy content synchronization fails 

 nectar.downloaders.threaded:ERROR: Skipping requests to <KAT_FQDN> due to repeated connection failures: [SSL: TLSV1_ALERT_UNKNOWN_CA] tlsv1 alert unknown ca (_ssl.c:579) 


 *Actual results:* 

 - ueber certificate is still based off of old CA 
 - Proxy content synchronization fails 

 *Expected results:* 

 - ueber certificate has been refreshed against the new CA 
 - Proxy content synchronization is successful 


 *Additional info:* 

 Can be worked around by manually deleting the old ueber certificates in Candlepin. 

 Perhaps the installer can run this rake task in upstream that regenerates the ueber certificates: 

 http://projects.theforeman.org/issues/18403

Back