
Bug 1356955

Summary: When default-ca is updated, it doesn't update the nssdb
Product: Red Hat Satellite 6
Reporter: Ivan Necas <inecas>
Component: Installer
Assignee: Ivan Necas <inecas>
Status: CLOSED ERRATA
QA Contact: Lukas Pramuk <lpramuk>
Severity: medium
Priority: medium
Version: 6.2.0
CC: bbuckingham, jcallaha, lpramuk
Target Milestone: Unspecified
Keywords: Triaged
Target Release: Unused
Hardware: Unspecified
OS: Unspecified
Doc Type: If docs needed, set a value
Story Points: ---
Last Closed: 2018-02-21 16:59:39 UTC
Type: Bug
Regression: ---
Mount Type: ---
Documentation: ---
Category: ---
oVirt Team: ---
Cloudforms Team: ---
Bug Depends On: 1218251

Description Ivan Necas 2016-07-15 11:15:22 UTC
Description of problem:
When a new default-ca gets generated (which should be a pretty rare case
and can happen, for example, when the /root/ssl-build directory is removed
without a backup), the installer generates a new CA, but it fails to
update the nssdb with the new CA, which causes issues when connecting
to qpid later.

Version-Release number of selected component (if applicable):


Steps to Reproduce:
1. satellite-installer --scenario=satellite
2. rm -rf /root/ssl-build
3. satellite-installer


Actual results:

qpid-config --ssl-certificate /etc/pki/katello/certs/java-client.crt --ssl-key /etc/pki/katello/private/java-client.key -b 'amqps://sat-snap-rhel7.example.com:5671' add exchange topic event --durable returned 1 instead of one of [0]
 /Stage[main]/Certs::Candlepin/Exec[create candlepin qpid exchange]/returns: change from notrun to 0 failed: qpid-config --ssl-certificate /etc/pki/katello/certs/java-client.crt --ssl-key /etc/pki/katello/private/java-client.key -b 'amqps://sat-snap-rhel7.example.com:5671' add exchange topic event --durable returned 1 instead of one of [0]
 /Stage[main]/Certs::Candlepin/Exec[create candlepin qpid exchange]: Failed to call refresh: qpid-config --ssl-certificate /etc/pki/katello/certs/java-client.crt --ssl-key /etc/pki/katello/private/java-client.key -b 'amqps://sat-snap-rhel7.example.com:5671' add exchange topic event --durable returned 1 instead of one of [0]
 /Stage[main]/Certs::Candlepin/Exec[create candlepin qpid exchange]: qpid-config --ssl-certificate /etc/pki/katello/certs/java-client.crt --ssl-key /etc/pki/katello/private/java-client.key -b 'amqps://sat-snap-rhel7.example.com:5671' add exchange topic event --durable returned 1 instead of one of [0]


Expected results:

the new ca is deployed successfully

Comment 1 Ivan Necas 2016-07-15 11:22:43 UTC
A workaround is

   rm -rf /etc/pki/katello/nssdb
   satellite-installer

this makes sure the nssdb is recreated with valid certificates
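
A check for the condition this bug describes, as an added example (not code from the bug report or from the installer): it exports the CA from an NSS database with `certutil` and compares it with a CA file on disk by the SHA-256 of the DER bytes. The nssdb nickname and the CA file path are passed as arguments because the page does not state them.

```shell
#!/bin/sh
# Added example: detect an NSS database that still holds an old CA.

# Print the SHA-256 of the DER bytes of the first certificate in PEM file $1.
pem_sha256() {
    body=$(awk '/-----BEGIN CERTIFICATE-----/ {inside=1; next}
                /-----END CERTIFICATE-----/   {exit}
                inside {print}' "$1" | tr -d ' \r\n')
    [ -n "$body" ] || return 1          # no certificate block found
    printf '%s' "$body" | base64 -d | sha256sum | cut -d' ' -f1
}

# 0 = same certificate, 1 = different, 2 = one file has no certificate.
same_cert() {
    a=$(pem_sha256 "$1") || return 2
    b=$(pem_sha256 "$2") || return 2
    [ "$a" = "$b" ]
}

# Export nickname $2 from NSS database $1 and compare it with CA file $3.
# The nickname and the CA file path are caller-supplied assumptions.
nssdb_ca_in_sync() {
    tmp=$(mktemp) || return 2
    if ! certutil -L -d "$1" -n "$2" -a > "$tmp" 2>/dev/null; then
        rm -f "$tmp"; return 2
    fi
    rc=0; same_cert "$tmp" "$3" || rc=$?
    rm -f "$tmp"
    return "$rc"
}

# Usage: script NSSDB_DIR NICKNAME CA_PEM
if [ "$#" -eq 3 ]; then
    rc=0; nssdb_ca_in_sync "$1" "$2" "$3" || rc=$?
    case $rc in
        0) echo "OK: nssdb entry '$2' matches $3" ;;
        1) echo "STALE: nssdb entry '$2' differs from $3" ;;
        *) echo "ERROR: could not read a certificate from the nssdb or $3" ;;
    esac
    exit "$rc"
fi
```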

Comment 2 Ivan Necas 2016-07-15 11:23:36 UTC
Created redmine issue http://projects.theforeman.org/issues/15700 from this bug

Comment 3 Bryan Kearney 2016-07-15 14:16:08 UTC
Upstream bug assigned to inecas@redhat.com

Comment 4 Bryan Kearney 2016-07-15 14:16:10 UTC
Upstream bug assigned to inecas@redhat.com

Comment 6 Bryan Kearney 2016-10-12 20:09:25 UTC
Moving this bug to POST for triage into Satellite 6 since the upstream issue http://projects.theforeman.org/issues/15700 has been resolved.

Comment 7 Lukas Pramuk 2017-06-23 12:10:12 UTC
VERIFIED.

@satellite-6.3.0-15.0.beta.el7sat.noarch
katello-installer-base-3.4.1.3-1.el7sat.noarch

by manual reproducer in comment#0


3. # satellite-installer
Installing             Done                                               [100%] [.....................................]
  Success!
  * Katello is running at https://SATFQDN
  * To install an additional Foreman proxy on separate machine continue by running:

      foreman-proxy-certs-generate --foreman-proxy-fqdn "$FOREMAN_PROXY" --certs-tar "/root/$FOREMAN_PROXY-certs.tar"

  The full log is at /var/log/foreman-installer/satellite.log

>>> after certs storage removal in /root/ssl-build the other certs are generated as well

Comment 8 Bryan Kearney 2018-02-21 16:59:39 UTC
Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA.

For information on the advisory, and where to find the updated files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHSA-2018:0336