Bug 1058016 - ssl2jkstrust.py does not get root ca from chain in some cases
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Red Hat Enterprise Virtualization Manager
Classification: Red Hat
Component: ovirt-engine-reports
Version: 3.3.0
Hardware: x86_64
OS: Linux
medium
high
Target Milestone: ---
: 3.4.0
Assignee: Alon Bar-Lev
QA Contact: Barak Dagan
URL:
Whiteboard: integration
Depends On:
Blocks: 1064827 rhev3.4beta 1142926
 
Reported: 2014-01-26 13:24 UTC by Pablo Iranzo Gómez
Modified: 2018-12-05 17:02 UTC

Fixed In Version: ovirt-3.4.0-beta3
Doc Type: Bug Fix
Doc Text:
Clone Of:
: 1064827
Environment:
Last Closed: 2014-06-09 15:27:03 UTC
oVirt Team: ---
Target Upstream Version:




Links
System ID Priority Status Summary Last Updated
oVirt gerrit 23734 None None None Never
oVirt gerrit 23735 None None None Never
Red Hat Knowledge Base (Solution) 730823 None None None Never
Red Hat Product Errata RHEA-2014:0602 normal SHIPPED_LIVE rhevm-reports 3.4 bug fix and enhancement update 2014-06-09 19:26:10 UTC

Description Pablo Iranzo Gómez 2014-01-26 13:24:11 UTC
Description of problem:
Hi
After upgrading RHEV environment to 3.3, I was unable to properly start apache (server was upgraded from 3.0 -> 3.1 -> 3.2 -> 3.3 during all its life).

Once apache was working and RHEV-M too, I got one ETL error, so I proceeded to reinstall DWH and Reports, but reports was not installing:

Customizing Server...                                 [ DONE ]
Return Code is not zero
Error encountered while installing rhevm-reports, please consult the log file: /var/log/ovirt-engine/ovirt-engine-reports-setup-2014_01_26_12_31_48.log



The relevant part from that log was:


2014-01-26 12:36:34::DEBUG::common_utils::1018::root:: Executing command --> '/usr/share/ovirt-engine-reports/ssl2jkstrust.py --host=myserver.com --port=443 --keystore=/etc/ovirt-engine/ovirt-engine-reports/trust.jks --storepass=mypass' in working directory '/root'
2014-01-26 12:36:35::DEBUG::common_utils::1073::root:: output = 
2014-01-26 12:36:35::DEBUG::common_utils::1074::root:: stderr = Traceback (most recent call last):
  File "/usr/share/ovirt-engine-reports/ssl2jkstrust.py", line 116, in <module>
    main()
  File "/usr/share/ovirt-engine-reports/ssl2jkstrust.py", line 114, in main
    os.rename(tmp, options.keystore)
OSError: [Errno 2] No such file or directory


So we have two issues:

1- os.rename should check that the file was created before trying to remove it
2- the file wasn't created by ssl2jkstrust.py because it uses:

"for c in getChainFromSSL((options.host, int(options.port)))[1:]:"

Which fails when certificate is provided in return place '0' instead of '1'.

Changing that line to read "0:" instead of "1:" allowed installation to continue without any detectable issue


Version-Release number of selected component (if applicable):
rhevm-reports-3.3.0-28.el6ev.noarch

How reproducible:


Steps to Reproduce:
1. Ensure that certificate provides 'CERTIFICATE' in argument 0, probably because of missing chain
2. Run rhevm-reports-setup
3.

Actual results:

Setup fails because of the "No such file or directory" message.

Expected results:

Setup should have succeeded.

Additional info:

Patching the call to just try to gather the certificate from all/any return arguments instead of "1" should not have raised this issue.

As the whole environment is working fine, we could raise instead a warning during setup/upgrade phase.
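
An added example, not part of the original report and not the project's fix: one way to choose which certificates from the served chain go into the trust store without ending up with an empty list, plus a guard for the rename step. The Cert tuple, both function names and the "CN=Example CA" value are constructed for illustration.

```python
import os
from collections import namedtuple

# Constructed stand-in for a parsed certificate; a real script would fill these
# fields from the PEM blocks the server sends during the TLS handshake.
Cert = namedtuple("Cert", "subject issuer pem")


def select_trust_certs(chain):
    """Pick the certificates to import; never empty for a non-empty chain."""
    if not chain:
        raise ValueError("server presented no certificates")
    # subject == issuer marks a self-issued certificate, i.e. a root candidate.
    # (This compares names only; it does not verify the signature.)
    roots = [c for c in chain if c.subject == c.issuer]
    if roots:
        return roots
    # No root was sent: use whatever sits above the leaf, as chain[1:] does.
    if len(chain) > 1:
        return list(chain[1:])
    # Only a leaf was sent: chain[1:] would be empty, which is the case in this
    # report. Fall back to the leaf so the keystore is still produced.
    return list(chain[:1])


def install_keystore(tmp, dest):
    """Move the freshly built keystore into place, failing with a clear message."""
    if not os.path.exists(tmp):
        raise RuntimeError("no certificate was imported, %s was never created" % tmp)
    os.rename(tmp, dest)


if __name__ == "__main__":
    leaf = Cert("CN=myserver.com", "CN=Example CA", "<pem>")
    root = Cert("CN=Example CA", "CN=Example CA", "<pem>")
    for chain in ([leaf, root], [leaf]):
        print([c.subject for c in select_trust_certs(chain)])
```

Whatever this returns becomes a trust anchor in trust.jks, so the leaf fallback pins that one server certificate rather than a CA.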

Comment 2 Alon Bar-Lev 2014-01-26 17:16:18 UTC
Can you please attach /etc/httpd/conf.d/ssl.conf?

Can you please attach the output of:

$ openssl s_client -showcerts -connect localhost:443 < /dev/null

Thanks!

Comment 5 Pablo Iranzo Gómez 2014-01-26 21:18:33 UTC
Alon,
Let me know if any additional file is needed.

Regards,
Pablo

Comment 6 Alon Bar-Lev 2014-01-26 21:43:09 UTC
Thanks!

Can you please try to remove SSLCertificateChainFile?

I have a solution also in this state, just want to confirm.

Comment 7 Pablo Iranzo Gómez 2014-01-27 08:04:23 UTC
Alon,
Removing the SSLCertificateChain from ssl.conf, restarting apache, and using the original ssl2jkstrust.py gives no complaint, but it is also not creating the file.

Regards,
Pablo

Comment 8 Yaniv Lavi 2014-01-27 13:01:23 UTC
Do we want z stream on this?


Yaniv

Comment 11 Barak Dagan 2014-02-24 16:00:59 UTC
Should this bug be verified on upstream or downstream?
It is under rhev product, in which it is not implemented yet (av1), therefore not on qa. 
But targeted to ovirt-3.4.0-beta3, which has a different location in products tree.

Please solve it out.

Comment 12 Sandro Bonazzola 2014-02-27 15:03:08 UTC
(In reply to Barak Dagan from comment #11)
> Should this bug be verified on upstream or downstream?
> It is under rhev product, in which it is not implemented yet (av1),
> therefore not on qa. 

ovirt-3.4.0-beta3 has been delivered to QA for testing and the referenced patches point to upstream gerrit.
So this BZ should be ON_QA unless it's missing references to downstream gerrit.

> But targeted to ovirt-3.4.0-beta3, which has a different location in
> products tree.
> 
> Please solve it out.

Comment 13 Barak Dagan 2014-03-12 13:08:43 UTC
alonbl: 3.4 does not use this method to acquire the certificate, it is a 3.3-only bug.
you must have 3.4 bug to clone it into 3.3.

Comment 14 errata-xmlrpc 2014-06-09 15:27:03 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

http://rhn.redhat.com/errata/RHEA-2014-0602.html

