Satellite / SAT-14042

wrong generation of /etc/tomcat/cert-users.properties


    • Moderate

      Description of problem:

      Due to the different approaches used for certificate generation and for /etc/tomcat/cert-users.properties generation, it is possible to get authentication errors in candlepin.

      If an empty string is used in the certs section of /etc/foreman-installer/scenarios.d/satellite-answers.yaml, as below

      certs:
        country: US
        state: '' <<<<<<<<<
        city: Raleigh
        org: Katello
        org_unit: '' <<<<<<<<

      the certificate is generated without ST and OU, as below

      # grep Subject /etc/pki/katello/certs/java-client.crt
        Subject: C=US, O=candlepin, CN=localhost

      however, /etc/tomcat/cert-users.properties is generated with empty OU and ST, as below

      # cat /etc/tomcat/cert-users.properties
        katelloUser=CN=localhost, OU=, O=candlepin, ST=, C=US

      Due to this mismatch, authentication errors appear in /var/log/candlepin/error.log, as below

      2021-05-24 17:00:54,608 [thread=Thread-16 (activemq-netty-threads)] [=, org=, csid=] WARN org.apache.activemq.artemis.core.server - AMQ222216: Security problem while authenticating: AMQ229031: Unable to validate user from /127.0.0.1:54708. Username: null; SSL certificate subject DN: CN=localhost, O=candlepin, C=US
      2021-05-24 17:00:54,609 [thread=Thread-16 (activemq-netty-threads)] [=, org=, csid=] WARN org.apache.activemq.artemis.core.protocol.stomp - AMQ332069: Sent ERROR frame to STOMP client /127.0.0.1:54708: Security Error occurred: User name [null] or password is invalid

      and in hammer ping

      # hammer ping
        candlepin_events:
            Status: FAIL
            message: Not running
            Server Response: Duration: 2ms

      Version-Release number of selected component (if applicable):
      At least since satellite-installer-6.8.0.11-1.el7sat.noarch

      How reproducible: Always

      Steps to Reproduce:
      1. Update /etc/foreman-installer/scenarios.d/satellite-answers.yaml
      2. Set some values in the certs category, such as 'state', to empty strings
      3. # satellite-installer --certs-regenerate true --certs-update-all --certs-update-server --certs-update-server-ca

      Actual results:
      Auth errors and hammer ping FAIL

      Expected results:
      No errors, correct generation of /etc/tomcat/cert-users.properties

      Additional info:

            ehelms@redhat.com Eric Helms
            jira-bugzilla-migration RH Bugzilla Integration
            Radek Mynar Radek Mynar
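
A diagnostic for the mismatch described in this report, added here as an example (it is not part of the original report or of the Satellite installer). It parses a `cert-users.properties` entry and a certificate `Subject:` line, flags RDNs with empty values, and builds the entry that would mirror the certificate subject. The function names are hypothetical, the sample strings are copied from the report, and CN-first ordering is assumed from the DN printed in the candlepin log.

```python
import re

# Sample input: the two values quoted in this report.
CERT_SUBJECT_LINE = "Subject: C=US, O=candlepin, CN=localhost"
PROPERTIES_LINE = "katelloUser=CN=localhost, OU=, O=candlepin, ST=, C=US"


def parse_dn(dn):
    """Split 'K=V, K=V' into (key, value) pairs; values may be empty.
    Assumes no escaped commas in values, which holds for the DNs shown here."""
    pairs = []
    for part in dn.split(","):
        key, _, value = part.strip().partition("=")
        pairs.append((key.strip().upper(), value.strip()))
    return pairs


def subject_rdns(subject_line):
    """Parse the 'Subject:' line found in the .crt file and return its RDNs
    in CN-first order, as the candlepin log and the properties file show them."""
    dn = re.sub(r"^\s*Subject:\s*", "", subject_line)
    return list(reversed(parse_dn(dn)))


def check_cert_user(properties_line, subject_line):
    """Compare one cert-users.properties entry with a certificate subject."""
    user, _, dn = properties_line.partition("=")
    user = user.strip()
    mapped = parse_dn(dn)
    actual = subject_rdns(subject_line)
    return {
        "user": user,
        # RDNs present in the mapping with no value, e.g. 'OU=' and 'ST='
        "empty_rdns": [k for k, v in mapped if v == ""],
        "matches": mapped == actual,
        # Entry that mirrors the certificate subject exactly
        "expected_entry": user + "=" + ", ".join(f"{k}={v}" for k, v in actual),
    }


if __name__ == "__main__":
    for key, value in check_cert_user(PROPERTIES_LINE, CERT_SUBJECT_LINE).items():
        print(f"{key}: {value}")
```
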