Bug
Resolution: Unresolved
Normal
6.18.0
sat-rocket
Description of problem:
I am attempting to install LetsEncrypt certificates to Satellite. This worked in versions prior to 6.17, but is failing in version 6.18.
How reproducible:
Always
Is this issue a regression from an earlier version:
Yes
Steps to Reproduce:
1. Install Satellite normally.
2. Obtain Let's Encrypt certificates for Satellite host. Files created include /etc/letsencrypt/archive/<servername>/{cert1,chain1,fullchain1,privkey1}.pem and symlinks to those files from /etc/letsencrypt/live/<servername>/.
3. Run:
$ wget https://letsencrypt.org/certs/isrgrootx1.pem
$ wget https://letsencrypt.org/certs/isrg-root-x2.pem
$ cat isrgrootx1.pem isrg-root-x2.pem > /root/letsencrypt-root.pem
$ cat /etc/letsencrypt/live/<servername>/fullchain.pem >> /root/letsencrypt-root.pem
$ satellite-installer --certs-server-cert /etc/letsencrypt/live/<servername>/cert.pem --certs-server-key /etc/letsencrypt/live/<servername>/privkey.pem --certs-server-ca-cert /root/letsencrypt-root.pem --certs-update-server --certs-update-server-ca
Actual behavior:
The run of satellite-installer generates four errors:
Error 1: Puppet Private_key resource '/etc/pki/katello/private/katello-apache.key' failed. Logs:
  /Stage[main]/Certs::Apache/Certs::Keypair[<servername>-apache]/Private_key[/etc/pki/katello/private/katello-apache.key]/before
    before to File[/etc/pki/katello/private/katello-apache.key]
  /Stage[main]/Certs::Apache/Certs::Keypair[<servername>-apache]/Private_key[/etc/pki/katello/private/katello-apache.key]
    Skipping automatic relationship with File[/etc/pki/katello/private/katello-apache.key]
    Starting to evaluate the resource (626 of 1569)
    Could not evaluate: No such file or directory @ rb_sysopen - /root/ssl-build/<servername>/<servername>-apache.key
    Evaluated in 0.00 seconds
Error 2: Puppet File resource '/etc/pki/katello/certs/katello-apache.crt' failed. Logs:
  /Stage[main]/Certs::Apache/Certs::Keypair[<servername>-apache]/File[/etc/pki/katello/certs/katello-apache.crt]
    Adding autorequire relationship with File[/etc/pki/katello/certs]
    Adding autorequire relationship with Group[foreman]
    Starting to evaluate the resource (628 of 1569)
    Could not evaluate: Could not retrieve information from environment production source(s) file:///root/ssl-build/<servername>/<servername>-apache.crt
    Evaluated in 0.00 seconds
Error 3: Puppet Private_key resource '/etc/foreman-proxy/ssl_key.pem' failed. Logs:
  /Stage[main]/Certs::Foreman_proxy/Certs::Keypair[<servername>-foreman-proxy]/Private_key[/etc/foreman-proxy/ssl_key.pem]/before
    before to File[/etc/foreman-proxy/ssl_key.pem]
  /Stage[main]/Certs::Foreman_proxy/Certs::Keypair[<servername>-foreman-proxy]/Private_key[/etc/foreman-proxy/ssl_key.pem]/notify
    notify to File[/etc/mosquitto/ssl/ssl_key.pem]
  /Stage[main]/Certs::Foreman_proxy/Certs::Keypair[<servername>-foreman-proxy]/Private_key[/etc/foreman-proxy/ssl_key.pem]
    Skipping automatic relationship with File[/etc/foreman-proxy/ssl_key.pem]
    Starting to evaluate the resource (716 of 1570)
    Could not evaluate: No such file or directory @ rb_sysopen - /root/ssl-build/<servername>/<servername>-foreman-proxy.key
    Evaluated in 0.00 seconds
Error 4: Puppet File resource '/etc/foreman-proxy/ssl_cert.pem' failed. Logs:
  /Stage[main]/Certs::Foreman_proxy/Certs::Keypair[<servername>-foreman-proxy]/File[/etc/foreman-proxy/ssl_cert.pem]/notify
    notify to File[/etc/mosquitto/ssl/ssl_cert.pem]
  /Stage[main]/Certs::Foreman_proxy/Certs::Keypair[<servername>-foreman-proxy]/File[/etc/foreman-proxy/ssl_cert.pem]
    Adding autorequire relationship with File[/etc/foreman-proxy]
    Adding autorequire relationship with Group[foreman-proxy]
    Starting to evaluate the resource (718 of 1570)
    Could not evaluate: Could not retrieve information from environment production source(s) file:///root/ssl-build/<servername>/<servername>-foreman-proxy.crt
    Evaluated in 0.00 seconds
After this failure, an `ls -la` on /root/ssl-build/<servername>/ shows:
/root/ssl-build/<servername>:
total 64
-rw-------. 1 root root 1572 Nov 10 15:08 katello-server-openssl.cnf
-rw-------. 1 root root 1570 Nov 10 15:08 katello-server-openssl.cnf.1
-rw-------. 1 root root 1565 Nov 10 15:08 katello-server-openssl.cnf.2
-rw-------. 1 root root 1570 Nov 10 15:08 katello-server-openssl.cnf.3
lrwxrwxrwx. 1 root root   41 Nov 26 20:06 <servername>-apache.crt -> ../../archive/<servername>/cert2.pem
-rw-------. 1 root root 1821 Nov 10 15:08 <servername>-apache.crt.req
lrwxrwxrwx. 1 root root   44 Nov 26 20:06 <servername>-apache.key -> ../../archive/<servername>/privkey2.pem
-rw-r--r--. 1 root root    0 Nov 26 20:07 <servername>-apache.update
-rw-r--r--. 1 root root 8246 Nov 10 15:08 <servername>-foreman-client.crt
-rw-------. 1 root root 1813 Nov 10 15:08 <servername>-foreman-client.crt.req
-rw-------. 1 root root 3268 Nov 10 15:08 <servername>-foreman-client.key
-rw-r--r--. 1 root root 8261 Nov 10 15:08 <servername>-foreman-proxy-client.crt
-rw-------. 1 root root 1825 Nov 10 15:08 <servername>-foreman-proxy-client.crt.req
-rw-------. 1 root root 3268 Nov 10 15:08 <servername>-foreman-proxy-client.key
lrwxrwxrwx. 1 root root   41 Nov 26 20:06 <servername>-foreman-proxy.crt -> ../../archive/<servername>/cert2.pem
-rw-------. 1 root root 1821 Nov 10 15:08 <servername>-foreman-proxy.crt.req
lrwxrwxrwx. 1 root root   44 Nov 26 20:06 <servername>-foreman-proxy.key -> ../../archive/<servername>/privkey2.pem
-rw-r--r--. 1 root root    0 Nov 26 20:07 <servername>-foreman-proxy.update
It appears the symlinks were copied as symlinks, not copying the actual files that are pointed at. This process worked normally in several versions of Satellite prior to 6.18.
Expected behavior:
Certificates should install normally and web interface be secured.
Business Impact / Additional info:
relates to: SAT-27077 [RFE]: Automation of Satellite Certificate Renewal via certbot/ACME (New)
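The listing above shows links whose targets are relative (`../../archive/<servername>/...`), which only resolve from inside `/etc/letsencrypt/live/<servername>/`. The following is an added example, not part of the report or of Satellite's code: it reproduces that effect in a throwaway temp directory, comparing a link-preserving copy with a dereferencing copy. The hostname `sat.example.test`, the file names `as-link.crt`/`as-file.crt` and the helper functions are constructed for illustration.

```shell
#!/bin/sh
# Constructed demo: everything lives under a mktemp directory; no real
# certbot or Satellite paths are read or written.

# Build a certbot-style tree: live/<name>/cert.pem -> ../../archive/<name>/cert1.pem
make_le_tree() {
    root=$1; name=$2
    mkdir -p "$root/letsencrypt/archive/$name" "$root/letsencrypt/live/$name"
    echo "constructed certificate body" > "$root/letsencrypt/archive/$name/cert1.pem"
    ln -s "../../archive/$name/cert1.pem" "$root/letsencrypt/live/$name/cert.pem"
}

# Classify a path as: file, symlink-ok, symlink-dangling or missing.
# [ -e ] follows links, so it is false for a link whose target is absent.
classify() {
    if [ -L "$1" ]; then
        if [ -e "$1" ]; then echo symlink-ok; else echo symlink-dangling; fi
    elif [ -f "$1" ]; then
        echo file
    else
        echo missing
    fi
}

# Copy the "live" link into a build directory two ways and report
# "<source> <link-preserving copy> <dereferenced copy>".
demo() {
    tmp=$(mktemp -d) || return 1
    name=sat.example.test                     # constructed hostname
    make_le_tree "$tmp" "$name"
    src="$tmp/letsencrypt/live/$name/cert.pem"
    build="$tmp/ssl-build/$name"
    mkdir -p "$build"

    # -P keeps the link and its relative target, which now resolves to
    # $tmp/archive/... (nonexistent), like /root/archive/... in the report.
    cp -P "$src" "$build/as-link.crt"
    # -L follows the link and writes a regular file with the contents.
    cp -L "$src" "$build/as-file.crt"

    echo "$(classify "$src") $(classify "$build/as-link.crt") $(classify "$build/as-file.crt")"
    rm -rf "$tmp"
}

demo
```

Running `classify` on each path passed to `--certs-server-cert` and `--certs-server-key`, and on the resulting files in the build directory, shows whether a link survived the copy.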