Refs #8756: Deploy the server_ca to the Capsule directories for RHSM. #44
ACK
@stbenjam I need to push some updates to this change I encountered last night.
This fixes an issue where for stand alone Capsules that didn't have access to the server_ca (since it was not deployed) the bootstrap RPM would fail to be created. Further, this removes the unused candlepin-local.pem which in reality was just the root CA cert.
Updated.
ACK
Refs #8756: Deploy the server_ca to the Capsule directories for RHSM.
@@ -36,10 +37,9 @@ | |||
dir => $katello_www_pub_dir, | |||
summary => $candlepin_consumer_summary, | |||
description => $candlepin_consumer_description, | |||
files => ["${rhsm_ca_dir}/candlepin-local.pem:644=${certs::ssl_build_dir}/${certs::default_ca_name}.crt", | |||
"${rhsm_ca_dir}/katello-server-ca.pem:644 =${certs::ssl_build_dir}/${certs::server_ca_name}.crt"], | |||
files => ["${rhsm_ca_dir}/katello-server-ca.pem:644 =${certs::pki_dir}/certs/${certs::server_ca_name}.crt"], |
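Review bot: In the `files` list, dropping the `candlepin-local.pem` entry removes the only file here sourced from `${certs::default_ca_name}.crt`, leaving just the one built from `${certs::server_ca_name}.crt`. These are separate variables, so the two CAs can differ, and anything on the client that reads `${rhsm_ca_dir}/candlepin-local.pem` loses its trust anchor. Either keep shipping the default CA under its own file name or confirm nothing references that path before removing it. The source for `katello-server-ca.pem` also moves from `${certs::ssl_build_dir}` to `${certs::pki_dir}/certs`, so this resource should declare an explicit ordering dependency on whatever deploys that file; otherwise the build can still fail on a missing input.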
Is this change compatible with katello-agent (https://github.com/Katello/katello-agent/blob/master/etc/gofer/plugins/katelloplugin.conf)? Btw, default_ca != server_ca; it's only a coincidence they are the same when using self-signed generated certs, but they are different when using custom certs for SSL.
Discussed w/ @iNecas on IRC and it appears this breaks the agent with custom certs. RHSM would be using the server_ca but qpid-dispatch-router would be using default_ca.
The BZ describing the issue is here https://bugzilla.redhat.com/show_bug.cgi?id=1222912
Ok... so let's get a Redmine issue and fix it :)
This fixes an issue where for stand alone Capsules that didn't have
access to the server_ca (since it was not deployed) the bootstrap
RPM would fail to be created. Further, this removes the unused
candlepin-local.pem which in reality was just the root CA cert.