Foreman-installer update changes keys!

Once I run: foreman-installer --scenario katello --upgrade

I get:

/bin/openssl rsa -in /root/ssl-build/katello-default-ca.key -out /root/ssl-build/katello-default-ca.key.tmp -passin file:/etc/pki/katello/private/katello-default-ca.pwd' returned 1: unable to load Private Key
140679155656592:error:06065064:digital envelope routines:EVP_DecryptFinal_ex:bad decrypt:evp_enc.c:592:
140679155656592:error:0906A065:PEM routines:PEM_do_header:bad decrypt:pem_lib.c:488:

Katello: 3.8.1; Foreman: 1.19; Centos 7.8.2003

I see there’s a change in the password file:

# ls -ltr /etc/pki/katello/private/katello-default-ca.pwd
-r--------. 1 root root 24 dic 22 09:19 /etc/pki/katello/private/katello-default-ca.pwd

If I use the old password, running the same openssl command from the shell works. I’m afraid foreman-installer changes it (?).

Is there any additional argument to pass to foreman-installer --scenario katello --upgrade?

We’re using proper certificates, i.e. no self-signed.

Regards,

Iago

For your entire certificate setup or do you mean that you passed in custom server certificates when you installed the instance?

You’re right, custom server certificates.

And to help me, what are you upgrading from and to?

I have 3.8; the upgrade can be performed directly up to 3.10.

I’ve followed all the steps indicated in Foreman :: Plugin Manuals. Once I run the main step, foreman-installer --scenario katello --upgrade, /var/log/foreman-installer/katello.log shows:

/bin/openssl rsa -in /root/ssl-build/katello-default-ca.key -out /root/ssl-build/katello-default-ca.key.tmp -passin file:/etc/pki/katello/private/katello-default-ca.pwd' returned 1: unable to load Private Key

It seems the file /etc/pki/katello/private/katello-default-ca.pwd was changed in the same upgrade, since its contents are not the same as the older one. If I edit it with the old value, the command runs fine, but if I perform foreman-installer --scenario katello --upgrade, the file is changed again.

I’ve searched for these errors on many sites but I’ve found nothing. Could you give me a hand?

On your 3.8, does this file exist? /opt/puppetlabs/puppet/cache/foreman_cache_data/ca_key_password

Bingo! I was testing this in a cloned VM; it was delivered with /opt/puppetlabs/puppet/cache/* deleted.

I have another issue with the upgrade ahead; I’ll open another topic.

Thanks!
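
A pre-upgrade check for the situation resolved in this thread, added here as an example and not part of the original posts or of foreman-installer: it confirms that the cached ca_key_password file is present and that the current .pwd file still decrypts the CA key. The function name check_ca_passphrase and its return codes are assumptions; the default paths are the ones quoted in the thread.

```shell
#!/bin/sh
# Added example: check the Katello default CA passphrase before an upgrade.
# Default paths are the ones quoted in the thread; pass arguments to override.
CA_KEY_DEFAULT=/root/ssl-build/katello-default-ca.key
CA_PWD_DEFAULT=/etc/pki/katello/private/katello-default-ca.pwd
CA_CACHE_DEFAULT=/opt/puppetlabs/puppet/cache/foreman_cache_data/ca_key_password

# check_ca_passphrase [KEY] [PWD_FILE] [CACHE_FILE]   (hypothetical helper)
# Returns: 0 ok, 2 cache file missing or empty, 3 key or password file
#          unreadable, 4 password file does not decrypt the key,
#          5 openssl not installed
check_ca_passphrase() {
    key=${1:-$CA_KEY_DEFAULT}
    pwd_file=${2:-$CA_PWD_DEFAULT}
    cache=${3:-$CA_CACHE_DEFAULT}

    # In the thread, the password file was rewritten on upgrade when this
    # cache file had been deleted (cloned VM), so check it first.
    if [ ! -s "$cache" ]; then
        echo "MISSING: $cache (keep a copy of $pwd_file before upgrading)" >&2
        return 2
    fi
    if [ ! -r "$key" ] || [ ! -r "$pwd_file" ]; then
        echo "UNREADABLE: $key or $pwd_file" >&2
        return 3
    fi
    command -v openssl >/dev/null 2>&1 || return 5

    # Same decrypt the installer log shows, but with -noout so nothing is
    # written; a wrong passphrase produces the "bad decrypt" failure.
    if ! openssl rsa -in "$key" -passin "file:$pwd_file" -noout 2>/dev/null; then
        echo "BAD DECRYPT: $pwd_file does not unlock $key" >&2
        return 4
    fi
    echo "OK: $pwd_file unlocks $key and $cache is present"
    return 0
}
```

Source the file as root and call check_ca_passphrase with no arguments to test the paths from the thread; it only reads the files and changes nothing.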