Katello Restore Doesn't work. CA errors

We are trying to run some certification tests with 2.4.1, and the backup/restore
procedure does not work.

We are hitting this bug: https://bugzilla.redhat.com/show_bug.cgi?id=1311313

I'm trying to figure out if there is a sane workaround for this. The
problem is that any katello-installer (--reset or not) will try to regen
the keys. At that point, things go badly and we get:

/Stage[main]/Certs/Privkey[/etc/pki/katello/private/katello-default-ca.key]:
Could not evaluate: Execution of '/usr/bin/openssl rsa -in
/root/ssl-build/katello-default-ca.key -out
/root/ssl-build/katello-default-ca.key.tmp -passin
file:/etc/pki/katello/private/katello-default-ca.pwd' returned 1: unable to
load Private Key
Notice: /Stage[main]/Candlepin::Config/Concat[/etc: 393/789, 49%, 5.9/s,
elapsed: 00:00:14, ETA: 00:01:06
Debug: /Stage[main]/Gutterball::Database/Postgresq: 556/789, 70%, 44.4/s,
elapsed: 00:00:15, ETA: 00:00:05
Notice: /Stage[main]/Candlepin::Database::Postgres: 569/789, 72%, 44.6/s,
elapsed: 00:00:24, ETA: 00:00:04
/Stage[main]/Gutterball::Database/Postgresql::Server::Db[gutterball]/Postgresql::Server::Database[gutterball]/Exec[/usr/bin/createdb
--port='5432' --owner='postgres' --template=template0 --encoding 'utf8'
--locale=en_US.utf8 'gutterball']: Failed to call refresh:
/usr/bin/createdb --port='5432' --owner='postgres' --template=template0
--encoding 'utf8' --locale=en_US.utf8 'gutterball' returned 1 instead of
one of [0]
/Stage[main]/Gutterball::Database/Postgresql::Server::Db[gutterball]/Postgresql::Server::Database[gutterball]/Exec[/usr/bin/createdb
--port='5432' --owner='postgres' --template=template0 --encoding 'utf8'
--locale=en_US.utf8 'gutterball']: /usr/bin/createdb --port='5432'
--owner='postgres' --template=template0 --encoding 'utf8'
--locale=en_US.utf8 'gutterball' returned 1 instead of one of [0]
Notice: /Stage[main]/Gutterball::Database/Exec[mig: 595/789, 75%, 47.1/s,
elapsed: 00:00:26, ETA: 00:00:04
Debug: /File[/etc/httpd/conf.d/proxy.conf]/seltype: 672/789, 85%, 47.1/s,
elapsed: 00:00:27, ETA: 00:00:02
Notice: /Stage[main]/Foreman::Database/Foreman_con: 788/789, 99%, 48.1/s,
elapsed: 00:00:58
Notice: /Stage[main]/Foreman::Database/Foreman::Ra: 788/789, 99%, 48.1/s,
elapsed: 00:01:41
Notice: /Stage[main]/Foreman::Database/Foreman::Ra: 788/789, 99%, 42.2/s,
elapsed: 00:02:21
/Stage[main]/Foreman::Database/Foreman::Rake[db:seed]/Exec[foreman-rake-db:seed]:
Failed to call refresh: /usr/sbin/foreman-rake db:seed returned 1 instead
of one of [0]
/Stage[main]/Foreman::Database/Foreman::Rake[db:seed]/Exec[foreman-rake-db:seed]:
/usr/sbin/foreman-rake db:seed returned 1 instead of one of [0]

This is from a fresh 2.4.1 backup followed by an immediate restore. (Either
using katello-backup + katello-restore or the 2.4.1 Documentation solution,
which is basically the same thing.)

Looking at the command line, katello-installer replaces
/etc/pki/katello/private/katello-default-ca.pwd. If we replace this
file with the one from the backup, the openssl command will succeed, and we
can start services normally. Any following katello-installer run still
replaces the .pwd file and fails.

> We are trying to run some certification tests with 2.4.1, and the backup/restore
> procedure does not work.
>
> We are hitting this bug:
> https://bugzilla.redhat.com/show_bug.cgi?id=1311313
>
> I'm trying to figure out if there is a sane workaround for this. The
> problem is that any katello-installer (--reset or not) will try to regen
> the keys. At that point, things go badly and we get:
>
> /Stage[main]/Certs/Privkey[/etc/pki/katello/private/katello-default-ca.key]:
> Could not evaluate: Execution of '/usr/bin/openssl rsa -in
> /root/ssl-build/katello-default-ca.key -out
> /root/ssl-build/katello-default-ca.key.tmp -passin
> file:/etc/pki/katello/private/katello-default-ca.pwd' returned 1: unable to
> load Private Key
> Notice: /Stage[main]/Candlepin::Config/Concat[/etc: 393/789, 49%, 5.9/s,
> elapsed: 00:00:14, ETA: 00:01:06
> Debug: /Stage[main]/Gutterball::Database/Postgresq: 556/789, 70%, 44.4/s,
> elapsed: 00:00:15, ETA: 00:00:05
> Notice: /Stage[main]/Candlepin::Database::Postgres: 569/789, 72%, 44.6/s,
> elapsed: 00:00:24, ETA: 00:00:04
> /Stage[main]/Gutterball::Database/Postgresql::Server::Db[gutterball]/Postgresql::Server::Database[gutterball]/Exec[/usr/bin/createdb
> --port='5432' --owner='postgres' --template=template0 --encoding 'utf8'
> --locale=en_US.utf8 'gutterball']: Failed to call refresh:
> /usr/bin/createdb --port='5432' --owner='postgres' --template=template0
> --encoding 'utf8' --locale=en_US.utf8 'gutterball' returned 1 instead of
> one of [0]
> /Stage[main]/Gutterball::Database/Postgresql::Server::Db[gutterball]/Postgresql::Server::Database[gutterball]/Exec[/usr/bin/createdb
> --port='5432' --owner='postgres' --template=template0 --encoding 'utf8'
> --locale=en_US.utf8 'gutterball']: /usr/bin/createdb --port='5432'
> --owner='postgres' --template=template0 --encoding 'utf8'
> --locale=en_US.utf8 'gutterball' returned 1 instead of one of [0]
> Notice: /Stage[main]/Gutterball::Database/Exec[mig: 595/789, 75%, 47.1/s,
> elapsed: 00:00:26, ETA: 00:00:04
> Debug: /File[/etc/httpd/conf.d/proxy.conf]/seltype: 672/789, 85%, 47.1/s,
> elapsed: 00:00:27, ETA: 00:00:02
> Notice: /Stage[main]/Foreman::Database/Foreman_con: 788/789, 99%, 48.1/s,
> elapsed: 00:00:58
> Notice: /Stage[main]/Foreman::Database/Foreman::Ra: 788/789, 99%, 48.1/s,
> elapsed: 00:01:41
> Notice: /Stage[main]/Foreman::Database/Foreman::Ra: 788/789, 99%, 42.2/s,
> elapsed: 00:02:21
> /Stage[main]/Foreman::Database/Foreman::Rake[db:seed]/Exec[foreman-rake-db:seed]:
> Failed to call refresh: /usr/sbin/foreman-rake db:seed returned 1 instead
> of one of [0]
> /Stage[main]/Foreman::Database/Foreman::Rake[db:seed]/Exec[foreman-rake-db:seed]:
> /usr/sbin/foreman-rake db:seed returned 1 instead of one of [0]
>
> This is from a fresh 2.4.1 backup followed by an immediate restore.
> (Either using katello-backup + katello-restore or the 2.4.1 Documentation
> solution, which is basically the same thing.)
>
>
> Looking at the command line, katello-installer replaces
> /etc/pki/katello/private/katello-default-ca.pwd. If we replace this
> file with the one from the backup, the openssl command will succeed, and we
> can start services normally. Any following katello-installer run still
> replaces the .pwd file and fails.
>

This is most likely because the correct katello-default-ca.pwd file isn't
being replaced in either /root/ssl-build or
/etc/pki/katello-certs-tools/private or both.

On Tue, Apr 5, 2016 at 3:36 PM, Frank Branham wrote:


You received this message because you are subscribed to the Google Groups
"Foreman users" group.
Visit this group at https://groups.google.com/group/foreman-users.


Eric D. Helms
Red Hat Engineering
Ph.D. Student - North Carolina State University
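Frank's post shows the symptom (the installer's `openssl rsa` call cannot load the CA key with the passphrase file it writes) and Eric's reply names the likely cause (the restored katello-default-ca.pwd not being put back into /root/ssl-build or /etc/pki/katello-certs-tools/private). The shell script below is an added pre-flight check, not code from the thread or from the Katello project: it runs the same `openssl rsa -passin file:` invocation from the log against each copy of the password file, with `-noout` so nothing is written, and reports which copies unlock the key. The default paths are assumptions taken from the thread; the digest per file shows which copies are identical.

```shell
#!/bin/sh
# Added pre-flight check for a restored Katello host (not part of the thread).
# Before running katello-installer, confirm that the CA key decrypts with every
# copy of katello-default-ca.pwd the installer might read. All paths below are
# assumptions taken from the thread; override CA_KEY / PWD_CANDIDATES as needed.

CA_KEY="${CA_KEY:-/root/ssl-build/katello-default-ca.key}"
PWD_CANDIDATES="${PWD_CANDIDATES:-/etc/pki/katello/private/katello-default-ca.pwd \
/etc/pki/katello-certs-tools/private/katello-default-ca.pwd \
/root/ssl-build/katello-default-ca.pwd}"

# Return 0 when KEY decrypts with the passphrase in PWDFILE, 1 on a wrong
# passphrase (openssl reports "unable to load Private Key"), 2 if unreadable.
# This is the installer's own openssl invocation, minus the -out file.
ca_key_matches_pwd() {
    key="$1"; pwdfile="$2"
    [ -r "$key" ] && [ -r "$pwdfile" ] || return 2
    openssl rsa -in "$key" -passin "file:$pwdfile" -noout >/dev/null 2>&1
}

# Short digest of a file so identical copies are easy to spot in the report.
pwd_digest() {
    openssl dgst -sha256 -r "$1" | cut -c1-12
}

# Check KEY against every password file given, printing one line per file.
# Returns 0 only when every listed file exists and unlocks the key.
check_ca_pwd_locations() {
    key="$1"; shift
    rc=0
    for f in "$@"; do
        if [ ! -e "$f" ]; then
            echo "MISSING  $f"; rc=1; continue
        fi
        if ca_key_matches_pwd "$key" "$f"; then
            echo "OK       $f ($(pwd_digest "$f"))"
        else
            echo "MISMATCH $f ($(pwd_digest "$f"))"; rc=1
        fi
    done
    return $rc
}

# Usage on the restored host:  sh check-ca-pwd.sh run
if [ "${1:-}" = "run" ]; then
    check_ca_pwd_locations "$CA_KEY" $PWD_CANDIDATES
fi
```

Run it before each katello-installer invocation on the restored host: a MISMATCH or MISSING line identifies the copy that has to be replaced from the backup, and differing digests between OK and MISMATCH lines show that the installer regenerated one copy while another still holds the original passphrase.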