Keytool error: java.lang.Exception: The -keyalg option must be specified

Hello,

While attempting to install Foreman 3.12.0 + Katello 4.14.1, I encountered the following error during the foreman-installer --scenario katello execution:

Error Details:

• The keytool utility failed to generate or import keys for the keystore and truststore due to the absence of the -keyalg option.

• Relevant messages include:

• keytool error: java.lang.Exception: The -keyalg option must be specified

• Keystore file exists, but is empty: /etc/candlepin/certs/keystore

This indicates the installer script omitted specifying the key algorithm (-keyalg), which is mandatory for the keytool command.

Solution

  1. Remove the existing keystore and truststore files:

rm -f /etc/candlepin/certs/keystore
rm -f /etc/candlepin/certs/truststore

2. Edit the Ruby script that manages keystore generation:

• Open the file and navigate to line 56 (you can enable line numbers in vi with :set number):

vi /usr/share/foreman-installer/modules/certs/lib/puppet_x/certs/provider/keystore.rb

3. Add the -keyalg option:

Before:

'-J-Dcom.redhat.fips=false'

After:

'-J-Dcom.redhat.fips=false',
'-keyalg', 'RSA'

Updated Block:

48 begin
49   keytool(
50     '-genkey',
51     '-storetype', 'pkcs12',
52     '-keystore', store,
53     '-storepass:file', resource[:password_file],
54     '-alias', temp_alias,
55     '-dname', "CN=#{temp_alias}",
56     '-J-Dcom.redhat.fips=false',
57     '-keyalg', 'RSA'
58   )
59 rescue Puppet::ExecutionFailure => e
60   Puppet.err("Failed to generate new #{type} with temporary entry: #{e}")
61   return nil
62 end

4. Re-run the installer:

foreman-installer --scenario katello
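A pre-flight check for the steps above, added here as an example (not part of the original post and not Foreman project code): it flags the zero-byte stores a failed keytool run leaves behind and confirms that the provider's `-genkey` call passes `-keyalg` before the installer is re-run. The function names and the `--check` argument are hypothetical; the default paths are the ones quoted in the post.

```shell
#!/bin/sh
# Added example: checks to run before re-running foreman-installer.
# Paths default to those quoted in the post; override via environment.
CERT_DIR="${CERT_DIR:-/etc/candlepin/certs}"
PROVIDER="${PROVIDER:-/usr/share/foreman-installer/modules/certs/lib/puppet_x/certs/provider/keystore.rb}"

# A store left behind by a failed keytool run exists but has zero bytes.
store_is_empty() {
  [ -e "$1" ] && [ ! -s "$1" ]
}

# Succeeds only if '-keyalg' appears inside the keytool call that contains
# '-genkey' (from that line up to the closing parenthesis). A '-keyalg'
# elsewhere in the file does not count. A missing file counts as unpatched.
genkey_has_keyalg() {
  awk '
    /-genkey/             { blk = 1 }
    blk && /-keyalg/      { found = 1 }
    blk && /^[ \t]*\)/    { blk = 0 }
    END                   { exit (found ? 0 : 1) }
  ' "$1" 2>/dev/null
}

# Report every problem found; return non-zero if any check failed.
preflight() {
  rc=0
  for f in "$CERT_DIR/keystore" "$CERT_DIR/truststore"; do
    if store_is_empty "$f"; then
      echo "EMPTY: $f (remove it before re-running the installer)"
      rc=1
    fi
  done
  if ! genkey_has_keyalg "$PROVIDER"; then
    echo "UNPATCHED: no -keyalg in the -genkey call of $PROVIDER"
    rc=1
  fi
  return "$rc"
}

# Hypothetical entry point: run as `sh preflight.sh --check`.
case "${1:-}" in
  --check) preflight && echo "OK: stores are sane and -keyalg is passed" ;;
esac
```

A non-zero exit from `--check` means at least one of the conditions from the post is still present.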

This is due to a change in OpenJDK 17, which has become the default in EL 9.5 now that OpenJDK 11 is EOL. Sadly that didn’t go through CentOS Stream so we didn’t see it ahead of time. A patch with the changes you suggested has already been merged:

That needs to make it into releases now.
