SUSE/rmt

SSL issues with `rmt-client-setup-res`

nodeg opened this issue · 6 comments

nodeg commented

The last changes to the rmt-client-setup-res script with 264ef24

diff --git a/public/tools/rmt-client-setup-res b/public/tools/rmt-client-setup-res
index 00f45e367..5f5517d5f 100755
--- a/public/tools/rmt-client-setup-res
+++ b/public/tools/rmt-client-setup-res
@@ -51,7 +51,7 @@ while true ; do
        "") break ;;
        -h|--help) usage;;
        https://*) RMTNAME=${1:8};
-                   REGURL="http://${RMTNAME}";;
+                   REGURL=$1;;
        http://*) REGURL=$1;
                  RMTNAME=${REGURL:7};;
        *) usage "Unknown option $1";;
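Review bot: with the https:// branch now keeping REGURL=$1 instead of rewriting it to http://, every later use of REGURL (the curl fetch of rmt-client-setup and whatever that script derives from it) goes over TLS, so the client must already trust the RMT server's CA for this to work; nothing in this hunk establishes that trust, so the change should at least document the prerequisite. Both branches could also derive the host name with one portable expression, RMTNAME=${1#*://}, instead of the hard-coded offsets ${1:8} and ${REGURL:7}, which are bash-only and break if the scheme spelling ever changes.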
@@ -123,7 +123,7 @@ if [ ! -x $SUSECONNECT ]; then
    $DNF config-manager --set-disabled "${RMTNAME}_repo_SUSE_Updates_${SLL_name}-AS_${SLL_version}_x86_64_update"
fi

-$CURL -s -S $REGURL/tools/rmt-client-setup --output rmt-client-setup
+$CURL --silent --show-error --insecure $REGURL/tools/rmt-client-setup --output rmt-client-setup
echo "Running rmt-client-setup $PARAMS"
sh rmt-client-setup $PARAMS 
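Review bot: --insecure disables certificate verification for a file that the very next line executes with sh, so anyone who can answer for ${RMTNAME} on the network can run arbitrary code as root on the client; and because curl's exit status is never checked, a failed or truncated download still gets executed. Obtain the RMT CA first and pass it with --cacert (or --capath) rather than --insecure, and chain the two commands, e.g. `$CURL --silent --show-error --cacert "$CA" "$REGURL/tools/rmt-client-setup" --output rmt-client-setup && sh rmt-client-setup $PARAMS`. If the CA really cannot be trusted yet at this point, the commit message should say why and the script should verify the download by some other means before running it.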

introduced an issue in our test script for SUMA. We already have a fix, but it would be good to have this fixed "upstream" as well. I already had a look at

so I know why the changes were made. As seen above, curl gets invoked with --insecure, but in the next part, when rmt-client-setup-res is finished, the repository files, which now use HTTPS too, need adjustments as well. Otherwise the following error occurs:

Importing repomd.xml.key
curl: (60) SSL certificate problem: self-signed certificate in certificate chain
More details here: https://curl.se/docs/sslcerts.html

curl failed to verify the legitimacy of the server and therefore could not
establish a secure connection to it. To learn more about this situation and
how to fix it, please visit the web page mentioned above.
error: https://rmt.scc.suse.de/repo/SUSE/Updates/SLL/9/x86_64/update/repodata/repomd.xml.key: import read failed(2).

The following are two solutions to fix it:

  1. Solution: Import the correct SSL certificate(s) and GPG keys for the used repositories in /etc/yum.repos.d/
  2. Solution: Add sslverify=0 and gpgcheck=0 to the repository files in /etc/yum.repos.d/

We are using the script in cloud-init the following way:
https://github.com/uyuni-project/sumaform/blob/master/backend_modules/libvirt/host/user_data.yaml#L579-L581

runcmd:
  # Registration with SUSEConnect
  - curl http://rmt.scc.suse.de/tools/rmt-client-setup-res --output rmt-client-setup-res
  - yes | sh rmt-client-setup-res https://rmt.scc.suse.de

I saw that there is another script called rmt-client-setup which takes care of importing the SSL certificates. Are we making any mistake?

So, the issue is that rmt-client-setup-res properly uses --insecure for its own use, but leaves behind repository definitions like

/etc/yum.repos.d/rmt.scc.suse.de_repo_SUSE_Updates_SLL-AS_9_x86_64_update.repo
/etc/yum.repos.d/rmt.scc.suse.de_repo_SUSE_Updates_SLL_9_x86_64_update.repo

which refer to https:// URLs without the sslverify=0 option and without the needed /etc/pki/ca-trust/source/anchors/rmt-server.pem certificate. Those repos are therefore unusable.

@plorinc @zpetrova would #993 fix this?
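The secure counterpart of the two workarounds listed above, as an added example that is not part of this issue or of the SUSE/rmt scripts: rather than sslverify=0 and gpgcheck=0, put the RMT server CA into the client trust store and pin the https repo definitions to it, so rpm --import of repomd.xml.key and dnf both verify the server. The anchor path /etc/pki/ca-trust/source/anchors/rmt-server.pem is taken from the thread; the function names (check_ca_pem, install_rmt_ca, harden_repo_file) and the assumption of one [section] per repo file are hypothetical.

```sh
#!/bin/sh
# Added example for this thread, not code from the SUSE/rmt project: the secure
# counterpart of the two workarounds (import the CA / edit the repo files).
# Assumptions: the CA file name and anchors directory follow
# /etc/pki/ca-trust/source/anchors/rmt-server.pem from the issue text; repo
# files in /etc/yum.repos.d hold one [section] each (hypothetical layout).

DEFAULT_CA_PEM="/etc/pki/ca-trust/source/anchors/rmt-server.pem"

# Minimal sanity check before trusting a file system-wide: it must be a
# non-empty PEM certificate. (openssl is deliberately not required here.)
check_ca_pem() {
    [ -s "$1" ] && grep -q -- '-----BEGIN CERTIFICATE-----' "$1"
}

# Solution 1, hardened: copy the RMT CA into the anchors directory and rebuild
# the bundle that curl, rpm --import and dnf all consult. Needs root.
install_rmt_ca() {
    src="$1"
    anchor_dir="${2:-/etc/pki/ca-trust/source/anchors}"
    check_ca_pem "$src" || { echo "not a PEM certificate: $src" >&2; return 1; }
    install -m 0644 "$src" "$anchor_dir/rmt-server.pem" || return 1
    update-ca-trust
}

# Solution 2, hardened: for every https:// repo in the file, replace any
# sslverify=/sslcacert= lines with sslverify=1 and a pinned sslcacert=<CA>.
# gpgcheck is left untouched, so repomd.xml.key is still verified once the CA
# is trusted. Files with only http:// baseurls are not modified.
harden_repo_file() {
    repo_file="$1"
    ca_pem="${2:-$DEFAULT_CA_PEM}"
    grep -q '^baseurl=https://' "$repo_file" || return 0
    tmp="$repo_file.tmp.$$"
    awk -v ca="$ca_pem" '
        function emit() {
            if (in_section) { print "sslverify=1"; print "sslcacert=" ca }
            in_section = 0
        }
        /^\[/                    { emit(); in_section = 1 }   # new [repo] section
        /^ssl(verify|cacert) *=/ { next }                     # drop old values, e.g. sslverify=0
        { print }
        END { emit() }
    ' "$repo_file" > "$tmp" && mv "$tmp" "$repo_file"
}

# Usage on a client (as root), e.g. for the two repo files named above:
#   install_rmt_ca /path/to/rmt-server.pem
#   for f in /etc/yum.repos.d/rmt.scc.suse.de_repo_*.repo; do harden_repo_file "$f"; done
```

The same CA file can be handed to the bootstrap download with `curl --cacert` instead of `--insecure`, which removes the last unverified TLS connection in the flow.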

nodeg commented

FYI: I adjusted my first post. Apparently the workaround needs another parameter:

Add sslverify=0 and gpgcheck=0 to the repository files in /etc/yum.repos.d/

nodeg commented

I also tried the fix in the PR you linked above
https://github.com/SUSE/rmt/pull/993/files#diff-f65bab3349c7402ccc41caa70d771f473795ce4472bcae640cfbe72a4aff839fR128-R130

both just with the command and by adjusting the script, but I get the same error:

[root@uyuni-bv-master-min-liberty9 ~]# rpm --import https://rmt.scc.suse.de/repo/SUSE/Updates/SLL/9/x86_64/update/repodata/repomd.xml.key
curl: (60) SSL certificate problem: self-signed certificate in certificate chain
More details here: https://curl.se/docs/sslcerts.html

curl failed to verify the legitimacy of the server and therefore could not
establish a secure connection to it. To learn more about this situation and
how to fix it, please visit the web page mentioned above.
error: https://rmt.scc.suse.de/repo/SUSE/Updates/SLL/9/x86_64/update/repodata/repomd.xml.key: import read failed(2).

I saw that there is another script called rmt-client-setup which takes care of importing the SSL certificates. Are we making any mistake?

rmt-client-setup-res calls rmt-client-setup internally (https://github.com/SUSE/rmt/blob/master/public/tools/rmt-client-setup-res#L126), which is supposed to import the SSL cert of the RMT server. So something seems to go wrong there.