[2-EL9] Fix update-ca-trust error - p11-kit: couldn't make directory writable #94

Merged
Fryguy merged 1 commit into ManageIQ:2-el9 from bdunne:ca-trust
Apr 1, 2025

@bdunne bdunne commented Feb 26, 2025

TODO:

  • Test in an env with SSL between pods
  • Double check ownership and permissions on the /etc/pki directories after the mv

Helpful discussion in https://bugzilla.redhat.com/show_bug.cgi?id=2241240

CP4AIOPS-11300

New startup logs:

$ oc logs -f httpd-84c96f9985-bj6tp
AH00558: httpd: Could not reliably determine the server's fully qualified domain name, using 10.254.20.246. Set the 'ServerName' directive globally to suppress this message
[Wed Feb 26 23:20:51.265974 2025] [ssl:warn] [pid 1:tid 1] AH01909: %{REQUEST_HOST}:443:0 server certificate does NOT include an ID which matches the server name
AH00558: httpd: Could not reliably determine the server's fully qualified domain name, using 10.254.20.246. Set the 'ServerName' directive globally to suppress this message
[Wed Feb 26 23:20:51.284887 2025] [ssl:warn] [pid 1:tid 1] AH01873: Init: Session Cache is not configured [hint: SSLSessionCache]
[Wed Feb 26 23:20:51.285541 2025] [ssl:warn] [pid 1:tid 1] AH01909: %{REQUEST_HOST}:443:0 server certificate does NOT include an ID which matches the server name
[Wed Feb 26 23:20:51.286239 2025] [lbmethod_heartbeat:notice] [pid 1:tid 1] AH02282: No slotmem from mod_heartmonitor
[Wed Feb 26 23:20:51.293035 2025] [mpm_event:notice] [pid 1:tid 1] AH00489: Apache/2.4.62 (Red Hat Enterprise Linux) OpenSSL/3.2.2 configured -- resuming normal operations
[Wed Feb 26 23:20:51.293056 2025] [core:notice] [pid 1:tid 1] AH00094: Command line: '/usr/sbin/httpd -D FOREGROUND -E /dev/stderr'

@bdunne bdunne changed the title from "Fix update-ca-trust error - p11-kit: couldn't make directory writable" to "[wip] Fix update-ca-trust error - p11-kit: couldn't make directory writable" Feb 26, 2025
@bdunne bdunne requested review from Fryguy and jrafanie February 26, 2025 23:27
Comment on lines +6 to +7
rm -rf /etc/pki/ca-trust/extracted/*
mv /tmp/extracted/* /etc/pki/ca-trust/extracted/
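
Review bot: on lines +6 to +7, `rm -rf /etc/pki/ca-trust/extracted/*` runs before the `mv`, and nothing in these lines checks that /tmp/extracted was actually populated, so an extraction that produced nothing or a `mv` that fails partway leaves the container with an empty or partial trust store. Suggest confirming /tmp/extracted is non-empty before the `rm` and having the script stop on the first failing command. Because `mv` out of /tmp keeps the owner and mode the files were created with, it would also help to assert the resulting ownership and permissions under /etc/pki/ca-trust/extracted in the script rather than by manual inspection.
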
Member

Do you need to chmod anything after copying it over?

Member Author

I don't think so. After this, we don't try to write anything in /etc/pki.

Member

I was more thinking that whatever serves/uses the cert might need the certs to be a particular way (kind of like how things in ~/.ssh need specific perms set)

Member Author

Oh, I'll double check the ownership, but the script appears to set the correct permissions on the directories. (That's why we're getting the error that prevents us from running it in the first place 😄 )

Member Author

The ownership is our_uid:root, but the file and directory permissions are correct.
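
A scripted form of the ownership and permission check discussed in this thread, as an added example that is not part of this pull request or the ManageIQ code. The function name `audit_trust_dir`, its finding labels, and the policy it enforces (no group or other write access, readable by all users) are assumptions made for illustration.

```shell
#!/bin/sh
# Added example (not from the PR). audit_trust_dir DIR prints one finding per
# line and returns 1 if there is any finding, 0 if the tree looks sane.
# Assumed policy: trust anchors are readable by everyone and writable by
# nobody except the owner.
audit_trust_dir() {
    atd_dir=$1
    if [ ! -d "$atd_dir" ]; then
        printf 'MISSING %s\n' "$atd_dir"
        return 1
    fi
    atd_findings=$(
        # An rm followed by a failed mv leaves no bundle files at all.
        [ -n "$(find "$atd_dir" -type f -print)" ] || printf 'EMPTY %s\n' "$atd_dir"
        # Group- or world-writable entries let another account swap a trust anchor.
        find "$atd_dir" \( -type f -o -type d \) \( -perm -020 -o -perm -002 \) \
            -exec printf 'WRITABLE %s\n' {} \;
        # Files other UIDs cannot read break TLS clients running as those UIDs.
        find "$atd_dir" -type f ! -perm -004 -exec printf 'UNREADABLE %s\n' {} \;
        # Directories need r-x for others so the files inside can be reached.
        find "$atd_dir" -type d ! -perm -005 -exec printf 'UNTRAVERSABLE %s\n' {} \;
    )
    if [ -n "$atd_findings" ]; then
        printf '%s\n' "$atd_findings"
        return 1
    fi
    return 0
}
```

Called as `audit_trust_dir /etc/pki/ca-trust/extracted` at the end of an entrypoint script, a non-zero return can be used to fail the container start instead of running with a broken trust store.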

@bdunne bdunne changed the title from "[wip] Fix update-ca-trust error - p11-kit: couldn't make directory writable" to "Fix update-ca-trust error - p11-kit: couldn't make directory writable" Mar 4, 2025
@bdunne bdunne removed the wip label Mar 4, 2025
@Fryguy Fryguy self-assigned this Mar 5, 2025
@miq-bot miq-bot changed the title from "Fix update-ca-trust error - p11-kit: couldn't make directory writable" to "[2-EL9] Fix update-ca-trust error - p11-kit: couldn't make directory writable" Mar 5, 2025
miq-bot commented Mar 5, 2025

Checked commit bdunne@e0485ee with ruby 3.1.5, rubocop 1.56.3, haml-lint 0.51.0, and yamllint
0 files checked, 0 offenses detected
Everything looks fine. 🏆

@Fryguy Fryguy merged commit 6ad8242 into ManageIQ:2-el9 Apr 1, 2025
2 checks passed
@bdunne bdunne deleted the ca-trust branch April 4, 2025 02:50