Bug 1233431

Summary: [RFE] CSR should not be mandatory when installing Satellite Server or generating Capsule certificate bundle with custom ssl certificates
Product: Red Hat Satellite
Reporter: Nathan Kinder <nkinder>
Component: Installation
Assignee: Ewoud Kohl van Wijngaarden <ekohlvan>
Status: CLOSED ERRATA
QA Contact: Stephen Wadeley <swadeley>
Severity: medium
Priority: high
Version: 6.0.4
CC: ahumbe, bkearney, itewksbu, lzap, mcorr, mvanderw, pcreech, rvdwees, spetrosi, stbenjam, swadeley, tbrisker
Target Milestone: 6.5.0
Keywords: FieldEngineering, FutureFeature, Triaged
Target Release: Unused
Hardware: Unspecified
OS: Unspecified
Doc Type: Bug Fix
Last Closed: 2019-05-14 12:36:15 UTC
Type: Bug
Bug Blocks: 1692875

Description Nathan Kinder 2015-06-18 22:33:36 UTC
I'm running through an install of Satellite 6.0.4 with IdM on RHEL 7.1 to set up external auth.  All of that is working fine, but I also want to use a certificate from IdM for the web UI by passing it in at install time. According to the documentation, I need to use the following options:

  --certs-server-cert ~/path/to/server.crt \
  --certs-server-cert-req ~/path/to/server.crt.req \
  --certs-server-key ~/path/to/server.crt.key \
  --certs-server-ca-cert ~/path/to/cacert.crt

The certificate request should not be needed, as a certificate has already been issued.  If we already have an issued certificate, we should just need the key and server certificate along with the CA certificate for trust purposes.  If I use 'ipa-getcert' to request and retrieve a certificate from IdM, I only get back the key and cert:

  ipa-getcert request -w -k ./satellite.key -f ./satellite.crt

There is no provision to output the raw CSR from any of the certmonger related commands.  I can dig it out of certmonger's request tracking file in /var/lib/certmonger/requests, but that's not very friendly.

I have been able to pass a zero-byte file as the --certs-server-cert-req option as a workaround, and https is set up properly using the passed in cert/key.  I think the request option should be deprecated, or at least made optional if there is really some purpose to giving the request to Satellite.
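
The consistency check that the description above implies, written as an added example (it is not part of the original report and is not Satellite installer code): the private key, the issued certificate and the CA certificate can be validated against each other without reading a CSR. The function names, the throwaway CA, the CN values and `other.key` are constructed for illustration; `satellite.key`, `satellite.crt` and `cacert.crt` follow the file names used in the report.

```shell
#!/usr/bin/env bash
# Added example. satellite.key / satellite.crt / cacert.crt follow the names used
# in the report; the throwaway CA, CN values and other.key are constructed.

# check_bundle KEY CERT CA
# 0 = key matches certificate and certificate chains to CA
# 1 = mismatch or untrusted issuer, 2 = a file could not be parsed
check_bundle() {
    cb_key=$1; cb_cert=$2; cb_ca=$3
    # The issued certificate embeds the public key the CSR carried,
    # so the CSR adds nothing to this comparison.
    cb_cert_pub=$(openssl x509 -in "$cb_cert" -noout -pubkey 2>/dev/null) || return 2
    cb_key_pub=$(openssl pkey -in "$cb_key" -pubout 2>/dev/null) || return 2
    if [ "$cb_cert_pub" != "$cb_key_pub" ]; then
        echo "private key does not match certificate" >&2
        return 1
    fi
    if ! openssl verify -CAfile "$cb_ca" "$cb_cert" >/dev/null 2>&1; then
        echo "certificate does not chain to the given CA" >&2
        return 1
    fi
    return 0
}

# make_sample DIR: constructed test material standing in for what IdM returns.
make_sample() {
    ms_dir=$1
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=Constructed Test CA" \
        -keyout "$ms_dir/ca.key" -out "$ms_dir/cacert.crt" 2>/dev/null || return 1
    openssl req -new -newkey rsa:2048 -nodes -subj "/CN=satellite.example.com" \
        -keyout "$ms_dir/satellite.key" -out "$ms_dir/satellite.csr" 2>/dev/null || return 1
    openssl x509 -req -in "$ms_dir/satellite.csr" -days 1 -CAcreateserial \
        -CA "$ms_dir/cacert.crt" -CAkey "$ms_dir/ca.key" \
        -out "$ms_dir/satellite.crt" 2>/dev/null || return 1
    rm -f "$ms_dir/satellite.csr"   # discard the CSR: check_bundle never reads it
    openssl genrsa -out "$ms_dir/other.key" 2048 2>/dev/null   # unrelated key
}

demo_dir=$(mktemp -d) && make_sample "$demo_dir" &&
    check_bundle "$demo_dir/satellite.key" "$demo_dir/satellite.crt" "$demo_dir/cacert.crt" &&
    echo "bundle is consistent without a CSR"
rm -rf "$demo_dir"
```

The public-key comparison is exact for the RSA keys generated here; the CSR in `make_sample` exists only to mint the sample certificate and is deleted before the check runs.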

Comment 1 RHEL Program Management 2015-06-18 22:33:39 UTC
Since this issue was entered in Red Hat Bugzilla, the release flag has been
set to ? to ensure that it is properly evaluated for this release.

Comment 4 Bryan Kearney 2016-07-26 15:25:24 UTC
Moving 6.2 bugs out to sat-backlog.

Comment 5 Bryan Kearney 2016-07-26 15:44:11 UTC
Moving 6.2 bugs out to sat-backlog.

Comment 7 Stephen Benjamin 2016-10-13 15:58:10 UTC
I believe we need the CSR, as we also sign the certificate with the internal Satellite CA.

Comment 8 Stephen Benjamin 2016-10-13 15:59:40 UTC
Created redmine issue http://projects.theforeman.org/issues/16911 from this bug

Comment 10 Tomer Brisker 2017-08-28 07:16:44 UTC
*** Bug 1423504 has been marked as a duplicate of this bug. ***

Comment 12 Satellite Program 2017-10-30 14:20:30 UTC
Upstream bug assigned to ekohlvan

Comment 13 Satellite Program 2017-10-30 14:20:35 UTC
Upstream bug assigned to ekohlvan

Comment 14 Satellite Program 2018-05-31 02:18:35 UTC
Moving this bug to POST for triage into Satellite 6 since the upstream issue http://projects.theforeman.org/issues/16911 has been resolved.

Comment 22 errata-xmlrpc 2019-05-14 12:36:15 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHSA-2019:1222