Bug 1368260

Summary: 4.5.2. Configuring Capsule Server with a Custom Server Certificate needs correction
Product: Red Hat Satellite
Reporter: Rick Dixon <rdixon>
Component: Docs Install Guide
Assignee: Russell Dickenson <rdickens>
Status: CLOSED CURRENTRELEASE
QA Contact: Brandi Munilla <bmcelvee>
Severity: medium
Priority: unspecified
Version: 6.2.0
CC: rdickens, rdixon
Target Milestone: Unspecified
Target Release: Unused
Hardware: All
OS: Linux
Last Closed: 2016-11-04 04:54:03 UTC
Type: Bug

Description Rick Dixon 2016-08-18 21:02:34 UTC
Document URL:

https://access.redhat.com/documentation/en-US/Red_Hat_Satellite/6.1/html/Installation_Guide/index.html


Section Number and Name:

4.5.2. Configuring Capsule Server with a Custom Server Certificate


Describe the issue:

These instructions differentiate the installation of Capsule with custom certs into pre- and post-installer runs, but the second part (Configure Capsule with a Custom Server Certificate After Running the Installer) uses the wrong command to generate the Capsule certificate tarball from the Satellite server. 

It should read:


Configure Capsule with a Custom Server Certificate After Running the Installer

1) On Satellite Server, generate a new certificate based on your custom server certificate.

~~~
# capsule-certs-generate \
--capsule-fqdn "mycapsule.example.com" \
--certs-tar ~/mycapsule.example.com-certs.tar \
--server-cert /path/to/server.crt \
--server-cert-req /path/to/server-cert.req \
--server-key /path/to/server.key \
--server-ca-cert /path/to/server-ca.crt
~~~

The command provided in the docs is for actually installing the Capsule after the first installer run, rather than generating the certificate tarball from the Satellite server. Running this command on a Satellite installation would likely error out, but could potentially have disastrous results.


Suggestions for improvement:

Replace the first step with the correct certificate generation command (capsule-certs-generate) rather than the capsule installation command (satellite-installer --scenario capsule).

***Additionally, please make it clearer/bolder/more noticeable in the documents that if a user is going to deploy a Satellite server with custom certificates, each Capsule server *must* have their own custom certificate signed by the same CA.***

Comment 3 Rick Dixon 2016-09-01 00:17:36 UTC
Hi Russell,

When I look at attachment [2] in the linked comment, under "Configure Capsule with a Custom Server Certificate After Running Foreman Installer," it still looks as though the command issued for generating the certificate bundle from the Satellite server is:


~~~
# foreman-installer --scenario capsule \
    --certs-generate \
[...SNIP...]
~~~


It should be:


~~~
# capsule-certs-generate \
--capsule-fqdn "mycapsule.example.com" \
--certs-tar ~/mycapsule.example.com-certs.tar \
--server-cert /path/to/server.crt \
--server-cert-req /path/to/server-cert.req \
--server-key /path/to/server.key \
--server-ca-cert /path/to/server-ca.crt
~~~


Once this bundle is copied to the Capsule, the command to install it and update all of the certificates (which you would want to do if the installer has already been run once) is:


~~~
# satellite-installer --scenario capsule \
--certs-update-server \
--capsule-parent-fqdn "satellite.example.com" \
--foreman-proxy-register-in-foreman "true" \
--foreman-proxy-foreman-base-url "https://satellite.example.com" \
--foreman-proxy-trusted-hosts "satellite.example.com" \
--foreman-proxy-trusted-hosts "capsule.example.com" \
--foreman-proxy-oauth-consumer-key "gDv6mMrsfefp5QmimiAspfzfwsvCctBm" \
--foreman-proxy-oauth-consumer-secret "Sh4d7K2v7Dk2VphMPTtZYRviFJ3tY5oY" \
--capsule-pulp-oauth-secret "ABsqCFsFCoxdSHmHTvMq9sfaN5zZcR8n" \
--capsule-certs-tar ~/capsule.example.com-certs.tar
~~~

Comment 4 Russell Dickenson 2016-09-07 02:34:23 UTC
Rick,

I apologise for the long delay in replying. I'll look over the latest work in progress on custom certificates and check if what you've mentioned in comment 3 has been fixed.