Bug 1402011

Summary: Custom SSL certificates were not applied correctly
Product: Red Hat Satellite
Reporter: Michael Arbet <marbet>
Component: Installer
Assignee: satellite6-bugs <satellite6-bugs>
Status: CLOSED DUPLICATE
QA Contact: Katello QA List <katello-qa-list>
Severity: medium
Priority: unspecified
Version: 6.2.1
CC: ktordeur, ofamera, stbenjam
Target Milestone: Unspecified
Target Release: Unused
Hardware: Unspecified
OS: Unspecified
Doc Type: If docs needed, set a value
Story Points: ---
Last Closed: 2016-12-06 16:18:00 UTC
Type: Bug
Regression: ---
Mount Type: ---
Documentation: ---
Category: ---
oVirt Team: ---
Cloudforms Team: ---

Description Michael Arbet 2016-12-06 15:03:18 UTC
Description of problem:
Issue occurred when I tried to apply custom SSL certificates using the command
  satellite-installer --scenario satellite \
    --certs-server-cert $PWD/satosix.crt \
    --certs-server-cert-req $PWD/satosix.csr \
    --certs-server-key $PWD/satosix.key \
    --certs-server-ca-cert $PWD/RHCA-chain1.crt \
    --certs-update-server \
    --certs-update-server-ca

The certificate itself has been applied correctly, however the CA certificate chain hasn't been. Long investigation showed that an old certificate chain remained in use for httpd. The command has been found in the official documentation and also in the output of the 'katello-certs-check' command.

So...in those two files:
  /etc/httpd/conf.d/03-crane.conf
  /etc/httpd/conf.d/03-foreman-ssl.conf

the following content was found (common to both):
  SSLCertificateChainFile "/etc/pki/katello/certs/katello-default-ca.crt"
  SSLCACertificateFile    "/etc/pki/katello/certs/katello-default-ca.crt"

I found that on the given path (/etc/pki/katello/certs) were both files, 'katello-default-ca.crt' and also the one added by the command above, now named 'katello-server-ca.crt'. When I changed the word 'default' to 'server' in the configuration files and restarted apache, the satellite provided all correct information when establishing the https connection. I believe the config files were not altered correctly.

I consider my change just as workaround to the described malfunction in satellite setup process.

Also... I remember that right after the very first run of the command for certificate setup everything worked, only later it stopped (the provided CA chain was replaced by the default one). Maybe puppet is involved in this... I will observe the behavior and report if anything changes.

Comment 1 Michael Arbet 2016-12-06 15:55:28 UTC
Another issue found:

Regardless of the web services working over https with the correct CA chain, there is also a katello certificate .rpm package for download that still provides the file 'katello-default-ca.crt' - the old one instead of the newly applied one. Result is: no packages will be applied, no updates... nothing from that satellite server. Thus my previous workaround is not good enough.

I assume rewriting the -default-ca file with the new content would work better; however, fixing that bug in satellite is the right solution.

Kind regards
-michael arbet-
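The two findings above (httpd still pointing at katello-default-ca.crt, and the consumer RPM still shipping that same file) are really one question: does every place that hands out a CA carry the same certificate as katello-server-ca.crt? The following script is an added example written for this page, not code from the bug report or from Satellite/Katello. It compares certificate fingerprints rather than file names, so a file that was merely renamed or overwritten is judged by its contents. Assumptions: an in-memory dict stands in for the filesystem, the PEM blobs are constructed placeholders (valid PEM framing, not real X.509 certificates), and CLIENT_CA is a hypothetical path for the CA file unpacked from the consumer RPM. On a real server you would feed it the actual files (and, for the RPM, the payload extracted with rpm2cpio).

```python
"""Audit which CA file Satellite's httpd configs and the consumer-side CA
file really carry, by certificate fingerprint rather than file name.

Added example, not code from the bug report or from Satellite/Katello.
Assumptions: an in-memory dict stands in for the filesystem, the PEM blobs
are constructed placeholders (valid PEM framing, not real X.509), and
CLIENT_CA is a hypothetical path for the CA file extracted from the
katello-ca-consumer RPM.
"""
import base64
import hashlib
import re

# Paths named in the bug report.
DEFAULT_CA = "/etc/pki/katello/certs/katello-default-ca.crt"
SERVER_CA = "/etc/pki/katello/certs/katello-server-ca.crt"
CONFS = ("/etc/httpd/conf.d/03-crane.conf",
         "/etc/httpd/conf.d/03-foreman-ssl.conf")
# Hypothetical location of the CA file unpacked from the consumer RPM.
CLIENT_CA = "/tmp/katello-ca-consumer/katello-default-ca.crt"

# httpd directives that pick the CA material sent in the TLS handshake.
# Comment lines ('#') never match; quotes around the path are optional.
_DIRECTIVE_RE = re.compile(
    r'^\s*(SSLCertificateChainFile|SSLCACertificateFile)\s+"?([^"\s]+)"?\s*$')
_PEM_BLOCK_RE = re.compile(
    r"-----BEGIN CERTIFICATE-----\s*(.*?)\s*-----END CERTIFICATE-----", re.S)


def ca_directives(conf_text):
    """Return {directive: path} for the CA directives in one httpd conf."""
    found = {}
    for line in conf_text.splitlines():
        m = _DIRECTIVE_RE.match(line)
        if m:
            found[m.group(1)] = m.group(2)
    return found


def fingerprints(pem_text):
    """SHA-256 of the DER bytes of every certificate in a PEM file, in order.

    A chain file yields one fingerprint per certificate; comparing these,
    not file names, shows whether two files hold the same CA."""
    out = []
    for b64 in _PEM_BLOCK_RE.findall(pem_text):
        der = base64.b64decode("".join(b64.split()))
        out.append(hashlib.sha256(der).hexdigest())
    return out


def audit(files, confs=CONFS, client_ca=CLIENT_CA, server_ca=SERVER_CA):
    """List every location whose CA differs from katello-server-ca.crt.

    Returns (location, path) tuples; an empty list means everything httpd
    serves and everything clients install agrees with the custom chain.
    A directive pointing at a missing file is reported too."""
    want = fingerprints(files[server_ca])
    problems = []
    for conf in confs:
        for directive, path in ca_directives(files.get(conf, "")).items():
            if fingerprints(files.get(path, "")) != want:
                problems.append((f"{conf}:{directive}", path))
    if fingerprints(files.get(client_ca, "")) != want:
        problems.append(("consumer rpm CA file", client_ca))
    return problems


def apply_workaround(files, confs=CONFS):
    """The reporter's manual fix: point the httpd directives at SERVER_CA.

    Returns a new dict; the consumer RPM is deliberately left untouched,
    which is why audit() still flags it afterwards."""
    fixed = dict(files)
    for conf in confs:
        fixed[conf] = files[conf].replace(DEFAULT_CA, SERVER_CA)
    return fixed


def _fake_pem(payload):
    """Constructed PEM placeholder (NOT a real certificate) for offline runs."""
    b64 = base64.b64encode(payload).decode()
    return f"-----BEGIN CERTIFICATE-----\n{b64}\n-----END CERTIFICATE-----\n"


DEFAULT_CA_PEM = _fake_pem(b"constructed: katello default CA")
CUSTOM_CHAIN_PEM = (_fake_pem(b"constructed: custom intermediate CA")
                    + _fake_pem(b"constructed: custom root CA"))
_CONF_TEXT = ('# CA settings as found in the report\n'
              f'SSLCertificateChainFile "{DEFAULT_CA}"\n'
              f'SSLCACertificateFile    "{DEFAULT_CA}"\n')

# Constructed snapshot of the state the report describes: both httpd confs
# and the consumer RPM's CA file still carry the default CA, while
# katello-server-ca.crt holds the custom chain passed to the installer.
BROKEN_STATE = {CONFS[0]: _CONF_TEXT, CONFS[1]: _CONF_TEXT,
                DEFAULT_CA: DEFAULT_CA_PEM, SERVER_CA: CUSTOM_CHAIN_PEM,
                CLIENT_CA: DEFAULT_CA_PEM}

if __name__ == "__main__":
    for state, label in ((BROKEN_STATE, "before"),
                         (apply_workaround(BROKEN_STATE), "after workaround")):
        print(label)
        for location, path in audit(state):
            print(f"  {location} -> {path}")
```

Run as-is it reports five mismatches before the workaround (two directives in each of the two conf files, plus the client-side file) and exactly one afterwards, the consumer RPM's CA, which is the gap Comment 1 describes: fixing httpd alone makes the browser happy while registered hosts keep trusting the wrong CA.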

Comment 2 Stephen Benjamin 2016-12-06 16:18:00 UTC
The first issue is a duplicate of BZ1306964.

Please open a separate bug for the RPM issue if it needs one, although if you're on 6.2.1, you could be hitting https://bugzilla.redhat.com/show_bug.cgi?id=1283865.

*** This bug has been marked as a duplicate of bug 1306964 ***