Bug 1417734
Summary: | katello-certs-check needs to provide differentiating data for capsule-certs-generate to avoid error | |||
---|---|---|---|---|
Product: | Red Hat Satellite | Reporter: | Craig Donnelly <cdonnell> | |
Component: | Infrastructure | Assignee: | Chris Roberts <chrobert> | |
Status: | CLOSED ERRATA | QA Contact: | Sanket Jagtap <sjagtap> | |
Severity: | medium | Docs Contact: | ||
Priority: | high | |||
Version: | 6.2.7 | CC: | bkearney, chrobert, ehelms, jcallaha, riehecky, sjagtap, zhunting | |
Target Milestone: | Unspecified | Keywords: | Triaged, UserExperience | |
Target Release: | Unused | |||
Hardware: | All | |||
OS: | Linux | |||
URL: | http://projects.theforeman.org/issues/18310 | |||
Whiteboard: | ||||
Fixed In Version: | katello-installer-base-3.0.0.80-2 | Doc Type: | If docs needed, set a value | |
Doc Text: | Story Points: | --- | ||
Clone Of: | ||||
: | 1426416 (view as bug list) | Environment: | ||
Last Closed: | Type: | Bug | ||
Regression: | --- | Mount Type: | --- | |
Documentation: | --- | CRM: | ||
Verified Versions: | Category: | --- | ||
oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | ||
Cloudforms Team: | --- | Target Upstream Version: | ||
Embargoed: | ||||
Bug Depends On: | ||||
Bug Blocks: | 1417399, 1426416 |
Description
Craig Donnelly
2017-01-30 19:37:31 UTC
I made a typo above for how this should look, you'll have to ignore some other typos above for the cert names. Point is driven either way. Here is the revision: Expected results: katello-certs-check should give us two options, for the different scenarios. One for new capsules, and one for updating certs-tars for existing capsules: # katello-certs-check -c newcapsule.crt -k newcapsule.key -r newcapsule.csr -b CA-crt.pem <snip> To use them inside a NEW $CAPSULE, run this command: capsule-certs-generate --capsule-fqdn ""\ --certs-tar "~/-certs.tar"\ --server-cert "newcapsule.crt"\ --server-cert-req "newcapsule.csr"\ --server-key "newcapsule.key"\ --server-ca-cert "CA-crt.pem" To use them inside an EXISTING $CAPSULE, run this command INSTEAD: capsule-certs-generate --capsule-fqdn ""\ --certs-tar "~/-certs.tar"\ --server-cert "newcapsule.crt"\ --server-cert-req "newcapsule.csr"\ --server-key "newcapsule.key"\ --server-ca-cert "CA-crt.pem"\ --certs-update-server </snip> Created Redmine issue: http://projects.theforeman.org/issues/18310 Pull request here: https://github.com/Katello/katello-installer/pull/475 Moving this bug to POST for triage into Satellite 6 since the upstream issue http://projects.theforeman.org/issues/18310 has been resolved. Please add verifications steps for this bug to help QE verify Steps to Reproduce: 1. Run katello-certs-check against cert set 2. Use command provided to generate certs for a non-existent capsule Build : Satellite 6.2.9 snap 2 Version: katello-installer-base-3.0.0.79-1.el7sat.noarch katello-certs-check -c sjagtap.abc.com.crt -k sjagtap.abc.com.key -r sjagtap.abc.com.crt.req -b cacert.crt Validating the certificate subject= /C=US/ST=State or Providence/O=My Company/CN=sjagtap.abc.com Check private key matches the certificate: [OK] Check ca bundle verifies the cert file: [OK] Validation succeeded. To install the Satellite main server with the custom certificates, run: satellite-installer --scenario satellite\ --certs-server-cert "sjagtap.abc.com.crt"\ --certs-server-cert-req "sjagtap.abc.com.crt.req"\ --certs-server-key "sjagtap.abc.com.key"\ --certs-server-ca-cert "cacert.crt" To update the certificates on a currently running Satellite installation, run: satellite-installer --scenario satellite\ --certs-server-cert "sjagtap.abc.com.crt"\ --certs-server-cert-req "sjagtap.abc.com.crt.req"\ --certs-server-key "sjagtap.abc.com.key"\ --certs-server-ca-cert "cacert.crt"\ --certs-update-server --certs-update-server-ca To use them inside a NEW $CAPSULE, run this command: capsule-certs-generate --capsule-fqdn ""\ --certs-tar "~/-certs.tar"\ --server-cert "sjagtap.abc.com.crt"\ --server-cert-req "sjagtap.abc.com.crt.req"\ --server-key "sjagtap.abc.com.key"\ --server-ca-cert "cacert.crt"\ To use them inside an EXISTING $CAPSULE, run this command INSTEAD: capsule-certs-generate --capsule--fqdn ""\ --certs-tar "~/-certs.tar"\ --server-cert "/root/sjagtap.abc.com/sjagtap.abc.com.crt"\ --server-cert-req "/root/sjagtap.abc.com/sjagtap.abc.com.crt.req"\ --server-key "/root/sjagtap.abc.com/sjagtap.abc.com.key"\ --server-ca-cert "/root/sjagtap.abc.com/cacert.crt"\ I see the added option for satellite-installer -certs-update-server for updating the certs , but the option is still missing for EXISTING $CAPSULE as per comment #1 Build: Satellite 6.2.9 snap 3 katello-certs-check -c sjagtap.abc.com.crt -k sjagtap.abc.com.key -r sjagtap.abc.com.crt.req -b cacert.crt Validating the certificate subject= /C=US/ST=State or Providence/O=My Company/CN=sjagtap.abc.com Check private key matches the certificate: [OK] Check ca bundle verifies the cert file: [OK] Validation succeeded. To install the Satellite main server with the custom certificates, run: satellite-installer --scenario satellite\ --certs-server-cert "sjagtap.abc.com.crt"\ --certs-server-cert-req "sjagtap.abc.com.crt.req"\ --certs-server-key "sjagtap.abc.com.key"\ --certs-server-ca-cert "cacert.crt" To update the certificates on a currently running Satellite installation, run: satellite-installer --scenario satellite\ --certs-server-cert "sjagtap.abc.com.crt"\ --certs-server-cert-req "sjagtap.abc.com.crt.req"\ --certs-server-key "sjagtap.abc.com.key"\ --certs-server-ca-cert "cacert.crt"\ --certs-update-server --certs-update-server-ca To use them inside a NEW $CAPSULE, run this command: capsule-certs-generate --capsule-fqdn ""\ --certs-tar "~/-certs.tar"\ --server-cert "sjagtap.abc.com.crt"\ --server-cert-req "sjagtap.abc.com.crt.req"\ --server-key "sjagtap.abc.com.key"\ --server-ca-cert "cacert.crt"\ To use them inside an EXISTING $CAPSULE, run this command INSTEAD: capsule-certs-generate --capsule--fqdn ""\ --certs-tar "~/-certs.tar"\ --server-cert "/root/sjagtap.abc.com/sjagtap.abc.com.crt"\ --server-cert-req "/root/sjagtap.abc.com/sjagtap.abc.com.crt.req"\ --server-key "/root/sjagtap.abc.com/sjagtap.abc.com.key"\ --server-ca-cert "/root/sjagtap.abc.com/cacert.crt"\ --certs-update-server Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory, and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report. https://access.redhat.com/errata/RHBA-2017:1191 Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory, and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report. https://access.redhat.com/errata/RHBA-2017:1191 |