Bug 1420975

Summary: The capsule-certs-generate command example mentions the Satellite Server's input files, not those of the Capsule Server
Product: Red Hat Satellite
Reporter: Russell Dickenson <rdickens>
Component: Docs Install Guide
Assignee: Russell Dickenson <rdickens>
Status: CLOSED CURRENTRELEASE
QA Contact: Charles Wood <chwood>
Severity: unspecified
Priority: unspecified
Version: 6.2.7
CC: adahms, chrobert, dmoessne
Target Milestone: Unspecified
Target Release: Unused
Hardware: Unspecified
OS: Unspecified
Last Closed: 2017-02-21 23:13:53 UTC
Type: Bug
Bug Depends On: 1417399

Description Russell Dickenson 2017-02-10 03:25:49 UTC
Document URL: https://access.redhat.com/documentation/en/red-hat-satellite/6.2/single/installation-guide#create_the_capsule_certificates_archive_file

Section Number and Name: 4.7.5.2. Create the Capsule Server’s Certificates Archive File

Describe the issue: The capsule-certs-generate command example mentions the Satellite Server's input files, not those of the Capsule Server.

Suggestions for improvement:

1. All instances of "satellite_" must be replaced with "capsule_".
2. The values for all parameters except "--server-ca-cert" should use "caps_cert", not "sat_cert", since this operation is for the Capsule Server.

Comment 2 Russell Dickenson 2017-02-10 04:12:09 UTC
NOTE: Before making the changes proposed in the BZ ticket's description, this must be verified by an SME. It is the "katello-certs-check" command which puts "satellite_" in each parameter. If this is incorrect, then the command's output must be corrected as well as the documentation linked in this BZ ticket.

Comment 3 Russell Dickenson 2017-02-10 04:39:14 UTC
Chris/Daniel,

I need a sanity check on this BZ ticket. Below is example output of the katello-certs-check command, as per the Installation Guide, section "3.4.6.2. Validate the Satellite Server’s SSL Certificate" [1].

The part that I simply don't understand is after "To use them inside a $CAPSULE, run this command INSTEAD:". From what I can tell, this takes the Satellite Server's certificate and creates the TAR file. When this is then copied to the Capsule Server, and used as input in the "satellite-installer" command, this deploys the Satellite Server's certificate, instead of the Capsule Server's certificate.

Is this correct, or do I misunderstand? I came to the above conclusion because, after walking through the workflow detailed in the Installation Guide, I did not find any mention of the Capsule Server's custom certificate being used.


--------------------
Validating the certificate subject= /C=AU/ST=Queensland/L=Brisbane/O=Example/OU=Sales/CN=satellite.example.com/emailAddress=example
Check private key matches the certificate: [OK]
Check ca bundle verifies the cert file: [OK]

Validation succeeded.

To install the Satellite main server with the custom certificates, run:

    satellite-installer --scenario satellite\
                        --certs-server-cert "/root/sat_cert/satellite_cert.pem"\
                        --certs-server-cert-req "/root/sat_cert/satellite_cert_csr.pem"\
                        --certs-server-key "/root/sat_cert/satellite_cert_key.pem"\
                        --certs-server-ca-cert "/root/sat_cert/ca_cert_bundle.pem"

To update the certificates on a currently running Satellite installation, run:

    satellite-installer --scenario satellite\
                        --certs-server-cert "/root/sat_cert/satellite_cert.pem"\
                        --certs-server-cert-req "/root/sat_cert/satellite_cert_csr.pem"\
                        --certs-server-key "/root/sat_cert/satellite_cert_key.pem"\
                        --certs-server-ca-cert "/root/sat_cert/ca_cert_bundle.pem"\
                        --certs-update-server --certs-update-server-ca

To use them inside a $CAPSULE, run this command INSTEAD:

    capsule-certs-generate --capsule-fqdn ""\
                           --certs-tar  "/root/certs.tar"\
                           --server-cert "/root/sat_cert/satellite_cert.pem"\
                           --server-cert-req "/root/sat_cert/satellite_cert_csr.pem"\
                           --server-key "/root/sat_cert/satellite_cert_key.pem"\
                           --server-ca-cert "/root/sat_cert/ca_cert_bundle.pem"\
                           --certs-update-server
--------------------



[1] https://access.redhat.com/documentation/en/red-hat-satellite/6.2/single/installation-guide#configuring_satellite_server_with_custom_server_certificate

Comment 4 Chris Roberts 2017-02-13 19:13:39 UTC
Hi Russell,

This is correct; it would do that if the customer ran that. As of right now there is no option to tell that the cert is used by Satellite or Capsule, so the check gives out all the options. There is currently an open BZ for this here:

https://bugzilla.redhat.com/show_bug.cgi?id=1265533

- Chris
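
Added example, not part of the bug report or the Satellite documentation: a pre-flight check for the situation described in comments 3 and 4, refusing to pass a certificate as --server-cert unless it is valid for the Capsule Server's FQDN. The FQDN capsule.example.com, the function names and the self-signed sample certificates are assumptions constructed for the demonstration.

```bash
#!/bin/sh
# Added example (not from the bug report): pre-flight check to run before
# capsule-certs-generate when custom certificates are used.

# cert_matches_host CERT_PEM FQDN
# Succeeds only if the certificate is valid for FQDN (subjectAltName, or the
# CN when no SAN is present). "openssl x509 -checkhost" reports its verdict
# as text, so the text is what gets tested.
cert_matches_host() {
    openssl x509 -in "$1" -noout -checkhost "$2" 2>/dev/null |
        grep -q "does match certificate"
}

# capsule_cert_preflight CERT_PEM CAPSULE_FQDN
# Prints the subject and a verdict. Returns 0 when the certificate may be
# packaged for this Capsule, 1 on a host mismatch, 2 if it cannot be read.
capsule_cert_preflight() {
    subject=$(openssl x509 -in "$1" -noout -subject 2>/dev/null) || {
        echo "REFUSE: cannot read certificate $1"; return 2; }
    echo "$subject"
    if cert_matches_host "$1" "$2"; then
        echo "OK: certificate is valid for $2"
    else
        echo "REFUSE: certificate is not valid for $2; do not package it"
        return 1
    fi
}

# make_sample_cert DIR NAME CN: constructed self-signed cert, demo use only.
make_sample_cert() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=$3" \
        -keyout "$1/$2_key.pem" -out "$1/$2.pem" >/dev/null 2>&1
}

demo() {
    dir=$(mktemp -d) || return 1
    make_sample_cert "$dir" satellite_cert satellite.example.com
    make_sample_cert "$dir" capsule_cert capsule.example.com  # assumed FQDN
    # The Satellite Server's certificate offered for the Capsule: refused.
    capsule_cert_preflight "$dir/satellite_cert.pem" capsule.example.com || :
    # The Capsule Server's own certificate: accepted.
    capsule_cert_preflight "$dir/capsule_cert.pem" capsule.example.com || :
    rm -rf "$dir"
}
demo
```

On a real system the first argument would be the file intended for --server-cert and the second the value intended for --capsule-fqdn.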

Comment 10 Andrew Dahms 2017-02-21 23:13:53 UTC
This content is live on the Customer Portal.

Closing.