Bug 1479428

Summary: [RFE] Capsule need to trust all 'default CAs' in a Satellite cluster
Product: Red Hat Satellite
Reporter: Sean O'Keeffe <sokeeffe>
Component: Certificates
Assignee: Sean O'Keeffe <sokeeffe>
Status: CLOSED WONTFIX
QA Contact: Stephen Wadeley <swadeley>
Severity: medium
Priority: medium
Version: 6.2.9
CC: bkearney, jcallaha, swadeley
Target Milestone: Unspecified
Keywords: FutureFeature
Target Release: Unused
Hardware: Unspecified
OS: Unspecified
Doc Type: Enhancement
Last Closed: 2019-11-22 17:58:10 UTC
Type: Bug
Bug Blocks: 1196002

Description Sean O'Keeffe 2017-08-08 14:32:21 UTC
Description of problem:
A Satellite cluster requires capsules trust the 'default ca' on every Satellite server. 


Version-Release number of selected component (if applicable):
6.2.9


How reproducible:
100%

Steps to Reproduce:
1. Build 2 Satellites, /var/lib/pgsql, /var/lib/mongodb, /var/lib/pulp on shared storage
  - Start services on node 1, Stop services on node 2
  - installer:
    - ensure various oauth_options are the same on both nodes
    - ensure db_password options are the same on both nodes
    - provide the same custom certs with multiple dns alt names
    - ensure /etc/foreman/encryption_key.rb is the same on both nodes
2. confirm fail over works
  a. stop services on node 1
  b. fail over storage
  c. start services on node 2
3. on the active node generate certs with custom certificates and register a capsule (all should be working)
4. fail over again and any communication with the proxy will fail from this node with SSL errors.

Actual results:
SSL errors

Expected results:
Proxy comms to work


Additional info:
I can supply better details to reproduce this if required.
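
The trust failure described in this report, reproduced in isolation as an added example (not part of the original report and not Satellite's own tooling): two throwaway CAs stand in for the 'default CA' of each Satellite node, and a trust bundle holding only node 1's CA rejects a certificate issued under node 2's CA, while a bundle holding both accepts it. All file names and the `make_ca`, `issue_cert` and `trusted` helpers are hypothetical; the combined bundle illustrates the requested behaviour, not a supported Satellite procedure.

```shell
#!/bin/sh
# Constructed demo: throwaway CAs stand in for the 'default CA' of
# Satellite node 1 and node 2. All names and paths are hypothetical.
set -eu
WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

make_ca() {  # $1 = node name; writes $WORK/$1-ca.key and $WORK/$1-ca.crt
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
        -subj "/CN=$1 default CA" \
        -keyout "$WORK/$1-ca.key" -out "$WORK/$1-ca.crt" 2>/dev/null
}

issue_cert() {  # $1 = node whose CA signs; writes $WORK/$1-leaf.crt
    openssl req -newkey rsa:2048 -nodes -subj "/CN=$1 client" \
        -keyout "$WORK/$1-leaf.key" -out "$WORK/$1-leaf.csr" 2>/dev/null
    openssl x509 -req -in "$WORK/$1-leaf.csr" -days 1 \
        -CA "$WORK/$1-ca.crt" -CAkey "$WORK/$1-ca.key" -CAcreateserial \
        -out "$WORK/$1-leaf.crt" 2>/dev/null
}

trusted() {  # $1 = trust bundle, $2 = node name; prints yes or no
    if openssl verify -CAfile "$1" "$WORK/$2-leaf.crt" >/dev/null 2>&1
    then echo yes; else echo no; fi
}

for n in node1 node2; do make_ca "$n"; issue_cert "$n"; done

# Capsule registered while node 1 was active: bundle holds node 1's CA only.
cp "$WORK/node1-ca.crt" "$WORK/capsule-single.pem"
# Requested behaviour: bundle holds the default CA of every node.
cat "$WORK/node1-ca.crt" "$WORK/node2-ca.crt" > "$WORK/capsule-all.pem"

for bundle in capsule-single capsule-all; do
    for n in node1 node2; do
        echo "$bundle trusts $n: $(trusted "$WORK/$bundle.pem" "$n")"
    done
done
```
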

Comment 2 Bryan Kearney 2019-11-05 20:41:34 UTC
Upstream bug assigned to sokeeffe

Comment 3 Bryan Kearney 2019-11-22 17:58:10 UTC
Thank you for your interest in Satellite 6. We have evaluated this request, and while we recognize that it is a valid request, we do not expect this to be implemented in the product in the foreseeable future. This is due to other priorities for the product, and not a reflection on the request itself. We are therefore closing this out as WONTFIX. If you have any concerns about this, please do not reopen. Instead, feel free to contact Red Hat Technical Support. Thank you.