Bug 1625615

Summary: Unable to Install Satellite with custom certificate
Product: Red Hat Satellite Reporter: Sanket Jagtap <sjagtap>
Component: CertificatesAssignee: Chris Roberts <chrobert>
Status: CLOSED WORKSFORME QA Contact: Katello QA List <katello-qa-list>
Severity: unspecified Docs Contact:
Priority: unspecified    
Version: 6.4CC: chrobert, nkathole
Target Milestone: UnspecifiedKeywords: Regression
Target Release: Unused   
Hardware: Unspecified   
OS: Unspecified   
Whiteboard:
Fixed In Version: Doc Type: If docs needed, set a value
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2018-09-07 17:05:57 UTC Type: Bug
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On:    
Bug Blocks: 1616228    

Description Sanket Jagtap 2018-09-05 11:18:49 UTC 
Description of problem:
Trying to install Satellite with Custom Certs

Version-Release number of selected component (if applicable):
Build:Satellite 6.4.0 snap 20

How reproducible:
Always

Steps to Reproduce:
1. Have custom Certs created 
2. Run the Installer passing these certs
3.


Actual results:
 /Stage[main]/Foreman_proxy::Register/Foreman_smartproxy[qe-sat6-client-arch.domain]: Could not evaluate: Exception SSL_connect returned=1 errno=0 state=error: certificate verify failed in get request to: https://qe-sat6-client-arch.domain/api/v2/smart_proxies?search=name=%22qe-sat6-client-arch.domain%22

Expected results:
Installer should install satellite with custom certs

Additional info:
PFA, foreman-debug
Katello certs check passed for the certs:
katello-certs-check -c sat.server.crt -k sat.server.key -b ca.crt 
Checking server certificate's encoding: [OK]
Checking expiration of certificate: [OK]
Checking expiration of CA bundle: [OK]
Checking if server cert has CA:TRUE flag[OK]
Validating the certificate subject= /C=US/ST=California/L=San Francisco/O=Bogus Inc./OU=Operations/CN=qe-sat6-client-arch.usersys.redhat.com
Checking to see if the private key matches the certificate: [OK]
Checking ca bundle against the cert file: [OK]
Checking Subject Alt Name on certificate[OK]
Checking Key Usage extension on certificate for Key Encipherment[OK]

Validation succeeded.

To install the Katello main server with the custom certificates, run:

    foreman-installer --scenario katello\
                      --certs-server-cert "/root/sat.server.crt"\
                      --certs-server-key "/root/sat.server.key"\
                      --certs-server-ca-cert "/root/ca.crt"

To update the certificates on a currently running Katello installation, run:

    foreman-installer --scenario katello\
                      --certs-server-cert "/root/sat.server.crt"\
                      --certs-server-key "/root/sat.server.key"\
                      --certs-server-ca-cert "/root/ca.crt"\
                      --certs-update-server --certs-update-server-ca
Comment 3 Chris Roberts 2018-09-07 17:05:57 UTC 
Tested with a clean install of snap 21 and not seeing the issue:

http://rx-paste.usersys.redhat.com/view/2607b648

Closing as WORKSFORME