Bug 1770394
| Summary: | katello-certs-check output print foreman-installer/ katello/foreman-proxy-certs-generate on sat 6.7 | ||
|---|---|---|---|
| Product: | Red Hat Satellite | Reporter: | Nikhil Kathole <nkathole> |
| Component: | Installation | Assignee: | Chris Roberts <chrobert> |
| Status: | CLOSED ERRATA | QA Contact: | Devendra Singh <desingh> |
| Severity: | medium | Docs Contact: | |
| Priority: | unspecified | ||
| Version: | 6.7.0 | CC: | chrobert, pcreech |
| Target Milestone: | 6.7.0 | Keywords: | Regression, Triaged |
| Target Release: | Unused | ||
| Hardware: | Unspecified | ||
| OS: | Unspecified | ||
| Whiteboard: | |||
| Fixed In Version: | foreman-installer-1.24.1.4-1 | Doc Type: | If docs needed, set a value |
| Doc Text: | Story Points: | --- | |
| Clone Of: | Environment: | ||
| Last Closed: | 2020-04-14 13:26:24 UTC | Type: | Bug |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | Category: | --- | |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
| Embargoed: | |||
FailedQA
Version tested:
Satellite 6.7 snap 9
# rpm -qa | grep installer
foreman-installer-1.24.1.3-1.el7sat.noarch
foreman-installer-katello-1.24.1.3-1.el7sat.noarch
satellite-installer-6.7.0.6-1.beta.el7sat.noarch
Causes regression : Even if CN != hostname, command for satellite scenario is printed
[root@sgi-uv20-01 ~]# katello-certs-check -c /root/ownca/test.example.com/test.example.com.crt -k /root/ownca/test.example.com/test.example.com.key -b /root/ownca/cacert.crt
Checking server certificate encoding:
[OK]
Checking expiration of certificate:
[OK]
Checking expiration of CA bundle:
[OK]
Checking if server certificate has CA:TRUE flag
[OK]
Checking for private key passphrase:
[OK]
Checking to see if the private key matches the certificate:
[OK]
Checking CA bundle against the certificate file:
[OK]
Checking Subject Alt Name on certificate
[OK]
Checking Key Usage extension on certificate for Key Encipherment
[OK]
Validation succeeded
To install the Red Hat Satellite Server with the custom certificates, run:
satellite-installer --scenario satellite \
--certs-server-cert "/root/ownca/test.example.com/test.example.com.crt" \
--certs-server-key "/root/ownca/test.example.com/test.example.com.key" \
--certs-server-ca-cert "/root/ownca/cacert.crt"
To update the certificates on a currently running Red Hat Satellite installation, run:
satellite-installer --scenario satellite \
--certs-server-cert "/root/ownca/test.example.com/test.example.com.crt" \
--certs-server-key "/root/ownca/test.example.com/test.example.com.key" \
--certs-server-ca-cert "/root/ownca/cacert.crt" \
--certs-update-server --certs-update-server-ca
Version tested:
Satellite 6.7 snap 10
# rpm -qa | grep installer
foreman-installer-katello-1.24.1.5-1.el7sat.noarch
satellite-installer-6.7.0.6-1.beta.el7sat.noarch
foreman-installer-1.24.1.5-1.el7sat.noarch
When CN==hostname, Command of Satellite pinted
Checking server certificate encoding:
[OK]
Checking expiration of certificate:
[OK]
Checking expiration of CA bundle:
[OK]
Checking if server certificate has CA:TRUE flag
[OK]
Checking for private key passphrase:
[OK]
Checking to see if the private key matches the certificate:
[OK]
Checking CA bundle against the certificate file:
[OK]
Checking Subject Alt Name on certificate
[OK]
Checking Key Usage extension on certificate for Key Encipherment
[OK]
Validation succeeded
To install the Red Hat Satellite Server with the custom certificates, run:
satellite-installer --scenario satellite \
--certs-server-cert "/root/server.valid.crt" \
--certs-server-key "/root/server.key" \
--certs-server-ca-cert "/root/rootCA.pem"
To update the certificates on a currently running Red Hat Satellite installation, run:
satellite-installer --scenario satellite \
--certs-server-cert "/root/server.valid.crt" \
--certs-server-key "/root/server.key" \
--certs-server-ca-cert "/root/rootCA.pem" \
--certs-update-server --certs-update-server-ca
When CN!=hostname, Command of Capsule printed
Checking server certificate encoding:
[OK]
Checking expiration of certificate:
[OK]
Checking expiration of CA bundle:
[OK]
Checking if server certificate has CA:TRUE flag
[OK]
Checking for private key passphrase:
[OK]
Checking to see if the private key matches the certificate:
[OK]
Checking CA bundle against the certificate file:
[OK]
Checking Subject Alt Name on certificate
[OK]
Checking Key Usage extension on certificate for Key Encipherment
[OK]
Validation succeeded
To use them inside a NEW $CAPSULE, run this command:
capsule-certs-generate --foreman-proxy-fqdn "$CAPSULE" \
--certs-tar "~/$CAPSULE-certs.tar" \
--server-cert "/root/server.valid.crt" \
--server-key "/root/server.key" \
--server-ca-cert "/root/rootCA.pem" \
To use them inside an EXISTING $CAPSULE, run this command INSTEAD:
capsule-certs-generate --foreman-proxy-fqdn "$CAPSULE" \
--certs-tar "~/$CAPSULE-certs.tar" \
--server-cert "/root/server.valid.crt" \
--server-key "/root/server.key" \
--server-ca-cert "/root/rootCA.pem" \
--certs-update-server
Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory, and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report. https://access.redhat.com/errata/RHSA-2020:1454 |
Description of problem: To install the Katello main server with the custom certificates, run: foreman-installer --scenario katello \ --certs-server-cert "/root/server.valid.crt" \ --certs-server-key "/root/server.key" \ --certs-server-ca-cert "/root/rootCA.pem" To update the certificates on a currently running Katello installation, run: foreman-installer --scenario katello \ --certs-server-cert "/root/server.valid.crt" \ --certs-server-key "/root/server.key" \ --certs-server-ca-cert "/root/rootCA.pem" \ --certs-update-server --certs-update-server-ca To use them inside a NEW $FOREMAN_PROXY, rerun this command with -t foreman-proxy Version-Release number of selected component (if applicable): Satellite 6.7 snap 1 How reproducible: always Steps to Reproduce: 1. katello-certs-check -c server.valid.crt -k server.key -b rootCA.pem Actual results: Output has upstream names foreman-proxy-certs-generate/FOREMAN-PROXY/foreman-installer/katello. Expected results: Output should use capsule-certs-generate/CAPSULE/satellite-installer/satellite. Additional info: