Bug 1802302

Summary: Need to remove extra character printed by katello-certs-check
Product: Red Hat Satellite Reporter: Ganesh Payelkar <gpayelka>
Component: BrandingAssignee: Chris Roberts <chrobert>
Status: CLOSED ERRATA QA Contact: Radovan Drazny <rdrazny>
Severity: medium Docs Contact:
Priority: medium    
Version: 6.7.0CC: chrobert, inecas, sshtein
Target Milestone: 6.7.0Keywords: Triaged
Target Release: Unused   
Hardware: x86_64   
OS: Linux   
Whiteboard:
Fixed In Version: foreman-installer-1.24.1.10-1 Doc Type: If docs needed, set a value
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2020-04-14 13:28:43 UTC Type: Bug
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:

Description Ganesh Payelkar 2020-02-12 20:35:05 UTC 
Description of problem:

When we are using katello-certs-check to check our custom/External SSL certificates for installation and output of command which we need to pass with an installer, 

we have seen extra character at the end of capsule-certs-generate


Version-Release number of selected component (if applicable):
satellite-capsule-6.7.0-5.beta.el7sat.noarch
foreman-installer-katello-1.24.1.5-1.el7sat.noarch

How reproducible:
Installation of SSL certs

Steps to Reproduce:
1. Create CSR and Signed it from CA
2. Use katello-certs-check tool to check certificates and installer commands
3.

Actual results:

# katello-certs-check -c vm123.crt -k vm123_cert_key.pem -b CA-Chain.crt
Checking server certificate encoding:
[OK]
 
Checking expiration of certificate:
[OK]
 
Checking expiration of CA bundle:
[OK]
 
Checking if server certificate has CA:TRUE flag
[OK]
 
Checking for private key passphrase:
[OK]
 
Checking to see if the private key matches the certificate:
[OK]
 
Checking CA bundle against the certificate file:
[OK]
 
Checking Subject Alt Name on certificate
[OK]
 
Checking Key Usage extension on certificate for Key Encipherment
[OK]
 
Validation succeeded
 
 
  To use them inside a NEW $CAPSULE, run this command:
 
      capsule-certs-generate --foreman-proxy-fqdn "$CAPSULE" \
                                   --certs-tar  "~/$CAPSULE-certs.tar" \
                                   --server-cert "/root/certs/vm123.crt" \
                                   --server-key "/root/certs/vm123_cert_key.pem" \
                                   --server-ca-cert "/root/certs/CA-Chain.crt" \        <---- we should remove this "\"
 
  To use them inside an EXISTING $CAPSULE, run this command INSTEAD:
 
      capsule-certs-generate --foreman-proxy-fqdn "$CAPSULE" \
                                   --certs-tar  "~/$CAPSULE-certs.tar" \
                                   --server-cert "/root/certs/vm123.crt" \
                                   --server-key "/root/certs/vm123_cert_key.pem" \
                                   --server-ca-cert "/root/certs/CA-Chain.crt" \
                                   --certs-update-server


Expected results:

 capsule-certs-generate --foreman-proxy-fqdn "$CAPSULE" \
                                   --certs-tar  "~/$CAPSULE-certs.tar" \
                                   --server-cert "/root/certs/vm123.crt" \
                                   --server-key "/root/certs/vm123_cert_key.pem" \
                                   --server-ca-cert "/root/certs/CA-Chain.crt" 
Additional info:
Comment 4 Radovan Drazny 2020-03-11 15:53:05 UTC 
Tested with Sat 6.7 Snap 15 (foreman-installer-1.24.1.14-1.el7sat.noarch)

# katello-certs-check -c dhcp-2-41.vms.sat.rdu2.redhat.com.crt -k dhcp-2-41.vms.sat.rdu2.redhat.com.key -b cacert.asc 
Checking server certificate encoding: 
[OK]

Checking expiration of certificate: 
[OK]

Checking expiration of CA bundle: 
[OK]

Checking if server certificate has CA:TRUE flag 
[OK]

Checking for private key passphrase: 
[OK]

Checking to see if the private key matches the certificate: 
[OK]

Checking CA bundle against the certificate file: 
[OK]

Checking Subject Alt Name on certificate 
[OK]

Checking Key Usage extension on certificate for Key Encipherment 
[OK]

Validation succeeded


To install the Red Hat Satellite Server with the custom certificates, run:

    satellite-installer --scenario satellite \
                      --certs-server-cert "/root/customssl/dhcp-2-41.vms.sat.rdu2.redhat.com.crt" \
                      --certs-server-key "/root/customssl/dhcp-2-41.vms.sat.rdu2.redhat.com.key" \
                      --certs-server-ca-cert "/root/customssl/cacert.asc"

To update the certificates on a currently running Red Hat Satellite installation, run:

    satellite-installer --scenario satellite \
                      --certs-server-cert "/root/customssl/dhcp-2-41.vms.sat.rdu2.redhat.com.crt" \
                      --certs-server-key "/root/customssl/dhcp-2-41.vms.sat.rdu2.redhat.com.key" \
                      --certs-server-ca-cert "/root/customssl/cacert.asc" \
                      --certs-update-server --certs-update-server-ca

The trailing "\" is gone.
Comment 7 errata-xmlrpc 2020-04-14 13:28:43 UTC 
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHSA-2020:1454