Bug 2182028

Summary: Foreman-maintain health check should be run before configuring Custom SSL certs.
Product: Red Hat Satellite Reporter: Vedashree Deshpande <vdeshpan>
Component: Foreman MaintainAssignee: Vedashree Deshpande <vdeshpan>
Status: NEW --- QA Contact: Satellite QE Team <sat-qe-bz-list>
Severity: high Docs Contact:
Priority: unspecified    
Version: 6.10.0CC: ehelms, ekohlvan, mjivraja
Target Milestone: UnspecifiedKeywords: Documentation, Triaged
Target Release: UnusedFlags: ehelms: needinfo? (ekohlvan)
Hardware: x86_64   
OS: Linux   
Whiteboard:
Fixed In Version: Doc Type: If docs needed, set a value
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: Type: Bug
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:

Description Vedashree Deshpande 2023-03-27 10:43:05 UTC
Document URL: 
https://access.redhat.com/documentation/en-us/red_hat_satellite/6.10/html/installing_satellite_server_from_a_connected_network/performing-additional-configuration#configuring-satellite-custom-server-certificate_satellite

same for 6.11 and 6.12

Section Number and Name: 
In section 4.12

Describe the issue: 
Overall health check should be run to ensure hostname and other services etc are all in place before replacing the custom SSL certificates. 

Suggestions for improvement: 
Add a note to run #foreman-maintain health check before renewal of custom SSL certs. 

for 6.11 and 6.12 respectively. 

Additional information: 
If the hostname is not changed and is not uniform across all config files, installer fails and the only option is to rebuild from Scratch.

Comment 2 Ewoud Kohl van Wijngaarden 2023-03-30 15:19:12 UTC
(In reply to Vedashree Deshpande from comment #0)
> Overall health check should be run to ensure hostname and other services etc
> are all in place before replacing the custom SSL certificates. 

This is not something we'll do, because the health check may fail due to expired certificates. The procedure to replace custom SSL certificates is then supposed to resolve that situation.

Since foreman-installer 2.3.0 (IIRC that was Satellite 6.9) we do verify the certificates, regardless of which options were passed so they should always be checked.
 
> Additional information: 
> If the hostname is not changed and is not uniform across all config files,
> installer fails and the only option is to rebuild from Scratch.

I don't understand this. Why is this? It should never be needed to rebuild from scratch because of incorrect configs: the installer is supposed to always write out the desired config, regardless of the current system state.

I was going to close this as WONTFIX, but I'd first like to understand what made you think a rebuild from Scratch would be needed.