Bug 2182028

Summary:	Foreman-maintain health check should be run before configuring Custom SSL certs.
Product:	Red Hat Satellite	Reporter:	Vedashree Deshpande <vdeshpan>
Component:	Foreman Maintain	Assignee:	Vedashree Deshpande <vdeshpan>
Status:	NEW ---	QA Contact:	Satellite QE Team <sat-qe-bz-list>
Severity:	high	Docs Contact:
Priority:	unspecified
Version:	6.10.0	CC:	ehelms, ekohlvan, mjivraja
Target Milestone:	Unspecified	Keywords:	Documentation, Triaged
Target Release:	Unused	Flags:	ehelms: needinfo? (ekohlvan)
Hardware:	x86_64
OS:	Linux
Whiteboard:
Fixed In Version:		Doc Type:	If docs needed, set a value
Doc Text:		Story Points:	---
Clone Of:		Environment:
Last Closed:		Type:	Bug
Regression:	---	Mount Type:	---
Documentation:	---	CRM:
Verified Versions:		Category:	---
oVirt Team:	---	RHEL 7.3 requirements from Atomic Host:
Cloudforms Team:	---	Target Upstream Version:
Embargoed:

Description Vedashree Deshpande 2023-03-27 10:43:05 UTC

Document URL: 
https://access.redhat.com/documentation/en-us/red_hat_satellite/6.10/html/installing_satellite_server_from_a_connected_network/performing-additional-configuration#configuring-satellite-custom-server-certificate_satellite

same for 6.11 and 6.12

Section Number and Name: 
In section 4.12

Describe the issue: 
Overall health check should be run to ensure hostname and other services etc are all in place before replacing the custom SSL certificates. 

Suggestions for improvement: 
Add a note to run #foreman-maintain health check before renewal of custom SSL certs. 

for 6.11 and 6.12 respectively. 

Additional information: 
If the hostname is not changed and is not uniform across all config files, installer fails and the only option is to rebuild from Scratch.

Comment 2 Ewoud Kohl van Wijngaarden 2023-03-30 15:19:12 UTC

(In reply to Vedashree Deshpande from comment #0)
> Overall health check should be run to ensure hostname and other services etc
> are all in place before replacing the custom SSL certificates. 

This is not something we'll do, because the health check may fail due to expired certificates. The procedure to replace custom SSL certificates is then supposed to resolve that situation.

Since foreman-installer 2.3.0 (IIRC that was Satellite 6.9) we do verify the certificates, regardless of which options were passed so they should always be checked.
 
> Additional information: 
> If the hostname is not changed and is not uniform across all config files,
> installer fails and the only option is to rebuild from Scratch.

I don't understand this. Why is this? It should never be needed to rebuild from scratch because of incorrect configs: the installer is supposed to always write out the desired config, regardless of the current system state.

I was going to close this as WONTFIX, but I'd first like to understand what made you think a rebuild from Scratch would be needed.