Red Hat Bugzilla – Bug 1169289
[RFE] validate custom certificates before Satellite 6 installation
Last modified: 2016-07-29 10:17:00 EDT
Description of problem: There are a couple of qualities of the provided custom certs that need to be met before the installation can be successful:
- format of the certificate files
- the keys working with certs
- the ca bundle containing all the ca certs up to the root ca
- the server cert matching the host fqdn
We should validate these qualities before starting with the installation itself, as it would eliminate the issues people run into caused by some of these prerequisites.
Can this be a tool we deliver with satellite that can be run and we document the use of the tool?
Created redmine issue http://projects.theforeman.org/issues/8609 from this bug
Proposed solution at https://bugzilla.redhat.com/show_bug.cgi?id=1169289, the script https://github.com/iNecas/katello-installer/blob/issue/8609/bin/katello-certs-check can be used separately for on-site certs investigation
https://github.com/Katello/katello-installer/pull/146
Ivan can you please provide more information about the steps required to verify this bug? I'm looking for steps to produce a success and a failure output from katello-certs-check script. This in order to make sure that it is working fine. Thank you
Created attachment 1012176 [details] A set of test certificates for testing
To test the functionality one should follow the documented steps for setting up custom certs https://access.redhat.com/documentation/en-US/Red_Hat_Satellite/6.0/html/Installation_Guide/sect-Red_Hat_Satellite-Installation_Guide-Configuring_RednbspHat_Satellite_with_a_Custom_Server_Certificate.html I've attached a set of certs one can check. In the failed case, the installation should fail pretty soon, before proceeding to the installation itself (even the progressbar should not be shown). For the success case, it should proceed to the installation (you might get errors later as the fqdn in the certs is not matching the hostname, but that's outside of the scope of this change). To explain how the example certificates were prepared: the invalid.example.com is a valid set of certificates but was issued by a different ca, so the ca cert doesn't match it. This matrix checks that an invalid ca or key is caught.

| ca-cert | cert | key | req | result |
| cacert.crt | katello.example.com.crt | katello.example.com.key | katello.example.com.crt.req | OK |
| cacert.crt | invalid.example.com.crt | katello.example.com.key | katello.example.com.crt.req | FAIL |
| cacert.crt | katello.example.com.crt | invalid.example.com.key | katello.example.com.crt.req | FAIL |
| cacert.crt | invalid.example.com.crt | invalid.example.com.key | katello.example.com.crt.req | FAIL |
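The four prerequisites from the bug description, checked with plain openssl and run over a constructed CA/cert/key set that mirrors the attached matrix. This is an added example, not the katello-certs-check script or the attached certificates; it assumes openssl 1.1 or newer (for -checkhost) and the hypothetical names cacert/othercacert for the two issuing CAs.

```shell
# Added example, not the katello-certs-check script from the bug.
# certs_check CA_BUNDLE CERT KEY FQDN -> returns 0 if all four checks pass,
# otherwise 1 with FAIL_REASON naming the first prerequisite that was not met.
certs_check() {
  local ca="$1" crt="$2" key="$3" fqdn="$4" pub_crt pub_key
  FAIL_REASON=""
  # 1. the cert and key files parse as PEM
  openssl x509 -in "$crt" -noout 2>/dev/null || { FAIL_REASON="cert format"; return 1; }
  openssl pkey -in "$key" -noout 2>/dev/null || { FAIL_REASON="key format"; return 1; }
  # 2. the key belongs to the cert: compare the public key each of them carries
  pub_crt=$(openssl x509 -in "$crt" -noout -pubkey | openssl sha256)
  pub_key=$(openssl pkey -in "$key" -pubout 2>/dev/null | openssl sha256)
  [ "$pub_crt" = "$pub_key" ] || { FAIL_REASON="key does not match cert"; return 1; }
  # 3. the cert chains to the supplied CA bundle (which must include the root)
  openssl verify -CAfile "$ca" "$crt" >/dev/null 2>&1 || { FAIL_REASON="cert not issued by ca bundle"; return 1; }
  # 4. the cert's SAN (or CN when there is no SAN) matches the host fqdn
  openssl x509 -in "$crt" -noout -checkhost "$fqdn" | grep -q "does match" \
    || { FAIL_REASON="cert does not match fqdn $fqdn"; return 1; }
}

# Constructed fixtures (hypothetical names): katello.example.com is signed by
# cacert; invalid.example.com is a valid pair signed by an unrelated CA.
issue() {  # issue DIR HOST SIGNING_CA
  openssl req -newkey rsa:2048 -nodes -subj "/CN=$2" \
    -keyout "$1/$2.key" -out "$1/$2.crt.req" 2>/dev/null
  openssl x509 -req -in "$1/$2.crt.req" -CA "$1/$3.crt" -CAkey "$1/$3.key" \
    -CAcreateserial -days 2 -out "$1/$2.crt" 2>/dev/null
}
make_fixtures() {
  local d="$1"; mkdir -p "$d"
  for ca in cacert othercacert; do
    openssl req -x509 -newkey rsa:2048 -nodes -days 2 -subj "/CN=$ca" \
      -keyout "$d/$ca.key" -out "$d/$ca.crt" 2>/dev/null
  done
  issue "$d" katello.example.com cacert
  issue "$d" invalid.example.com othercacert
}

# Walk the same cert/key matrix as the test comment above.
d=$(mktemp -d); make_fixtures "$d"
for row in "katello.example.com katello.example.com" "invalid.example.com katello.example.com" \
           "katello.example.com invalid.example.com" "invalid.example.com invalid.example.com"; do
  set -- $row
  if certs_check "$d/cacert.crt" "$d/$1.crt" "$d/$2.key" katello.example.com; then
    echo "cert=$1 key=$2: OK"
  else
    echo "cert=$1 key=$2: FAIL ($FAIL_REASON)"
  fi
done
```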
FAILEDQA:

# rpm -qa | grep foreman
foreman-compute-1.7.2.26-1.el6_6sat.noarch
ruby193-rubygem-foreman-redhat_access-0.1.0-1.el6_6sat.noarch
rubygem-hammer_cli_foreman-0.1.4.13-1.el6_6sat.noarch
foreman-vmware-1.7.2.26-1.el6_6sat.noarch
ruby193-rubygem-foreman_bootdisk-4.0.2.13-1.el6_6sat.noarch
ruby193-rubygem-foreman_gutterball-0.0.1.9-1.el6_6sat.noarch
foreman-postgresql-1.7.2.26-1.el6_6sat.noarch
foreman-libvirt-1.7.2.26-1.el6_6sat.noarch
ruby193-rubygem-foreman-tasks-0.6.12.7-1.el6_6sat.noarch
rubygem-hammer_cli_foreman_bootdisk-0.1.2.7-1.el6_6sat.noarch
rubygem-hammer_cli_foreman_docker-0.0.3.6-1.el6_6sat.noarch
foreman-selinux-1.7.2.13-1.el6_6sat.noarch
foreman-debug-1.7.2.26-1.el6_6sat.noarch
foreman-ovirt-1.7.2.26-1.el6_6sat.noarch
foreman-gce-1.7.2.26-1.el6_6sat.noarch
ruby193-rubygem-foreman_discovery-2.0.0.15-1.el6_6sat.noarch
foreman-proxy-1.7.2.5-1.el6_6sat.noarch
rubygem-hammer_cli_foreman_tasks-0.0.3.4-1.el6_6sat.noarch
intel-s3e3432-01.rhts.eng.bos.redhat.com-foreman-proxy-client-1.0-1.noarch
intel-s3e3432-01.rhts.eng.bos.redhat.com-foreman-proxy-1.0-2.noarch
ruby193-rubygem-foreman_docker-1.2.0.14-1.el6_6sat.noarch
intel-s3e3432-01.rhts.eng.bos.redhat.com-foreman-client-1.0-1.noarch
foreman-1.7.2.26-1.el6_6sat.noarch
ruby193-rubygem-foreman_hooks-0.3.7-2.el6_6sat.noarch
rubygem-hammer_cli_foreman_discovery-0.0.1.10-1.el6_6sat.noarch

steps

# katello-installer --certs-server-cert /root/ownca/intel-s3e3432-01.rhts.eng.bos.redhat.com/intel-s3e3432-01.rhts.eng.bos.redhat.com.crt --certs-server-cert-req /root/ownca/intel-s3e3432-01.rhts.eng.bos.redhat.com/intel-s3e3432-01.rhts.eng.bos.redhat.com.crt.req --certs-server-key /root/ownca/intel-s3e3432-01.rhts.eng.bos.redhat.com/intel-s3e3432-01.rhts.eng.bos.redhat.com.key --certs-server-ca-cert /root/ownca/cacert.crt --certs-update-server --certs-update-server-ca
Marking certificate /root/ssl-build/intel-s3e3432-01.rhts.eng.bos.redhat.com/intel-s3e3432-01.rhts.eng.bos.redhat.com-apache for update
Marking certificate /root/ssl-build/intel-s3e3432-01.rhts.eng.bos.redhat.com/intel-s3e3432-01.rhts.eng.bos.redhat.com-foreman-proxy for update
Marking certificate /root/ssl-build/katello-server-ca for update
/Stage[main]/Apache::Service/Service[httpd]: Failed to call refresh: Could not start Service[httpd]: Execution of '/sbin/service httpd start' returned 1: Starting httpd: [FAILED]
/Stage[main]/Apache::Service/Service[httpd]: Could not start Service[httpd]: Execution of '/sbin/service httpd start' returned 1: Starting httpd: [FAILED]
/Stage[main]/Foreman_proxy::Register/Foreman_smartproxy[intel-s3e3432-01.rhts.eng.bos.redhat.com]: Could not evaluate: Connection refused - connect(2)
/Stage[main]/Foreman_proxy::Register/Foreman_smartproxy[intel-s3e3432-01.rhts.eng.bos.redhat.com]: Failed to call refresh: Connection refused - connect(2)
/Stage[main]/Foreman_proxy::Register/Foreman_smartproxy[intel-s3e3432-01.rhts.eng.bos.redhat.com]: Connection refused - connect(2)
Installing Done [100%] [..................................................................]
Something went wrong! Check the log for ERROR-level output
The full log is at /var/log/katello-installer/katello-installer.log
Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory, and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report. https://access.redhat.com/errata/RHSA-2015:1592
Accidentally closed with 6.1.1 errata
Upstream bug assigned to inecas@redhat.com
The upstream issue has been closed for a year, and the code was included as part of Satellite 6.2's installer.