Bug 1233431 - [RFE] CSR should not be mandatory when installing Satellite Server or generating Capsule certificate bundle with custom ssl certificates
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Red Hat Satellite
Classification: Red Hat
Component: Installation
Version: 6.0.4
Hardware: Unspecified
OS: Unspecified
high
medium
Target Milestone: 6.5.0
Assignee: Ewoud Kohl van Wijngaarden
QA Contact: Stephen Wadeley
URL:
Whiteboard:
Duplicates: 1423504
Depends On:
Blocks: 1692875
Reported: 2015-06-18 22:33 UTC by Nathan Kinder
Modified: 2021-03-11 14:21 UTC

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2019-05-14 12:36:15 UTC
Target Upstream Version:
Embargoed:




Links
System ID Private Priority Status Summary Last Updated
Foreman Issue Tracker 16911 0 Normal Closed katello-installer certificate options should not require --certs-server-cert-req 2020-10-02 17:47:05 UTC
Red Hat Bugzilla 1616228 0 urgent CLOSED [Sat6.4] satellite-installer does not work for custom ssl certificates, fails with "illegal option -- r" for katello-ce... 2021-12-10 17:00:15 UTC
Red Hat Knowledge Base (Solution) 2050213 0 None None None 2016-04-26 14:55:51 UTC
Red Hat Knowledge Base (Solution) 3165561 0 None None None 2017-08-28 05:14:29 UTC
Red Hat Product Errata RHSA-2019:1222 0 None None None 2019-05-14 12:36:34 UTC

Internal Links: 1616228

Description Nathan Kinder 2015-06-18 22:33:36 UTC
I'm running through an install of Satellite 6.0.4 with IdM on RHEL 7.1 to set up external auth.  All of that is working fine, but I also want to use a certificate from IdM for the web UI by passing it in at install time. According to the documentation, I need to use the following options:

  --certs-server-cert ~/path/to/server.crt\
  --certs-server-cert-req ~/path/to/server.crt.req\
  --certs-server-key ~/path/to/server.crt.key\
  --certs-server-ca-cert ~/path/to/cacert.crt

The certificate request should not be needed, as a certificate has already been issued.  If we already have an issued certificate, we should just need the key and server certificate along with the CA certificate for trust purposes.  If I use 'ipa-getcert' to request and retrieve a certificate from IdM, I only get back the key and cert:

  ipa-getcert request -w -k ./satellite.key -f ./satellite.crt

There is no provision to output the raw CSR from any of the certmonger related commands.  I can dig it out of certmonger's request tracking file in /var/lib/certmonger/requests, but that's not very friendly.

I have been able to pass a zero-byte file as the --certs-server-cert-req option as a workaround, and https is set up properly using the passed in cert/key.  I think the request option should be deprecated, or at least made optional if there is really some purpose to giving the request to Satellite.
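
The description's point that an already-issued certificate can be validated from the key, the certificate and the CA certificate alone, as an added example that is not part of the original report or of the Satellite installer: `check_bundle` confirms that the key matches the certificate and that the certificate chains to the CA, with no CSR involved. The function names, file names and the throwaway CAs are constructed for illustration, and `openssl` is assumed to be installed.

```bash
#!/usr/bin/env bash
# Added example: validate a custom TLS bundle from key + cert + CA only (no CSR).

# check_bundle KEY CERT CA
# returns 0 = ok, 1 = unreadable input, 2 = key/cert mismatch, 3 = cert not issued by CA
check_bundle() {
  local key_pub cert_pub
  key_pub=$(openssl pkey -in "$1" -pubout 2>/dev/null) || return 1
  cert_pub=$(openssl x509 -in "$2" -noout -pubkey 2>/dev/null) || return 1
  # The certificate embeds a public key; it must equal the one derived from the private key.
  [ "$key_pub" = "$cert_pub" ] || return 2
  # Trust check: the certificate must chain to the supplied CA certificate.
  openssl verify -CAfile "$3" "$2" >/dev/null 2>&1 || return 3
  return 0
}

# make_fixture DIR: constructed test data (two throwaway CAs, server key/cert, unrelated key).
make_fixture() {
  local d=$1 ca
  printf '%s\n' '[req]' 'distinguished_name=dn' 'x509_extensions=v3_ca' 'prompt=no' \
    '[dn]' 'CN=unused' '[v3_ca]' 'basicConstraints=critical,CA:TRUE' > "$d/ca.cnf"
  for ca in ca other-ca; do
    openssl req -x509 -newkey rsa:2048 -nodes -config "$d/ca.cnf" -days 1 \
      -subj "/CN=Constructed $ca" -keyout "$d/$ca.key" -out "$d/$ca.crt" 2>/dev/null
  done
  openssl req -new -newkey rsa:2048 -nodes -config "$d/ca.cnf" \
    -subj "/CN=satellite.example.test" -keyout "$d/server.key" -out "$d/server.csr" 2>/dev/null
  openssl x509 -req -in "$d/server.csr" -CA "$d/ca.crt" -CAkey "$d/ca.key" \
    -set_serial 1 -days 1 -out "$d/server.crt" 2>/dev/null
  # The CSR was only needed to mint the test certificate; discard it before validating.
  rm -f "$d/server.csr"
  openssl genrsa -out "$d/other.key" 2048 2>/dev/null
}

demo() {
  local d rc args
  d=$(mktemp -d) && make_fixture "$d"
  for args in "server.key server.crt ca.crt" "other.key server.crt ca.crt" \
              "server.key server.crt other-ca.crt"; do
    set -- $args; rc=0
    check_bundle "$d/$1" "$d/$2" "$d/$3" || rc=$?
    echo "key=$1 cert=$2 ca=$3 -> rc=$rc"
  done
  rm -rf "$d"
}
demo
```
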

Comment 1 RHEL Program Management 2015-06-18 22:33:39 UTC
Since this issue was entered in Red Hat Bugzilla, the release flag has been
set to ? to ensure that it is properly evaluated for this release.

Comment 4 Bryan Kearney 2016-07-26 15:25:24 UTC
Moving 6.2 bugs out to sat-backlog.

Comment 5 Bryan Kearney 2016-07-26 15:44:11 UTC
Moving 6.2 bugs out to sat-backlog.

Comment 7 Stephen Benjamin 2016-10-13 15:58:10 UTC
I believe we need the CSR, as we also sign the certificate with the internal Satellite CA.

Comment 8 Stephen Benjamin 2016-10-13 15:59:40 UTC
Created redmine issue http://projects.theforeman.org/issues/16911 from this bug

Comment 10 Tomer Brisker 2017-08-28 07:16:44 UTC
*** Bug 1423504 has been marked as a duplicate of this bug. ***

Comment 12 Satellite Program 2017-10-30 14:20:30 UTC
Upstream bug assigned to ekohlvan

Comment 13 Satellite Program 2017-10-30 14:20:35 UTC
Upstream bug assigned to ekohlvan

Comment 14 Satellite Program 2018-05-31 02:18:35 UTC
Moving this bug to POST for triage into Satellite 6 since the upstream issue http://projects.theforeman.org/issues/16911 has been resolved.

Comment 22 errata-xmlrpc 2019-05-14 12:36:15 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHSA-2019:1222

