Bug 1233431 - [RFE] CSR should not be mandatory when installing Satellite Server or generating Capsule certificate bundle with custom ssl certificates
Summary: [RFE] CSR should not be mandatory when installing Satellite Server or generat...
Alias: None
Product: Red Hat Satellite 6
Classification: Red Hat
Component: Installer
Version: 6.0.4
Hardware: Unspecified
OS: Unspecified
medium vote
Target Milestone: Released
Assignee: Ewoud Kohl van Wijngaarden
QA Contact: Stephen Wadeley
: 1423504 (view as bug list)
Depends On:
Blocks: 1692875
TreeView+ depends on / blocked
Reported: 2015-06-18 22:33 UTC by Nathan Kinder
Modified: 2019-10-10 09:52 UTC (History)
12 users (show)

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Clone Of:
Last Closed: 2019-05-14 12:36:15 UTC

Attachments (Terms of Use)

System ID Priority Status Summary Last Updated
Red Hat Product Errata RHSA-2019:1222 None None None 2019-05-14 12:36:34 UTC
Foreman Issue Tracker 16911 None None None 2016-10-13 15:59:42 UTC
Red Hat Bugzilla 1616228 None CLOSED [Sat6.4] satellite-installer does not work for custom ssl certificates, fails with "illegal option -- r" for katello-ce... 2019-10-07 08:15:56 UTC
Red Hat Knowledge Base (Solution) 2050213 None None None 2016-04-26 14:55:51 UTC
Red Hat Knowledge Base (Solution) 3165561 None None None 2017-08-28 05:14:29 UTC

Internal Links: 1616228

Description Nathan Kinder 2015-06-18 22:33:36 UTC
I'm running through an install of Satellite 6.0.4 with IdM on RHEL 7.1 to set up external auth.  All of that is working fine, but I also want to use a certificate from IdM for the web UI by passing it in at install time. According to the documentation, I need to use the following options:

  --certs-server-cert ~/path/to/server.crt\
  --certs-server-cert-req ~/path/to/server.crt.req\
  --certs-server-key ~/path/to/server.crt.key\
  --certs-server-ca-cert ~/path/to/cacert.crt

The certificate request should not be needed, as a certificate has already been issued.  If we already have an issued certificate, we should just need the key and server certificate along with the CA certificate for trust purposes.  If I use 'ipa-getcert' to request and retrieve a certificate from IdM, I only get back the key and cert:

  ipa-getcert request -w -k ./satellite.key -f ./satellite.crt

There is no provision to output the raw CSR from any of the certmonger related commands.  I can dig it out of certmonger's request tracking file in /var/lib/certmonger/requests, but that's not very friendly.

I have been able to pass a zero-byte file as the --certs-server-cert-req option as a workaround, and https is set up properly using the passed in cert/key.  I think the request option should be deprecated, or at least made optional if there is really some purpose to giving the request to Satellite.

Comment 1 RHEL Product and Program Management 2015-06-18 22:33:39 UTC
Since this issue was entered in Red Hat Bugzilla, the release flag has been
set to ? to ensure that it is properly evaluated for this release.

Comment 4 Bryan Kearney 2016-07-26 15:25:24 UTC
Moving 6.2 bugs out to sat-backlog.

Comment 5 Bryan Kearney 2016-07-26 15:44:11 UTC
Moving 6.2 bugs out to sat-backlog.

Comment 7 Stephen Benjamin 2016-10-13 15:58:10 UTC
I believe we need the CSR, as we also sign the certificate with the internal Satellite CA.

Comment 8 Stephen Benjamin 2016-10-13 15:59:40 UTC
Created redmine issue http://projects.theforeman.org/issues/16911 from this bug

Comment 10 Tomer Brisker 2017-08-28 07:16:44 UTC
*** Bug 1423504 has been marked as a duplicate of this bug. ***

Comment 12 pm-sat@redhat.com 2017-10-30 14:20:30 UTC
Upstream bug assigned to ekohlvan@redhat.com

Comment 13 pm-sat@redhat.com 2017-10-30 14:20:35 UTC
Upstream bug assigned to ekohlvan@redhat.com

Comment 14 pm-sat@redhat.com 2018-05-31 02:18:35 UTC
Moving this bug to POST for triage into Satellite 6 since the upstream issue http://projects.theforeman.org/issues/16911 has been resolved.

Comment 22 errata-xmlrpc 2019-05-14 12:36:15 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.


Note You need to log in before you can comment on or make changes to this bug.