Document URL: https://access.redhat.com/documentation/en-US/Red_Hat_Satellite/6.1/html/Installation_Guide/index.html

Section Number and Name: 4.5.2. Configuring Capsule Server with a Custom Server Certificate

Describe the issue: These instructions differentiate the installation of Capsule with custom certs into pre- and post-installer runs, but the second part (Configure Capsule with a Custom Server Certificate After Running the Installer) uses the wrong command to generate the Capsule certificate tarball from the Satellite server. It should read:

Configure Capsule with a Custom Server Certificate After Running the Installer

1) On Satellite Server, generate a new certificate based on your custom server certificate.

~~~
# capsule-certs-generate --capsule-fqdn "mycapsule.example.com"\
    --certs-tar "~/mycapsule.example.com-certs.tar"\
    --server-cert /path/to/server.crt\
    --server-cert-req /path/to/server-cert.req\
    --server-key /path/to/server.key\
    --server-ca-cert /path/to/server-ca.crt
~~~

The command provided in the docs is for actually installing the Capsule after the first installer run, rather than generating the certificate tarball from the Satellite server. Running this command on a Satellite installation would likely error out, but could potentially have disastrous results.

Suggestions for improvement: Replace the first step with the correct certificate generation command (capsule-certs-generate) rather than the capsule installation command (satellite-installer --scenario capsule)

***Additionally, please make it clearer/bolder/more noticeable in the documents that if a user is going to deploy a Satellite server with custom certificates, each Capsule server *must* have their own custom certificate signed by the same CA.***
Hi Russell,

When I look at attachment [2] in the linked comment, under "Configure Capsule with a Custom Server Certificate After Running Foreman Installer," it still looks as though the command issued for generating the certificate bundle from the Satellite server is:

~~~
# foreman-installer --scenario capsule\
    --certs-generate \
    [...SNIP...]
~~~

It should be:

~~~
# capsule-certs-generate --capsule-fqdn "mycapsule.example.com"\
    --certs-tar "~/mycapsule.example.com-certs.tar"\
    --server-cert /path/to/server.crt\
    --server-cert-req /path/to/server-cert.req\
    --server-key /path/to/server.key\
    --server-ca-cert /path/to/server-ca.crt
~~~

Once this bundle is copied to the Capsule, the command to install it and update all of the certificates (which you would want to do if the installer has already been run once) is:

~~~
# satellite-installer --scenario capsule\
    --certs-update-server\
    --capsule-parent-fqdn "satellite.example.com"\
    --foreman-proxy-register-in-foreman "true"\
    --foreman-proxy-foreman-base-url "https://satellite.example.com"\
    --foreman-proxy-trusted-hosts "satellite.example.com"\
    --foreman-proxy-trusted-hosts "capsule.example.com"\
    --foreman-proxy-oauth-consumer-key "gDv6mMrsfefp5QmimiAspfzfwsvCctBm"\
    --foreman-proxy-oauth-consumer-secret "Sh4d7K2v7Dk2VphMPTtZYRviFJ3tY5oY"\
    --capsule-pulp-oauth-secret "ABsqCFsFCoxdSHmHTvMq9sfaN5zZcR8n"\
    --capsule-certs-tar "~/capsule.example.com-certs.tar" \
~~~
Rick, I apologise for the long delay in replying. I'll look over the latest work in progress on custom certificates and check if what you've mentioned in comment 3 has been fixed.
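
A pre-flight check for the files passed to `capsule-certs-generate` in the thread above, as an added example that is not part of the bug report or the Red Hat documentation: it confirms that the key matches the certificate, that the certificate chains to the CA file, and that it covers the Capsule FQDN. The function name `check_capsule_cert` and its argument order are assumptions of this example, and it needs OpenSSL 1.1.0 or later for `-no-CApath`.

```shell
#!/usr/bin/env bash
# Added example; check_capsule_cert is a hypothetical helper, not a Satellite tool.
# Usage: check_capsule_cert <server.crt> <server.key> <server-ca.crt> <capsule-fqdn>
# Returns 0 when every check passes, 1 on the first failure.
check_capsule_cert() {
    local cert="$1" key="$2" ca="$3" fqdn="$4" f cert_pub key_pub

    for f in "$cert" "$key" "$ca"; do
        [ -r "$f" ] || { echo "FAIL: cannot read $f" >&2; return 1; }
    done

    # 1. The certificate must carry the public half of the private key.
    #    "-passin pass:" keeps openssl from prompting if the key is encrypted.
    cert_pub=$(openssl x509 -in "$cert" -noout -pubkey 2>/dev/null) || cert_pub=""
    key_pub=$(openssl pkey -in "$key" -passin pass: -pubout 2>/dev/null) || key_pub=""
    if [ -z "$cert_pub" ] || [ "$cert_pub" != "$key_pub" ]; then
        echo "FAIL: $cert does not match $key" >&2
        return 1
    fi

    # 2. The certificate must chain to the CA file that will be given as
    #    --server-ca-cert. -no-CApath keeps the system trust directory out
    #    of the decision, so a publicly trusted certificate cannot pass
    #    against the wrong CA file.
    if ! openssl verify -no-CApath -CAfile "$ca" "$cert" >/dev/null 2>&1; then
        echo "FAIL: $cert is not signed by a CA in $ca" >&2
        return 1
    fi

    # 3. The certificate must be valid for the name given as --capsule-fqdn.
    #    -checkhost always exits 0, so the verdict is read from its output.
    if ! openssl x509 -in "$cert" -noout -checkhost "$fqdn" 2>/dev/null \
            | grep -q "does match certificate"; then
        echo "FAIL: $cert is not valid for host $fqdn" >&2
        return 1
    fi

    echo "OK: $cert matches $key, chains to $ca, and covers $fqdn"
}
```

Run it once per Capsule on the Satellite server with that Capsule's own certificate and key and the shared CA file, before generating the tarball.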