Bug 1368260 - 4.5.2. Configuring Capsule Server with a Custom Server Certificate needs correction
Keywords:
Status: CLOSED CURRENTRELEASE
Alias: None
Product: Red Hat Satellite
Classification: Red Hat
Component: Docs Install Guide
Version: 6.2.0
Hardware: All
OS: Linux
Priority: unspecified
Severity: medium
Target Milestone: Unspecified
Assignee: Russell Dickenson
QA Contact: Brandi Munilla
URL:
Whiteboard:
Depends On:
Blocks:
 
Reported: 2016-08-18 21:02 UTC by Rick Dixon
Modified: 2019-12-16 06:24 UTC

Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
Environment:
Last Closed: 2016-11-04 04:54:03 UTC
Target Upstream Version:



Description Rick Dixon 2016-08-18 21:02:34 UTC
Document URL:  

https://access.redhat.com/documentation/en-US/Red_Hat_Satellite/6.1/html/Installation_Guide/index.html


Section Number and Name: 

4.5.2. Configuring Capsule Server with a Custom Server Certificate


Describe the issue: 

These instructions differentiate the installation of Capsule with custom certs into pre- and post-installer runs, but the second part (Configure Capsule with a Custom Server Certificate After Running the Installer) uses the wrong command to generate the Capsule certificate tarball from the Satellite server. 

It should read:


Configure Capsule with a Custom Server Certificate After Running the Installer

1) On Satellite Server, generate a new certificate based on your custom server certificate. 

~~~
# capsule-certs-generate \
--capsule-fqdn "mycapsule.example.com" \
--certs-tar ~/mycapsule.example.com-certs.tar \
--server-cert /path/to/server.crt \
--server-cert-req /path/to/server-cert.req \
--server-key /path/to/server.key \
--server-ca-cert /path/to/server-ca.crt
~~~

The command provided in the docs is for actually installing the Capsule after the first installer run, rather than generating the certificate tarball from the Satellite server. Running this command on a Satellite installation would likely error out, but could potentially have disastrous results.


Suggestions for improvement: 

Replace the first step with the correct certificate generation command (capsule-certs-generate) rather than the capsule installation command (satellite-installer --scenario capsule).

***Additionally, please make it clearer/bolder/more noticeable in the documents that if a user is going to deploy a Satellite server with custom certificates, each Capsule server *must* have its own custom certificate signed by the same CA.***

Comment 3 Rick Dixon 2016-09-01 00:17:36 UTC
Hi Russell,

When I look at attachment [2] in the linked comment, under "Configure Capsule with a Custom Server Certificate After Running Foreman Installer," it still looks as though the command issued for generating the certificate bundle from the Satellite server is:


~~~
# foreman-installer --scenario capsule\
    --certs-generate \
[...SNIP...]
~~~


It should be:


~~~
# capsule-certs-generate \
--capsule-fqdn "mycapsule.example.com" \
--certs-tar ~/mycapsule.example.com-certs.tar \
--server-cert /path/to/server.crt \
--server-cert-req /path/to/server-cert.req \
--server-key /path/to/server.key \
--server-ca-cert /path/to/server-ca.crt
~~~


Once this bundle is copied to the Capsule, the command to install it and update all of the certificates (which you would want to do if the installer has already been run once) is:


~~~
# satellite-installer --scenario capsule \
--certs-update-server \
--capsule-parent-fqdn "satellite.example.com" \
--foreman-proxy-register-in-foreman "true" \
--foreman-proxy-foreman-base-url "https://satellite.example.com" \
--foreman-proxy-trusted-hosts "satellite.example.com" \
--foreman-proxy-trusted-hosts "capsule.example.com" \
--foreman-proxy-oauth-consumer-key "gDv6mMrsfefp5QmimiAspfzfwsvCctBm" \
--foreman-proxy-oauth-consumer-secret "Sh4d7K2v7Dk2VphMPTtZYRviFJ3tY5oY" \
--capsule-pulp-oauth-secret "ABsqCFsFCoxdSHmHTvMq9sfaN5zZcR8n" \
--capsule-certs-tar ~/capsule.example.com-certs.tar
~~~
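
A pre-flight check on the custom certificate material before it is handed to capsule-certs-generate, serving both the description's bolded requirement (every Capsule certificate must be signed by the same CA as the Satellite Server's) and the generate-then-install procedure in comment 3. This is an added example; it is not code from the Red Hat Satellite documentation, from the installer, or from this bug report. It assumes only the openssl command-line tool. The function name check_capsule_cert, the file names, and the demo PKI that make_demo_pki builds in a temporary directory are all constructed for the demonstration. The checks are the four things the generate command silently depends on: the Capsule certificate chains to the CA passed as --server-ca-cert, the private key belongs to that certificate, the certificate names the Capsule FQDN in a SAN entry or the CN, and (optionally, when the Satellite Server's own certificate is supplied) both certificates come from one CA.

```shell
#!/bin/sh
# Pre-flight checks for a custom Capsule certificate before it is handed to
# capsule-certs-generate on the Satellite Server. Added example; not code
# from the Red Hat Satellite documentation or from this bug report.
# Assumes the openssl CLI is installed. The demo PKI built by make_demo_pki
# is constructed on the fly and is not real Satellite material.

# check_capsule_cert CA_CERT SERVER_CERT SERVER_KEY CAPSULE_FQDN [SATELLITE_CERT]
# Returns 0 when every check passes, 1 on the first failure (reason on stderr).
check_capsule_cert() {
    ca="$1"; cert="$2"; key="$3"; fqdn="$4"; sat_cert="${5:-}"

    # 1. The Capsule cert must chain to the CA given as --server-ca-cert.
    #    Grep for ": OK" rather than trusting the exit status, which older
    #    openssl releases did not set on verification failure.
    if ! openssl verify -CAfile "$ca" "$cert" 2>/dev/null | grep -q ': OK$'; then
        echo "FAIL: $cert does not verify against CA $ca" >&2
        return 1
    fi

    # 2. The private key must belong to the cert. Comparing the public keys
    #    works for RSA and EC alike (a modulus comparison would be RSA-only).
    cert_pub=$(openssl x509 -in "$cert" -noout -pubkey 2>/dev/null)
    key_pub=$(openssl pkey -in "$key" -pubout 2>/dev/null)
    if [ -z "$cert_pub" ] || [ "$cert_pub" != "$key_pub" ]; then
        echo "FAIL: $key is not the private key for $cert" >&2
        return 1
    fi

    # 3. The cert must name the Capsule FQDN as a SAN DNS entry or as the CN,
    #    or clients and the Satellite will refuse the Capsule's TLS endpoints.
    #    Split -text and RFC2253 subject output on commas/spaces so each
    #    "DNS:host" / "CN=host" token becomes one line for an exact match.
    san=$(openssl x509 -in "$cert" -noout -text 2>/dev/null | tr ', ' '\n\n')
    subject=$(openssl x509 -in "$cert" -noout -subject -nameopt RFC2253 2>/dev/null \
              | sed 's/^subject= *//' | tr ', ' '\n\n')
    if ! printf '%s\n' "$san" | grep -qxF "DNS:$fqdn" \
       && ! printf '%s\n' "$subject" | grep -qxF "CN=$fqdn"; then
        echo "FAIL: $cert names neither SAN DNS:$fqdn nor CN=$fqdn" >&2
        return 1
    fi

    # 4. Optional: the Satellite Server's own cert must come from the same CA,
    #    since Satellite and every Capsule must share one CA.
    if [ -n "$sat_cert" ] \
       && ! openssl verify -CAfile "$ca" "$sat_cert" 2>/dev/null | grep -q ': OK$'; then
        echo "FAIL: $sat_cert was not issued by $ca; Satellite and Capsules must share one CA" >&2
        return 1
    fi
    return 0
}

# make_demo_pki DIR: constructed test material (hypothetical names). The
# "good" CA issues the Satellite and Capsule certs; the unrelated "rogue" CA
# signs the same Capsule CSR to model a Capsule cert from the wrong CA.
make_demo_pki() {
    dir="$1"
    mkdir -p "$dir"
    for name in good rogue; do
        openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=$name test CA" \
            -keyout "$dir/$name-ca.key" -out "$dir/$name-ca.crt" >/dev/null 2>&1
    done
    for host in mycapsule satellite; do
        printf 'subjectAltName=DNS:%s.example.com\n' "$host" > "$dir/$host.ext"
        openssl req -newkey rsa:2048 -nodes -subj "/CN=$host.example.com" \
            -keyout "$dir/$host.key" -out "$dir/$host.csr" >/dev/null 2>&1
        openssl x509 -req -days 1 -in "$dir/$host.csr" -extfile "$dir/$host.ext" \
            -CA "$dir/good-ca.crt" -CAkey "$dir/good-ca.key" -CAcreateserial \
            -out "$dir/$host.crt" >/dev/null 2>&1
    done
    openssl x509 -req -days 1 -in "$dir/mycapsule.csr" -extfile "$dir/mycapsule.ext" \
        -CA "$dir/rogue-ca.crt" -CAkey "$dir/rogue-ca.key" -CAcreateserial \
        -out "$dir/mycapsule-rogue.crt" >/dev/null 2>&1
}

# Demonstration on the constructed PKI. For a real run, point the function at
# the files you are about to pass to capsule-certs-generate, e.g.
#   check_capsule_cert /path/to/server-ca.crt /path/to/server.crt \
#       /path/to/server.key mycapsule.example.com /path/to/satellite-server.crt
demo=$(mktemp -d)
make_demo_pki "$demo"
if check_capsule_cert "$demo/good-ca.crt" "$demo/mycapsule.crt" "$demo/mycapsule.key" \
       mycapsule.example.com "$demo/satellite.crt"; then
    echo "demo: valid Capsule cert accepted"
fi
if ! check_capsule_cert "$demo/good-ca.crt" "$demo/mycapsule-rogue.crt" "$demo/mycapsule.key" \
       mycapsule.example.com; then
    echo "demo: Capsule cert from a different CA rejected"
fi
rm -rf "$demo"
```

Run it on the Satellite Server as root before step 1 of the procedure; a non-zero return means the tarball capsule-certs-generate would produce is already wrong, and the last argument is the place to pass the Satellite Server's own server certificate so the shared-CA rule is enforced rather than assumed.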

Comment 4 Russell Dickenson 2016-09-07 02:34:23 UTC
Rick,

I apologise for the long delay in replying. I'll look over the latest work in progress on custom certificates and check if what you've mentioned in comment 3 has been fixed.

