Hide Forgot
Document URL: https://access.redhat.com/documentation/en-US/Red_Hat_Satellite/6.1/html/Installation_Guide/sect-Red_Hat_Satellite-Installation_Guide-Running_the_Installation_and_Configuration_Program-Optional_Configuration_Options.html#sect-Red_Hat_Satellite-Installation_Guide-Configuring_Red_Hat_Satellite_with_a_Custom_Server_Certificate.xml Section Number and Name: Describe the issue: Procedure 2.6. To Set a Custom Server Certificate After Running the Katello Installer Suggestions for improvement: In Procedure 2.6, to update custom certs with Red Hat Satellite, we documented the changes necessary to update the Server certs and the CA certs. When just updating CA and Server certs, if we go to Satellite webUI >> Infrastructure -> Capsule -> click on Certificates button fails with below exception / traceback ~~~ ProxyAPI::ProxyException ERF12-5356 [ProxyAPI::ProxyException]: Unable to get PuppetCA certificates ([OpenSSL::SSL::SSLError]: SSL_connect returned=1 errno=0 state=SSLv3 read server certificate B: certificate verif...) for proxy https://<SATELLITE>:9090/puppet/ca lib/proxy_api/puppetca.rb:47:in `rescue in all' lib/proxy_api/puppetca.rb:45:in `all' app/services/smart_proxies/puppet_ca.rb:21:in `all' app/services/smart_proxies/puppet_ca.rb:36:in `find_by_state' app/controllers/puppetca_controller.rb:8:in `index' app/models/concerns/foreman/thread_session.rb:33:in `clear_thread' lib/middleware/catch_json_parse_errors.rb:9:in `call' ~~~ The reason for this traceback is due puppet certs not updated when running katello-installer with --certs-update-server --certs-update-server-ca. To properly update all the certs, one has to use all the below 3 options # katello-installer --help | grep "certs-update" --certs-update-server This option will enforce an update of the HTTPS certificates (default: false) --certs-update-server-ca This option will enforce an update of the CA used for HTTPS certificates. (default: false) --certs-update-all This option will enforce an update of all the certificates for given host (default: false Additional information:
Assigning to Russell for review.
I still think the --certs-update-server should be enough for the custom certs installation procedure, the --certs-update-all is meant to be used only, when one needs to regenerate client-certificates that are used for inter-services communication. The custom certificates are used only for server-side verification, and therefore the --cesrts-update-server should be enough here.
Since Nagoor confirmed an exception, in at least one instance, but Ivan is confident that "--certs-update-all" is not required, this requires further testing. Nagoor will conduct his own testing, and I will do the same.
Nagoor has confirmed that this is a known issue for Satellite 6.1. He and I independently confirmed that it does *NOT* affect Satellite 6.2. To minimise the risk of this issue affecting customers, I will amend the custom certificate instructions in the Satellite 6.1 Installation Guide.
Hello This update is live on the customer portal Procedure 2.6. To Set a Custom Server Certificate After Running the Katello Installer: https://access.redhat.com/documentation/en-US/Red_Hat_Satellite/6.1/html/Installation_Guide/sect-Red_Hat_Satellite-Installation_Guide-Running_the_Installation_and_Configuration_Program-Optional_Configuration_Options.html#proc-Red_Hat_Satellite-Installation_Guide-Configuring_RednbspHat_Satellite_with_a_Custom_Server_Certificate-Setting_a_Custom_Server_Certificate_after_running_katello_installer