Note: This bug is displayed in read-only format because the product is no longer active in Red Hat Bugzilla.

Red Hat Satellite engineering is moving the tracking of its product development work on Satellite to Red Hat Jira (issues.redhat.com). If you're a Red Hat customer, please continue to file support cases via the Red Hat customer portal. If you're not, please head to the "Satellite project" in Red Hat Jira and file new tickets here. Individual Bugzilla bugs will be migrated starting at the end of May. If you cannot log in to RH Jira, please consult article #7032570. That failing, please send an e-mail to the RH Jira admins at rh-issues@redhat.com to troubleshoot your issue as a user management inquiry. The email creates a ServiceNow ticket with Red Hat. Individual Bugzilla bugs that are migrated will be moved to status "CLOSED", resolution "MIGRATED", and set with "MigratedToJIRA" in "Keywords". The link to the successor Jira issue will be found under "Links", have a little "two-footprint" icon next to it, and direct you to the "Satellite project" in Red Hat Jira (issue links are of type "https://issues.redhat.com/browse/SAT-XXXX", where "X" is a digit). This same link will be available in a blue banner at the top of the page informing you that that bug has been migrated.

Bug 1393640

Summary:	Procedure 2.6. in Installation document doesn't cover updating all certificates
Product:	Red Hat Satellite	Reporter:	Nagoor Shaik <nshaik>
Component:	Docs Install Guide	Assignee:	Russell Dickenson <rdickens>
Status:	CLOSED CURRENTRELEASE	QA Contact:	Stephen Wadeley <swadeley>
Severity:	medium	Docs Contact:
Priority:	medium
Version:	6.1.10	CC:	adahms, inecas, nshaik, zhunting
Target Milestone:	Unspecified	Keywords:	Documentation
Target Release:	Unused
Hardware:	Unspecified
OS:	Unspecified
Whiteboard:
Fixed In Version:		Doc Type:	If docs needed, set a value
Doc Text:		Story Points:	---
Clone Of:		Environment:
Last Closed:	2017-03-16 12:30:26 UTC	Type:	Bug
Regression:	---	Mount Type:	---
Documentation:	---	CRM:
Verified Versions:		Category:	---
oVirt Team:	---	RHEL 7.3 requirements from Atomic Host:
Cloudforms Team:	---	Target Upstream Version:
Embargoed:

Description Nagoor Shaik 2016-11-10 04:02:26 UTC

Document URL: 
https://access.redhat.com/documentation/en-US/Red_Hat_Satellite/6.1/html/Installation_Guide/sect-Red_Hat_Satellite-Installation_Guide-Running_the_Installation_and_Configuration_Program-Optional_Configuration_Options.html#sect-Red_Hat_Satellite-Installation_Guide-Configuring_Red_Hat_Satellite_with_a_Custom_Server_Certificate.xml
Section Number and Name: 

Describe the issue: 
Procedure 2.6. To Set a Custom Server Certificate After Running the Katello Installer

Suggestions for improvement: 

In Procedure 2.6, to update custom certs with Red Hat Satellite, we documented the changes necessary to update the Server certs and the CA certs.

When just updating CA and Server certs, if we go to Satellite webUI >>  Infrastructure -> Capsule -> click on Certificates button fails with below exception / traceback

~~~
ProxyAPI::ProxyException
ERF12-5356 [ProxyAPI::ProxyException]: Unable to get PuppetCA certificates ([OpenSSL::SSL::SSLError]: SSL_connect returned=1 errno=0 state=SSLv3 read server certificate B: certificate verif...) for proxy https://<SATELLITE>:9090/puppet/ca
lib/proxy_api/puppetca.rb:47:in `rescue in all'
lib/proxy_api/puppetca.rb:45:in `all'
app/services/smart_proxies/puppet_ca.rb:21:in `all'
app/services/smart_proxies/puppet_ca.rb:36:in `find_by_state'
app/controllers/puppetca_controller.rb:8:in `index'
app/models/concerns/foreman/thread_session.rb:33:in `clear_thread'
lib/middleware/catch_json_parse_errors.rb:9:in `call' 
~~~

The reason for this traceback is due puppet certs not updated when running katello-installer with --certs-update-server --certs-update-server-ca.

To properly update all the certs, one has to use all the  below 3 options 

# katello-installer --help | grep "certs-update"
    --certs-update-server         This option will enforce an update of the HTTPS certificates (default: false)
    --certs-update-server-ca      This option will enforce an update of the CA used for HTTPS certificates. (default: false)
    --certs-update-all            This option will enforce an update of all the certificates for given host (default: false

Additional information:

Comment 1 Andrew Dahms 2016-11-14 00:47:12 UTC

Assigning to Russell for review.

Comment 4 Ivan Necas 2016-11-15 08:57:45 UTC

I still think the --certs-update-server should be enough for the custom certs installation procedure, the --certs-update-all is meant to be used only, when one needs to regenerate client-certificates that are used for inter-services communication. The custom certificates are used only for server-side verification, and therefore the --cesrts-update-server should be enough here.

Comment 5 Russell Dickenson 2016-11-16 02:45:56 UTC

Since Nagoor confirmed an exception, in at least one instance, but Ivan is confident that "--certs-update-all" is not required, this requires further testing.

Nagoor will conduct his own testing, and I will do the same.

Comment 6 Russell Dickenson 2016-11-16 06:14:42 UTC

Nagoor has confirmed that this is a known issue for Satellite 6.1. He and I independently confirmed that it does *NOT* affect Satellite 6.2.

To minimise the risk of this issue affecting customers, I will amend the custom certificate instructions in the Satellite 6.1 Installation Guide.

Comment 43 Stephen Wadeley 2017-03-16 12:30:26 UTC

Hello

This update is live on the customer portal

Procedure 2.6. To Set a Custom Server Certificate After Running the Katello Installer:

https://access.redhat.com/documentation/en-US/Red_Hat_Satellite/6.1/html/Installation_Guide/sect-Red_Hat_Satellite-Installation_Guide-Running_the_Installation_and_Configuration_Program-Optional_Configuration_Options.html#proc-Red_Hat_Satellite-Installation_Guide-Configuring_RednbspHat_Satellite_with_a_Custom_Server_Certificate-Setting_a_Custom_Server_Certificate_after_running_katello_installer