Description of problem:

Issue occurred when I tried to apply custom SSL certificates using command

    satellite-installer --scenario satellite --certs-server-cert $PWD/satosix.crt --certs-server-cert-req $PWD/satosix.csr --certs-server-key $PWD/satosix.key --certs-server-ca-cert $PWD/RHCA-chain1.crt --certs-update-server --certs-update-server-ca

Certificate itself has been applied correctly, however the CA certificate chain hasn't been. Long investigation showed that an old certificate chain remained in use for httpd. The command has been found in official documentation and also in output of 'katello-certs-check' command.

So... in those two files:

    /etc/httpd/conf.d/03-crane.conf
    /etc/httpd/conf.d/03-foreman-ssl.conf

was found following content (common for both):

    SSLCertificateChainFile "/etc/pki/katello/certs/katello-default-ca.crt"
    SSLCACertificateFile "/etc/pki/katello/certs/katello-default-ca.crt"

I found that on given path (/etc/pki/katello/certs) were both files, 'katello-default-ca.crt' and also the one added by command above, now named 'katello-server-ca.crt'.

When I changed the word 'default' to 'server' in configuration files and restarted apache, the satellite provided all correct information when establishing https connection. I believe config files were not altered correctly. I consider my change just as workaround to the described malfunction in satellite setup process.

Also... I remember that right after very first run of the command for certificates setup everything worked, only later it stopped (the provided CA chain was replaced by default one). Maybe puppet involved in this... I will observe the behavior and report if anything changes.

Another issue found: regardless of web services working over https with the correct CA chain, there is also the katello certificate .rpm package for download that still provides file 'katello-default-ca.crt' - the old one instead of the newly applied one. Result is: no packages will be applied, no updates... nothing from that satellite server. Thus my previous workaround is not good enough. I assume rewriting the -default-ca file with new content would work better, however, fixing that bug in satellite is the right solution.

Kind regards
-michael arbet-

The first issue is a duplicate of BZ1306964. Please open a separate bug for the RPM issue if it needs one, although if you're on 6.2.1, you could be hitting https://bugzilla.redhat.com/show_bug.cgi?id=1283865.

*** This bug has been marked as a duplicate of bug 1306964 ***
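
The report above says the httpd configuration pointed at the default CA file again some time after the installer run. The following is an added example, not part of the original report or of Satellite itself: a small audit that lists which active `SSLCertificateChainFile` / `SSLCACertificateFile` directives reference a given CA file, so such a change can be noticed after an installer or puppet run. The function names and the sample configuration text are constructed for illustration; the script only reports references and does not decide which CA file each directive should use.

```python
import re
from pathlib import Path

# The two directives quoted in the report. Apache directive names are
# case-insensitive; the value may or may not be quoted.
DIRECTIVE_RE = re.compile(
    r'^\s*(SSLCertificateChainFile|SSLCACertificateFile)\s+"?([^"\s]+)"?\s*$',
    re.IGNORECASE,
)

def find_ca_directives(conf_text):
    """Return (line_no, directive, path) for every active CA directive.
    Commented-out lines do not match because '#' precedes the directive."""
    found = []
    for line_no, line in enumerate(conf_text.splitlines(), 1):
        m = DIRECTIVE_RE.match(line)
        if m:
            found.append((line_no, m.group(1), m.group(2)))
    return found

def references_to(confs, ca_path):
    """confs maps file name -> file text. Return (file, line, directive)
    for each active directive whose value equals ca_path."""
    hits = []
    for name in sorted(confs):
        for line_no, directive, path in find_ca_directives(confs[name]):
            if path == ca_path:
                hits.append((name, line_no, directive))
    return hits

def load_confs(conf_dir="/etc/httpd/conf.d"):
    """Read the real configuration files (path taken from the report)."""
    return {p.name: p.read_text() for p in Path(conf_dir).glob("*.conf")}

DEFAULT_CA = "/etc/pki/katello/certs/katello-default-ca.crt"

# Constructed sample input: one file as quoted in the report, one after
# the reporter's manual change (old line left commented out).
SAMPLE = {
    "03-foreman-ssl.conf":
        '<VirtualHost *:443>\n'
        '  SSLCertificateChainFile "%s"\n'
        '  SSLCACertificateFile "%s"\n'
        '</VirtualHost>\n' % (DEFAULT_CA, DEFAULT_CA),
    "03-crane.conf":
        '<VirtualHost *:443>\n'
        '  # SSLCertificateChainFile "%s"\n'
        '  SSLCertificateChainFile "/etc/pki/katello/certs/katello-server-ca.crt"\n'
        '</VirtualHost>\n' % DEFAULT_CA,
}

if __name__ == "__main__":
    for name, line_no, directive in references_to(SAMPLE, DEFAULT_CA):
        print(f"{name}:{line_no}: {directive} -> {DEFAULT_CA}")
```

On a real server, pass `load_confs()` instead of `SAMPLE` and run the check again after each installer or puppet run.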