Bug 1420975 - The capsule-certs-generate command example mentions the Satellite Server's input files, not those of the Capsule Server
Keywords:
Status: CLOSED CURRENTRELEASE
Alias: None
Product: Red Hat Satellite
Classification: Red Hat
Component: Docs Install Guide
Version: 6.2.7
Hardware: Unspecified
OS: Unspecified
Target Milestone: Unspecified
Assignee: Russell Dickenson
QA Contact: Charles Wood
URL:
Whiteboard:
Depends On: 1417399
Blocks:
Reported: 2017-02-10 03:25 UTC by Russell Dickenson
Modified: 2019-09-25 20:41 UTC (History)

Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
Environment:
Last Closed: 2017-02-21 23:13:53 UTC
Target Upstream Version:



Description Russell Dickenson 2017-02-10 03:25:49 UTC
Document URL: https://access.redhat.com/documentation/en/red-hat-satellite/6.2/single/installation-guide#create_the_capsule_certificates_archive_file

Section Number and Name: 4.7.5.2. Create the Capsule Server’s Certificates Archive File

Describe the issue: The capsule-certs-generate command example mentions the Satellite Server's input files, not those of the Capsule Server.

Suggestions for improvement:

1. All instances of "satellite_" must be replaced with "capsule_".
2. The values for all parameters except "-server-ca-cert" should use "caps_cert", not "sat_cert" since this operation is for the Capsule Server.

Comment 2 Russell Dickenson 2017-02-10 04:12:09 UTC
NOTE: Before making the changes proposed in the BZ ticket's description, this must be verified by an SME. It is the "katello-certs-check" command which puts "satellite_" in each parameter. If this is incorrect, then the command's output must be corrected as well as the documentation linked in this BZ ticket.

Comment 3 Russell Dickenson 2017-02-10 04:39:14 UTC
Chris/Daniel,

I need a sanity check on this BZ ticket. Below is example output of the katello-certs-check command, as per the Installation Guide, section "3.4.6.2. Validate the Satellite Server’s SSL Certificate" [1].

The part that I simply don't understand is after "To use them inside a $CAPSULE, run this command INSTEAD:". From what I can tell, this takes the Satellite Server's certificate and creates the TAR file. When this is then copied to the Capsule Server, and used as input in the "satellite-installer" command, this deploys the Satellite Server's certificate, instead of the Capsule Server's certificate.

Is this correct, or do I misunderstand? I came to the above conclusion because, after walking through the workflow detailed in the Installation Guide, I did not find any mention of the Capsule Server's custom certificate being used.


--------------------
Validating the certificate subject= /C=AU/ST=Queensland/L=Brisbane/O=Example/OU=Sales/CN=satellite.example.com/emailAddress=example@example.com
Check private key matches the certificate: [OK]
Check ca bundle verifies the cert file: [OK]

Validation succeeded.

To install the Satellite main server with the custom certificates, run:

    satellite-installer --scenario satellite\
                        --certs-server-cert "/root/sat_cert/satellite_cert.pem"\
                        --certs-server-cert-req "/root/sat_cert/satellite_cert_csr.pem"\
                        --certs-server-key "/root/sat_cert/satellite_cert_key.pem"\
                        --certs-server-ca-cert "/root/sat_cert/ca_cert_bundle.pem"

To update the certificates on a currently running Satellite installation, run:

    satellite-installer --scenario satellite\
                        --certs-server-cert "/root/sat_cert/satellite_cert.pem"\
                        --certs-server-cert-req "/root/sat_cert/satellite_cert_csr.pem"\
                        --certs-server-key "/root/sat_cert/satellite_cert_key.pem"\
                        --certs-server-ca-cert "/root/sat_cert/ca_cert_bundle.pem"\
                        --certs-update-server --certs-update-server-ca

To use them inside a $CAPSULE, run this command INSTEAD:

    capsule-certs-generate --capsule-fqdn ""\
                           --certs-tar  "/root/certs.tar"\
                           --server-cert "/root/sat_cert/satellite_cert.pem"\
                           --server-cert-req "/root/sat_cert/satellite_cert_csr.pem"\
                           --server-key "/root/sat_cert/satellite_cert_key.pem"\
                           --server-ca-cert "/root/sat_cert/ca_cert_bundle.pem"\
                           --certs-update-server
--------------------



[1] https://access.redhat.com/documentation/en/red-hat-satellite/6.2/single/installation-guide#configuring_satellite_server_with_custom_server_certificate

Comment 4 Chris Roberts 2017-02-13 19:13:39 UTC
Hi Russell,

This is correct; it would do that if the customer ran that. As of right now, there is no option to tell that the cert is used by satellite or capsule, so the check gives out all the options. There is currently an open bz for this here:

https://bugzilla.redhat.com/show_bug.cgi?id=1265533

- Chris
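
Added example (not part of the bug report or of Red Hat's tooling): a pre-flight check that compares the certificate's subject CN with the intended Capsule FQDN before the files are passed to capsule-certs-generate, so the Satellite Server's certificate is not packaged for a Capsule by mistake. The function names, the hostname capsule.example.com and the second subject line are assumptions made for illustration.

```shell
#!/bin/sh
# Added example: refuse to build a Capsule certs archive from a certificate
# whose subject CN names a different host (for instance the Satellite Server).
# Only the CN shown in the subject line is compared; subjectAltName entries
# are not inspected here.

# Print the CN from a subject line in either OpenSSL layout:
#   subject= /C=AU/.../CN=host.example.com/emailAddress=...
#   subject=C = AU, ..., CN = host.example.com
subject_cn() {
    printf '%s\n' "$1" | sed -n -E 's#.*[/ ,]CN ?= ?([^/,]+).*#\1#p'
}

# Return 0 when the CN equals the Capsule FQDN (case-insensitive),
# 1 on a mismatch, 2 when no CN can be found.
check_capsule_cert_subject() {
    cn=$(subject_cn "$1" | tr 'A-Z' 'a-z')
    want=$(printf '%s' "$2" | tr 'A-Z' 'a-z')
    if [ -z "$cn" ]; then
        echo "no CN found in subject" >&2
        return 2
    fi
    if [ "$cn" != "$want" ]; then
        echo "certificate CN '$cn' does not match Capsule FQDN '$want'" >&2
        return 1
    fi
    return 0
}

# Same check against a PEM file on disk.
check_capsule_cert_file() {
    check_capsule_cert_subject "$(openssl x509 -noout -subject -in "$1")" "$2"
}

# Subject line copied from the katello-certs-check output quoted in comment 3.
SAT_SUBJECT='subject= /C=AU/ST=Queensland/L=Brisbane/O=Example/OU=Sales/CN=satellite.example.com/emailAddress=example@example.com'
# Constructed subject for a hypothetical Capsule certificate.
CAPS_SUBJECT='subject=C = AU, O = Example, CN = capsule.example.com'

check_capsule_cert_subject "$SAT_SUBJECT" capsule.example.com \
    || echo "Satellite certificate rejected for capsule.example.com"
check_capsule_cert_subject "$CAPS_SUBJECT" capsule.example.com \
    && echo "Capsule certificate accepted"
```
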

Comment 10 Andrew Dahms 2017-02-21 23:13:53 UTC
This content is live on the Customer Portal.

Closing.

