Bug 1479428 - [RFE] Capsule need to trust all 'default CAs' in a Satellite cluster
Summary: [RFE] Capsule need to trust all 'default CAs' in a Satellite cluster
Status: NEW
Alias: None
Product: Red Hat Satellite 6
Classification: Red Hat
Component: Certificates
Version: 6.2.9
Hardware: Unspecified
OS: Unspecified
medium vote
Target Milestone: Unspecified
Assignee: Eric Helms
QA Contact: Stephen Wadeley
Depends On:
Blocks: 1196002
TreeView+ depends on / blocked
Reported: 2017-08-08 14:32 UTC by Sean O'Keeffe
Modified: 2019-07-30 03:45 UTC (History)
2 users (show)

Fixed In Version:
Doc Type: Enhancement
Doc Text:
Clone Of:
Last Closed:

Attachments (Terms of Use)

System ID Priority Status Summary Last Updated
Foreman Issue Tracker 20021 None None None 2017-08-08 14:32:45 UTC

Description Sean O'Keeffe 2017-08-08 14:32:21 UTC
Description of problem:
A Satellite cluster requires capsules trust the 'default ca' on every Satellite server. 

Version-Release number of selected component (if applicable):

How reproducible:

Steps to Reproduce:
1. Build 2 Satellites, /var/lib/pgsql, /var/lib/mongodb, /var/lib/pulp on shared storage
- Start services on node 1, Stop services on node 2
- installer:
  - ensure various oauth_options are the same on both nodes
  - ensure db_passoword options are the same on both nodes
  - provide the same custom certs with multiple dns alt names
  - ensure /etc/foreman/encryption_key.rb is the same on both nodes
4. confirm fail over works
  a. stop services on node 1 
  b. fail over storage
  c. start services on node 2
3. on the active node generate certs with custom certificates and register a capsule (all should be working)
4. fail over again and any communication with the proxy will fail from this node with SSL errors.

Actual results:
SSL errors

Expected results:
Proxy comms to work

Additional info:
I can supply better details to reproduce this if required..

Note You need to log in before you can comment on or make changes to this bug.