Note: This bug is displayed in read-only format because the product is no longer active in Red Hat Bugzilla.
Red Hat Satellite engineering is moving the tracking of its product development work on Satellite to Red Hat Jira (issues.redhat.com). If you're a Red Hat customer, please continue to file support cases via the Red Hat customer portal. If you're not, please head to the "Satellite project" in Red Hat Jira and file new tickets here. Individual Bugzilla bugs will be migrated starting at the end of May. If you cannot log in to RH Jira, please consult article #7032570. That failing, please send an e-mail to the RH Jira admins at rh-issues@redhat.com to troubleshoot your issue as a user management inquiry. The email creates a ServiceNow ticket with Red Hat. Individual Bugzilla bugs that are migrated will be moved to status "CLOSED", resolution "MIGRATED", and set with "MigratedToJIRA" in "Keywords". The link to the successor Jira issue will be found under "Links", have a little "two-footprint" icon next to it, and direct you to the "Satellite project" in Red Hat Jira (issue links are of type "https://issues.redhat.com/browse/SAT-XXXX", where "X" is a digit). This same link will be available in a blue banner at the top of the page informing you that that bug has been migrated.

Bug 1499323

Summary: katello-certs-check has "" for the capsule fqdn when you need to specify that
Product: Red Hat Satellite Reporter: Peter Gervase <pgervase>
Component: CertificatesAssignee: Chris Roberts <chrobert>
Status: CLOSED NEXTRELEASE QA Contact: Katello QA List <katello-qa-list>
Severity: medium Docs Contact:
Priority: medium    
Version: 6.2.12CC: bbuckingham, chrobert
Target Milestone: UnspecifiedKeywords: Triaged
Target Release: Unused   
Hardware: All   
OS: Linux   
Whiteboard:
Fixed In Version: Doc Type: If docs needed, set a value
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2017-11-09 13:16:48 UTC Type: Bug
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:

Description Peter Gervase 2017-10-06 18:19:59 UTC 
Description of problem:
After you run katello-certs-check with the correct arguments, you get output like
To use them inside an EXISTING $CAPSULE, run this command INSTEAD:
    capsule-certs-generate --capsule--fqdn ""\
                           --certs-tar  "~/-certs.tar"\

You need to specify the fqdn rather than ""

Version-Release number of selected component (if applicable):
foreman-installer-katello-3.0.0.96-1.el7sat.noarch

How reproducible:
100%

Steps to Reproduce:
1. Run katello-certs-check with the required parameters
2.
3.

Actual results:
To use them inside an EXISTING $CAPSULE, run this command INSTEAD:
    capsule-certs-generate --capsule--fqdn ""\
                           --certs-tar  "~/-certs.tar"\

Expected results:
To use them inside an EXISTING $CAPSULE, run this command INSTEAD:
    capsule-certs-generate --capsule--fqdn "capsule.mydomain.com"\
                           --certs-tar  "~/-certs.tar"\

Additional info:
Comment 2 Chris Roberts 2017-10-30 19:47:05 UTC 
Fixed upstream:

= Module foreman_proxy_certs:
    --certs-tar                   Path to tar file with certs to generate (current: UNDEF)
    --foreman-proxy-cname         additional names of the foreman proxy (current: [])
    --foreman-proxy-fqdn          FQDN of the foreman proxy (current: "test.katello.lan")
    --parent-fqdn                 FQDN of the parent node. Does not usually
                                  need to be set. (current: "test.katello.lan")


Will address downstream
Comment 3 Chris Roberts 2017-10-31 15:46:51 UTC 
Ignore last screen, still fixed upstream/6.3

[root@centos7-katello-nightly ~]# katello-certs-check -b /etc/pki/katello/certs/katello-default-ca.crt -r /etc/pki/katello/certs/katello-default-ca.crt -k /etc/pki/katello/private/katello-apache.key -c /etc/pki/katello/certs/katello-apache.crt 
Checking expiration of certificate: [OK]
Checking expiration of CA bundle: [OK]
Checking if server cert has CA:TRUE flag[OK]
Validating the certificate subject= /C=US/ST=North Carolina/O=Katello/OU=SomeOrgUnit/CN=centos7-katello-nightly.vault111.example.com
Checking to see if the private key matches the certificate: [OK]
Checking ca bundle against the cert file: [OK]

Validation succeeded.

To install the Katello main server with the custom certificates, run:

    foreman-installer --scenario katello\
                      --certs-server-cert "/etc/pki/katello/certs/katello-apache.crt"\
                      --certs-server-cert-req "/etc/pki/katello/certs/katello-default-ca.crt"\
                      --certs-server-key "/etc/pki/katello/private/katello-apache.key"\
                      --certs-server-ca-cert "/etc/pki/katello/certs/katello-default-ca.crt"

To update the certificates on a currently running Katello installation, run:

    foreman-installer --scenario katello\
                      --certs-server-cert "/etc/pki/katello/certs/katello-apache.crt"\
                      --certs-server-cert-req "/etc/pki/katello/certs/katello-default-ca.crt"\
                      --certs-server-key "/etc/pki/katello/private/katello-apache.key"\
                      --certs-server-ca-cert "/etc/pki/katello/certs/katello-default-ca.crt"\
                      --certs-update-server --certs-update-server-ca

To use them inside a NEW $FOREMAN_PROXY, run this command:

    foreman-proxy-certs-generate --foreman-proxy-fqdn "$FOREMAN_PROXY"\
                                 --certs-tar  "~/$FOREMAN_PROXY-certs.tar"\
                                 --server-cert "/etc/pki/katello/certs/katello-apache.crt"\
                                 --server-cert-req "/etc/pki/katello/certs/katello-default-ca.crt"\
                                 --server-key "/etc/pki/katello/private/katello-apache.key"\
                                 --server-ca-cert "/etc/pki/katello/certs/katello-default-ca.crt"\

To use them inside an EXISTING $FOREMAN_PROXY, run this command INSTEAD:

    foreman-proxy-certs-generate --foreman-proxy-fqdn "$FOREMAN_PROXY"\
                                 --certs-tar  "~/$FOREMAN_PROXY-certs.tar"\
                                 --server-cert "/etc/pki/katello/certs/katello-apache.crt"\
                                 --server-cert-req "/etc/pki/katello/certs/katello-default-ca.crt"\
                                 --server-key "/etc/pki/katello/private/katello-apache.key"\
                                 --server-ca-cert "/etc/pki/katello/certs/katello-default-ca.crt"\
                                 --certs-update-server