Bug 1560607 - Undocumented change of the capsule-certs-generate tool
Summary: Undocumented change of the capsule-certs-generate tool
Keywords:
Status: CLOSED CURRENTRELEASE
Alias: None
Product: Red Hat Satellite
Classification: Red Hat
Component: Docs Install Guide
Version: 6.3.0
Hardware: x86_64
OS: Linux
medium
low
Target Milestone: Unspecified
Assignee: Russell Dickenson
QA Contact: csherrar
URL:
Whiteboard:
Depends On:
Blocks: 1122832
Reported: 2018-03-26 14:48 UTC by Nikola Kresic
Modified: 2021-09-09 13:31 UTC (History)

Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
Environment:
Last Closed: 2018-06-10 23:37:55 UTC
Target Upstream Version:
Embargoed:



Description Nikola Kresic 2018-03-26 14:48:13 UTC
Description of problem:

Cannot find a document covering the change of the capsule-certs-generate tool options, between Satellite releases 6.2 and 6.3:


Satellite 6.2 :

= Module capsule_certs:
    --capsule-fqdn                fqdn of the capsule. REQUIRED (default: "certs::node_fqdn")
    --certs-tar                   path to tar file with certs to generate. REQUIRED (default: nil)
    --parent-fqdn                 fqdn of the parent node. Does not usually
                                  need to be set. (default: "inf3.coe.muc.redhat.com")
 
 
= Module certs:
    --ca-common-name              Common name for the generated CA certificate (default: "inf3.coe.muc.redhat.com")
    --ca-expiration               Ca expiration attribute for managed certificates (default: "36500")
    --city                        City attribute for managed certificates (default: "Raleigh")
    --country                     Country attribute for managed certificates (default: "US")
    --default-ca-name             The name of the default CA (default: "katello-default-ca")
    --deploy                      Deploy the certs on the configured system. False means
                                  we want apply it on a different system (default: false)
    --expiration                  Expiration attribute for managed certificates (default: "7300")
    --generate                    Should the generation of the certs be part of the
                                  configuration (default: true)
    --group                       The group who should own the certs; (default: "foreman")
    --log-dir                     When the log files should go (default: "/var/log/certs")
    --node-fqdn                   The fqdn of the host the generated certificates
                                  should be for (default: "inf3.coe.muc.redhat.com")
    --org                         Org attribute for managed certificates (default: "Default_Organization")
    --org-unit                    Org unit attribute for managed certificates (default: "SomeOrgUnit")
    --password-file-dir           The location to store password files (default: "certs::params::password_file_dir")
    --pki-dir                     The PKI directory under which to place certs (default: "/etc/pki/katello")
    --regenerate                  Force regeneration of the certificates (excluding
                                  ca certificates) (default: false)
    --regenerate-ca               Force regeneration of the ca certificate (default: false)
    --server-ca-cert              Path to the CA that issued the ssl certificates for https
                                  if not specified, the default CA will be used (default: nil)
    --server-ca-name              The name of the server CA (used for https) (default: "katello-server-ca")
    --server-cert                 Path to the ssl certificate for https
                                  if not specified, the default CA will generate one (default: nil)
    --server-cert-req             Path to the ssl certificate request for https (default: nil)
    --server-key                  Path to the ssl key for https
                                  if not specified, the default CA will generate one (default: nil)
    --ssl-build-dir               The directory where SSL keys, certs and RPMs will be generated (default: "/root/ssl-build")
    --state                       State attribute for managed certificates (default: "North Carolina")
    --user                        The system user name who should own the certs; (default: "root")





Satellite 6.3 :

= Module certs:
    --cname                       The alternative names of the host the generated certificates
                                  should be for (current: [])
    --node-fqdn                   The fqdn of the host the generated certificates
                                  should be for (current: "nkresic.muc.csb")
    --server-ca-cert              Path to the CA that issued the ssl certificates for https
                                  if not specified, the default CA will be used (current: UNDEF)
    --server-cert                 Path to the ssl certificate for https
                                  if not specified, the default CA will generate one (current: UNDEF)
    --server-cert-req             Path to the ssl certificate request for https
                                  if not specified, the default CA will generate one (current: UNDEF)
    --server-key                  Path to the ssl key for https
                                  if not specified, the default CA will generate one (current: UNDEF)


= Module foreman_proxy_certs:
    --certs-tar                   Path to tar file with certs to generate (current: UNDEF)
    --foreman-proxy-cname         additional names of the foreman proxy (current: [])
    --foreman-proxy-fqdn          FQDN of the foreman proxy (current: "nkresic.muc.csb")
    --parent-fqdn                 FQDN of the parent node. Does not usually
                                  need to be set. (current: "nkresic.muc.csb")




Version-Release number of selected component (if applicable):

satellite-installer-6.3.0.12-1.el7sat.noarch : Puppet-based installer for Satellite and Capsule
Repo        : Sat63
Matched from:
Filename    : /usr/sbin/capsule-certs-generate


How reproducible:


Steps to Reproduce:
1.
2.
3.

Actual results:

New and switched options for the capsule-certs-generate tool with little to no documentation, also the change is not documented

Expected results:

Documentation covering the new options, change logged somewhere

Additional info:

Comment 2 Russell Dickenson 2018-05-25 04:13:24 UTC
Nikola,

To confirm which capsule-certs-generate parameters changed between Satellite 6.2 and 6.3, I ran "capsule-certs-generate --help" on both a Satellite 6.2 and 6.3 instance. In fact for Satellite 6.3 I added parameter "--full-help" since there has been a change to the behaviour in Satellite 6.3.

With the help for both versions in separate files, I then compared the two using `Meld`. Although there have been a number of changes, the main noteworthy changes appear to be the following:

Satellite 6.2: --capsule-fqdn, and Satellite 6.3: --foreman-proxy-fqdn

Satellite 6.3:
** Several instances of "--reset-<parameter>" were added, allowing each parameter to be reset to its default value. A parameter "--certs-reset" was added in Satellite 6.3 which "will reset any custom certificates and use the self-signed CA instead."
** The "--foreman-proxy-cname" parameter, though use of that option may not yet be supported for Satellite 6.3

In preparation for Satellite 6.3, we already changed the Installation Guide to use "--foreman-proxy-fqdn" instead of the Satellite 6.2 "--capsule-fqdn".

I agree we should document these changes in the Satellite 6.3 Release Notes. To do so I need to find in which BZ tickets it was that these changes were made. I have done a preliminary search but failed to find them. I will consult the SMEs who are responsible for these features.
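
Added example (not part of the bug comments and not Red Hat's code): a scripted version of the help-output comparison described in comment 2, which also reports options that moved to a different module and flags a saved command line that still uses a removed option. The help excerpts are taken from the bug description with descriptions trimmed; `OLD_CMD` and its host name and path are constructed.

```python
import re

# Excerpts of the two help outputs quoted in the bug description (descriptions
# trimmed, option names and module headers unchanged). The 6.3 text is plain
# --help; comment 2 notes that 6.3 needs --full-help to list every option.
HELP_62 = """\
= Module capsule_certs:
    --capsule-fqdn                fqdn of the capsule. REQUIRED
    --certs-tar                   path to tar file with certs to generate. REQUIRED
    --parent-fqdn                 fqdn of the parent node. Does not usually
                                  need to be set.
= Module certs:
    --node-fqdn                   The fqdn of the host the generated certificates
    --server-cert                 Path to the ssl certificate for https
    --server-key                  Path to the ssl key for https
"""
HELP_63 = """\
= Module certs:
    --cname                       The alternative names of the host
    --node-fqdn                   The fqdn of the host the generated certificates
    --server-cert                 Path to the ssl certificate for https
    --server-key                  Path to the ssl key for https
= Module foreman_proxy_certs:
    --certs-tar                   Path to tar file with certs to generate
    --foreman-proxy-cname         additional names of the foreman proxy
    --foreman-proxy-fqdn          FQDN of the foreman proxy
    --parent-fqdn                 FQDN of the parent node. Does not usually
"""
OPTION = r"--[a-z0-9][a-z0-9-]*"

def parse_help(text):
    """Map each option name to the '= Module ...:' header it is listed under."""
    options, module = {}, None
    for line in text.splitlines():
        if (m := re.match(r"= Module (\w+):", line)):
            module = m.group(1)
        elif (m := re.match(rf"\s+({OPTION})", line)):  # wrapped text has no "--"
            options[m.group(1)] = module
    return options

def compare(old_help, new_help):
    """Report options removed, added, or listed under a different module."""
    old, new = parse_help(old_help), parse_help(new_help)
    return {"removed": sorted(old.keys() - new.keys()),
            "added": sorted(new.keys() - old.keys()),
            "moved": sorted((o, old[o], new[o])
                            for o in old.keys() & new.keys() if old[o] != new[o])}

def stale_options(command, removed):
    """Options in a saved command line that the newer help no longer lists."""
    return [o for o in re.findall(rf"(?<!\S){OPTION}", command) if o in removed]

# Constructed 6.2-style invocation, as might sit in a provisioning script.
OLD_CMD = "capsule-certs-generate --capsule-fqdn capsule.example.com --certs-tar /root/capsule-certs.tar"
```

Run against the complete outputs, the "removed" list is only meaningful when the 6.3 side comes from `--full-help`, since plain `--help` omits options that still exist.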

Comment 8 Russell Dickenson 2018-06-10 23:37:55 UTC
I have written and published [1] on the Customer Portal, a Release Notes entry for this BZ ticket.


[1] https://access.redhat.com/documentation/en-us/red_hat_satellite/6.3/html-single/release_notes/

