Red Hat Bugzilla – Bug 1560607
Undocumented change of the capsule-certs-generate tool
Last modified: 2018-08-31 11:20 EDT
Description of problem:
Cannot find a document covering the change of the capsule-certs-generate tool options, between Satellite releases 6.2 and 6.3:

Satellite 6.2 :

= Module capsule_certs:
    --capsule-fqdn  fqdn of the capsule. REQUIRED (default: "certs::node_fqdn")
    --certs-tar  path to tar file with certs to generate. REQUIRED (default: nil)
    --parent-fqdn  fqdn of the parent node. Does not usually need to be set. (default: "inf3.coe.muc.redhat.com")

= Module certs:
    --ca-common-name  Common name for the generated CA certificate (default: "inf3.coe.muc.redhat.com")
    --ca-expiration  Ca expiration attribute for managed certificates (default: "36500")
    --city  City attribute for managed certificates (default: "Raleigh")
    --country  Country attribute for managed certificates (default: "US")
    --default-ca-name  The name of the default CA (default: "katello-default-ca")
    --deploy  Deploy the certs on the configured system. False means we want apply it on a different system (default: false)
    --expiration  Expiration attribute for managed certificates (default: "7300")
    --generate  Should the generation of the certs be part of the configuration (default: true)
    --group  The group who should own the certs; (default: "foreman")
    --log-dir  When the log files should go (default: "/var/log/certs")
    --node-fqdn  The fqdn of the host the generated certificates should be for (default: "inf3.coe.muc.redhat.com")
    --org  Org attribute for managed certificates (default: "Default_Organization")
    --org-unit  Org unit attribute for managed certificates (default: "SomeOrgUnit")
    --password-file-dir  The location to store password files (default: "certs::params::password_file_dir")
    --pki-dir  The PKI directory under which to place certs (default: "/etc/pki/katello")
    --regenerate  Force regeneration of the certificates (excluding ca certificates) (default: false)
    --regenerate-ca  Force regeneration of the ca certificate (default: false)
    --server-ca-cert  Path to the CA that issued the ssl certificates for https if not specified, the default CA will be used (default: nil)
    --server-ca-name  The name of the server CA (used for https) (default: "katello-server-ca")
    --server-cert  Path to the ssl certificate for https if not specified, the default CA will generate one (default: nil)
    --server-cert-req  Path to the ssl certificate request for https (default: nil)
    --server-key  Path to the ssl key for https if not specified, the default CA will generate one (default: nil)
    --ssl-build-dir  The directory where SSL keys, certs and RPMs will be generated (default: "/root/ssl-build")
    --state  State attribute for managed certificates (default: "North Carolina")
    --user  The system user name who should own the certs; (default: "root")

Satellite 6.3 :

= Module certs:
    --cname  The alternative names of the host the generated certificates should be for (current: [])
    --node-fqdn  The fqdn of the host the generated certificates should be for (current: "nkresic.muc.csb")
    --server-ca-cert  Path to the CA that issued the ssl certificates for https if not specified, the default CA will be used (current: UNDEF)
    --server-cert  Path to the ssl certificate for https if not specified, the default CA will generate one (current: UNDEF)
    --server-cert-req  Path to the ssl certificate request for https if not specified, the default CA will generate one (current: UNDEF)
    --server-key  Path to the ssl key for https if not specified, the default CA will generate one (current: UNDEF)

= Module foreman_proxy_certs:
    --certs-tar  Path to tar file with certs to generate (current: UNDEF)
    --foreman-proxy-cname  additional names of the foreman proxy (current: [])
    --foreman-proxy-fqdn  FQDN of the foreman proxy (current: "nkresic.muc.csb")
    --parent-fqdn  FQDN of the parent node. Does not usually need to be set. (current: "nkresic.muc.csb")

Version-Release number of selected component (if applicable):
satellite-installer-6.3.0.12-1.el7sat.noarch : Puppet-based installer for Satellite and Capsule
Repo : Sat63
Matched from:
Filename : /usr/sbin/capsule-certs-generate

How reproducible:

Steps to Reproduce:
1.
2.
3.

Actual results:
New and switched options for the capsule-certs-generate tool with little to no documentation, also the change is not documented

Expected results:
Documentation covering the new options, change logged somewhere

Additional info:
Nikola,

To confirm which capsule-certs-generate parameters changed between Satellite 6.2 and 6.3, I ran "capsule-certs-generate --help" on both a Satellite 6.2 and 6.3 instance. In fact for Satellite 6.3 I added parameter "--full-help" since there has been a change to the behaviour in Satellite 6.3. With the help for both versions in separate files, I then compared the two using `Meld`.

Although there have been a number of changes, the main noteworthy changes appear to be the following:

Satellite 6.2: --capsule-fqdn, and
Satellite 6.3: --foreman-proxy-fqdn

Satellite 6.3:
** Several instances of "--reset-<parameter>" were added, allowing each parameter to be reset to its default value. A parameter "--certs-reset" was added in Satellite 6.3 which "will reset any custom certificates and use the self-signed CA instead."
** The "--foreman-proxy-cname" parameter, though use of that option may not yet be supported for Satellite 6.3

In preparation for Satellite 6.3, we already changed the Installation Guide to use "--foreman-proxy-fqdn" instead of the Satellite 6.2 "--capsule-fqdn".

I agree we should document these changes in the Satellite 6.3 Release Notes. To do so I need to find in which BZ tickets it was that these changes were made. I have done a preliminary search but failed to find them. I will consult the SMEs who are responsible for these features.
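The help-output comparison described in the comment above can be scripted so that saved certificate-generation commands are checked before an upgrade. This is an added example, not part of the bug report or of the installer: the function names and the sample command line (host and path) are constructed, and the two listings are short excerpts of the help text quoted in the description.

```python
import re

# Constructed input: a few options from each listing in the description,
# one option per line, with descriptions and defaults trimmed.
HELP_62 = """\
= Module capsule_certs:
    --capsule-fqdn  fqdn of the capsule. REQUIRED
    --certs-tar  path to tar file with certs to generate. REQUIRED
    --parent-fqdn  fqdn of the parent node. Does not usually need to be set.
= Module certs:
    --node-fqdn  The fqdn of the host the generated certificates should be for
    --server-cert  Path to the ssl certificate for https
"""
HELP_63 = """\
= Module certs:
    --cname  The alternative names of the host
    --node-fqdn  The fqdn of the host the generated certificates should be for
    --server-cert  Path to the ssl certificate for https
= Module foreman_proxy_certs:
    --certs-tar  Path to tar file with certs to generate
    --foreman-proxy-cname  additional names of the foreman proxy
    --foreman-proxy-fqdn  FQDN of the foreman proxy
    --parent-fqdn  FQDN of the parent node. Does not usually need to be set.
"""

MODULE_RE = re.compile(r"^=\s*Module\s+(\S+?):\s*$")
OPTION_RE = re.compile(r"^\s*(--[a-z0-9][a-z0-9-]*)")

def parse_options(help_text):
    """Map each option to the '= Module <name>:' heading it is listed under."""
    options, module = {}, None
    for line in help_text.splitlines():
        heading, option = MODULE_RE.match(line), OPTION_RE.match(line)
        if heading:
            module = heading.group(1)
        elif option:
            options[option.group(1)] = module
    return options

def diff_options(old, new):
    """Options dropped, options introduced, and options listed under a new module."""
    removed, added = sorted(set(old) - set(new)), sorted(set(new) - set(old))
    moved = sorted((o, old[o], new[o]) for o in set(old) & set(new) if old[o] != new[o])
    return {"removed": removed, "added": added, "moved": moved}

def stale_flags(command_line, old, new):
    """Flags in a saved command line that the newer help no longer lists."""
    used = re.findall(r"(?<!\S)(--[a-z0-9][a-z0-9-]*)", command_line)
    return [flag for flag in used if flag in old and flag not in new]
```

On real output, capture the 6.3 side with "--full-help" as the comment does, so that options hidden from the short help are not reported as removed.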
I have written and published [1] on the Customer Portal, a Release Notes entry for this BZ ticket.

[1] https://access.redhat.com/documentation/en-us/red_hat_satellite/6.3/html-single/release_notes/