Currently, using certs without Key Encipherment will pass katello-certs-check, but these certificates will ultimately fail when clients attempt to retrieve updates: From a client update attempt: https://satellite.example.com/pulp/repos/ORG/ENV/VIEW/content/dist/rhel/server/7/7Server/x86_64/optional/os/repodata/repomd.xml: [Errno 14] curl#60 - "Certificate key usage inadequate for attempted operation." Certificates without Key Encipherment should fail in the certs check to avoid deployment of certs that ultimately fail when used.
VERIFIED Version tested: Satellite 6.4 snap 17 # openssl x509 -text -in server.valid.crt -noout | grep -A1 "Key Usage" X509v3 Key Usage: Digital Signature, Non Repudiation, Key Encipherment, Data Encipherment Checking server certificate's encoding: [OK] Checking expiration of certificate: [OK] Checking expiration of CA bundle: [OK] Checking if server cert has CA:TRUE flag[OK] Validating the certificate subject= /C=IN/ST=Maharashtra/L=Pune/O=redhat/OU=QE/CN=xyz/emailAddress=administrator Checking to see if the private key matches the certificate: [OK] Checking ca bundle against the cert file: [OK] Checking Subject Alt Name on certificate[OK] Checking Key Usage extension on certificate for Key Encipherment[OK] Validation succeeded. To install the Katello main server with the custom certificates, run: satellite-installer --scenario satellite\ --certs-server-cert "/root/server.valid.crt"\ --certs-server-key "/root/server.key"\ --certs-server-ca-cert "/root/rootCA.pem" To update the certificates on a currently running Katello installation, run: satellite-installer --scenario satellite\ --certs-server-cert "/root/server.valid.crt"\ --certs-server-key "/root/server.key"\ --certs-server-ca-cert "/root/rootCA.pem"\ --certs-update-server --certs-update-server-ca To use them inside a NEW $FOREMAN_PROXY, run this command: capsule-certs-generate --foreman-proxy-fqdn "$FOREMAN_PROXY"\ --certs-tar "~/$FOREMAN_PROXY-certs.tar"\ --server-cert "/root/server.valid.crt"\ --server-key "/root/server.key"\ --server-ca-cert "/root/rootCA.pem"\ To use them inside an EXISTING $FOREMAN_PROXY, run this command INSTEAD: capsule-certs-generate --foreman-proxy-fqdn "$FOREMAN_PROXY"\ --certs-tar "~/$FOREMAN_PROXY-certs.tar"\ --server-cert "/root/server.valid.crt"\ --server-key "/root/server.key"\ --server-ca-cert "/root/rootCA.pem"\ --certs-update-server
Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory, and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report. https://access.redhat.com/errata/RHSA-2018:2927