Description of problem:
If we try to install custom certs on satellite with a wildcard, i.e. CN=*.example.com, katello-certs-check gives the wrong output. katello-certs-check gives the command to generate the capsule certs as below instead of the satellite-installer command.

--------------------------------------------------------------------------------------------------------
To use them inside a NEW $FOREMAN_PROXY, run this command:

capsule-certs-generate --foreman-proxy-fqdn "$FOREMAN_PROXY"\
                       --certs-tar "~/$FOREMAN_PROXY-certs.tar"\
                       --server-cert "/customcerts/cert_crt.pem"\
                       --server-key "/customcerts/cert_key.pem"\
                       --server-ca-cert "/customcerts/CA_crt.pem"\

To use them inside an EXISTING $FOREMAN_PROXY, run this command INSTEAD:

capsule-certs-generate --foreman-proxy-fqdn "$FOREMAN_PROXY"\
                       --certs-tar "~/$FOREMAN_PROXY-certs.tar"\
                       --server-cert "/customcerts/cert_crt.pem"\
                       --server-key "/customcerts/cert_key.pem"\
                       --server-ca-cert "/customcerts/CA_crt.pem"\
                       --certs-update-server
--------------------------------------------------------------------------------------------------------

This issue was caused by the fix in the following RFE:
[RFE] katello-certs-check to distinguish between Satellite and Capsule
https://projects.theforeman.org/issues/22694

Version-Release number of selected component (if applicable):
satellite6.4
Moving this bug to POST for triage into Satellite 6 since the upstream issue https://projects.theforeman.org/issues/25564 has been resolved.
See also:
Bug 1758181 - katello-certs-check does not support wildcard certificates
Bug 1658360 - katello-certs-check is not showing satellite-installer command if wildcard SSL certificate is used.
Upstream bug assigned to supatil
Created attachment 1669054 [details] cert-bundle
Hello,

Testing with latest snap:

[root@sat-6-7-qa-rhel7 ~]# rpm -q satellite
satellite-6.7.0-6.el7sat.noarch

Fixed in version says: foreman-installer-1.24.1.19-1
I have:

[root@sat-6-7-qa-rhel7 ~]# rpm -q foreman-installer
foreman-installer-1.24.1.20-1.el7sat.noarch

Create CA
--------------
[root@sat-6-7-qa-rhel7 ~]# git clone https://github.com/iNecas/ownca.git
Cloning into 'ownca'...
[root@sat-6-7-qa-rhel7 ~]# cd ownca/
[root@sat-6-7-qa-rhel7 ownca]# ./generate-ca.sh
Generating a 2048 bit RSA private key
.................................................................+++
..........................................+++
writing new private key to 'private/cakey.crt'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Organization Name (company) [My Company]:
Organizational Unit Name (department, division) []:
Email Address []:
Locality Name (city, district) [My Town]:
State or Province Name (full name) [State or Providence]:
Country Name (2 letter code) [US]:
Common Name (hostname, IP, or your name) []:
[root@sat-6-7-qa-rhel7 ownca]#

Generate the certificate with wildcard in host name portion of FQDN
---------------------------------------------------------------------------
[root@sat-6-7-qa-rhel7 ownca]# ./generate-crt.sh "*.example.com"
Generating a 2048 bit RSA private key
..+++
...............+++
writing new private key to './*.example.com/*.example.com.key'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Organization Name (company) [My Company]:
Organizational Unit Name (department, division) []:
Email Address []:
Locality Name (city, district) [My Town]:
State or Province Name (full name) [State or Providence]:
Country Name (2 letter code) [US]:
Common Name (hostname, IP, or your name) []:
Using configuration from ./openssl.cnf
Check that the request matches the signature
Signature ok
The Subject's Distinguished Name is as follows
organizationName      :PRINTABLE:'My Company'
localityName          :PRINTABLE:'My Town'
stateOrProvinceName   :PRINTABLE:'State or Providence'
countryName           :PRINTABLE:'US'
commonName            :T61STRING:'*.example.com'
Certificate is to be certified until Mar 16 13:47:38 2021 GMT (365 days)
Sign the certificate? [y/n]:y
1 out of 1 certificate requests certified, commit? [y/n]y
Write out database with 1 new entries
Data Base Updated
[root@sat-6-7-qa-rhel7 ownca]#

Copy CA cert to server certs directory
----------------------------------------
[root@sat-6-7-qa-rhel7 ownca]# cp cacert.crt \*.example.com/
[root@sat-6-7-qa-rhel7 ownca]# cd \*.example.com/
[root@sat-6-7-qa-rhel7 *.example.com]# ls
cacert.crt  *.example.com.crt  *.example.com.crt.req  *.example.com.key
[root@sat-6-7-qa-rhel7 *.example.com]#

Check that the wildcard name is in the cert:
-----------------------------------------------
[root@sat-6-7-qa-rhel7 *.example.com]# openssl x509 -text -in \*.example.com.crt -noout | grep -B1 DNS
            X509v3 Subject Alternative Name:
                DNS:*.example.com

Check the certificate with katello-certs-check
-----------------------------------------------
[root@sat-6-7-qa-rhel7 *.example.com]# katello-certs-check -c *.example.com.crt -k *.example.com.key -b cacert.crt
Checking server certificate encoding: [OK]
Checking expiration of certificate: [OK]
Checking expiration of CA bundle: [OK]
Checking if server certificate has CA:TRUE flag [OK]
Checking for private key passphrase: [OK]
Checking to see if the private key matches the certificate: [OK]
Checking CA bundle against the certificate file: [OK]
Checking CA bundle size: [OK]
Checking Subject Alt Name on certificate [OK]
Checking Key Usage extension on certificate for Key Encipherment [OK]

Validation succeeded

To install the Red Hat Satellite Server with custom certificates, run:

    satellite-installer --scenario satellite \
      --certs-server-cert "/root/ownca/*.example.com/*.example.com.crt" \
      --certs-server-key "/root/ownca/*.example.com/*.example.com.key" \
      --certs-server-ca-cert "/root/ownca/*.example.com/cacert.crt"

To update the certificates on a currently running Red Hat Satellite installation, run:

    satellite-installer --scenario satellite \
      --certs-server-cert "/root/ownca/*.example.com/*.example.com.crt" \
      --certs-server-key "/root/ownca/*.example.com/*.example.com.key" \
      --certs-server-ca-cert "/root/ownca/*.example.com/cacert.crt" \
      --certs-update-server --certs-update-server-ca

To use them inside a NEW $CAPSULE, rerun this command with -t capsule

[root@sat-6-7-qa-rhel7 *.example.com]#

OK, command output on last line looks better now:

To use them inside a NEW $CAPSULE, rerun this command with -t capsule

Thank you
Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory, and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report. https://access.redhat.com/errata/RHSA-2020:1454