Note: This bug is displayed in read-only format because the product is no longer active in Red Hat Bugzilla.

Bug 1721532

Summary: Satellite Installer option certs-node-fqdn gives ssl errors for all url that are defaulting to fqdn
Product: Red Hat Satellite
Component: Installation
Version: 6.5.0
Status: CLOSED DUPLICATE
Severity: medium
Priority: unspecified
Reporter: Peter Vreman <peter.vreman>
Assignee: satellite6-bugs <satellite6-bugs>
QA Contact: Perry Gagne <pgagne>
CC: ajambhul, zhunting
Keywords: Triaged
Target Milestone: Unspecified
Target Release: Unused
Hardware: Unspecified
OS: Unspecified
Type: Bug
Last Closed: 2019-07-11 13:55:09 UTC
Bug Blocks: 1122832

Description Peter Vreman 2019-06-18 13:41:22 UTC
Description of problem:
Use case:
I added a service (secondary) IP address with DNS A record 'sat6dev.example.com' on the Sat6 to have a consistent IP address to be programmed in the firewalls.
But the problem case would be when using a CNAME
FQDN of server is 'server1.example.com'

I have got certificates with only 'sat6d.example.com' in it to be independent of the real FQDN of the server.

When installing Sat6 with the defaults and external certificates I can access the Sat6 on the 'sat6dev.example.com' from the browser and have valid certificates. The problem left is that Sat6 creates internal certificates and rpm for the client with katello-ca-consumer-server1.example.com
To prevent this problem I found the option 'certs-node-fqdn'. When I tried it on an existing Sat6 installation I was seeing it created the expected 'katello-ca-consumer-sat6dev.example.com'. So I started a re-kickstart and fresh installation to have the process validated for future installations.

Sadly the fresh installation fails with the 'foreman-rake db:seed' step with an SSL verification error in populating Candlepin.

Troubleshooting it I see in the installer log

/Stage[main]/Certs::Candlepin/Cert[sat6d.example.com-tomcat]/ensure: created


But I found in /etc/foreman/plugins/katello.yaml the candlepin url is on the FQDN server1.example.com and not on the name provided in the certificate.

There is also no option for the installer to update the URL for candlepin like there is for puppet and co.



Version-Release number of selected component (if applicable):


How reproducible:


Steps to Reproduce:
1. Add a CNAME sat6dev.example.com to fqdn
2. Create an external certificate only valid for sat6dev.example.com
3. Install satellite and provide certs-node-fqdn

Actual results:
Installer fails at db:seed step in provisioning candlepin

Expected results:
Success, candlepin is connected using certs-node-fqdn

Additional info:

Comment 3 Peter Vreman 2019-06-18 18:25:41 UTC
After creating this specific BZ I found a longstanding RFE that matches my overall use case https://bugzilla.redhat.com/show_bug.cgi?id=1160344 [RFE] Satellite support for cname as alternate cname.

This specific BZ shall concentrate on the fact that cert-node-fqdn is used to create the katello-ca-consumer (=client facing) and also impacted all internal connections.

I verified that changing the cert-node-fqdn to the 'CNAME' and then setting cert-cname to 'fqdn' works for the internal connection (at least to candlepin)

I think some safeguarding steps in the installer can be added to make sure that cert-node-fqdn+cert-cname contains the fqdn.
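
A sketch of the safeguard suggested in the comment above, as an added example that is not part of the original report and is not installer code. It assumes the generated certificate carries exactly the node FQDN plus the cnames; the function names, the Candlepin port and path, and the sample values are constructed for illustration.

```python
from urllib.parse import urlsplit


def name_matches(pattern: str, host: str) -> bool:
    """RFC 6125-style match: '*' is honoured only as the whole left-most label."""
    p = pattern.lower().rstrip(".").split(".")
    h = host.lower().rstrip(".").split(".")
    if len(p) != len(h):
        return False
    if p[0] == "*" and len(p) > 2:  # refuse overly broad patterns such as '*.com'
        return p[1:] == h[1:]
    return p == h


def uncovered_urls(cert_names, urls):
    """Return the URLs whose host matches none of the certificate names."""
    failing = []
    for url in urls:
        host = urlsplit(url).hostname or ""
        if not any(name_matches(name, host) for name in cert_names):
            failing.append(url)
    return failing


def preflight(system_fqdn, node_fqdn, cnames, internal_urls):
    """List the problems that would surface later as SSL verification errors."""
    cert_names = [node_fqdn, *cnames]  # assumption: these become the certificate names
    problems = []
    if not any(name_matches(name, system_fqdn) for name in cert_names):
        problems.append(f"system FQDN {system_fqdn} is not covered by {cert_names}")
    for url in uncovered_urls(cert_names, internal_urls):
        problems.append(f"{url} would fail hostname verification")
    return problems


# Constructed sample values modelled on the report.
SYSTEM_FQDN = "server1.example.com"
INTERNAL_URLS = ["https://server1.example.com:8443/candlepin"]  # URL defaulting to the FQDN

# Certificate for the service name only: the failing case from the description.
FAILING = preflight(SYSTEM_FQDN, "sat6dev.example.com", [], INTERNAL_URLS)
# Service name as node FQDN plus the real FQDN as cname: the combination reported to work.
WORKING = preflight(SYSTEM_FQDN, "sat6dev.example.com", ["server1.example.com"], INTERNAL_URLS)

if __name__ == "__main__":
    for label, result in (("node-fqdn only", FAILING), ("node-fqdn + cname", WORKING)):
        print(label, "->", result or "ok")
```

Running a check like this before the certificates are generated would stop the installation early instead of failing at the db:seed step.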

Comment 4 Zach Huntington-Meath 2019-07-11 13:55:09 UTC

*** This bug has been marked as a duplicate of bug 1160344 ***