Bug 1721532 - Satellite Installer option certs-node-fqdn gives ssl errors for all url that are defaulting to fqdn
Summary: Satellite Installer option certs-node-fqdn gives ssl errors for all url that ...
Keywords:
Status: CLOSED DUPLICATE of bug 1160344
Alias: None
Product: Red Hat Satellite
Classification: Red Hat
Component: Installation
Version: 6.5.0
Hardware: Unspecified
OS: Unspecified
unspecified
medium
Target Milestone: Unspecified
Assignee: satellite6-bugs
QA Contact: Perry Gagne
URL:
Whiteboard:
Depends On:
Blocks: 1122832
Reported: 2019-06-18 13:41 UTC by Peter Vreman
Modified: 2019-11-08 07:45 UTC (History)

Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
Environment:
Last Closed: 2019-07-11 13:55:09 UTC
Target Upstream Version:
Embargoed:



Description Peter Vreman 2019-06-18 13:41:22 UTC
Description of problem:
Use case:
I added a service (secondary) IP address with DNS A record 'sat6dev.example.com' on the Sat6 to have a consistent ip address to be programmed in the firewalls.
But the problem case would be when using a CNAME
FQDN of server is 'server1.example.com'

I have got certificates with only 'sat6d.example.com' in it to be independent of the real FQDN of the server.

When installing Sat6 with the defaults and external certificates I can access the Sat6 on 'sat6dev.example.com' from the browser and have valid certificates. The problem left is that Sat6 creates internal certificates and an rpm for the client with katello-ca-consumer-server1.example.com.
To prevent this problem I found the option 'certs-node-fqdn'. When I tried it on an existing Sat6 installation I saw it created the expected 'katello-ca-consumer-sat6dev.example.com'. So I started a re-kickstart and fresh installation to have the process validated for future installations.

Sadly the fresh installation fails at the 'foreman-rake db:seed' step with an SSL verification error in populating Candlepin.

Troubleshooting it, I see in the installer log

/Stage[main]/Certs::Candlepin/Cert[sat6d.example.com-tomcat]/ensure: created


But I found in /etc/foreman/plugins/katello.yaml that the Candlepin URL is on the FQDN server1.example.com and not on the name provided in the certificate.

There is also no option for the installer to update the URL for candlepin like there is for puppet and co.



Version-Release number of selected component (if applicable):


How reproducible:


Steps to Reproduce:
1. Add a CNAME sat6dev.example.com to the fqdn
2. Create an external certificate only valid for sat6dev.example.com
3. Install Satellite and provide certs-node-fqdn

Actual results:
Installer fails at db:seed step in provisioning candlepin

Expected results:
Success, candlepin is connected using certs-node-fqdn

Additional info:

Comment 3 Peter Vreman 2019-06-18 18:25:41 UTC
After creating this specific BZ I found a longstanding RFE that matches my overall use case https://bugzilla.redhat.com/show_bug.cgi?id=1160344 [RFE] Satellite support for cname as alternate cname.

This specific BZ shall concentrate on the fact that cert-node-fqdn is used to create the katello-ca-consumer (=client phasing) and also impacts all internal connections.

I verified that changing the cert-node-fqdn to the 'CNAME' and then setting cert-cname to 'fqdn' works for the internal connection (at least to Candlepin).

I think some safeguarding steps in the installer can be added to make sure that cert-node-fqdn+cert-cname contains the fqdn.
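The safeguard suggested in the comment above, as an added example that is not part of the original report or of the Satellite installer: it checks that the names a server certificate would carry (certs-node-fqdn plus certs-cname values) cover the real server FQDN and every host in the internal service URLs, applying the same hostname-matching rule TLS verification uses later. The URL table is a constructed sample, not the real katello.yaml schema.

```python
"""Pre-flight check: certificate names must cover the server FQDN and the
hosts of all internal service URLs, otherwise those connections will fail
TLS hostname verification (as the Candlepin db:seed step did in the report)."""
from urllib.parse import urlsplit

# Constructed sample resembling the internal URLs in the report; the keys are
# illustrative and are not the real katello.yaml layout.
SAMPLE_URLS = {
    "candlepin": "https://server1.example.com:8443/candlepin",
    "pulp": "https://sat6dev.example.com/pulp/api/v3/",
    "foreman": "https://sat6dev.example.com",
}


def name_matches(cert_name: str, host: str) -> bool:
    """True if a certificate name matches the host. A leftmost-label wildcard
    ('*.example.com') matches exactly one label, per RFC 6125."""
    cert_name = cert_name.lower().rstrip(".")
    host = host.lower().rstrip(".")
    if cert_name.startswith("*."):
        suffix = cert_name[1:]                      # ".example.com"
        return host.endswith(suffix) and "." not in host[: -len(suffix)]
    return cert_name == host


def find_uncovered_urls(node_fqdn: str, cnames: list, urls: dict) -> dict:
    """Return {service: host} for each URL whose host no certificate name
    covers, i.e. the connections that would fail verification."""
    names = [node_fqdn, *cnames]
    uncovered = {}
    for service, url in urls.items():
        host = urlsplit(url).hostname or ""
        if not any(name_matches(n, host) for n in names):
            uncovered[service] = host
    return uncovered


def check_installer_names(node_fqdn, cnames, server_fqdn, urls) -> list:
    """Installer-style safeguard: node fqdn + cnames must contain the real
    server FQDN and must cover every internal URL host. Returns problems."""
    problems = []
    if not any(name_matches(n, server_fqdn) for n in [node_fqdn, *cnames]):
        problems.append(f"server fqdn {server_fqdn} not in certificate names")
    for service, host in find_uncovered_urls(node_fqdn, cnames, urls).items():
        problems.append(f"{service} url host {host} not in certificate names")
    return problems


if __name__ == "__main__":
    # Failing setup from the report: certificate only for the CNAME.
    print(check_installer_names("sat6dev.example.com", [], "server1.example.com", SAMPLE_URLS))
    # Working setup from the comment: node-fqdn = CNAME, cname = real FQDN.
    print(check_installer_names("sat6dev.example.com", ["server1.example.com"],
                                "server1.example.com", SAMPLE_URLS))
```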

Comment 4 Zach Huntington-Meath 2019-07-11 13:55:09 UTC

*** This bug has been marked as a duplicate of bug 1160344 ***

