Bug 1770394 - katello-certs-check output print foreman-installer/ katello/foreman-proxy-certs-generate on sat 6.7
Status: CLOSED ERRATA
Alias: None
Product: Red Hat Satellite
Classification: Red Hat
Component: Installer
Version: 6.7.0
Hardware: Unspecified
OS: Unspecified
unspecified
medium
Target Milestone: 6.7.0
Assignee: Chris Roberts
QA Contact: Devendra Singh
Reported: 2019-11-08 21:38 UTC by Nikhil Kathole
Modified: 2020-04-14 13:26 UTC

Fixed In Version: foreman-installer-1.24.1.4-1
Last Closed: 2020-04-14 13:26:24 UTC

Links
System ID Priority Status Summary Last Updated
Red Hat Product Errata RHSA-2020:1454 None None None 2020-04-14 13:26:33 UTC

Description Nikhil Kathole 2019-11-08 21:38:50 UTC
Description of problem:


To install the Katello main server with the custom certificates, run:

    foreman-installer --scenario katello \
                      --certs-server-cert "/root/server.valid.crt" \
                      --certs-server-key "/root/server.key" \
                      --certs-server-ca-cert "/root/rootCA.pem"

To update the certificates on a currently running Katello installation, run:

    foreman-installer --scenario katello \
                      --certs-server-cert "/root/server.valid.crt" \
                      --certs-server-key "/root/server.key" \
                      --certs-server-ca-cert "/root/rootCA.pem" \
                      --certs-update-server --certs-update-server-ca

To use them inside a NEW $FOREMAN_PROXY, rerun this command with -t foreman-proxy



Version-Release number of selected component (if applicable):
Satellite 6.7 snap 1


How reproducible: always


Steps to Reproduce:
1. katello-certs-check -c server.valid.crt -k server.key -b rootCA.pem


Actual results:
Output has upstream names foreman-proxy-certs-generate/FOREMAN-PROXY/foreman-installer/katello.

Expected results:
Output should use capsule-certs-generate/CAPSULE/satellite-installer/satellite.

Additional info:

Comment 6 Nikhil Kathole 2020-01-20 16:57:02 UTC
FailedQA

Version tested:
Satellite 6.7 snap 9

# rpm -qa | grep installer
foreman-installer-1.24.1.3-1.el7sat.noarch
foreman-installer-katello-1.24.1.3-1.el7sat.noarch
satellite-installer-6.7.0.6-1.beta.el7sat.noarch

Causes regression: Even if CN != hostname, command for satellite scenario is printed

[root@sgi-uv20-01 ~]# katello-certs-check -c /root/ownca/test.example.com/test.example.com.crt -k /root/ownca/test.example.com/test.example.com.key  -b /root/ownca/cacert.crt 
Checking server certificate encoding: 
[OK]

Checking expiration of certificate: 
[OK]

Checking expiration of CA bundle: 
[OK]

Checking if server certificate has CA:TRUE flag 
[OK]

Checking for private key passphrase: 
[OK]

Checking to see if the private key matches the certificate: 
[OK]

Checking CA bundle against the certificate file: 
[OK]

Checking Subject Alt Name on certificate 
[OK]

Checking Key Usage extension on certificate for Key Encipherment 
[OK]

Validation succeeded


To install the Red Hat Satellite Server with the custom certificates, run:

    satellite-installer --scenario satellite \
                      --certs-server-cert "/root/ownca/test.example.com/test.example.com.crt" \
                      --certs-server-key "/root/ownca/test.example.com/test.example.com.key" \
                      --certs-server-ca-cert "/root/ownca/cacert.crt"

To update the certificates on a currently running Red Hat Satellite installation, run:

    satellite-installer --scenario satellite \
                      --certs-server-cert "/root/ownca/test.example.com/test.example.com.crt" \
                      --certs-server-key "/root/ownca/test.example.com/test.example.com.key" \
                      --certs-server-ca-cert "/root/ownca/cacert.crt" \
                      --certs-update-server --certs-update-server-ca

Comment 9 Devendra Singh 2020-02-03 09:23:51 UTC
Version tested:
Satellite 6.7 snap 10

# rpm -qa | grep installer
foreman-installer-katello-1.24.1.5-1.el7sat.noarch
satellite-installer-6.7.0.6-1.beta.el7sat.noarch
foreman-installer-1.24.1.5-1.el7sat.noarch

When CN==hostname, Command of Satellite printed

Checking server certificate encoding: 
[OK]

Checking expiration of certificate: 
[OK]

Checking expiration of CA bundle: 
[OK]

Checking if server certificate has CA:TRUE flag 
[OK]

Checking for private key passphrase: 
[OK]

Checking to see if the private key matches the certificate: 
[OK]

Checking CA bundle against the certificate file: 
[OK]

Checking Subject Alt Name on certificate 
[OK]

Checking Key Usage extension on certificate for Key Encipherment 
[OK]

Validation succeeded


To install the Red Hat Satellite Server with the custom certificates, run:

    satellite-installer --scenario satellite \
                      --certs-server-cert "/root/server.valid.crt" \
                      --certs-server-key "/root/server.key" \
                      --certs-server-ca-cert "/root/rootCA.pem"

To update the certificates on a currently running Red Hat Satellite installation, run:

    satellite-installer --scenario satellite \
                      --certs-server-cert "/root/server.valid.crt" \
                      --certs-server-key "/root/server.key" \
                      --certs-server-ca-cert "/root/rootCA.pem" \
                      --certs-update-server --certs-update-server-ca


When CN!=hostname, Command of Capsule printed

Checking server certificate encoding: 
[OK]

Checking expiration of certificate: 
[OK]

Checking expiration of CA bundle: 
[OK]

Checking if server certificate has CA:TRUE flag 
[OK]

Checking for private key passphrase: 
[OK]

Checking to see if the private key matches the certificate: 
[OK]

Checking CA bundle against the certificate file: 
[OK]

Checking Subject Alt Name on certificate 
[OK]

Checking Key Usage extension on certificate for Key Encipherment 
[OK]

Validation succeeded


  To use them inside a NEW $CAPSULE, run this command:

      capsule-certs-generate --foreman-proxy-fqdn "$CAPSULE" \
                                   --certs-tar  "~/$CAPSULE-certs.tar" \
                                   --server-cert "/root/server.valid.crt" \
                                   --server-key "/root/server.key" \
                                   --server-ca-cert "/root/rootCA.pem" \

  To use them inside an EXISTING $CAPSULE, run this command INSTEAD:

      capsule-certs-generate --foreman-proxy-fqdn "$CAPSULE" \
                                   --certs-tar  "~/$CAPSULE-certs.tar" \
                                   --server-cert "/root/server.valid.crt" \
                                   --server-key "/root/server.key" \
                                   --server-ca-cert "/root/rootCA.pem" \
                                   --certs-update-server

Comment 12 errata-xmlrpc 2020-04-14 13:26:24 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHSA-2020:1454

