Description of problem: To install the Katello main server with the custom certificates, run: foreman-installer --scenario katello \ --certs-server-cert "/root/server.valid.crt" \ --certs-server-key "/root/server.key" \ --certs-server-ca-cert "/root/rootCA.pem" To update the certificates on a currently running Katello installation, run: foreman-installer --scenario katello \ --certs-server-cert "/root/server.valid.crt" \ --certs-server-key "/root/server.key" \ --certs-server-ca-cert "/root/rootCA.pem" \ --certs-update-server --certs-update-server-ca To use them inside a NEW $FOREMAN_PROXY, rerun this command with -t foreman-proxy Version-Release number of selected component (if applicable): Satellite 6.7 snap 1 How reproducible: always Steps to Reproduce: 1. katello-certs-check -c server.valid.crt -k server.key -b rootCA.pem Actual results: Output has upstream names foreman-proxy-certs-generate/FOREMAN-PROXY/foreman-installer/katello. Expected results: Output should use capsule-certs-generate/CAPSULE/satellite-installer/satellite. Additional info:
FailedQA Version tested: Satellite 6.7 snap 9 # rpm -qa | grep installer foreman-installer-1.24.1.3-1.el7sat.noarch foreman-installer-katello-1.24.1.3-1.el7sat.noarch satellite-installer-6.7.0.6-1.beta.el7sat.noarch Causes regression : Even if CN != hostname, command for satellite scenario is printed [root@sgi-uv20-01 ~]# katello-certs-check -c /root/ownca/test.example.com/test.example.com.crt -k /root/ownca/test.example.com/test.example.com.key -b /root/ownca/cacert.crt Checking server certificate encoding: [OK] Checking expiration of certificate: [OK] Checking expiration of CA bundle: [OK] Checking if server certificate has CA:TRUE flag [OK] Checking for private key passphrase: [OK] Checking to see if the private key matches the certificate: [OK] Checking CA bundle against the certificate file: [OK] Checking Subject Alt Name on certificate [OK] Checking Key Usage extension on certificate for Key Encipherment [OK] Validation succeeded To install the Red Hat Satellite Server with the custom certificates, run: satellite-installer --scenario satellite \ --certs-server-cert "/root/ownca/test.example.com/test.example.com.crt" \ --certs-server-key "/root/ownca/test.example.com/test.example.com.key" \ --certs-server-ca-cert "/root/ownca/cacert.crt" To update the certificates on a currently running Red Hat Satellite installation, run: satellite-installer --scenario satellite \ --certs-server-cert "/root/ownca/test.example.com/test.example.com.crt" \ --certs-server-key "/root/ownca/test.example.com/test.example.com.key" \ --certs-server-ca-cert "/root/ownca/cacert.crt" \ --certs-update-server --certs-update-server-ca
Version tested: Satellite 6.7 snap 10 # rpm -qa | grep installer foreman-installer-katello-1.24.1.5-1.el7sat.noarch satellite-installer-6.7.0.6-1.beta.el7sat.noarch foreman-installer-1.24.1.5-1.el7sat.noarch When CN==hostname, Command of Satellite pinted Checking server certificate encoding: [OK] Checking expiration of certificate: [OK] Checking expiration of CA bundle: [OK] Checking if server certificate has CA:TRUE flag [OK] Checking for private key passphrase: [OK] Checking to see if the private key matches the certificate: [OK] Checking CA bundle against the certificate file: [OK] Checking Subject Alt Name on certificate [OK] Checking Key Usage extension on certificate for Key Encipherment [OK] Validation succeeded To install the Red Hat Satellite Server with the custom certificates, run: satellite-installer --scenario satellite \ --certs-server-cert "/root/server.valid.crt" \ --certs-server-key "/root/server.key" \ --certs-server-ca-cert "/root/rootCA.pem" To update the certificates on a currently running Red Hat Satellite installation, run: satellite-installer --scenario satellite \ --certs-server-cert "/root/server.valid.crt" \ --certs-server-key "/root/server.key" \ --certs-server-ca-cert "/root/rootCA.pem" \ --certs-update-server --certs-update-server-ca When CN!=hostname, Command of Capsule printed Checking server certificate encoding: [OK] Checking expiration of certificate: [OK] Checking expiration of CA bundle: [OK] Checking if server certificate has CA:TRUE flag [OK] Checking for private key passphrase: [OK] Checking to see if the private key matches the certificate: [OK] Checking CA bundle against the certificate file: [OK] Checking Subject Alt Name on certificate [OK] Checking Key Usage extension on certificate for Key Encipherment [OK] Validation succeeded To use them inside a NEW $CAPSULE, run this command: capsule-certs-generate --foreman-proxy-fqdn "$CAPSULE" \ --certs-tar "~/$CAPSULE-certs.tar" \ --server-cert "/root/server.valid.crt" \ --server-key "/root/server.key" \ --server-ca-cert "/root/rootCA.pem" \ To use them inside an EXISTING $CAPSULE, run this command INSTEAD: capsule-certs-generate --foreman-proxy-fqdn "$CAPSULE" \ --certs-tar "~/$CAPSULE-certs.tar" \ --server-cert "/root/server.valid.crt" \ --server-key "/root/server.key" \ --server-ca-cert "/root/rootCA.pem" \ --certs-update-server
Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory, and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report. https://access.redhat.com/errata/RHSA-2020:1454