Description of problem: When we are using katello-certs-check to check our custom/External SSL certificates for installation and output of command which we need to pass with an installer, we have seen extra character at the end of capsule-certs-generate Version-Release number of selected component (if applicable): satellite-capsule-6.7.0-5.beta.el7sat.noarch foreman-installer-katello-1.24.1.5-1.el7sat.noarch How reproducible: Installation of SSL certs Steps to Reproduce: 1. Create CSR and Signed it from CA 2. Use katello-certs-check tool to check certificates and installer commands 3. Actual results: # katello-certs-check -c vm123.crt -k vm123_cert_key.pem -b CA-Chain.crt Checking server certificate encoding: [OK] Checking expiration of certificate: [OK] Checking expiration of CA bundle: [OK] Checking if server certificate has CA:TRUE flag [OK] Checking for private key passphrase: [OK] Checking to see if the private key matches the certificate: [OK] Checking CA bundle against the certificate file: [OK] Checking Subject Alt Name on certificate [OK] Checking Key Usage extension on certificate for Key Encipherment [OK] Validation succeeded To use them inside a NEW $CAPSULE, run this command: capsule-certs-generate --foreman-proxy-fqdn "$CAPSULE" \ --certs-tar "~/$CAPSULE-certs.tar" \ --server-cert "/root/certs/vm123.crt" \ --server-key "/root/certs/vm123_cert_key.pem" \ --server-ca-cert "/root/certs/CA-Chain.crt" \ <---- we should remove this "\" To use them inside an EXISTING $CAPSULE, run this command INSTEAD: capsule-certs-generate --foreman-proxy-fqdn "$CAPSULE" \ --certs-tar "~/$CAPSULE-certs.tar" \ --server-cert "/root/certs/vm123.crt" \ --server-key "/root/certs/vm123_cert_key.pem" \ --server-ca-cert "/root/certs/CA-Chain.crt" \ --certs-update-server Expected results: capsule-certs-generate --foreman-proxy-fqdn "$CAPSULE" \ --certs-tar "~/$CAPSULE-certs.tar" \ --server-cert "/root/certs/vm123.crt" \ --server-key "/root/certs/vm123_cert_key.pem" \ --server-ca-cert "/root/certs/CA-Chain.crt" Additional info:
Tested with Sat 6.7 Snap 15 (foreman-installer-1.24.1.14-1.el7sat.noarch) # katello-certs-check -c dhcp-2-41.vms.sat.rdu2.redhat.com.crt -k dhcp-2-41.vms.sat.rdu2.redhat.com.key -b cacert.asc Checking server certificate encoding: [OK] Checking expiration of certificate: [OK] Checking expiration of CA bundle: [OK] Checking if server certificate has CA:TRUE flag [OK] Checking for private key passphrase: [OK] Checking to see if the private key matches the certificate: [OK] Checking CA bundle against the certificate file: [OK] Checking Subject Alt Name on certificate [OK] Checking Key Usage extension on certificate for Key Encipherment [OK] Validation succeeded To install the Red Hat Satellite Server with the custom certificates, run: satellite-installer --scenario satellite \ --certs-server-cert "/root/customssl/dhcp-2-41.vms.sat.rdu2.redhat.com.crt" \ --certs-server-key "/root/customssl/dhcp-2-41.vms.sat.rdu2.redhat.com.key" \ --certs-server-ca-cert "/root/customssl/cacert.asc" To update the certificates on a currently running Red Hat Satellite installation, run: satellite-installer --scenario satellite \ --certs-server-cert "/root/customssl/dhcp-2-41.vms.sat.rdu2.redhat.com.crt" \ --certs-server-key "/root/customssl/dhcp-2-41.vms.sat.rdu2.redhat.com.key" \ --certs-server-ca-cert "/root/customssl/cacert.asc" \ --certs-update-server --certs-update-server-ca The trailing "\" is gone.
Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory, and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report. https://access.redhat.com/errata/RHSA-2020:1454