Description of problem: Satellite 6.8 capsule-certs-generate does not include cname in apache certificates when specified via --foreman-proxy-cname' Version-Release number of selected component (if applicable): Satellite 6.8.0 How reproducible: Always Steps to Reproduce: 1. Setup: 1 Sattelite and 2 capsules(puppet ca capsule + normal capsule) with a loadbalancer and a client 2. Referring to https://access.redhat.com/documentation/en-us/red_hat_satellite/6.7/html-single/load_balancing_guide/index#configuring-capsule-server-with-default-ssl-certificates-for-load-balancing-with-puppet (4.2) Actual results: Client is not able to register through subscription-manager. Resulting in "Unable to reach the server at <loadbalancer.example.com>:8443/rhsm" Expected results: Client should be able to register through subscription-manager via loadbalancer Additional info: 1. The certs on the capsules are missing the CNAME, which subscription-manager needs to register properly through the LB + capsule. While viewing the cert with openssl, there is no DNS entry related to the loadbalancer. Unlike in 6.7 where it worked fine. 2. Please note the puppet command #puppet cert generate capsule.example.com --dns_alt_names=loadbalancer.example.com is no longer functional. Use `#puppetserver ca` instead
Hi Akhil, Based upon the discussion and comment 6, can you confirm if this is indeed a regression in behavior from Satellite 6.7? Thanks!
I remember checking the same(this bug) with 6.7. It was there as well. Had to delete the directory and regenerate the certs. So no, it's not a regression from 6.7
@Akhil @Brad - I am removing the regression keyword based on Comment 11
Created redmine issue https://projects.theforeman.org/issues/31234 from this bug
*** Bug 1883594 has been marked as a duplicate of this bug. ***
Moving this bug to POST for triage into Satellite since the upstream issue https://projects.theforeman.org/issues/31234 has been resolved.
Verified. Satellite Version: 6.9.0 Snap 2.0 Observation: Cname was added without having to delete the ssl-build/<capsule> directory.
Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory (Moderate: Satellite 6.9 Release), and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report. https://access.redhat.com/errata/RHSA-2021:1313