Bug 1857176 - Users have to delete ssl-build/<capsule> directory and regenerate the certificates to add a cname in capsule certificates
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Red Hat Satellite
Classification: Red Hat
Component: Certificates
Version: 6.8.0
Hardware: Unspecified
OS: Unspecified
Priority: unspecified
Severity: high
Target Milestone: 6.9.0
Assignee: Eric Helms
QA Contact: Akhil Jha
Duplicates: 1883594
Reported: 2020-07-15 10:41 UTC by Akhil Jha
Modified: 2024-02-28 20:32 UTC (History)

Fixed In Version: foreman-installer-2.3.0-0
Doc Type: Known Issue
Doc Text:
Users have to delete ssl-build/<capsule> directory and regenerate the certificates to add a cname in capsule certificates
Last Closed: 2021-04-21 13:15:01 UTC


Links
System ID Private Priority Status Summary Last Updated
Foreman Issue Tracker 31234 0 Normal Closed Users have to delete ssl-build/<capsule> directory and regenerate the certificates to add a cname in capsule certificate... 2021-02-15 08:45:16 UTC
Github SatelliteQE robottelo pull 8355 0 None closed added the test coverage for bugzilla_1857176 2021-03-04 05:41:48 UTC
Red Hat Product Errata RHSA-2021:1313 0 None None None 2021-04-21 13:17:10 UTC

Description Akhil Jha 2020-07-15 10:41:27 UTC
Description of problem:
Satellite 6.8 capsule-certs-generate does not include cname in apache certificates when specified via --foreman-proxy-cname

Version-Release number of selected component (if applicable):
Satellite 6.8.0

How reproducible:
Always

Steps to Reproduce:
1. Setup: 1 Satellite and 2 capsules (puppet ca capsule + normal capsule) with a loadbalancer and a client
2. Referring to https://access.redhat.com/documentation/en-us/red_hat_satellite/6.7/html-single/load_balancing_guide/index#configuring-capsule-server-with-default-ssl-certificates-for-load-balancing-with-puppet (4.2)

Actual results:
Client is not able to register through subscription-manager. Resulting in "Unable to reach the server at <loadbalancer.example.com>:8443/rhsm"

Expected results:
Client should be able to register through subscription-manager via loadbalancer 

Additional info:
1. The certs on the capsules are missing the CNAME, which subscription-manager needs to register properly through the LB + capsule.
While viewing the cert with openssl, there is no DNS entry related to the loadbalancer. Unlike in 6.7 where it worked fine. 

2. Please note the puppet command
`#puppet cert generate capsule.example.com --dns_alt_names=loadbalancer.example.com` is no longer functional.
Use `#puppetserver ca` instead
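
The openssl check mentioned in the description can be scripted; the following is an added example, not part of the original report or of Satellite's tooling. The function names, the placeholder certificate path and the sample certificate text are assumptions constructed for illustration.

```bash
#!/usr/bin/env bash
# Added example (not from the bug report): check whether a hostname appears as a
# DNS subjectAltName in the text form of a certificate.
# Real use: openssl x509 -in <capsule-cert.pem> -noout -text | san_has_dns <lb-hostname>
# (<capsule-cert.pem> and <lb-hostname> are placeholders.)

# Print every DNS SAN entry, lowercased, one per line.
san_dns_names() {
    awk '/X509v3 Subject Alternative Name/ { grab = 1; next }
         grab { print; grab = 0 }' |
        tr ',' '\n' |
        sed -n 's/^[[:space:]]*DNS:\([^[:space:]]*\).*$/\1/p' |
        tr '[:upper:]' '[:lower:]'
}

# Exit 0 only if $1 exactly equals one DNS SAN entry (case-insensitive).
# Whole-line matching avoids false hits on substrings; wildcard entries are
# compared literally, not expanded.
san_has_dns() {
    local want
    want=$(printf '%s' "$1" | tr '[:upper:]' '[:lower:]')
    san_dns_names | grep -Fxq -- "$want"
}

# Constructed samples: trimmed `openssl x509 -noout -text` output for a capsule
# certificate without and with the load balancer name.
CERT_WITHOUT_CNAME='        X509v3 extensions:
            X509v3 Subject Alternative Name: 
                DNS:capsule.example.com
            X509v3 Key Usage: critical
                Digital Signature, Key Encipherment'
CERT_WITH_CNAME='        X509v3 extensions:
            X509v3 Subject Alternative Name: 
                DNS:capsule.example.com, DNS:loadbalancer.example.com
            X509v3 Key Usage: critical
                Digital Signature, Key Encipherment'

for sample in "$CERT_WITHOUT_CNAME" "$CERT_WITH_CNAME"; do
    if printf '%s\n' "$sample" | san_has_dns loadbalancer.example.com; then
        echo "loadbalancer.example.com present in SAN"
    else
        echo "loadbalancer.example.com MISSING from SAN"
    fi
done
```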

Comment 10 Brad Buckingham 2020-09-08 19:16:51 UTC
Hi Akhil,

Based upon the discussion and comment 6, can you confirm if this is indeed a regression in behavior from Satellite 6.7?

Thanks!

Comment 11 Akhil Jha 2020-09-09 06:40:25 UTC
I remember checking the same (this bug) with 6.7. It was there as well. Had to delete the directory and regenerate the certs.
So no, it's not a regression from 6.7

Comment 12 Sudhir Mallamprabhakara 2020-09-15 05:15:54 UTC
@Akhil @Brad - I am removing the regression keyword based on Comment 11

Comment 13 Eric Helms 2020-11-02 20:53:57 UTC
Created redmine issue https://projects.theforeman.org/issues/31234 from this bug

Comment 14 Eric Helms 2020-11-05 16:36:29 UTC
*** Bug 1883594 has been marked as a duplicate of this bug. ***

Comment 15 Bryan Kearney 2020-11-06 00:04:35 UTC
Moving this bug to POST for triage into Satellite since the upstream issue https://projects.theforeman.org/issues/31234 has been resolved.

Comment 16 Akhil Jha 2020-11-25 08:05:45 UTC
Verified.

Satellite Version: 6.9.0 Snap 2.0

Observation:
Cname was added without having to delete the ssl-build/<capsule> directory.

Comment 19 errata-xmlrpc 2021-04-21 13:15:01 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory (Moderate: Satellite 6.9 Release), and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHSA-2021:1313

