The java-client cert and key in /etc/pki/katello are correctly updated, and are a valid pair =>

[root@dhcp-2-190 certs]# openssl x509 -noout -modulus -in java-client.crt | openssl md5
(stdin)= d74483a4ae79b6b2a6ea09afe1b21095
[root@dhcp-2-190 certs]# openssl rsa -noout -modulus -in ../private/java-client.key | openssl md5
(stdin)= d74483a4ae79b6b2a6ea09afe1b21095

However, candlepin's truststore doesn't know about the new java-client.crt (called 'artemis-client' in the store) =>

[root@dhcp-2-190 certs]# keytool -list -keystore truststore
Enter keystore password:
Keystore type: PKCS12
Keystore provider: SUN

Your keystore contains 2 entries

artemis-client, Dec 10, 2020, trustedCertEntry,
Certificate fingerprint (SHA1): 17:91:F0:47:4C:18:8B:19:57:49:D3:4C:1E:05:38:D9:59:66:82:3B

Compare that fingerprint to /etc/pki/katello/certs/java-client.crt =>

[root@dhcp-2-190 certs]# openssl x509 -noout -fingerprint -sha1 -inform pem -in java-client.crt
SHA1 Fingerprint=2C:E3:3C:D1:B3:A5:01:EF:B7:5E:00:5D:6B:87:DF:6B:CA:28:A3:56

They should match, but don't.
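An added check, not code from the bug report or from the Foreman/Katello project, that automates the comparison above: it parses the `keytool -list` text for the artemis-client entry and compares that fingerprint with the SHA1 fingerprint computed from the PEM file (SHA1 over the DER bytes, exactly what `openssl x509 -fingerprint -sha1` prints). The keytool listing is taken from the report; the PEM body is a constructed stand-in, not a real certificate.

```python
"""Check a Java truststore entry against a PEM certificate file, automating the
comparison from the bug report: keytool's SHA1 fingerprint for 'artemis-client'
must equal openssl's SHA1 fingerprint of java-client.crt."""
import base64
import hashlib
import re


def pem_to_der(pem: str) -> bytes:
    """Strip the PEM armour and base64-decode the body back to DER bytes."""
    match = re.search(r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", pem, re.S)
    if match is None:
        raise ValueError("no CERTIFICATE block found")
    return base64.b64decode("".join(match.group(1).split()))


def sha1_fingerprint(pem: str) -> str:
    """SHA1 over the DER encoding, formatted as openssl and keytool print it (AA:BB:...)."""
    return ":".join(f"{b:02X}" for b in hashlib.sha1(pem_to_der(pem)).digest())


def parse_keytool_list(output: str) -> dict:
    """Map alias -> SHA1 fingerprint from the text `keytool -list -keystore ...` prints."""
    entries, alias = {}, None
    for line in output.splitlines():
        line = line.strip()
        if "trustedCertEntry" in line or "PrivateKeyEntry" in line:
            alias = line.split(",", 1)[0].strip()          # "artemis-client, Dec 10, 2020, ..."
        elif alias and line.startswith("Certificate fingerprint (SHA1):"):
            entries[alias] = line.split(":", 1)[1].strip()  # everything after the first colon
            alias = None
    return entries


def truststore_matches(keytool_output: str, alias: str, pem: str) -> bool:
    """True when truststore entry `alias` holds the same certificate as the PEM file."""
    return parse_keytool_list(keytool_output).get(alias) == sha1_fingerprint(pem)


# Keytool listing copied from the report (the stale 'artemis-client' entry).
KEYTOOL_OUTPUT = """Your keystore contains 2 entries

artemis-client, Dec 10, 2020, trustedCertEntry,
Certificate fingerprint (SHA1): 17:91:F0:47:4C:18:8B:19:57:49:D3:4C:1E:05:38:D9:59:66:82:3B
"""

# Constructed stand-in for java-client.crt: NOT a real certificate, only a PEM wrapper
# around arbitrary bytes so the fingerprint computation has something to hash.
SAMPLE_PEM = ("-----BEGIN CERTIFICATE-----\n%s\n-----END CERTIFICATE-----\n"
              % base64.b64encode(b"constructed DER stand-in for java-client.crt").decode())
```

On a real host, feed it the output of `keytool -list -keystore /etc/candlepin/certs/truststore` and the contents of /etc/pki/katello/certs/java-client.crt; a False result is exactly the stale-truststore condition this report describes.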
Created from redmine issue https://projects.theforeman.org/issues/31574
Upstream bug assigned to ehelms
Hello, we hit this in the Pulp3 migration; the workaround:

rm -rf /etc/candlepin/certs/truststore && foreman-installer
Moving this bug to POST for triage into Satellite since the upstream issue https://projects.theforeman.org/issues/31574 has been resolved.
Verified on 6.9.2 Snap2.

Verification points:

1- Generate the new certificate using the satellite-installer:

satellite-installer --certs-update-all
2021-05-07 00:57:04 [NOTICE] [root] Loading default values from puppet modules...
2021-05-07 00:57:10 [NOTICE] [root] ... finished
2021-05-07 00:57:13 [NOTICE] [root] Running validation checks
Package versions are locked. Continuing with unlock.
2021-05-07 00:57:24 [NOTICE] [configure] Starting system configuration.
The total number of configuration tasks may increase during the run. Observe logs or specify --verbose-log-level to see individual configuration tasks.
2021-05-07 00:57:39 [NOTICE] [configure] 100 out of 2363 done.
2021-05-07 01:00:09 [NOTICE] [configure] System configuration has finished.
Success!

2- Checked the certificate at the /root/ssl-build/${hostname} location.

# ls -l /root/ssl-build/xyz.com|wc -l
58

3- Removed the certificate from /root/ssl-build/${hostname}, ran the installer again, and found the certificate updated successfully at the /root/ssl-build/${hostname} location.

# rm -rf /root/ssl-build/xyz.com
# satellite-installer --certs-update-all
2021-05-07 01:02:08 [NOTICE] [root] Loading default values from puppet modules...
2021-05-07 01:02:14 [NOTICE] [root] ... finished
2021-05-07 01:02:17 [NOTICE] [root] Running validation checks
Package versions are locked. Continuing with unlock.
2021-05-07 01:02:27 [NOTICE] [configure] Starting system configuration.
The total number of configuration tasks may increase during the run. Observe logs or specify --verbose-log-level to see individual configuration tasks.
2021-05-07 01:02:43 [NOTICE] [configure] 100 out of 2363 done.
....
2021-05-07 01:05:09 [NOTICE] [configure] 3200 out of 3223 done.
2021-05-07 01:05:13 [NOTICE] [configure] System configuration has finished.
Success!
# ls -l /root/ssl-build/xyz.com|wc -l
58

4- Verified the fixed package:

# rpm -qa|grep foreman-installer-2.3.1.13-1
foreman-installer-2.3.1.13-1.el7sat.noarch
I think the only part you are missing is either verification of the truststore or if you want to verify Satellite behavior, hitting the ping API and verifying all services are happy.
(In reply to Eric Helms from comment #11)
> I think the only part you are missing is either verification of the
> truststore or if you want to verify Satellite behavior, hitting the ping API
> and verifying all services are happy.

Checked candlepin services after the certificate updates and it works fine.

# hammer ping
database:
    Status:          ok
    Server Response: Duration: 0ms
candlepin:
    Status:          ok
    Server Response: Duration: 345ms
candlepin_events:
    Status:          ok
    message:         3 Processed, 0 Failed
    Server Response: Duration: 0ms
candlepin_auth:
    Status:          ok
    Server Response: Duration: 41ms
katello_events:
    Status:          ok
    message:         0 Processed, 0 Failed
    Server Response: Duration: 0ms
pulp:
    Status:          ok
    Server Response: Duration: 279ms
pulp_auth:
    Status:          ok
    Server Response: Duration: 147ms
foreman_tasks:
    Status:          ok
    Server Response: Duration: 5ms
Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory (Satellite 6.9.2 Async Bug Fix Update), and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report. https://access.redhat.com/errata/RHBA-2021:2074