Bug #11785

Issues with custom certificates

Added by Eric Helms about 4 years ago. Updated about 1 year ago.

Status: New
Priority: Normal
Category: -
Triaged: Yes

Description

Support issue for collecting problems/issues related to custom certificate usage

History

#1 Updated by Greg Swift about 4 years ago

In our environment we have to jump through a few hoops because we use signed SAN certs from thawte.

We lay down the SSL certs onto the local file system in a "staging" path, and then pass those paths to the installer command along with our answer file.

---
- name: Run Katello Installer (This step takes ~30 minutes and has no output)
  command: >
     chdir=/etc/katello-installer
     katello-installer
     --certs-server-cert katello.cert
     --certs-server-cert-req katello.req
     --certs-server-key katello.key
     --certs-server-ca-cert katello.ca.cert
     --certs-update-all
  register: command_result
  failed_when: "'Success!' not in command_result.stdout" 

- name: Set Installed Fact
  shell: touch /etc/katello_bootstrapped

The output puts us in a situation that "sorta" works. It seems that different parts of the system are using a different ca file:

[ root@katello-n01.staging conf.d ]# grep SSLCertificateChainFile * 
03-crane.conf:  SSLCertificateChainFile "/etc/pki/katello/certs/katello-server-ca.crt" 
05-foreman-ssl.conf:  SSLCertificateChainFile "/etc/pki/katello/certs/katello-default-ca.crt" 
[ root@katello-n01.staging conf.d ]# grep SSLCACertificateFile * 
03-crane.conf:  SSLCACertificateFile    "/etc/pki/katello/certs/katello-server-ca.crt" 
05-foreman-ssl.conf:  SSLCACertificateFile    "/etc/pki/katello/certs/katello-default-ca.crt" 
pulp.conf:SSLCACertificateFile /etc/pki/katello/certs/katello-default-ca.crt

katello-server-ca.crt seems to be the correct one. katello-default-ca.crt is self-signed (generated by the installer?)
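A small consistency check for the situation Greg describes, added here as an example and not part of this ticket or of the Katello installer: it collects every SSLCACertificateFile/SSLCertificateChainFile directive in a conf.d directory, reports the directives whose config files point at different CA paths, and fingerprints the referenced files so that two paths holding the same certificate are not flagged. The sample config contents are constructed from the grep output above, and /etc/httpd/conf.d as the Apache config location is an assumption.

```python
"""Report Katello Apache/Pulp configs that disagree on which CA file they use."""
import hashlib
import re
from pathlib import Path

# Directives that name a CA or chain file in the Katello-managed Apache configs.
DIRECTIVE_RE = re.compile(
    r'^\s*(SSLCACertificateFile|SSLCertificateChainFile)\s+"?([^"\s]+)"?', re.M)

# Constructed sample input: the three files from the grep output in the comment.
SAMPLE_CONFS = {
    "03-crane.conf":
        'SSLCertificateChainFile "/etc/pki/katello/certs/katello-server-ca.crt"\n'
        'SSLCACertificateFile    "/etc/pki/katello/certs/katello-server-ca.crt"\n',
    "05-foreman-ssl.conf":
        'SSLCertificateChainFile "/etc/pki/katello/certs/katello-default-ca.crt"\n'
        'SSLCACertificateFile    "/etc/pki/katello/certs/katello-default-ca.crt"\n',
    "pulp.conf": "SSLCACertificateFile /etc/pki/katello/certs/katello-default-ca.crt\n",
}

def ca_references(confs):
    """Map (conf file, directive) -> CA path for every matching directive."""
    refs = {}
    for name, text in confs.items():
        for directive, path in DIRECTIVE_RE.findall(text):
            refs[(name, directive)] = path
    return refs

def inconsistent_directives(refs):
    """Return {directive: sorted distinct paths} where the config files disagree."""
    by_directive = {}
    for (_, directive), path in refs.items():
        by_directive.setdefault(directive, set()).add(path)
    return {d: sorted(p) for d, p in by_directive.items() if len(p) > 1}

def fingerprints(paths):
    """SHA-256 of each referenced CA file, so two paths holding the same bytes are
    not treated as different CAs; a path that does not exist maps to None."""
    out = {}
    for p in paths:
        f = Path(p)
        out[p] = hashlib.sha256(f.read_bytes()).hexdigest() if f.is_file() else None
    return out

def scan_conf_dir(conf_dir="/etc/httpd/conf.d"):  # assumed location on the Katello host
    confs = {p.name: p.read_text() for p in Path(conf_dir).glob("*.conf")}
    return inconsistent_directives(ca_references(confs))
```

Run `scan_conf_dir()` on the host and pass each reported path list to `fingerprints()`; an empty result means every config references the same CA path.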

#2 Updated by Eric Helms over 3 years ago

  • Tracker changed from Support to Bug
  • Legacy Backlogs Release (now unused) set to 114
