Bug #15931

katello installer doesn't fully support cname alternate cname for satellite server

Added by Stephen Benjamin almost 3 years ago. Updated 12 months ago.

Status: Resolved
Priority: Normal
Category: Installer
Target version:
Difficulty: medium
Triaged: Yes
Bugzilla link:
Team Backlog:
Fixed in Releases:
Found in Releases:

Description

Cloned from https://bugzilla.redhat.com/show_bug.cgi?id=1160344
Description of problem:

hostname: xyz123-us.acme.com
cname: satellite.acme.com

katello-installer --foreman-db-password foreman --foreman-db-username foreman --katello-proxy-url http://applicationwebproxy.acme.com --katello-proxy-port 8080 --certs-ca-common-name "satellite.acme.com" --certs-node-fqdn "satellite.acme.com" --capsule-parent-fqdn "satellite.acme.com" --foreman-foreman-url="https://satellite.acme.com" --foreman-admin-password changeme

It does not update /etc/pulp/server.conf [messaging] and [tasks] sections with CNAME and I get

Nov 4 00:41:59 totlx90101 pulp: celery.worker.consumer:ERROR: consumer: Cannot connect to qpid://:5671//: Connection hostname 'xyz123-us.acme.com' does not match names from peer certificate: ['satellite.acme.com', u'satellite.acme.com'].
Nov 4 00:41:59 xyz123-us pulp: celery.worker.consumer:ERROR: Trying again in 12.00 seconds...
Nov 4 00:41:59 xyz123-us pulp: celery.worker.consumer:ERROR:

I have manually modified /etc/pulp/server.conf and everything seems to be working now.

Version-Release number of selected component (if applicable):

Current Satellite 6

How reproducible:

See above

Actual results:

Expected results:

pulp should correctly set /etc/pulp/server.conf

Additional info:

Customer can use a cname as a way to have a hotbackup of the Satellite server for DR purposes. This removes requirements to change certs.

The alternative approach requires cert changes.

Updating the hostname of a Red Hat Satellite 6 Server and updating associated SSL certificates.
https://access.redhat.com/solutions/1232133

and this one
https://access.redhat.com/documentation/en-US/Red_Hat_Satellite/6.0/html/User_Guide/sect-Disaster_Recovery.html

Reference to other BZs for cname support

[RFE] CNAME and SRV record support in foreman
https://bugzilla.redhat.com/show_bug.cgi?id=1045613

Associated revisions

Revision db682119 (diff)
Added by Evgeni Golov over 2 years ago

refs #15931 - allow passing the cname parameter when generating certs (#120)

  • refs #15931 - allow passing the cname parameter to all cert classes

this enables Kafo to set the subjectAltName of the certificates via
--certs-node-cname. The option can be given multiple times to add
multiple cnames.

this enables Kafo to set the subjectAltName of the certificates via
--foreman-proxy-cname. The option can be given multiple times to add
multiple cnames.
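
An added example, not part of the tracker entry or of the puppet-certs change: a Python check that parses the hostname-verification error quoted in the description and tests whether a certificate's names (CN plus subjectAltName entries) cover every name clients connect with. The function names and the simplified wildcard rule are assumptions of this example.

```python
import ast
import re

# Matches the hostname-verification failure logged in the description above.
MISMATCH = re.compile(
    r"Connection hostname '(?P<host>[^']+)' does not match names "
    r"from peer certificate: (?P<names>\[.*?\])"
)

def name_matches(host, pattern):
    """Case-insensitive DNS match; '*' may only replace the whole left-most label."""
    h = host.lower().rstrip(".").split(".")
    p = pattern.lower().rstrip(".").split(".")
    if len(h) != len(p):
        return False
    if p[0] == "*":
        return len(p) > 2 and h[1:] == p[1:]
    return h == p

def parse_mismatch(line):
    """Return (connection_host, cert_names) for a mismatch line, else None."""
    m = MISMATCH.search(line)
    if not m:
        return None
    # The list is a Python 2 repr; u'' prefixes are still valid literals here.
    names = ast.literal_eval(m.group("names"))
    return m.group("host"), sorted(set(names))

def missing_sans(lines):
    """Map each rejected connection hostname to the names the certificate had."""
    report = {}
    for parsed in filter(None, map(parse_mismatch, lines)):
        host, names = parsed
        if not any(name_matches(host, n) for n in names):
            report[host] = names
    return report

def covers(cert_names, required):
    """True if every required hostname is matched by some certificate name."""
    return all(any(name_matches(r, n) for n in cert_names) for r in required)

# Log lines copied from the description above.
SAMPLE = [
    "Nov 4 00:41:59 totlx90101 pulp: celery.worker.consumer:ERROR: consumer: "
    "Cannot connect to qpid://:5671//: Connection hostname 'xyz123-us.acme.com' "
    "does not match names from peer certificate: "
    "['satellite.acme.com', u'satellite.acme.com'].",
    "Nov 4 00:41:59 xyz123-us pulp: celery.worker.consumer:ERROR: Trying again in 12.00 seconds...",
]

if __name__ == "__main__":
    for host, names in missing_sans(SAMPLE).items():
        print(f"{host} is not covered by certificate names {names}")
```
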

History

#1 Updated by Justin Sherrill almost 3 years ago

  • Legacy Backlogs Release (now unused) set to 114

#2 Updated by Eric Helms over 2 years ago

  • Legacy Backlogs Release (now unused) deleted (114)
  • Pull request https://github.com/Katello/puppet-certs/pull/120 added

#3 Updated by Justin Sherrill over 2 years ago

  • Legacy Backlogs Release (now unused) set to 114

#4 Updated by Chris Roberts 12 months ago

  • Difficulty set to medium
  • Assignee set to Stephen Benjamin
  • Status changed from New to Resolved
  • Fixed in Releases Katello 3.5.3 added
