Project

General

Profile

Feature #16911

katello-installer certificate options should not require --certs-server-cert-req

Added by Stephen Benjamin over 2 years ago. Updated 11 months ago.

Status:
Closed
Priority:
Normal
Category:
Installer
Target version:
Team Backlog:
Fixed in Releases:
Found in Releases:

Description

Cloned from https://bugzilla.redhat.com/show_bug.cgi?id=1233431
I'm running through an install of Satellite 6.0.4 with IdM on RHEL 7.1 to set up external auth. All of that is working fine, but I also want to use a certificate from IdM for the web UI by passing it in at install time. According to the documentation, I need to use the following options:

--certs-server-cert ~/path/to/server.crt\
--certs-server-cert-req ~/path/to/server.crt.req\
--certs-server-key ~/path/to/server.crt.key\
--certs-server-ca-cert ~/path/to/cacert.crt

The certificate request should not be needed, as a certificate has already been issued. If we already have an issued certificate, we should just need the key and server certificate along with the CA certificate for trust purposes. If I use 'ipa-getcert' to request and retrieve a certificate from IdM, I only get back the key and cert:

ipa-getcert request -w -k ./satellite.key -f ./satellite.crt

There is no provision to output the raw CSR from any of the certmonger related commands. I can dig it out of certmonger's request tracking file in /var/lib/certmonger/requests, but that's not very friendly.

I have been able to pass a zero-byte file as the --certs-server-cert-req option as a workaround, and https is set up properly using the passed in cert/key. I think the request option should be deprecated, or at least made optional if there is really some purpose to giving the request to Satellite.


Related issues

Copied to Katello - Feature #23766: katello-installer certificate options should not require --certs-server-cert-reqClosed2016-10-13

Associated revisions

Revision 5089bb3d (diff)
Added by Ewoud Kohl van Wijngaarden about 1 year ago

Fixes #16911 - Make $server_cert_req optional

History

#1 Updated by Justin Sherrill over 2 years ago

  • Subject changed from katello-installer certificate options should not require --certs-server-cert-req to katello-installer certificate options should not require --certs-server-cert-req
  • Legacy Backlogs Release (now unused) set to 114

#2 Updated by Brad Buckingham over 2 years ago

  • Status changed from New to Assigned
  • Pull request https://github.com/Katello/puppet-certs/pull/126 added

#3 Updated by The Foreman Bot almost 2 years ago

  • Status changed from Assigned to Ready For Testing
  • Assignee set to Ewoud Kohl van Wijngaarden
  • Pull request https://github.com/Katello/puppet-certs/pull/172 added

#4 Updated by Anonymous about 1 year ago

  • % Done changed from 0 to 100
  • Status changed from Ready For Testing to Closed

#5 Updated by Chris Roberts about 1 year ago

  • Copied to Feature #23766: katello-installer certificate options should not require --certs-server-cert-req added

Also available in: Atom PDF