Plugins » Katello

Cloned from https://bugzilla.redhat.com/show_bug.cgi?id=1434948

Description of problem:

When regenerating the CA certificates on Katello the ueber certificates should also be regenerated. Otherwise, downstream Proxies will run into issues with synchronizing content.

How reproducible:

Always.

Steps to Reproduce:

1. Delete contents of /root/ssl-build and /root/ssl-build/<KAT_FQDN>
2. # katello-installer --certs-update-all --certs-regenerate-ca --certs-regenerate
3. Generate and install new certificate bundle for Proxies
4. Observe that Proxy content synchronization fails

nectar.downloaders.threaded:ERROR: Skipping requests to <KAT_FQDN> due to repeated connection failures: [SSL: TLSV1_ALERT_UNKNOWN_CA] tlsv1 alert unknown ca (_ssl.c:579)

Actual results:

- ueber certificate is still based off of old CA
- Proxy content synchronization fails

Expected results:

- ueber certificate has been refreshed against the new CA
- Proxy content synchronization is successful

Additional info:

Can be worked around by manually deleting the old ueber certificates in Candlepin.

Perhaps the installer can run this rake task in upstream that regenerates the ueber certificates:

http://projects.theforeman.org/issues/18403