Users have to delete ssl-build/<capsule> directory and regenerate the certificates to add a cname in capsule certificates
Description of problem:
Satellite 6.8 capsule-certs-generate does not include cname in apache certificates when specified via --foreman-proxy-cname
Version-Release number of selected component (if applicable):
Steps to Reproduce:
1. Setup: 1 Satellite and 2 capsules (puppet ca capsule + normal capsule) with a loadbalancer and a client
2. Referring to https://access.redhat.com/documentation/en-us/red_hat_satellite/6.7/html-single/load_balancing_guide/index#configuring-capsule-server-with-default-ssl-certificates-for-load-balancing-with-puppet (4.2)
Client is not able to register through subscription-manager. Resulting in "Unable to reach the server at <loadbalancer.example.com>:8443/rhsm"
Client should be able to register through subscription-manager via loadbalancer
1. The certs on the capsules are missing the CNAME, which subscription-manager needs to register properly through the LB + capsule.
While viewing the cert with openssl, there is no DNS entry related to the loadbalancer. Unlike in 6.7 where it worked fine.
2. Please note the puppet command
`#puppet cert generate capsule.example.com --dns_alt_names=loadbalancer.example.com` is no longer functional.
Use `#puppetserver ca` instead
Fixes #31234: Create new certificate bundle every time
The first time a certificate bundle is created for a foreman proxy
any updates a user wishes to make are not reflected in the bundle
unless the user deletes it on disk or explicitly passes --certs-regenerate.
Given the foreman-proxy-certs-generate command is intended for
users to generate bundles for a foreman-proxy, this bundle should
be generated, with updates, anytime a user runs the command. This
enables that change by setting regenerate to true as the default.
#3 Updated by Eric Helms 5 months ago
- Status changed from Ready For Testing to Closed
Applied in changeset installer|8b9d39288266f59298abd25ece13e87b34a2265d.
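
The check the report describes (viewing the certificate with openssl and looking for a DNS entry for the load balancer) can be scripted to confirm a regenerated bundle before clients are pointed at it. This is an added example, not part of the original report or of the installer; the function names are hypothetical and the `openssl x509 -noout -text` excerpts are constructed samples.

```shell
#!/bin/sh
# Added example: verify that a certificate lists a given DNS name in its
# subjectAltName extension. Function names and sample text are assumptions.

# Read `openssl x509 -noout -text` output on stdin; print one DNS SAN per line.
dns_sans_from_text() {
    awk '
        /X509v3 Subject Alternative Name/ { grab = 1; next }
        grab {
            # The line after the extension header holds the comma-separated names.
            n = split($0, parts, ",")
            for (i = 1; i <= n; i++) {
                entry = parts[i]
                gsub(/^[ \t]+|[ \t]+$/, "", entry)
                if (entry ~ /^DNS:/) print substr(entry, 5)
            }
            grab = 0
        }'
}

# Exit 0 if $1 is an exact (case-insensitive) DNS SAN in the text on stdin.
# Wildcard SAN entries are not expanded; only literal names match.
text_has_dns_san() {
    dns_sans_from_text | grep -Fqxi -- "$1"
}

# Exit 0 if the PEM certificate file $1 carries $2 as a DNS SAN.
cert_has_dns_san() {
    openssl x509 -in "$1" -noout -text | text_has_dns_san "$2"
}

# Constructed excerpts: a certificate missing the load balancer name, and one with it.
SAMPLE_WITHOUT_CNAME='            X509v3 Subject Alternative Name:
                DNS:capsule.example.com'
SAMPLE_WITH_CNAME='            X509v3 Subject Alternative Name:
                DNS:capsule.example.com, DNS:loadbalancer.example.com'

for sample in "$SAMPLE_WITHOUT_CNAME" "$SAMPLE_WITH_CNAME"; do
    if printf '%s\n' "$sample" | text_has_dns_san loadbalancer.example.com; then
        echo "load balancer name present in SAN"
    else
        echo "load balancer name MISSING from SAN"
    fi
done
```

Against a real bundle, call `cert_has_dns_san <path-to-capsule-cert> loadbalancer.example.com` and treat a non-zero exit status as a failed regeneration.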