Project

General

Profile

Bug #31234

Users have to delete ssl-build/<capsule> directory and regenerate the certificates to add a cname in capsule certificates

Added by Eric Helms 11 months ago. Updated 10 months ago.

Status:
Closed
Priority:
Normal
Assignee:
Category:
foreman-installer script
Target version:
Difficulty:
Triaged:
Yes
Bugzilla link:
Fixed in Releases:
Found in Releases:

Description

Cloned from https://bugzilla.redhat.com/show_bug.cgi?id=1857176

Description of problem:
Satellite 6.8 capsule-certs-generate does not include cname in apache certificates when specified via --foreman-proxy-cname'

Version-Release number of selected component (if applicable):
Satellite 6.8.0

How reproducible:
Always

Steps to Reproduce:
1. Setup: 1 Sattelite and 2 capsules(puppet ca capsule + normal capsule) with a loadbalancer and a client
2. Referring to https://access.redhat.com/documentation/en-us/red_hat_satellite/6.7/html-single/load_balancing_guide/index#configuring-capsule-server-with-default-ssl-certificates-for-load-balancing-with-puppet (4.2)

Actual results:
Client is not able to register through subscription-manager. Resulting in "Unable to reach the server at <loadbalancer.example.com>:8443/rhsm"

Expected results:
Client should be able to register through subscription-manager via loadbalancer

Additional info:
1. The certs on the capsules are missing the CNAME, which subscription-manager needs to register properly through the LB + capsule.
While viewing the cert with openssl, there is no DNS entry related to the loadbalancer. Unlike in 6.7 where it worked fine.

2. Please note the puppet command
#puppet cert generate capsule.example.com --dns_alt_names=loadbalancer.example.com is no longer functional.
Use `#puppetserver ca` instead

Associated revisions

Revision 8b9d3928 (diff)
Added by Eric Helms 11 months ago

Fixes #31234: Create new certificate bundle everytime

The first time a certificate bundle is created for a foreman proxy
any updates a user wishes to make are not reflected in the bundle
unless the user deletes it on disk or explicitly passes --certs-regenerate.
Given the foreman-proxy-certs-generate command is intended for
users to generate bundles for a foreman-proxy, this bundle should
be generated, with updates, anytime a user runs the command. This
enables that change by setting regenerate to true as the default.

History

#1 Updated by The Foreman Bot 11 months ago

  • Status changed from New to Ready For Testing
  • Pull request https://github.com/theforeman/foreman-installer/pull/608 added

#2 Updated by The Foreman Bot 11 months ago

  • Fixed in Releases 2.4.0 added

#3 Updated by Eric Helms 11 months ago

  • Status changed from Ready For Testing to Closed

#4 Updated by Tomer Brisker 10 months ago

  • Fixed in Releases 2.3.0 added
  • Fixed in Releases deleted (2.4.0)

#5 Updated by Ewoud Kohl van Wijngaarden 10 months ago

  • Triaged changed from No to Yes
  • Target version set to 2.3.0
  • Category set to foreman-installer script

Also available in: Atom PDF