[Custom Certs] - Failed to install the custom certs on Katello 4.3, works on 4.1
Description of problem:
[Custom Certs] - Failed to install the custom certs on the Satellite 7.0.0 works fine in 6.10
Version-Release number of selected component (if applicable):
fails on Satellite 7.0.0
Passes on Satellite 6.10
Steps to Reproduce:
1. Generate the CA certs bundle and install it as follows
[root@dhcp-3-215 ~]# satellite-installer --scenario satellite \
--certs-server-cert "/root/satellite.redhat.com/satellite.redhat.com.crt" \
--certs-server-key "/root/satellite.redhat.com/satellite.redhat.com.key" \
--certs-server-ca-cert "/root/cacert.crt" \
Satellite Installer is not installing the custom certs in Satellite.
Satellite Installer should install the custom certs on the Satellite.
#1 Updated by Evgeni Golov 10 months ago
- Subject changed from [Custom Certs] - Failed to install the custom certs on Katello 4.3, works on 4.1 to [Custom Certs] - Failed to install the custom certs on Katello 4.3, works on 4.1
- Found in Releases 3.1.0 added
The problem is that puppet-certs dropped the "trusted_ca" use in the following commit:
commit 953261ffd2eb52b7176ab365fb0c4e9245435d99 Author: Eric D. Helms <email@example.com> Date: Thu Jul 2 15:16:29 2020 -0400 Refs #30316: Drop bootstrap RPM code
And moved it to puppet-foreman_proxy_content:
commit 7bf101dc5507c90936b9e6169b91848ef106fe0f Author: Eric D. Helms <firstname.lastname@example.org> Date: Thu Jul 2 14:09:33 2020 -0400 Fixes #30316: Move bootstrap RPM generation from puppet-certs
but due to ordering, the fpc code is not executed before
Foreman::Register/Foreman_host is called, so at that point the CA is still untrusted and everything fails.
Re-running the installer works, as now the CA is trusted.
#2 Updated by Ewoud Kohl van Wijngaarden 10 months ago
- Target version set to 3.1.1
- Category set to Foreman modules
I think the problem is that it's using the wrong file:
That should be using the chain, not the CA.
SSLCertificateChainFile is what signed the public key, SSLCACertificateFile is the one that allows client certs.
#5 Updated by Ewoud Kohl van Wijngaarden 10 months ago
- Status changed from Ready For Testing to Closed
Applied in changeset puppet-foreman|4648167da572951f81db118c57ea8cf30fffcd3f.