Bug #37695

open

default CA file used on smart proxy server for foreman_ssl_ca.pem instead of server CA

Added by David Schlenk 5 months ago. Updated 3 months ago.

Status:
Ready For Testing
Priority:
Normal
Assignee:
-
Category:
-
Target version:
-
Difficulty:
Triaged:
No
Fixed in Releases:
Found in Releases:

Description

Using custom TLS certificates signed by the same CA chain on a main foreman/katello host with an in-built smart proxy results in `/etc/foreman-proxy/foreman_ssl_ca.pem` having the contents of the "server CA", or the trust chain of the custom SSL certificate. The tarball generated from the `foreman-proxy-certs-generate` command does include both files in `ssl-build/`, but the `katello-default-ca.crt` file is being used for both `/etc/foreman-proxy/foreman_ssl_ca.pem` and `/etc/foreman-proxy/ssl_ca.pem` on the standalone smart proxy when I deploy the certificates with the command generated by the `foreman-proxy-certs-generate` command on the main foreman/katello server:

```
foreman-installer --scenario foreman-proxy-content --certs-tar-file "/root/<smart proxy fqdn>-certs.tar" \
--foreman-proxy-register-in-foreman "true" \
--foreman-proxy-foreman-base-url "<main foreman/katello fqdn>" \
--foreman-proxy-trusted-hosts "<main foreman/katello fqdn>" \
--foreman-proxy-trusted-hosts "<smart proxy fqdn>" \
--foreman-proxy-oauth-consumer-key "XXX" \
--foreman-proxy-oauth-consumer-secret "XXX"
```

I would guess it's an issue with which file gets copied from the tarball into `/etc/foreman-proxy/foreman_ssl_ca.pem` since the installer options for `--foreman-proxy-foreman-ssl-ca` and `--foreman-proxy-ssl-ca` are the same on the main server and the smart proxy.
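One way to confirm the state described in this report on a given smart proxy, as an added example that is not part of the original report or of Foreman's code: it fingerprints every certificate in the two deployed CA files and says which tarball CA bundle each one matches. The function names are hypothetical, the four file paths are supplied by the operator, and the PEM blocks used when no paths are given are constructed placeholders, not real certificates.

```python
import base64
import hashlib
import re
import sys
from pathlib import Path

PEM_CERT = re.compile(r"-----BEGIN CERTIFICATE-----(.+?)-----END CERTIFICATE-----", re.S)

def cert_fingerprints(pem_text):
    """SHA-256 fingerprints of every certificate in a PEM bundle, as a set."""
    return {
        hashlib.sha256(base64.b64decode("".join(body.split()))).hexdigest()
        for body in PEM_CERT.findall(pem_text)  # split/join drops line wrapping
    }

def classify(deployed, default_ca, server_ca):
    """Name the tarball bundle whose certificate set equals the deployed file's."""
    fp = cert_fingerprints(deployed)
    if not fp:
        return "no certificates"
    if fp == cert_fingerprints(default_ca):
        return "default CA"
    if fp == cert_fingerprints(server_ca):
        return "server CA"
    return "unknown"

def audit(foreman_ssl_ca, ssl_ca, default_ca, server_ca):
    """Compare both deployed CA files against the two CA bundles from the tarball."""
    return {
        "foreman_ssl_ca.pem": classify(foreman_ssl_ca, default_ca, server_ca),
        "ssl_ca.pem": classify(ssl_ca, default_ca, server_ca),
        "identical": cert_fingerprints(foreman_ssl_ca) == cert_fingerprints(ssl_ca),
    }

def constructed_pem(label):
    """Constructed placeholder with PEM framing only; not a parseable X.509 certificate."""
    b64 = base64.b64encode(label.encode() * 8).decode()
    return f"-----BEGIN CERTIFICATE-----\n{b64}\n-----END CERTIFICATE-----\n"

if __name__ == "__main__":
    if len(sys.argv) == 5:  # foreman_ssl_ca.pem ssl_ca.pem default-CA-file server-CA-file
        texts = [Path(p).read_text() for p in sys.argv[1:5]]
    else:  # constructed input reproducing the state the report describes
        default, server = constructed_pem("default"), constructed_pem("server")
        texts = [default, default, default, server]
    for name, value in audit(*texts).items():
        print(f"{name}: {value}")
```

Comparing certificate sets rather than raw file bytes keeps the result stable when a bundle is re-wrapped or its certificates are reordered.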
