Bug #18987
Updated by John Mitsch over 7 years ago
Cloned from https://bugzilla.redhat.com/show_bug.cgi?id=1434948
*Description of problem:*
When regenerating the CA certificates on Katello 6 the ueber certificates should also be regenerated. Otherwise, downstream Proxies will run into issues with synchronizing content.
*How reproducible:*
Always.
*Steps to Reproduce:*
1. Delete contents of /root/ssl-build and /root/ssl-build/<KAT_FQDN>
2. # katello-installer --certs-update-all --certs-regenerate-ca --certs-regenerate
3. Generate and install new certificate bundle for Proxies
4. Observe that Proxy content synchronization fails
nectar.downloaders.threaded:ERROR: Skipping requests to <KAT_FQDN> due to repeated connection failures: [SSL: TLSV1_ALERT_UNKNOWN_CA] tlsv1 alert unknown ca (_ssl.c:579)
*Actual results:*
- ueber certificate is still based off of old CA
- Proxy content synchronization fails
*Expected results:*
- ueber certificate has been refreshed against the new CA
- Proxy content synchronization is successful
*Additional info:*
Can be worked around by manually deleting the old ueber certificates in Candlepin.
Perhaps the installer can run this rake task in upstream that regenerates the ueber certificates:
http://projects.theforeman.org/issues/18403