How to install Capsule for Red Hat Satellite 6 with certificate signed by different Certification Authority (CA)

Solution Verified - Updated

Environment

  • Red Hat Satellite 6
  • Satellite and Capsule certificates signed by different Certificate Authorities

Issue

  • Capsule server installation fails when the Capsule server uses certificates signed by a different CA root trust than the Red Hat Satellite server.

  • Capsule installation fails with:

    /Stage[main]/Foreman_proxy::Register/Foreman_smartproxy[capsule.domain2.local]/ensure: change from absent to present failed: Could not set 'present' on ensure: 422 Unprocessable Entity at 12:/usr/share/katello-installer/modules/foreman_proxy/manifests/register.pp
    
  • The Foreman log on Satellite reports SSL verification errors:

    [E] Unprocessable entity SmartProxy (id: new):
      Unable to communicate with the proxy: ERF12-2530 [ProxyAPI::ProxyException]: Unable to detect features ([OpenSSL::SSL::SSLError]: SSL_connect returned=1 errno=0 state=SSLv3 read server certificate B: certificate verif...) for proxy https://capsule.domain2.local:9090/features
    

    This occurs because Satellite does not trust the CA that signed the Capsule certificates.

Resolution

  • Create a merged CA bundle that includes:

    • The CA certificate used by Satellite

    • The CA certificate used by the Capsule

    Then update both Satellite and Capsule to use this merged CA bundle.

  • Identify the current Satellite CA bundle

    # grep server_ca_cert /etc/foreman-installer/scenarios.d/satellite-answers.yaml
    

    Note the CA file currently in use.

  • Create a merged CA bundle. Combine the Satellite CA and Capsule CA certificates into a single file:

    # cat satellite_ca.pem capsule_ca.pem > merged_ca_bundle.pem
    

    Copy this merged CA bundle to a known location on the Satellite server.

  • Verify on the Satellite server that both the Satellite and the Capsule certificates chain to the merged bundle:

       # openssl verify -CAfile merged_ca_bundle.pem /etc/pki/katello/certs/katello-apache.crt
    
       # openssl verify -CAfile merged_ca_bundle.pem /path/to/capsule_cert.pem
    

    Both commands should print OK. An error such as "unable to get local issuer certificate" means the CA that signed that certificate is missing from the bundle.

  • Update Satellite to trust the merged CA bundle:

    # satellite-installer --scenario satellite --certs-server-cert /root/sat_certs/server.pem --certs-server-cert-req /root/sat_certs/server_csr.pem --certs-server-key /root/sat_certs/server_key.pem --certs-server-ca-cert /path/to/merged_ca_bundle.pem --certs-update-server --certs-update-server-ca
    
  • Validate Satellite connectivity:

       # hammer ping
    
       # curl -v --cacert /etc/foreman/proxy_ca.pem https://satellite.example.com:9090/features
    

    A successful response (HTTP 200) confirms the CA update is effective.

  • Generate the Capsule certificates with the merged CA bundle by running the following command on the Satellite server:

    # capsule-certs-generate --foreman-proxy-fqdn  "capsule.domain2.local" --certs-tar "capsule.domain2.local-certs.tar" --server-cert /root/sat_cert/capsule.pem --server-key /root/sat_certs/capsule_key.pem --server-ca-cert /path/to/merged_ca_bundle.pem --certs-update-all
    

    Retain a copy of the satellite-installer command that the capsule-certs-generate command returns for deploying the certificate to your Capsule Server.

  • Copy the generated certificate archive file from Satellite server to Capsule Server. On Capsule Server, to deploy the certificate, enter the satellite-installer command that the capsule-certs-generate command returns.

Root Cause

  • Satellite requires explicit trust configuration for any CA used to sign Capsule certificates.

  • If the Capsule CA is not added to Satellite’s trusted CA bundle, Foreman cannot establish a secure SSL connection to the Capsule smart-proxy.

Diagnostic Steps

  • Capsule installation fails with error:

     /Stage[main]/Foreman_proxy::Register/Foreman_smartproxy[capsule.domain2.local]/ensure: change from absent to present failed: Could not set 'present' on ensure: 422 Unprocessable Entity at 12:/usr/share/katello-installer/modules/foreman_proxy/manifests/register.pp
    
  • Foreman log on Satellite server side reports:

    Unable to communicate with the proxy: ERF12-2530 [ProxyAPI::ProxyException]: Unable to detect features ([OpenSSL::SSL::SSLError]: SSL_connect returned=1 errno=0 state=SSLv3 read server certificate B: certificate verif...) for proxy https://capsule.domain2.local:9090/features
    
  • An RFE (Jira-32021) has been filed with Red Hat Engineering to make the katello-certs-check command used for Capsule certificate generation validate that the CA bundle provided with the -b option matches the CA bundle from the Satellite.


This solution is part of Red Hat’s fast-track publication program, providing a huge library of solutions that Red Hat engineers have created while supporting our customers. To give you the knowledge you need the instant it becomes available, these articles may be presented in a raw and unedited form.