How to revert from custom certificates to default certificates in RedHat satellite 6?

Solution Verified - Updated

Environment

  • Red Hat Satellite 6

Issue

  • How to revert from custom certificates to default certificates?

Resolution

  • Execute the following commands on the affected Red Hat Satellite server to revert to the self-signed/default certificates.

    # cp -par /root/ssl-build /root/ssl-build_orig_`date +%F`
    # satellite-installer --certs-reset
    

    ( Ensure that the /root/ssl-build directory itself remains present; removing it could lead to unexpected issues )

  • If any capsule servers are connected to the satellite, then

    • Execute the following on the satellite server to generate a new certificate bundle for the capsule server.

      # capsule-certs-generate --foreman-proxy-fqdn capsule.example.com --certs-tar /root/capsule.example.com-certs.tar --certs-update-all
      

      ( Replace capsule.example.com with the FQDN of the concerned capsule server )

    • Note down the satellite-installer command provided by the above command.

    • Copy the /root/capsule.example.com-certs.tar file from the satellite to /root on the concerned capsule server.

    • Execute the entire satellite-installer command ( provided by the capsule-certs-generate command earlier ) on the concerned capsule server.

  • If it is a load-balanced capsule infrastructure, follow exactly the same steps as described in the documentation:

    For Capsule 6.11 or above

    For Capsule 6.10 and below

    • Two additional adjustments will be required while executing the steps from the documentation.

      • Additionally pass --certs-update-server --certs-update-all to every capsule-certs-generate command executed on the satellite server.

      • Additionally pass --certs-update-all --certs-regenerate true --certs-deploy true to every satellite-installer command executed on the capsule server.

  • For every system connected with the concerned satellite or capsule server, execute (for example, via Remote Execution) the following commands:

       # rpm -Uvh http://<satellite-or-capsule-fqdn>/pub/katello-ca-consumer-latest.noarch.rpm
    
       # subscription-manager refresh
    

    ( The same step needs to be executed on every capsule server connected with the satellite as well )

  • For every system connected with a load-balanced capsule infrastructure, execute the following commands:

       # rpm -Uvh http://<loadbalancer-fqdn>/pub/katello-ca-consumer-latest.noarch.rpm
    
       # subscription-manager config --server.hostname <satellite-or-capsule-fqdn> \
          --rhsm.baseurl https://<satellite-or-capsule-fqdn>/pulp/content/
    
       # subscription-manager refresh
    


Reach out to Red Hat Technical Support in case any further assistance or clarification is required.

For more KB articles/solutions related to Red Hat Satellite 6.x SSL Certificates Issues, please refer to the Consolidated Troubleshooting Article for Red Hat Satellite 6.x SSL Certificates Issues

Root Cause

Any of the following scenarios may require a revert to the default/self-signed certificates:

  • The Authority Key Identifier of /etc/foreman-proxy/ssl_cert.pem does not match the Subject Key Identifier of /etc/foreman/proxy_ca.pem.

  • The custom SSL certificates applied to the Red Hat Satellite/Capsule servers have expired.

  • The custom SSL certificate that Red Hat Satellite is configured with is missing a valid entry in its Subject Alternative Names, leading to unexpected SSL errors.

Diagnostic Steps

  • Compare the Authority Key Identifier of /etc/foreman-proxy/ssl_cert.pem with the Subject Key Identifier of /etc/foreman/proxy_ca.pem:

    # openssl x509 -in /etc/foreman-proxy/ssl_cert.pem -text -noout | grep -A 1 'Authority Key Identifier'
                X509v3 Authority Key Identifier:
                    keyid:F7:73:E0:51:46:DD:58:6B:36:19:84:B1:C8:25:85:3C:B9:38:34:02
    

    doesn't match:

    # openssl x509 -in /etc/foreman/proxy_ca.pem -text -noout | grep -A 1 'Subject Key Identifier'
                X509v3 Subject Key Identifier:
                     BB:A7:67:E9:24:94:41:CF:71:EA:0D:7C:0A:89:13:18:F4:47:55:15
    
  • In the case of default/self-signed certificates, the following files under /root/ssl-build should be of the same size.

    # ls -l /root/ssl-build/katello-*.crt
    -rw-r--r--. 1 root root 5488 Nov  6  2018 /root/ssl-build/katello-default-ca.crt
    -rw-r--r--. 1 root root 5488 Nov  6  2018 /root/ssl-build/katello-server-ca.crt
    
  • The satellite-installer command fails with one of the following errors.

        /Stage[main]/Certs::Ca/Privkey[/etc/pki/katello/private/katello-default-ca.key]: Could not evaluate: Execution of '/bin/openssl rsa -in /root/ssl-build/katello-default-ca.key -out /root/ssl-build/katello-default-ca.key.tmp -passin file:/etc/pki/katello/private/katello-default-ca.pwd' returned 1: unable to load Private Key
    
       or
    
       openssl pkcs12 -export -name amqp-client -in /etc/pki/katello/certs/java-client.crt -inkey /etc/pki/katello/private/java-client.key -out /tmp/keystore.p12 -passout file:/etc/pki/katello/keystore_password-file && keytool -importkeystore -destkeystore /etc/candlepin/certs/amqp/candlepin.jks -srckeystore /tmp/keystore.p12 -srcstoretype pkcs12 -alias amqp-client -storepass 9Hhx2JQOUEE6MVjr7nsXXY5p76z3g6zj -srcstorepass 9Hhx2JQOUEE6MVjr7nsXXY5p76z3g6zj -
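
The diagnostic steps above can be scripted so that an administrator gets one OK/FAIL line per root cause before deciding to revert. The following script is an added example and is not part of this article or of the Satellite product: it assumes openssl(1) and awk(1) are available, uses the file paths named in this article (/etc/foreman-proxy/ssl_cert.pem, /etc/foreman/proxy_ca.pem and /root/ssl-build), and takes the host's FQDN from hostname -f. The file name check-satellite-certs.sh, the 30-day expiry margin and the function names are choices made for this example.

```shell
#!/bin/bash
# check-satellite-certs.sh: added example, not part of the KB article.
# Runs the article's diagnostic checks against the Satellite paths the
# article names and reports which "revert to default certs" root cause,
# if any, applies. Needs openssl(1) and awk(1).
set -u

PROXY_CERT=/etc/foreman-proxy/ssl_cert.pem   # path from the article
PROXY_CA=/etc/foreman/proxy_ca.pem           # path from the article
SSL_BUILD=/root/ssl-build                    # path from the article

# Print the hex key identifier that follows a named X509v3 extension in
# `openssl x509 -text` output read from stdin. Handles both the
# "keyid:AA:BB:..." form (Authority Key Identifier) and the bare
# "AA:BB:..." form (Subject Key Identifier); prints nothing if absent.
extract_key_id() {   # $1 = extension name without the "X509v3 " prefix
    awk -v ext="X509v3 $1" '
        found && /^[[:space:]]*(keyid:)?[0-9A-F][0-9A-F](:[0-9A-F][0-9A-F])+[[:space:]]*$/ {
            sub(/^[[:space:]]*(keyid:)?/, ""); sub(/[[:space:]]*$/, ""); print; exit
        }
        index($0, ext) { found = 1 }'
}

# True if the Subject Alternative Name list in the -text output on stdin
# carries an exact DNS entry for the given name (no substring matches).
san_has_dns() {      # $1 = FQDN
    local name
    name=$(printf '%s' "$1" | sed 's/\./\\./g')   # escape dots for grep -E
    grep -A1 'Subject Alternative Name' | grep -Eq "(^|[[:space:],])DNS:$name(,|[[:space:]]*$)"
}

# Root cause 1: the AKI of the proxy cert must equal the SKI of the CA the
# article pairs it with (the comparison shown in the Diagnostic Steps).
aki_matches_ski() {  # $1 = leaf cert path, $2 = CA cert path
    local aki ski
    aki=$(openssl x509 -in "$1" -noout -text | extract_key_id "Authority Key Identifier")
    ski=$(openssl x509 -in "$2" -noout -text | extract_key_id "Subject Key Identifier")
    [ -n "$aki" ] && [ "$aki" = "$ski" ]
}

# Root cause 2: not expired, and not about to expire (default margin 30 days).
cert_valid_for() {   # $1 = cert path, $2 = seconds (optional)
    openssl x509 -in "$1" -noout -checkend "${2:-2592000}" >/dev/null
}

# Root cause 3: the server's own FQDN must appear in the SAN list.
cert_san_has() {     # $1 = cert path, $2 = FQDN
    openssl x509 -in "$1" -noout -text | san_has_dns "$2"
}

# Diagnostic from the article: with default certs, katello-default-ca.crt and
# katello-server-ca.crt under ssl-build are the same size.
same_size() {        # $1, $2 = file paths
    [ -f "$1" ] && [ -f "$2" ] &&
        [ "$(wc -c < "$1" | tr -d ' ')" -eq "$(wc -c < "$2" | tr -d ' ')" ]
}

report() {           # $1 = description, remaining args = check to run
    local desc=$1; shift
    if "$@"; then echo "OK    $desc"; else echo "FAIL  $desc"; return 1; fi
}

main() {
    local fqdn rc=0
    fqdn=$(hostname -f)
    report "AKI of $PROXY_CERT matches SKI of $PROXY_CA" \
        aki_matches_ski "$PROXY_CERT" "$PROXY_CA" || rc=1
    report "$PROXY_CERT valid for at least 30 more days" \
        cert_valid_for "$PROXY_CERT" || rc=1
    report "$PROXY_CERT SAN contains $fqdn" \
        cert_san_has "$PROXY_CERT" "$fqdn" || rc=1
    # Informational only: a FAIL here means custom certificates are in use,
    # which is expected before the revert and not by itself a problem.
    report "default and server CA under $SSL_BUILD are the same size" \
        same_size "$SSL_BUILD/katello-default-ca.crt" "$SSL_BUILD/katello-server-ca.crt" ||
        echo "      (custom certificates appear to be in use)"
    return "$rc"
}

# Run the checks only when invoked as a script under this name, so the
# functions can also be sourced and used one at a time.
if [ "${0##*/}" = "check-satellite-certs.sh" ]; then
    main "$@"
fi
```

Run it as root on the Satellite (or Capsule) server with bash check-satellite-certs.sh; a non-zero exit means at least one of the three root causes listed above applies. The key-identifier comparison is done on the parsed identifiers rather than on raw grep output so that the check is not fooled by differing indentation or by OpenSSL versions that omit the keyid: prefix.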
    

This solution is part of Red Hat’s fast-track publication program, providing a huge library of solutions that Red Hat engineers have created while supporting our customers. To give you the knowledge you need the instant it becomes available, these articles may be presented in a raw and unedited form.