Satellite 6 Custom SSL certificate not used by crane and foreman
Environment
- Red Hat Satellite 6.
- Custom SSL certificate with certificate chain
Issue
- In Red Hat Satellite 6, custom SSL certificates are not used by crane and foreman.
Resolution
This is expected behaviour. The Satellite server uses two sets of certificates for communication.
- The first set is used by the Satellite server for the WebUI and foreman components.
- The second set is used for communication between the Satellite/Capsule server and its clients. It can only be regenerated using katello-installer; it cannot be replaced by custom certificates the same way the WebUI certificates can.
For more KB articles/solutions related to Red Hat Satellite 6.x SSL Certificates Issues, please refer to the Consolidated Troubleshooting Article for Red Hat Satellite 6.x SSL Certificates Issues
Diagnostic Steps
- In the /etc/httpd/conf.d/03-crane.conf and /etc/httpd/conf.d/05-foreman-ssl.conf files, the SSLCertificateChainFile and SSLCACertificateFile parameters point to /etc/pki/katello/certs/katello-default-ca.crt, which is a default certificate generated and self-signed by katello-installer.
- In file /etc/httpd/conf.d/03-crane.conf:

      SSLCertificateChainFile "/etc/pki/katello/certs/katello-default-ca.crt"
      SSLCACertificatePath "/etc/pki/tls/certs"
      SSLCACertificateFile "/etc/pki/katello/certs/katello-default-ca.crt"

- In file /etc/httpd/conf.d/05-foreman-ssl.conf:

      SSLCertificateChainFile "/etc/pki/katello/certs/katello-default-ca.crt"
      SSLCACertificatePath "/etc/pki/tls/certs"
      SSLCACertificateFile "/etc/pki/katello/certs/katello-default-ca.crt"

- Additional discussion & tracking in
- Bug 1294959 - Red Hat Satellite should provide ability to replace the Self-Signed certificates with Custom SSL certificates for all the services listening on public interface and ports
- Closed - Not a bug
- Bug 1898091 - Add the ability to use a given CA internally instead of using self-signed certs
- Bug 1294959 - Red Hat Satellite should provide ability to replace the Self-Signed certificates with Custom SSL certificates for all the services listening on public interface and ports
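
The check from the diagnostic steps, written as a script. This is an added example, not Red Hat tooling. The function names and the constructed sample file are assumptions; the directive names and the default CA path are the ones shown above.

```shell
#!/usr/bin/env bash
# Added example: list certificate-related directives in Apache vhost files and
# mark the ones that still reference the installer-generated default CA.
DEFAULT_CA="/etc/pki/katello/certs/katello-default-ca.crt"   # path from this article

# audit_ssl_directives FILE...
# Prints "file<TAB>directive<TAB>path<TAB>verdict" for each matching directive.
audit_ssl_directives() {
    awk -v ca="$DEFAULT_CA" '
        $1 ~ /^#/ { next }                        # skip commented-out lines
        {
            d = tolower($1)                       # Apache directive names are case-insensitive
            if (d != "sslcertificatefile" && d != "sslcertificatechainfile" &&
                d != "sslcacertificatefile" && d != "sslcacertificatepath") next
            p = $2
            gsub(/"/, "", p)                      # strip the surrounding quotes
            verdict = (p == ca) ? "default-ca" : "other"
            printf "%s\t%s\t%s\t%s\n", FILENAME, $1, p, verdict
        }' "$@"
}

# count_default_ca FILE... : number of directives that reference the default CA.
count_default_ca() {
    audit_ssl_directives "$@" | awk -F'\t' '$4 == "default-ca"' | wc -l | tr -d ' '
}

# is_self_signed CERT : exit 0 when subject and issuer hashes match (needs openssl).
# Returns 2 when the certificate cannot be read, so a failure is never taken as a match.
is_self_signed() {
    local s i
    s=$(openssl x509 -in "$1" -noout -subject_hash) || return 2
    i=$(openssl x509 -in "$1" -noout -issuer_hash)  || return 2
    [ "$s" = "$i" ]
}

# Constructed sample reproducing the 03-crane.conf lines shown above,
# plus one commented-out line that must be ignored.
sample=$(mktemp)
cat > "$sample" <<'EOF'
  SSLCertificateChainFile "/etc/pki/katello/certs/katello-default-ca.crt"
  SSLCACertificatePath    "/etc/pki/tls/certs"
  SSLCACertificateFile    "/etc/pki/katello/certs/katello-default-ca.crt"
  # SSLCACertificateFile  "/etc/pki/katello/certs/katello-default-ca.crt"
EOF
audit_ssl_directives "$sample"
```

On a Satellite server, pass the two files named in the diagnostic steps to `audit_ssl_directives`, and run `is_self_signed "$DEFAULT_CA"` to confirm the referenced CA is self-signed.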