[Satellite6] Updating SSL certificates after upgrading from 6.1 to 6.2 leaves client machines without a valid CA

Solution Verified - Updated

Environment

  • Red Hat Satellite 6.2 (or newer)
    • upgraded from Satellite 6.1 (or older)

Issue

  • Satellite 6.0 or 6.1 was upgraded to 6.2 or newer
  • after that, the SSL certificates on the Satellite were updated (e.g. switching to a 3rd-party CA)
  • even though the katello-ca-consumer package was upgraded on client machines, they can't connect to the Satellite due to SSL errors

Resolution

As a reactive step, on any affected system, execute the script:

/usr/bin/katello-rhsm-consumer

to re-deploy the certificates properly - see Root Cause for reasoning.

As a preventive step, do not reinstall / localinstall the katello-ca-consumer "latest" package over the old one; first uninstall the old package and then install the new / "latest" one.

For more KB articles/solutions related to Red Hat Satellite 6.x SSL Certificates Issues, please refer to the Consolidated Troubleshooting Article for Red Hat Satellite 6.x SSL Certificates Issues

Root Cause

There was a change in the katello-ca-consumer package content and the way how it installs certificate files:

  • the package generated by Satellite 6.1 or older contains two certificate files, /etc/rhsm/ca/katello-default-ca.pem and /etc/rhsm/ca/katello-server-ca.pem, that RHSM and katello-agent rely on. The %post script of such a package then just updates the system trust store and restarts goferd (plus a few other less important steps)
  • the package generated by Satellite 6.2 or newer contains the bash script /usr/bin/katello-rhsm-consumer, which carries the contents of the certificate files in its body. The %post script of this package first deploys the certificates and then updates the system trust store etc.

When upgrading a package (to deploy current version of katello-ca-consumer package with new certificates), the sequence of steps is the following:

  • Run the %pre section of the RPM being installed. (nothing here)
  • Install the files that the RPM provides. (installs just the /usr/bin/katello-rhsm-consumer)
  • Run the %post section of the RPM. (runs the script that deploys the CA files etc.)
  • Run the %preun of the old package. (nothing here)
  • Delete any old files not overwritten by the newer version. (This step deletes files that the new package does not require: here /etc/rhsm/ca/katello-default-ca.pem and /etc/rhsm/ca/katello-server-ca.pem, since they belong to the old package but not to the new one.)
  • Run the %postun hook of the old package. (nothing here)

So the certificate files freshly deployed by the /usr/bin/katello-rhsm-consumer script are removed in the step that deletes files belonging to the old package but not to the new one.

Re-running /usr/bin/katello-rhsm-consumer then obviously re-deploys the certificate files properly.
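The following added script (not part of this article or of the katello-ca-consumer package) replays the RPM upgrade ordering above on a throwaway directory, so the loss of the freshly deployed CA files and the effect of re-running the consumer script can be observed without touching a real client. The file names are the ones from the article; the package contents and the stand-in consumer script are constructed.

```shell
#!/bin/sh
# Constructed simulation of the katello-ca-consumer upgrade sequence.
set -eu

ROOT="$(mktemp -d)"
CA_DIR="$ROOT/etc/rhsm/ca"
# Files owned by the old-style (6.1) package vs. the new-style (6.2) package.
OLD_PKG_FILES="$CA_DIR/katello-default-ca.pem $CA_DIR/katello-server-ca.pem"
NEW_PKG_FILES="$ROOT/usr/bin/katello-rhsm-consumer"
mkdir -p "$CA_DIR" "$ROOT/usr/bin"

# State before the upgrade: the old package laid down the CA files directly.
for f in $OLD_PKG_FILES; do echo "OLD CA" > "$f"; done

# Stand-in for the new package's script: it writes the CA contents itself.
cat > "$NEW_PKG_FILES" <<EOF
#!/bin/sh
echo "NEW CA" > "$CA_DIR/katello-default-ca.pem"
echo "NEW CA" > "$CA_DIR/katello-server-ca.pem"
EOF
chmod +x "$NEW_PKG_FILES"

# Count the CA files that exist and carry the new certificate content.
count_new_ca() {
    n=0
    for f in $OLD_PKG_FILES; do
        [ -f "$f" ] && grep -q "NEW CA" "$f" && n=$((n + 1))
    done
    echo "$n"
}

# Walk the rpm upgrade sequence: new files installed, %post run, then the
# old package's files that the new package does not own are deleted.
simulate_upgrade() {
    "$NEW_PKG_FILES"                      # %post of the new package deploys CAs
    after_post=$(count_new_ca)           # 2: certificates freshly deployed
    for f in $OLD_PKG_FILES; do          # cleanup of obsolete old-package files
        case " $NEW_PKG_FILES " in *" $f "*) ;; *) rm -f "$f" ;; esac
    done
    after_cleanup=$(count_new_ca)        # 0: the new files are gone again
    echo "$after_post $after_cleanup"
}

# Reactive fix from the Resolution: re-run the consumer script.
reactive_fix() {
    "$NEW_PKG_FILES"
    count_new_ca                          # 2: certificates restored
}
```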


This solution is part of Red Hat’s fast-track publication program, providing a huge library of solutions that Red Hat engineers have created while supporting our customers. To give you the knowledge you need the instant it becomes available, these articles may be presented in a raw and unedited form.