Is it possible to change Candlepin self-signed certificates on Satellite 6?
Environment
- Red Hat Satellite 6.x
Issue
- I've managed to change the Red Hat Satellite WebUI certificate to an internal/external signed certificate, but I want to change the Candlepin self-signed certificates too. Is that possible?
- We are receiving security alerts to remediate the self-signed certificates being used for Candlepin.
- SSL certificates show as "cannot be trusted" on port 8443.
- The Red Hat Satellite server is using a custom signed certificate, but Candlepin uses a self-signed one. How do I change it to use a custom cert?
Resolution
So far, it is not possible to change the Candlepin certificates:
- Candlepin is the component used to handle all information related to subscriptions. All of these certificates are generated by Candlepin automatically.
- One example of this usage is the package "katello-ca-consumer-latest.noarch.rpm", which is used to instruct clients to connect to the Red Hat Satellite Server instead of the Red Hat Customer Portal. This package contains configuration files and certificates, and sets the Satellite as a Root CA to trust.
- So, the certificates used internally (Satellite -> Clients) are generated and signed by Red Hat Satellite, acting as a Certificate Authority, to grant access to subscriptions.
For more KB articles/solutions related to Red Hat Satellite 6.x Candlepin Issues, please refer to the Consolidated Troubleshooting Article for Red Hat Satellite 6.x Candlepin Issues
For more KB articles/solutions related to Red Hat Satellite 6.x SSL Certificates Issues, please refer to the Consolidated Troubleshooting Article for Red Hat Satellite 6.x SSL Certificates Issues
Root Cause
- The Red Hat Engineering team is already aware of this bug and is currently tracking it in:
  - Bug 1294959 - Red Hat Satellite should provide ability to replace the Self-Signed certificates with Custom SSL certificates for all the services listening on public interface and ports
    - Closed - Not a bug
  - SAT-5516 - Add the ability to use a given CA internally instead of using self-signed certs
Diagnostic Steps
- In candlepin.conf, the candlepin.ca_cert parameter points to /etc/candlepin/certs/candlepin-ca.crt, which is the default certificate generated and self-signed by satellite-installer.

    # cat /etc/candlepin/candlepin.conf |grep -iE "_cert|_key"
    candlepin.ca_key=/etc/candlepin/certs/candlepin-ca.key
    candlepin.ca_cert=/etc/candlepin/certs/candlepin-ca.crt
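When a scanner flags the certificate on port 8443, the diagnostic step above can be extended to confirm that the CA referenced by candlepin.ca_cert really is self-signed (subject equals issuer and the signature verifies against its own key). This is an added example, not part of the Red Hat article; the function names are hypothetical, and it assumes the openssl CLI is installed and that `openssl verify` exits non-zero on failure.

```shell
#!/bin/sh
# Added example: check whether the CA named by candlepin.ca_cert is self-signed.
# Function names are hypothetical; pass the config path as the first argument.

# Print the value of candlepin.ca_cert (last uncommented occurrence wins).
candlepin_ca_cert_path() {
    sed -n 's/^[[:space:]]*candlepin\.ca_cert[[:space:]]*=[[:space:]]*\(.*[^[:space:]]\)[[:space:]]*$/\1/p' "$1" | tail -n 1
}

# Return 0 if self-signed, 1 if issued by a different CA, 2 if unreadable.
is_self_signed() {
    cert=$1
    subject=$(openssl x509 -in "$cert" -noout -subject -nameopt RFC2253 2>/dev/null) || return 2
    issuer=$(openssl x509 -in "$cert" -noout -issuer -nameopt RFC2253 2>/dev/null) || return 2
    # Strip the "subject=" / "issuer=" labels so only the names are compared.
    [ "${subject#subject=}" = "${issuer#issuer=}" ] || return 1
    # Names match; confirm the signature verifies with the cert's own key.
    openssl verify -CAfile "$cert" "$cert" >/dev/null 2>&1
}

# Print a one-line verdict followed by the details a reviewer would record.
report_candlepin_ca() {
    conf=$1
    cert=$(candlepin_ca_cert_path "$conf")
    if [ -z "$cert" ]; then
        echo "candlepin.ca_cert is not set in $conf"
        return 2
    fi
    if is_self_signed "$cert"; then
        echo "$cert: self-signed"
    else
        echo "$cert: not self-signed, or could not be verified"
    fi
    openssl x509 -in "$cert" -noout -subject -issuer -enddate -fingerprint -sha256
}

# Example: sh check-candlepin-ca.sh /etc/candlepin/candlepin.conf
if [ "$#" -ge 1 ]; then
    report_candlepin_ca "$1"
fi
```

A "self-signed" verdict on this file matches the behaviour described in the Resolution and is what a scanner will keep reporting on port 8443.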
This solution is part of Red Hat’s fast-track publication program, providing a huge library of solutions that Red Hat engineers have created while supporting our customers. To give you the knowledge you need the instant it becomes available, these articles may be presented in a raw and unedited form.