katello-certs-check utility failing to verify the Server certificate details: line 189: [: ==: unary operator expected
Environment
- Red Hat Satellite 6
Issue
- What is the process to create a CSR file for Red Hat Satellite 6?
- katello-certs-check verification of the SSL certificates fails with the error below:

  Checking if any Subject Alt Name on certificate matches the Subject CN
  /sbin/katello-certs-check: line 189: [: ==: unary operator expected
  [FAIL]

- How do I generate a new CSR with proper details?
Resolution
- Use the OpenSSL command to examine and confirm the CA-signed SSL server certificate details:

  # openssl crl2pkcs7 -nocrl -certfile satellite_cert.pem | openssl pkcs7 -text -print_certs | egrep '(Issuer:|Subject:|CA:|DNS:|Digital|Not Before|Not After|keyid|serial:|TLS)'
          Issuer: DC=CC, DC=DD, CN=PKI Class Intermediate-CA2
              Not Before: May 1 21:40:57 2023 IST
              Not After : Feb 10 21:01:07 2025 IST
          Subject: C=ABC, ST=Venus, L=Earth, O=IT, OU=Data Center
                  Digital Signature, Key Encipherment
                  DNS:satellite.example.com

  In the output above the Subject carries no CN attribute: the certificate has a DNS Subject Alternative Name for satellite.example.com, but there is no Common Name for katello-certs-check to compare it against.

- The Subject must contain a CN field with the full server FQDN, for example:

          Subject: C=XYZ, ST=Moon, L=Earth, O=IT, OU=Data Center, CN=satellite.example.com

- In SSL (Secure Sockets Layer) and its successor TLS (Transport Layer Security), the Common Name (CN) is an attribute in the Subject field of an X.509 digital certificate. The Subject field identifies the entity the certificate was issued to, such as a website, a server, or an individual.
- Historically the CN carried the host name the certificate was issued for: when a client opened an SSL/TLS connection, the server presented its certificate and the client checked that the CN matched the host name in the URL, warning the user when the two did not match. Current clients follow RFC 6125 and match the host name against the Subject Alternative Name (SAN) extension instead; mainstream browsers (Chrome since version 58, for example) ignore the CN entirely, so the certificate also needs a DNS SAN entry for the FQDN.
- katello-certs-check nevertheless requires the CN: it tests whether any Subject Alternative Name on the certificate equals the Subject CN. When the CN is absent, that shell comparison runs with an empty left-hand operand, which is exactly what "[: ==: unary operator expected" reports. A certificate without a CN therefore fails the check and cannot be used for Satellite, even when its SAN is correct.
- Therefore, ensure that the SSL/TLS certificate includes a CN that matches the FQDN of the server, together with a subjectAltName DNS entry for the same FQDN.
- For a more detailed guide on creating a CSR for Red Hat Satellite, refer to the article Step-by-Step Guide: Configuring Custom SSL Certificates for Red Hat Satellite and Capsule.
- For more KB articles/solutions related to Red Hat Satellite 6.x SSL Certificates Issues, please refer to the Consolidated Troubleshooting Article for Red Hat Satellite 6.x SSL Certificates Issues.
Root Cause
- The server certificate signed by the CA has no CN attribute in its Subject. The Subject Alternative Name check in katello-certs-check compares each SAN against the CN, so with an empty CN the comparison aborts with "[: ==: unary operator expected" and the check reports [FAIL].
- For SSL configuration and installation-related queries on Red Hat Satellite 6, please refer to the Red Hat Satellite documentation and the Capsule documentation.
Diagnostic Steps
- Use the katello-certs-check command to verify whether there are any problems with the CA-signed SSL certificate:

  # katello-certs-check -c /root/satellite_cert/satellite_cert.pem -k /root/satellite_cert/satellite_cert_key.pem -b /root/satellite_cert/ca_cert_bundle.pem

  -c  Path to the Satellite Server certificate file that is signed by a Certificate Authority.
  -k  Path to the private key that belongs to the Satellite Server certificate (the key used to generate its CSR; the certificate itself is signed by the CA's key, not by this one).
  -b  Path to the Certificate Authority bundle.
- Please take into account the following considerations when configuring Satellite/Capsule Server with custom certificates:
- You must use the Privacy-Enhanced Mail (PEM) encoding for the SSL certificates.
- You cannot use the same certificate for both Satellite Server and Capsule Server.
- The same Certificate Authority must sign certificates for Satellite Server and Capsule Server.
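As an added example (not code from the Red Hat article or from the katello-certs-check script itself), the following bash script ties the Resolution and Diagnostic Steps together: it writes an OpenSSL request config that puts the server FQDN in both the CN and a DNS SAN, generates the CSR you would send to the CA, builds two throw-away self-signed certificates (one with that CN, one constructed to reproduce the missing-CN certificate from the Resolution), and re-implements the "does any SAN match the CN" test in the fragile unquoted form that produces the "unary operator expected" message and in a quoted form that reports a clean [FAIL]. The FQDN satellite.example.com, the file names, and the exact test on line 189 of the real script are assumptions; in production the CSR goes to your CA rather than being self-signed.

```shell
#!/usr/bin/env bash
# Added example, not code from the Red Hat article or from katello-certs-check.
# Builds throw-away certificates and re-creates the "does any SAN match the CN"
# comparison to show why a missing CN yields "[: ==: unary operator expected".
# The FQDN, file names and the exact test on line 189 of the real script are
# assumptions; in production the CSR goes to your CA instead of being self-signed.

DEMO_DIR=$(mktemp -d)
FQDN="satellite.example.com"   # assumed Satellite Server FQDN

# write_req_cnf FILE [CN]: OpenSSL request config. The SAN always names the
# FQDN; the CN line is emitted only when a CN is given, so the same function
# produces both the broken (CN-less) subject and the correct one.
write_req_cnf() {
  local file=$1 cn=${2:-}
  {
    printf '[ req ]\ndistinguished_name = dn\nreq_extensions = v3_req\nprompt = no\n\n'
    printf '[ dn ]\nC = XY\nST = Moon\nL = Earth\nO = IT\nOU = Data Center\n'
    if [ -n "$cn" ]; then printf 'CN = %s\n' "$cn"; fi
    printf '\n[ v3_req ]\nsubjectAltName = DNS:%s\n' "$FQDN"
  } > "$file"
}

# make_cert NAME CONFIG: key + CSR (what you would send to the CA), then a
# self-signed certificate that copies the CSR's SAN section (stand-in for the CA).
make_cert() {
  local name=$1 cnf=$2
  openssl req -new -newkey rsa:2048 -nodes -sha256 -config "$cnf" \
    -keyout "$DEMO_DIR/${name}_key.pem" -out "$DEMO_DIR/${name}.csr" 2>/dev/null
  openssl x509 -req -days 365 -sha256 -in "$DEMO_DIR/${name}.csr" \
    -signkey "$DEMO_DIR/${name}_key.pem" -extfile "$cnf" -extensions v3_req \
    -out "$DEMO_DIR/${name}_cert.pem" 2>/dev/null
}

# cert_cn CERT: print the Subject commonName, or nothing if the cert has none.
cert_cn() {
  openssl x509 -noout -subject -nameopt multiline -in "$1" |
    sed -n 's/^ *commonName *= *//p'
}

# cert_dns_sans CERT: print each DNS entry of subjectAltName on its own line.
cert_dns_sans() {
  openssl x509 -noout -text -in "$1" |
    grep -A1 'X509v3 Subject Alternative Name' | tail -n 1 |
    tr ',' '\n' | sed -n 's/^ *DNS://p'
}

# Fragile form of the check: unquoted operands. With an empty CN the shell
# sees "[ == satellite.example.com ]", has nothing left of ==, and prints
# "[: ==: unary operator expected" (exit status 2) instead of a clean result.
san_matches_cn_fragile() {
  local cert=$1 cn san
  cn=$(cert_cn "$cert")
  for san in $(cert_dns_sans "$cert"); do
    if [ $cn == $san ]; then return 0; fi   # deliberately unquoted
  done
  return 1
}

# Robust form: reject a missing CN explicitly and quote both operands.
san_matches_cn() {
  local cert=$1 cn san
  cn=$(cert_cn "$cert")
  if [ -z "$cn" ]; then
    echo "no Subject CN; the CN must be the server FQDN" >&2
    return 1
  fi
  for san in $(cert_dns_sans "$cert"); do
    if [ "$cn" = "$san" ]; then return 0; fi
  done
  echo "no DNS SAN matches CN=$cn" >&2
  return 1
}

# Constructed certificates: "good" has CN=FQDN plus a matching SAN,
# "nocn" reproduces the article's failing certificate (SAN only, no CN).
write_req_cnf "$DEMO_DIR/good.cnf" "$FQDN"
write_req_cnf "$DEMO_DIR/nocn.cnf"
make_cert good "$DEMO_DIR/good.cnf"
make_cert nocn "$DEMO_DIR/nocn.cnf"
GOOD_CERT="$DEMO_DIR/good_cert.pem"
NOCN_CERT="$DEMO_DIR/nocn_cert.pem"

for cert in "$GOOD_CERT" "$NOCN_CERT"; do
  openssl x509 -noout -subject -in "$cert"
  echo "Checking if any Subject Alt Name on certificate matches the Subject CN"
  if san_matches_cn "$cert"; then echo "[OK]"; else echo "[FAIL]"; fi
done
```

Run it with bash on a host that has openssl; the second certificate shows the Subject without a CN, and swapping san_matches_cn for san_matches_cn_fragile in the loop reproduces the "unary operator expected" message from the article. The config in write_req_cnf is the shape to hand to openssl req -new when creating the real CSR: the CN satisfies katello-certs-check, and the subjectAltName satisfies clients that no longer look at the CN.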
This solution is part of Red Hat’s fast-track publication program, providing a huge library of solutions that Red Hat engineers have created while supporting our customers. To give you the knowledge you need the instant it becomes available, these articles may be presented in a raw and unedited form.