The installation process for custom CA-signed certificates on Red Hat Satellite and Capsule fails due to an error related to invalid parameters.
Environment
- Red Hat Satellite 6
- Red Hat Capsule 6
Issue
- The installation process for custom CA-signed certificates on Red Hat Satellite and Capsule fails due to an error related to invalid parameters. Specifically, the values for the certs-server-cert, certs-server-ca-cert, and certs-server-key parameters do not match the required regular expression patterns. These patterns are designed to validate the format of the provided values.
- An error is encountered during the process of regenerating SSL certificates.

    # satellite-installer --scenario satellite --certs-server-cert "satellite_cert.pem" --certs-server-key "satellite_cert_key.pem" --certs-server-ca-cert "ca_cert_bundle.pem" --certs-update-server --certs-update-server-ca
    2023-05-22 12:57:22 [ERROR ] [root] Parameter certs-server-cert invalid: satellite_cert.pem is not one of regexes matching /\A(([a-zA-Z]:[\\\/])|([\\\/][\\\/][^\\\/]+[\\\/][^\\\/]+)|([\\\/][\\\/]\?[\\\/][^\\\/]+)).*\z/ or regexes matching /\A\/([^\n\/\0]+\/*)*\z/
    2023-05-22 12:57:22 [ERROR ] [root] Parameter certs-server-key invalid: "satellite_cert_key.pem" is not one of regexes matching /\A(([a-zA-Z]:[\\\/])|([\\\/][\\\/][^\\\/]+[\\\/][^\\\/]+)|([\\\/][\\\/]\?[\\\/][^\\\/]+)).*\z/ or regexes matching /\A\/([^\n\/\0]+\/*)*\z/
    2023-05-22 12:57:22 [ERROR ] [root] Parameter certs-server-ca-cert invalid: ca_cert_bundle.pem is not one of regexes matching /\A(([a-zA-Z]:[\\\/])|([\\\/][\\\/][^\\\/]+[\\\/][^\\\/]+)|([\\\/][\\\/]\?[\\\/][^\\\/]+)).*\z/ or regexes matching /\A\/([^\n\/\0]+\/*)*\z/
    2023-05-22 12:57:22 [DEBUG ] [root] Exit with status code: 21 (signal was invalid_values)

- The attempt to create a certificate archive using custom certificates fails for the Red Hat Capsule server.

    # capsule-certs-generate --foreman-proxy-fqdn "capsule.example.com" --certs-tar "/root/capsule.example.com-certs.tar" --server-cert "capsule_cert.pem" --server-key "capsule_cert_key.pem" --server-ca-cert "ca_cert_bundle.pem" --certs-update-server
    2023-06-06 01:59:09 [ERROR ] [root] Parameter server-cert invalid: capsule_cert.pem is not one of regexes matching /\A(([a-zA-Z]:[\\\/])|([\\\/][\\\/][^\\\/]+[\\\/][^\\\/]+)|([\\\/][\\\/]\?[\\\/][^\\\/]+)).*\z/ or regexes matching /\A\/([^\n\/\0]+\/*)*\z/
    2023-06-06 01:59:09 [ERROR ] [root] Parameter server-key invalid: capsule_cert_key.pem is not one of regexes matching /\A(([a-zA-Z]:[\\\/])|([\\\/][\\\/][^\\\/]+[\\\/][^\\\/]+)|([\\\/][\\\/]\?[\\\/][^\\\/]+)).*\z/ or regexes matching /\A\/([^\n\/\0]+\/*)*\z/
    2023-06-06 01:59:09 [ERROR ] [root] Parameter server-ca-cert invalid: ca_cert_bundle.pem is not one of regexes matching /\A(([a-zA-Z]:[\\\/])|([\\\/][\\\/][^\\\/]+[\\\/][^\\\/]+)|([\\\/][\\\/]\?[\\\/][^\\\/]+)).*\z/ or regexes matching /\A\/([^\n\/\0]+\/*)*\z/
    2023-06-06 01:59:09 [DEBUG ] [root] Exit with status code: 21 (signal was invalid_values)
Resolution
- To update custom CA-signed certificates through satellite-installer, provide the absolute paths of the certificate files as arguments.
- Refer to the installation documentation for more information: 4.12. Configuring Satellite Server with a Custom SSL Certificate
For more KB articles/solutions related to Red Hat Satellite 6.x SSL Certificates Issues, please refer to the Consolidated Troubleshooting Article for Red Hat Satellite 6.x SSL Certificates Issues
Root Cause
- The satellite-installer or capsule-certs-generate command requires the complete path of the SSL certificates to be provided.
Diagnostic Steps
- To validate the CA-signed SSL certificate for Red Hat Satellite and Capsule, use the katello-certs-check command, ensuring that you specify the appropriate location of the certificate files.

    # katello-certs-check -t [satellite|capsule] -c [Satellite/Capsule SSL certificate] -k [Satellite/Capsule SSL certificate key] -b [Certificate Authority bundle]

    - Path to Satellite/Capsule Server certificate file that is signed by a Certificate Authority.
    - Path to the private key that was used to sign the Satellite/Capsule Server certificate.
    - Path to the Certificate Authority bundle.
- Please take into account the following considerations when configuring Satellite/Capsule Server with custom certificates:
    - You must use the Privacy-Enhanced Mail (PEM) encoding for the SSL certificates.
    - You cannot use the same certificate for both Satellite Server and Capsule Server.
    - The same Certificate Authority must sign certificates for Satellite Server and Capsule Server.
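
A pre-flight check covering the Resolution (absolute paths) and the PEM requirement above, as an added example that is not part of the original article or of Red Hat tooling. The function names (abs_path, is_pem, check_cert_arg, installer_args) and the script file name are assumptions for illustration; the option names are the ones shown in the error output.

```shell
#!/bin/sh
# Added example, not Red Hat tooling: pre-flight check for certificate file
# arguments before running satellite-installer or capsule-certs-generate.

# Print the absolute path of file $1; fail if its directory does not exist.
abs_path() {
    dir=$(CDPATH= cd -- "$(dirname -- "$1")" 2>/dev/null && pwd -P) || return 1
    printf '%s/%s\n' "${dir%/}" "$(basename -- "$1")"
}

# Return 0 if file $1 contains a PEM "-----BEGIN ...-----" header line.
is_pem() {
    grep -q -e '^-----BEGIN [A-Z0-9 ]*-----' "$1"
}

# Resolve one argument, check that it is a readable regular file in PEM
# encoding, and print its absolute path.
# Return codes: 1 = missing or unreadable, 2 = not PEM encoded.
check_cert_arg() {
    path=$(abs_path "$1") || { echo "cannot resolve: $1" >&2; return 1; }
    if [ ! -f "$path" ] || [ ! -r "$path" ]; then
        echo "not a readable file: $path" >&2; return 1
    fi
    is_pem "$path" || { echo "not PEM encoded: $path" >&2; return 2; }
    printf '%s\n' "$path"
}

# Print the three certificate options (names as in the error output above)
# with absolute paths; stop at the first file that fails a check.
installer_args() {
    cert=$(check_cert_arg "$1") || return $?
    key=$(check_cert_arg "$2") || return $?
    ca=$(check_cert_arg "$3") || return $?
    printf '%s "%s" %s "%s" %s "%s"\n' --certs-server-cert "$cert" \
        --certs-server-key "$key" --certs-server-ca-cert "$ca"
}

# Usage (hypothetical file name):
#   sh preflight.sh satellite_cert.pem satellite_cert_key.pem ca_cert_bundle.pem
if [ "$#" -eq 3 ]; then
    installer_args "$@"
fi
```

The printed options can be pasted into the satellite-installer command line; a non-zero exit status means at least one file would be rejected or is not in PEM encoding.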