SSL Certs
Hello,
I am installing a RedHat Satellite Server 6.2 on a RHEL 7.3 server.
The install went smoothly. However now I am trying to install SSL certificates. This is where I am having problems and cannot find any real documentation.
What I did was as follows:
I looked at the content of the file 05-foreman-ssl.conf located at /etc/httpd/conf.d.
this had the following entries which I think are the ones I need to edit.
## SSL directives
SSLEngine on
SSLCertificateFile "/etc/pki/katello/certs/katello-apache.crt"
SSLCertificateKeyFile "/etc/pki/katello/private/katello-apache.key"
SSLCertificateChainFile "/etc/pki/katello/certs/katello-default-ca.crt"
SSLCACertificateFile "/etc/pki/katello/certs/katello-default-ca.crt"
So in essence what I did was I copied in my SSL cert files for my company,
ie the .key, .ca-bundle & .crt files and renamed the files as above.
So I restart httpd and it is successful, and I even rebooted. However, when I launch the URL I still receive the message that the site is unsecure and get the yellow exclamation point through the lock.
Could anyone offer any assistance as to where I am going wrong? I don't have any experience with Satellite Server, tbh. This I believe is causing me problems now with trying to import via my manifest, as I receive different error messages about that. However, I believe it's due to my server trying to talk to Red Hat on an unsecure connection, as I am trying to get away from Red Hat Classic.
Any help would be greatly appreciated.
Thank you,
Patrick
Responses
Patrick,
It's best not to manually edit, or replace, files like these which are a core part of Satellite 6. The Satellite 6 installer uses the Puppet configuration tool. By its nature, Puppet reinstates files to a specific, known configuration if they are altered. The aim is to ensure that once a specified configuration is in place, it remains that way. When you re-run the Satellite 6 installer, perhaps to do an incremental upgrade, these files will likely be restored to their former state.
Instead of the manual method you used, I recommend you follow the instructions contained at the following URLs.
Please reply if you have any further questions.
Configuring Satellite Server with a Custom Server Certificate
Patrick,
Thank you. I realise that we need to explain further the term "Certificate Authority". I'll make a note of that and expand upon the term in the documentation.
A certificate authority is a company from which you purchase SSL certificates - for example, Symantec, Digicert, and Comodo. When you make this purchase, you send them the Certificate Request File, usually as an attachment. In the documentation the example file name for the CSR is satellite_cert_csr.pem. When you make the request, do NOT share with the company the private key (satellite_cert_key.pem in the documentation).
When you purchase a certificate, you specify the lifespan, generally measured in years. The certificate's validity period is contained in the certificate itself. When it expires, it must be replaced with another certificate. Keep in mind that when you obtain a custom SSL certificate for the Satellite Server, it must then be distributed to all hosts under its management. The steps for doing so are described in "3.4.6.4. Install the New Certificate on all Hosts Connected to the Satellite Server". I believe the current maximum lifespan for an SSL certificate is 3 years, though a change in regulation comes into effect in 2018 which places a much shorter maximum lifespan.
You should receive from the Certificate Authority two files - the certificate itself, and a public with which the certificate was signed. The naming of these files is decided by the Certificate Authority. The Satellite documentation uses example filenames.
Has this further explanation been helpful? Please ask any further questions here. Alternatively, if you need a quicker answer, please raise a Support Case with Red Hat Technical Support.
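The key-and-CSR step described in the reply above, as an added example that is not part of the thread and not Red Hat's code. It generates the private key, builds the CSR with the Satellite's FQDN as both CN and Subject Alternative Name, and runs the checks worth doing before the CSR is sent off. Everything here is an assumption: openssl is available, satellite.example.com stands in for the real hostname, the file names follow the documentation's examples, and the files are written to a temporary directory.

```shell
#!/bin/sh
# Added example (not from the thread or from Red Hat): create the private key and
# the Certificate Signing Request (CSR), then check the CSR before sending it to
# the CA. Only the CSR goes to the CA; the key stays on the Satellite host.
# Assumptions: openssl is installed, satellite.example.com is a placeholder FQDN,
# file names follow the documentation's examples, output goes to a temp dir.
set -e

WORKDIR="${WORKDIR:-$(mktemp -d)}"
FQDN="satellite.example.com"                  # placeholder hostname
KEY="$WORKDIR/satellite_cert_key.pem"         # private key: never leaves this host
CSR="$WORKDIR/satellite_cert_csr.pem"         # the only file you send to the CA

# Generate a 2048-bit RSA key with owner-only permissions from the moment it exists.
make_key() {
  ( umask 077 && openssl genrsa -out "$KEY" 2048 2>/dev/null )
}

# Request config so the FQDN is both the CN and a Subject Alternative Name.
# Browsers match the name in the URL against the SAN, so a CN-only CSR can still
# end up as a certificate that triggers a warning.
make_csr() {
  cat > "$WORKDIR/csr.cnf" <<EOF
[req]
prompt = no
distinguished_name = dn
req_extensions = v3_req
[dn]
CN = $FQDN
O = Example Corp
[v3_req]
subjectAltName = DNS:$FQDN
EOF
  openssl req -new -key "$KEY" -out "$CSR" -config "$WORKDIR/csr.cnf" 2>/dev/null
}

# Checks worth running before the CSR leaves the host.
csr_names_host() {          # does the CSR carry the FQDN as a SAN?
  openssl req -in "$CSR" -noout -text | grep -q "DNS:$FQDN"
}
csr_matches_key() {         # was the CSR really built from this private key?
  [ "$(openssl rsa -in "$KEY" -noout -modulus)" = "$(openssl req -in "$CSR" -noout -modulus)" ]
}
key_is_owner_only() {       # mode 0600: no other user on the host can read the key
  [ "$(ls -l "$KEY" | cut -c1-10)" = "-rw-------" ]
}

make_key
make_csr
csr_names_host    && echo "CSR names $FQDN in its SAN"
csr_matches_key   && echo "CSR public key matches $KEY"
key_is_owner_only && echo "private key is mode 0600"
openssl req -in "$CSR" -noout -subject
echo "Send $CSR to the CA; keep $KEY private."
```

The modulus comparison is the quick way to confirm that a CSR (and later the certificate the CA returns) belongs to the key on disk; a mismatch is the usual cause of httpd refusing to start after a certificate swap.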
Patrick,
That's great news! I'm sorry you had to go through all this to get your company's certificate installed. I will definitely explain the term "Certificate Authority" as I took too much for granted there. Thank you for highlighting that.
The recommended method of migrating existing RHEL hosts under management by Satellite 6 is to use the bootstrap script. It automates several steps and checks which previously were manual. Note that the script is only available in Satellite 6.2 and later.
You can find information on the bootstrap script, and how to use it, at the following links. If you are like me, and find it easiest to understand when someone provides a demonstration, you might like to first watch the video, then read the other sources.
From the Satellite 6.2 Content Management Guide: Adding New Hosts To Satellite 6 Using The Bootstrap Script
Red Hat Satellite 6.2 Feature Overview: Importing Existing Hosts via the Bootstrap Script
Video Satellite 6.2 Feature Overview: Importing Existing Hosts via the Bootstrap Script
Patrick,
I have raised a ticket [1] to have the term "Certificate Authority" explained further in the Satellite 6 Installation Guide. I hope this will help other customers in future.
[1] Bug 1455020 - The term "Certificate Authority" needs to be explained in more detail
Hi Guys,
We have recently installed Satellite 6.2, and when we are trying to access it through the web UI we are getting a red cross mark on the browser stating not secure https. Can you please guide us on this? We have a Windows team which provides certificates. Can you let me know what kind of certificate I need to request from my Windows team and how to install it on my already installed Satellite? Help will be appreciated.
Mothilal,
The browser warning appears because the Satellite certificate is self-signed. In other words, it was created and signed by the Satellite Server itself, not a certificate authority known by your web browser.
The process of requesting a certificate signed by a Certificate Authority is described in Configuring Satellite Server with a Custom Server Certificate. The main requirement is that the certificate be signed by a Certificate Authority that is trusted by your web browser.
Please ask if you need a more detailed explanation.
Thanks for your response on this, Russell! Please provide a more detailed explanation on this. Along with this I have one more question: in order to get authenticated through AD, it's asking to generate a certificate from AD as well. So how different is this certificate from the one we are talking about?
Mothilal,
I recommend you read Configuring Satellite Server with a Custom Server Certificate if you haven't yet done so as it may answer some of your questions.
I believe you can have the custom certificate signed using Active Directory Certificate Services. I cannot provide advice on this configuration but I recommend you contact your Active Directory administrators.
Essentially, the requirement is that you create a Certificate Signing request, have it signed by a Certificate Authority trusted by the web browser you are using, and you should no longer see a certificate warning.
Hello, not sure if I should start a new thread; however, I seem to be having the same issue as the original, but the DNS name of my server does match the cert provided by our CA. All seems to have installed well and the curl -k confirms that the URL should work, but I'm receiving a "Can't connect securely to this page" from my Windows Explorer 11 browser. I'm unable to install any other browser in this environment, so checking another browser isn't an option. Any help or feedback would be greatly appreciated.
Hi,
I am also a newbie at this Satellite/Capsule thingy. I still need to learn a lot.
I have managed to install Satellite and connect some clients to it (using default certs). There are still a couple of problems that I need to tackle in my Satellite, which I think I can do later.
Now I am setting up a Capsule to be connected to that Satellite, and here is where all the problems come. LOL.
Starting to register the Capsule to Satellite via https gives me the error below (error found when I curl to the Satellite server):
curl#60 - "Peer's certificate issuer has been marked as not trusted by the user."
Does anyone have any advice on this?
Ahmad,
Are you following the instructions contained in 4.1. Registering Capsule Server to Satellite Server?
Please list the commands you have used so far in registering the Capsule to the Satellite.
Which version of Red Hat Satellite do you have installed on the Satellite and Capsule?
Hi Russell,
Thanks for replying.
My Satellite version is 6.3.2
I did not run any command yet except installing Satellite’s CA certificates from the Capsules (RHEL7.5)
rpm -Uvh https://satellite.example.com/pub/katello-ca-consumer-latest.noarch.rpm
This command is failing, and when I did "curl -v https://satellite.example.com/pub", it returned the above error.
Hi Russell,
Somehow I have solved my issue.
Instead of issuing the command "rpm -Uvh https://satellite.example.com/pub/katello-ca-consumer-latest.noarch.rpm" I got the rpm using "wget https://satellite.example.com/pub/katello-ca-consumer-latest.noarch.rpm --no-check-certificate"
and I installed it manually by issuing the command "rpm -ivh katello-ca-consumer-latest.noarch.rpm"
Ahmad,
I'm glad to hear you've solved that problem. I'm still a little concerned that the Capsule may not be properly registered to the Satellite. If you find any odd behavior between the Satellite and Capsule, please raise a support case with Red Hat. I recommend you do this anyway, but the decision is yours. It would be good to know that everything's OK.
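An added example, not part of the thread and not Red Hat's code, that reproduces offline what the curl error in this exchange and the browser warnings earlier in the thread have in common: the client cannot build a trust path from the server's certificate to a CA it trusts. It also carries through Russell's point above that the validity period lives inside the certificate. A throwaway "stand-in CA" created here issues the server certificate; it plays the role of the Satellite's own CA (default install, the CA the katello-ca-consumer RPM installs on clients) or of your company's CA (custom certificate). Assumptions: openssl is installed, satellite.example.com is a placeholder FQDN, and all files go to a temporary directory.

```shell
#!/bin/sh
# Added example (not from the thread or from Red Hat): a client rejects a server
# certificate whose issuer is not in its trust store; trusting the issuing CA
# fixes it, skipping verification only hides it. A stand-in CA signs the server
# certificate so this runs offline. Assumptions: openssl installed,
# satellite.example.com is a placeholder FQDN, files go to a temp dir.
set -e

WORKDIR="${WORKDIR:-$(mktemp -d)}"
FQDN="satellite.example.com"
CA_KEY="$WORKDIR/ca.key";       CA_CRT="$WORKDIR/ca.crt"
OTHER_KEY="$WORKDIR/other.key"; OTHER_CRT="$WORKDIR/other.crt"
SRV_KEY="$WORKDIR/server.key";  SRV_CSR="$WORKDIR/server.csr"; SRV_CRT="$WORKDIR/server.crt"

# Self-signed root: $1 = key path, $2 = cert path, $3 = CN.
make_self_signed_ca() {
  openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 3650 \
    -keyout "$1" -out "$2" -subj "/CN=$3" 2>/dev/null
}

# Server certificate issued by the stand-in CA: one year, SAN = the FQDN.
make_server_cert() {
  openssl req -newkey rsa:2048 -nodes -keyout "$SRV_KEY" -out "$SRV_CSR" \
    -subj "/CN=$FQDN" 2>/dev/null
  printf 'subjectAltName=DNS:%s\n' "$FQDN" > "$WORKDIR/server.ext"
  openssl x509 -req -in "$SRV_CSR" -CA "$CA_CRT" -CAkey "$CA_KEY" -CAcreateserial \
    -days 365 -sha256 -extfile "$WORKDIR/server.ext" -out "$SRV_CRT" 2>/dev/null
}

# Chain check against an explicit trust bundle ($1); prints "<file>: OK" on success.
verify_with() {
  openssl verify -CAfile "$1" "$SRV_CRT" 2>&1 | grep -q ': OK$'
}
# A bundle holding only an unrelated CA is the client's situation before the
# Satellite CA is installed: no issuer found, the same class of failure as curl's
# code 60 "certificate issuer ... not trusted".
verify_with_wrong_ca_fails() {
  ! verify_with "$OTHER_CRT"
}
# The name typed in the URL must appear in the certificate's SAN.
cert_names_host() {
  openssl x509 -in "$SRV_CRT" -noout -text | grep -q "DNS:$FQDN"
}
# Validity is inside the certificate; -checkend N fails if it expires within N seconds.
cert_valid_for_days() {    # $1 = days
  openssl x509 -in "$SRV_CRT" -noout -checkend $(( $1 * 86400 )) >/dev/null
}

make_self_signed_ca "$CA_KEY" "$CA_CRT" "Example Corp Internal CA"
make_self_signed_ca "$OTHER_KEY" "$OTHER_CRT" "Some Other CA"
make_server_cert
openssl x509 -in "$SRV_CRT" -noout -issuer -dates      # who signed it, notBefore/notAfter
verify_with_wrong_ca_fails && echo "wrong CA bundle: issuer not trusted (expected)"
verify_with "$CA_CRT"      && echo "issuing CA bundle: OK"
cert_names_host            && echo "SAN matches $FQDN"
cert_valid_for_days 30     && echo "more than 30 days of validity left"
cert_valid_for_days 400    || echo "expires within 400 days (expected for a 1-year cert)"
# Client-side equivalents:
#   curl --cacert "$CA_CRT" https://$FQDN/pub      # trust the issuer explicitly
#   curl -k / wget --no-check-certificate          # no verification at all: the
#                                                  # download is from an unverified peer
```

Installing the katello-ca-consumer RPM does for the whole client what `--cacert` does for one command: it puts the Satellite's CA where the client's TLS libraries look for it, so the `rpm -Uvh https://...` form only works once that trust already exists, which is why fetching the RPM itself needs either the CA bundle or a verification-free download.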
