Chapter 4. Configuring Capsule Servers for Load Balancing

This chapter outlines how to configure Capsule Servers for load balancing. Proceed to one of the following sections depending on your Satellite Server configuration:

Use different file names for the Katello certificates you create for each Capsule Server. For example, name the certificate archive file with the Capsule Server FQDN.

4.1. Configuring Capsule Server with Default SSL Certificates for Load Balancing without Puppet

The following section describes how to configure Capsule Servers that use default SSL certificates for load balancing without Puppet.

Complete this procedure on each Capsule Server that you want to configure for load balancing.

Procedure

  1. On Satellite Server, generate Katello certificates for Capsule Server, for example:

    # capsule-certs-generate \
    --foreman-proxy-fqdn capsule.example.com \
    --certs-tar "/root/capsule.example.com-certs.tar" \
    --foreman-proxy-cname loadbalancer.example.com

    Retain a copy of the example satellite-installer command that is output by the capsule-certs-generate command for installing the Capsule Server certificate.

  2. Copy the certificate archive file from Satellite Server to Capsule Server.

    # scp /root/capsule.example.com-certs.tar \
    root@capsule.example.com:capsule.example.com-certs.tar
  3. Append the following options to the satellite-installer command that you obtain from the output of the capsule-certs-generate command. Set the --puppet-ca-server option to point to the Capsule Server where you enter the command. You must install Puppet CA on your Capsule Servers, regardless of whether you intend to use it or not. Puppet is configured in its default single-node configuration.

    --certs-cname                              "loadbalancer.example.com" \
    --puppet-dns-alt-names                     "loadbalancer.example.com" \
    --puppet-ca-server                         "capsule.example.com" \
    --foreman-proxy-puppetca                   "true" \
    --puppet-server-ca                         "true" \
    --enable-foreman-proxy-plugin-remote-execution-ssh
  4. On Capsule Server, enter the satellite-installer command, for example:

    # satellite-installer --scenario capsule \
    --foreman-proxy-content-parent-fqdn        "satellite.example.com" \
    --foreman-proxy-register-in-foreman        "true" \
    --foreman-proxy-foreman-base-url           "https://satellite.example.com" \
    --foreman-proxy-trusted-hosts              "satellite.example.com" \
    --foreman-proxy-trusted-hosts              "capsule.example.com" \
    --foreman-proxy-oauth-consumer-key         "oauth key" \
    --foreman-proxy-oauth-consumer-secret      "oauth secret" \
    --certs-tar-file                           "capsule.example.com-certs.tar" \
    --puppet-server-foreman-url                "https://satellite.example.com" \
    --certs-cname                              "loadbalancer.example.com" \
    --puppet-dns-alt-names                     "loadbalancer.example.com" \
    --puppet-ca-server                         "capsule.example.com" \
    --foreman-proxy-puppetca                   "true" \
    --puppet-server-ca                         "true" \
    --enable-foreman-proxy-plugin-remote-execution-ssh

4.2. Configuring Capsule Server with Default SSL Certificates for Load Balancing with Puppet

The following section describes how to configure Capsule Servers that use default SSL certificates for load balancing with Puppet.

If you use Puppet in your Satellite configuration, you must complete the following procedures:

Configuring Capsule Server to Generate and Sign Puppet Certificates

Complete this procedure only for the system where you want to configure Capsule Server to generate and sign Puppet certificates for all other Capsule Servers that you configure for load balancing. In the examples in this procedure, the FQDN of this Capsule Server is capsule_ca.example.com.

  1. On Satellite Server, generate Katello certificates for the system where you configure Capsule Server to generate and sign Puppet certificates:

    # capsule-certs-generate \
    --foreman-proxy-fqdn capsule_ca.example.com \
    --certs-tar "/root/capsule_ca.example.com-certs.tar" \
    --foreman-proxy-cname loadbalancer.example.com

    Retain a copy of the example satellite-installer command that is output by the capsule-certs-generate command for installing the Capsule Server certificate.

  2. Copy the certificate archive file from Satellite Server to Capsule Server:

    # scp /root/capsule_ca.example.com-certs.tar \
    root@capsule_ca.example.com:capsule_ca.example.com-certs.tar
  3. Append the following options to the satellite-installer command that you obtain from the output of the capsule-certs-generate command:

    --certs-cname                              "loadbalancer.example.com" \
    --puppet-dns-alt-names                     "loadbalancer.example.com" \
    --puppet-ca-server                         "capsule_ca.example.com" \
    --foreman-proxy-puppetca                   "true" \
    --puppet-server-ca                         "true" \
    --enable-foreman-proxy-plugin-remote-execution-ssh
  4. On Capsule Server, enter the satellite-installer command, for example:

    # satellite-installer --scenario capsule \
    --foreman-proxy-content-parent-fqdn        "satellite.example.com" \
    --foreman-proxy-register-in-foreman        "true" \
    --foreman-proxy-foreman-base-url           "https://satellite.example.com" \
    --foreman-proxy-trusted-hosts              "satellite.example.com" \
    --foreman-proxy-trusted-hosts              "capsule_ca.example.com" \
    --foreman-proxy-oauth-consumer-key         "oauth key" \
    --foreman-proxy-oauth-consumer-secret      "oauth secret" \
    --certs-tar-file          "capsule_ca.example.com-certs.tar" \
    --puppet-server-foreman-url                "https://satellite.example.com" \
    --certs-cname                              "loadbalancer.example.com" \
    --puppet-dns-alt-names                     "loadbalancer.example.com" \
    --puppet-ca-server                         "capsule_ca.example.com" \
    --foreman-proxy-puppetca                   "true" \
    --puppet-server-ca                         "true" \
    --enable-foreman-proxy-plugin-remote-execution-ssh
  5. On Capsule Server, generate Puppet certificates for all other Capsule Servers that you configure for load balancing, except this first system where you configure Puppet certificates signing:

    # puppet cert generate capsule.example.com \
    --dns_alt_names=loadbalancer.example.com

    This command creates the following files on the system where you configure Capsule Server to sign Puppet certificates:

    • /etc/puppetlabs/puppet/ssl/certs/ca.pem
    • /etc/puppetlabs/puppet/ssl/certs/capsule.example.com.pem
    • /etc/puppetlabs/puppet/ssl/private_keys/capsule.example.com.pem
    • /etc/puppetlabs/puppet/ssl/public_keys/capsule.example.com.pem

Configuring Remaining Capsule Servers for Load Balancing

Complete this procedure on each Capsule Server excluding the system where you configure Capsule Server to sign Puppet certificates.

  1. On Satellite Server, generate Katello certificates for Capsule Server:

    # capsule-certs-generate \
    --foreman-proxy-fqdn capsule.example.com \
    --certs-tar "/root/capsule.example.com-certs.tar" \
    --foreman-proxy-cname loadbalancer.example.com

    Retain a copy of the example satellite-installer command that is output by the capsule-certs-generate command for installing the Capsule Server certificate.

  2. Copy the certificate archive file from Satellite Server to Capsule Server:

    # scp /root/capsule.example.com-certs.tar \
    root@capsule.example.com:capsule.example.com-certs.tar
  3. On Capsule Server, install the puppetserver package:

    # yum install puppetserver
  4. On Capsule Server, create directories for puppet certificates:

    # mkdir -p /etc/puppetlabs/puppet/ssl/certs/ \
    /etc/puppetlabs/puppet/ssl/private_keys/ \
    /etc/puppetlabs/puppet/ssl/public_keys/
  5. On Capsule Server, copy the Puppet certificates for this Capsule Server from the system where you configure Capsule Server to sign Puppet certificates:

    # scp root@capsule_ca.example.com:/etc/puppetlabs/puppet/ssl/certs/ca.pem \
    /etc/puppetlabs/puppet/ssl/certs/ca.pem
    # scp root@capsule_ca.example.com:/etc/puppetlabs/puppet/ssl/certs/capsule.example.com.pem \
    /etc/puppetlabs/puppet/ssl/certs/capsule.example.com.pem
    # scp root@capsule_ca.example.com:/etc/puppetlabs/puppet/ssl/private_keys/capsule.example.com.pem \
    /etc/puppetlabs/puppet/ssl/private_keys/capsule.example.com.pem
    # scp root@capsule_ca.example.com:/etc/puppetlabs/puppet/ssl/public_keys/capsule.example.com.pem \
    /etc/puppetlabs/puppet/ssl/public_keys/capsule.example.com.pem
  6. On Capsule Server, change the directory ownership to user puppet, group puppet and set the SELinux contexts:

    # chown -R puppet:puppet /etc/puppetlabs/puppet/ssl/
    # restorecon -Rv /etc/puppetlabs/puppet/ssl/
  7. Append the following options to the satellite-installer command that you obtain from the output of the capsule-certs-generate command:

    --certs-cname                              "loadbalancer.example.com" \
    --puppet-dns-alt-names                     "loadbalancer.example.com" \
    --puppet-ca-server                         "capsule_ca.example.com" \
    --foreman-proxy-puppetca                   "false" \
    --puppet-server-ca                         "false" \
    --enable-foreman-proxy-plugin-remote-execution-ssh
  8. On Capsule Server, enter the satellite-installer command, for example:

    # satellite-installer --scenario capsule \
    --foreman-proxy-content-parent-fqdn        "satellite.example.com" \
    --foreman-proxy-register-in-foreman        "true" \
    --foreman-proxy-foreman-base-url           "https://satellite.example.com" \
    --foreman-proxy-trusted-hosts              "satellite.example.com" \
    --foreman-proxy-trusted-hosts              "capsule.example.com" \
    --foreman-proxy-oauth-consumer-key         "oauth key" \
    --foreman-proxy-oauth-consumer-secret      "oauth secret" \
    --certs-tar-file                           "capsule.example.com-certs.tar" \
    --puppet-server-foreman-url                "https://satellite.example.com" \
    --certs-cname                              "loadbalancer.example.com" \
    --puppet-dns-alt-names                     "loadbalancer.example.com" \
    --puppet-ca-server                         "capsule_ca.example.com" \
    --foreman-proxy-puppetca                   "false" \
    --puppet-server-ca                         :false" \
    --enable-foreman-proxy-plugin-remote-execution-ssh

4.3. Configuring Capsule Server with Custom SSL Certificates for Load Balancing without Puppet

The following section describes how to configure Capsule Servers that use custom SSL certificates for load balancing without Puppet.

4.3.1. Creating Custom SSL Certificates for Capsule Server

This procedure outlines how to create a configuration file for the Certificate Signing Request and include the load balancer and Capsule Server as Subject Alternative Names (SAN). Complete this procedure on each Capsule Server that you want to configure for load balancing.

Procedure

  1. On Capsule Server, create a directory to contain all the source certificate files, accessible to only the root user:

    # mkdir /root/capsule_cert
    # cd /root/capsule_cert
  2. Create a private key with which to sign the Certificate Signing Request (CSR).

    Note that the private key must be unencrypted. If you use a password-protected private key, remove the private key password.

    If you already have a private key for this Capsule Server, skip this step.

    # openssl genrsa -out /root/capsule_cert/capsule_cert_key.pem 4096
  3. Create the certificate request configuration file with the following content:

    [ req ]
    default_bits       = 4096
    distinguished_name = req_distinguished_name
    req_extensions     = req_ext
    prompt = no
    
    [ req_distinguished_name ]
    countryName=2 Letter Country Code
    stateOrProvinceName=State or Province Full Name
    localityName=Locality Name
    0.organizationName=Organization Name
    organizationalUnitName=Capsule Organization Unit Name
    commonName=capsule.example.com  1
    emailAddress=Email Address
    
    [ req_ext ]
    #authorityKeyIdentifier=keyid,issuer
    #basicConstraints=CA:FALSE
    keyUsage = digitalSignature, nonRepudiation, keyEncipherment, dataEncipherment
    subjectAltName = @alt_names
    
    [alt_names]                  2
    DNS.1 = loadbalancer.example.com
    DNS.2 = capsule.example.com
    1
    The certificate’s common name must match the FQDN of Capsule Server. Ensure to change this when running the command on each Capsule Server that you configure for load balancing.
    2
    Under [alt_names], include the FQDN of the load balancer as DNS.1 and the FQDN of Capsule Server as DNS.2.
  4. Create a Certificate Signing Request (CSR) for the SAN certificate.

    # openssl req -new \
    -key /root/capsule_cert/capsule_cert_key.pem \ 1
    -config SAN_config.cfg \                   2
    -out /root/capsule_cert/capsule_cert_csr.pem   3
    1
    Capsule Server’s private key, used to sign the certificate
    2
    The certificate request configuration file
    3
    Certificate Signing Request file
  5. Send the certificate request to the Certificate Authority:

    When you submit the request, specify the lifespan of the certificate. The method for sending the certificate request varies, so consult the Certificate Authority for the preferred method. In response to the request, you can expect to receive a Certificate Authority bundle and a signed certificate, in separate files.

  6. Copy the Certificate Authority bundle and Capsule Server certificate file that you receive from the Certificate Authority, and the Capsule Server private key to your Satellite Server.
  7. On Satellite Server, validate the Capsule Server certificate input files:

    # katello-certs-check \
    -c /root/capsule_cert/capsule_cert.pem \      1
    -k /root/capsule_cert/capsule_cert_key.pem \  2
    -b /root/capsule_cert/ca_cert_bundle.pem      3
    1
    Capsule Server certificate file, provided by your Certificate Authority
    2
    Capsule Server’s private key that you used to sign the certificate
    3
    Certificate Authority bundle, provided by your Certificate Authority

    Retain a copy of the example capsule-certs-generate command that is output by the katello-certs-check command for creating the Certificate Archive File for this Capsule Server.

4.3.2. Configuring Capsule Server with Custom SSL Certificates for Load Balancing without Puppet

Complete this procedure on each Capsule Server that you want to configure for load balancing.

Procedure

  1. Append the following option to the capsule-certs-generate command that you obtain from the output of the katello-certs-check command:

    --foreman-proxy-cname loadbalancer.example.com
  2. On Satellite Server, enter the capsule-certs-generate command to generate Capsule certificates. For example:

    # capsule-certs-generate \
    --foreman-proxy-fqdn capsule.example.com \
    --certs-tar /root/capsule_cert/capsule.tar \
    --server-cert /root/capsule_cert/capsule.pem \
    --server-key /root/capsule_cert/capsule.pem \
    --server-ca-cert /root/capsule_cert/ca_cert_bundle.pem \
    --foreman-proxy-cname loadbalancer.example.com

    Retain a copy of the example satellite-installer command from the output for installing the Capsule Server certificates.

  3. Copy the certificate archive file from Satellite Server to Capsule Server:

    # scp /root/capsule.example.com-certs.tar \
    root@capsule.example.com:capsule.example.com-certs.tar
  4. Append the following options to the satellite-installer command that you obtain from the output of the capsule-certs-generate command. Set the --puppet-ca-server option to point to the Capsule Server where you enter the command. You must install Puppet CA on your Capsule Servers, regardless of whether you intend to use it or not. Puppet is configured in its default single-node configuration.

    --certs-cname                              "loadbalancer.example.com" \
    --puppet-dns-alt-names                     "loadbalancer.example.com" \
    --puppet-ca-server                         "capsule.example.com" \
    --foreman-proxy-puppetca                   "true" \
    --puppet-server-ca                         "true" \
    --enable-foreman-proxy-plugin-remote-execution-ssh
  5. On Capsule Server, enter the satellite-installer command, for example:

    # satellite-installer --scenario capsule \
    --foreman-proxy-content-parent-fqdn        "satellite.example.com" \
    --foreman-proxy-register-in-foreman        "true" \
    --foreman-proxy-foreman-base-url           "https://satellite.example.com" \
    --foreman-proxy-trusted-hosts              "satellite.example.com" \
    --foreman-proxy-trusted-hosts              "capsule.example.com" \
    --foreman-proxy-oauth-consumer-key         "oauth key" \
    --foreman-proxy-oauth-consumer-secret      "oauth secret" \
    --certs-tar-file                           "capsule.example.com-certs.tar" \
    --puppet-server-foreman-url                "https://satellite.example.com" \
    --certs-cname                              "loadbalancer.example.com" \
    --puppet-dns-alt-names                     "loadbalancer.example.com" \
    --puppet-ca-server                         "capsule.example.com" \
    --foreman-proxy-puppetca                   "true" \
    --puppet-server-ca                         "true" \
    --enable-foreman-proxy-plugin-remote-execution-ssh

4.4. Configuring Capsule Server with Custom SSL Certificates for Load Balancing with Puppet

The following section describes how to configure Capsule Servers that use custom SSL certificates for load balancing with Puppet.

4.4.1. Creating Custom SSL Certificates for Capsule Server

This procedure outlines how to create a configuration file for the Certificate Signing Request and include the load balancer and Capsule Server as Subject Alternative Names (SAN). Complete this procedure on each Capsule Server that you want to configure for load balancing.

Procedure

  1. On Capsule Server, create a directory to contain all the source certificate files, accessible to only the root user:

    # mkdir /root/capsule_cert
    # cd /root/capsule_cert
  2. Create a private key with which to sign the Certificate Signing Request (CSR).

    Note that the private key must be unencrypted. If you use a password-protected private key, remove the private key password.

    If you already have a private key for this Capsule Server, skip this step.

    # openssl genrsa -out /root/capsule_cert/capsule.pem 4096
  3. Create the certificate request configuration file with the following content:

    [ req ]
    default_bits       = 4096
    distinguished_name = req_distinguished_name
    req_extensions     = req_ext
    prompt = no
    
    [ req_distinguished_name ]
    countryName=2 Letter Country Code
    stateOrProvinceName=State or Province Full Name
    localityName=Locality Name
    0.organizationName=Organization Name
    organizationalUnitName=Capsule Organization Unit Name
    commonName=capsule.example.com  1
    emailAddress=Email Address
    
    [ req_ext ]
    #authorityKeyIdentifier=keyid,issuer
    #basicConstraints=CA:FALSE
    keyUsage = digitalSignature, nonRepudiation, keyEncipherment, dataEncipherment
    subjectAltName = @alt_names
    
    [alt_names]                  2
    DNS.1 = loadbalancer.example.com
    DNS.2 = capsule.example.com
    1
    The certificate’s common name must match the FQDN of Capsule Server. Ensure to change this when running the command on each Capsule Server.
    2
    Under [alt_names], include the FQDN of the load balancer as DNS.1 and the FQDN of Capsule Server as DNS.2.
  4. Create a Certificate Signing Request (CSR) for the SAN certificate:

    # openssl req -new \
    -key /root/capsule_cert/capsule.pem \ 1
    -config SAN_config.cfg \          2
    -out /root/capsule_cert/capsule.pem   3
    1
    Capsule Server’s private key, used to sign the certificate
    2
    The certificate request configuration file
    3
    Certificate Signing Request file
  5. Send the certificate request to the Certificate Authority:

    When you submit the request, specify the lifespan of the certificate. The method for sending the certificate request varies, so consult the Certificate Authority for the preferred method. In response to the request, you can expect to receive a Certificate Authority bundle and a signed certificate, in separate files.

  6. Copy the Certificate Authority bundle and Capsule Server certificate file that you receive from the Certificate Authority, and the Capsule Server private key to your Satellite Server to validate them.
  7. On Satellite Server, validate the Capsule Server certificate input files:

    # katello-certs-check \
    -c /root/capsule_cert/capsule.pem \      1
    -k /root/capsule_cert/capsule.pem \      2
    -b /root/capsule_cert/ca_cert_bundle.pem 3
    1
    Capsule Server certificate file, provided by your Certificate Authority
    2
    Capsule Server’s private key that you used to sign the certificate
    3
    Certificate Authority bundle, provided by your Certificate Authority

    Retain a copy of the example capsule-certs-generate command that is output by the katello-certs-check command for creating the Certificate Archive File for this Capsule Server.

4.4.2. Configuring Capsule Server with Custom SSL Certificates for Load Balancing with Puppet

If you use Puppet in your Satellite configuration, then you must complete the following procedures:

Configuring Capsule Server to Generate and Sign Puppet Certificates

Complete this procedure only for the system where you want to configure Capsule Server to generate Puppet certificates for all other Capsule Servers that you configure for load balancing. In the examples in this procedure, the FQDN of this Capsule Server is capsule_ca.example.com.

  1. Append the following option to the capsule-certs-generate command that you obtain from the output of the katello-certs-check command:

    --foreman-proxy-cname loadbalancer.example.com
  2. On Satellite Server, enter the capsule-certs-generate command to generate Capsule certificates. For example:

    # capsule-certs-generate \
    --foreman-proxy-fqdn capsule_ca.example.com \
    --certs-tar /root/capsule_cert/capsule_ca.tar \
    --server-cert /root/capsule_cert/capsule_ca.pem \
    --server-key /root/capsule_cert/capsule_ca.pem \
    --server-ca-cert /root/capsule_cert/ca_cert_bundle.pem \
    --foreman-proxy-cname loadbalancer.example.com

    Retain a copy of the example satellite-installer command from the output for installing the Capsule Server certificates.

  3. Copy the certificate archive file from Satellite Server to Capsule Server.
  4. Append the following options to the satellite-installer command that you obtain from the output of the capsule-certs-generate command:

    --puppet-dns-alt-names                     "loadbalancer.example.com" \
    --puppet-ca-server                         "capsule_ca.example.com" \
    --foreman-proxy-puppetca                   "true" \
    --puppet-server-ca                         "true" \
    --enable-foreman-proxy-plugin-remote-execution-ssh
  5. On Capsule Server, enter the satellite-installer command, for example:

    satellite-installer --scenario capsule \
    --foreman-proxy-content-parent-fqdn        "satellite.example.com" \
    --foreman-proxy-register-in-foreman        "true" \
    --foreman-proxy-foreman-base-url           "https://satellite.example.com" \
    --foreman-proxy-trusted-hosts              "satellite.example.com" \
    --foreman-proxy-trusted-hosts              "capsule_ca.example.com" \
    --foreman-proxy-oauth-consumer-key         "oauth key" \
    --foreman-proxy-oauth-consumer-secret      "oauth secret" \
    --certs-tar-file                           "certs.tgz" \
    --puppet-server-foreman-url                "https://satellite.example.com" \
    --certs-cname                              "loadbalancer.example.com" \
    --puppet-dns-alt-names                     "loadbalancer.example.com" \
    --puppet-ca-server                         "capsule_ca.example.com" \
    --foreman-proxy-puppetca                   "true" \
    --puppet-server-ca                         "true" \
    --enable-foreman-proxy-plugin-remote-execution-ssh
  6. On Capsule Server, generate Puppet certificates for all other Capsules that you configure for load balancing, except this first system where you configure Puppet certificates signing:

    # puppet cert generate capsule.example.com \
    --dns_alt_names=loadbalancer.example.com

    This command creates the following files on the Puppet certificate signing Capsule Server instance:

    • /etc/puppetlabs/puppet/ssl/certs/ca.pem
    • /etc/puppetlabs/puppet/ssl/certs/capsule.example.com.pem
    • /etc/puppetlabs/puppet/ssl/private_keys/capsule.example.com.pem
    • /etc/puppetlabs/puppet/ssl/public_keys/capsule.example.com.pem

Configuring Remaining Capsule Servers for Load Balancing

Complete this procedure for each Capsule Server excluding the system where you configure Capsule Server to sign Puppet certificates.

  1. Append the following option to the capsule-certs-generate command that you obtain from the output of the katello-certs-check command:

    --foreman-proxy-cname loadbalancer.example.com
  2. On Satellite Server, enter the capsule-certs-generate command to generate Capsule certificates. For example:

    # capsule-certs-generate \
    --foreman-proxy-fqdn capsule.example.com \
    --certs-tar /root/capsule_cert/capsule.tar \
    --server-cert /root/capsule_cert/capsule.pem \
    --server-key /root/capsule_cert/capsule.pem \
    --server-ca-cert /root/capsule_cert/ca_cert_bundle.pem \
    --foreman-proxy-cname loadbalancer.example.com

    Retain a copy of the example satellite-installer command from the output for installing the Capsule Server certificates.

  3. Copy the certificate archive file from Satellite Server to Capsule Server.

    # scp /root/capsule.example.com-certs.tar \
    root@capsule.example.com:capsule.example.com-certs.tar
  4. On Capsule Server, install the puppetserver package:

    # yum install puppetserver
  5. On Capsule Server, create directories for puppet certificates:

    # mkdir -p /etc/puppetlabs/puppet/ssl/certs/ \
    /etc/puppetlabs/puppet/ssl/private_keys/ \
    /etc/puppetlabs/puppet/ssl/public_keys/
  6. On Capsule Server, copy the Puppet certificates for this Capsule Server from the system where you configure Capsule Server to sign Puppet certificates:

    # scp root@capsule_ca.example.com:/etc/puppetlabs/puppet/ssl/certs/ca.pem \
    /etc/puppetlabs/puppet/ssl/certs/ca.pem
    # scp root@capsule_ca.example.com:/etc/puppetlabs/puppet/ssl/certs/capsule.example.com.pem \
    /etc/puppetlabs/puppet/ssl/certs/capsule.example.com.pem
    # scp root@capsule_ca.example.com:/etc/puppetlabs/puppet/ssl/private_keys/capsule.example.com.pem \
    /etc/puppetlabs/puppet/ssl/private_keys/capsule.example.com.pem
    # scp root@capsule_ca.example.com:/etc/puppetlabs/puppet/ssl/public_keys/capsule.example.com.pem \
    /etc/puppetlabs/puppet/ssl/public_keys/capsule.example.com.pem
  7. On Capsule Server, change the directory ownership to user puppet, group puppet and set the SELinux contexts:

    # chown -R puppet:puppet /etc/puppetlabs/puppet/ssl/
    # restorecon -Rv /etc/puppetlabs/puppet/ssl/
  8. Append the following options to the satellite-installer command that you obtain from the output of the capsule-certs-generate command:

    --certs-cname                              "loadbalancer.example.com" \
    --puppet-dns-alt-names                     "loadbalancer.example.com" \
    --puppet-ca-server                         "capsule_ca.example.com" \
    --foreman-proxy-puppetca                   "false" \
    --puppet-server-ca                         "false" \
    --enable-foreman-proxy-plugin-remote-execution-ssh
  9. On Capsule Server, enter the satellite-installer command, for example:

    # satellite-installer --scenario capsule \
    --foreman-proxy-content-parent-fqdn        "satellite.example.com" \
    --foreman-proxy-register-in-foreman        "true" \
    --foreman-proxy-foreman-base-url           "https://satellite.example.com" \
    --foreman-proxy-trusted-hosts              "satellite.example.com" \
    --foreman-proxy-trusted-hosts              "capsule.example.com" \
    --foreman-proxy-oauth-consumer-key         "oauth key" \
    --foreman-proxy-oauth-consumer-secret      "oauth secret" \
    --certs-tar-file                           "capsule.example.com-certs.tar" \
    --puppet-server-foreman-url                "https://satellite.example.com" \
    --certs-cname                              "loadbalancer.example.com" \
    --puppet-dns-alt-names                     "loadbalancer.example.com" \
    --puppet-ca-server                         "capsule_ca.example.com" \
    --foreman-proxy-puppetca                   "false" \
    --puppet-server-ca                         "false" \
    --enable-foreman-proxy-plugin-remote-execution-ssh