When trying to update the self-signed cert with a CA-issued one, satellite-installer gives an error on Satellite 6

Solution Verified - Updated -

Issue

  • When trying to update the self-signed Cert with Custom/External CA issued one, satellite-installer gives an error.

  • We have this error when we try to update the self-signed cert with our Custom/External CA generated cert.

    # satellite-installer --scenario satellite \
    --certs-server-cert /root/sat_cert/satellite_cert.pem \
    --certs-server-key /root/sat_cert/satellite_cert_key.pem \
    --certs-server-ca-cert /root/sat_cert/ca_cert_bundle.pem \
    --certs-update-server --certs-update-server-ca
    Marking certificate /root/ssl-build/abcd.xyz.com/abcd.xyz.com-apache for update
    Marking certificate /root/ssl-build/abcd.xyz.com/abcd.xyz.com-foreman-proxy for update
    Marking certificate /root/ssl-build/katello-server-ca for update
    Command '/usr/share/katello-installer/bin/katello-certs-check -c "/root/sat_cert/satellite_cert.pem"  -k "/root/sat_cert/satellite_cert_key.pem" -b "/root/sat_cert/ca_cert_bundle.pem"' exited with 4:
    Validating the certificate subject= /L=City/ST=State/C=US/O=Company/OU=Department/CN=abcd.xyz.com
    Check private key matches the certificate: [OK]
    Check ca bundle verifies the cert file: [FAIL]
    The /root/sat_cert/ca_cert_bundle.pem does not verify the /root/sat_cert/satellite_cert.pem
    /root/sat_cert/satellite_cert.pem: C = US, O = Company, OU = Company Service Association, CN = Company Information Delivery Internal CA
    error 2 at 1 depth lookup:unable to get issuer certificate
    
  • We are unable to install SSL certificate on the satellite server:

    # satellite-installer --certs-server-cert "/sat_cert/satellite_cert.pem" --certs-server-key "/root/sat_cert/satellite_cert_key.pem" --certs-server-ca-cert "/root/sat_cert/ca_cert_bundle.pem" --certs-update-server --certs-update-server-ca
    2025-02-23 22:17:53 [NOTICE] [root] Loading installer configuration. This will take some time.
    2025-02-23 22:17:57 [NOTICE] [root] Running installer with log based terminal output at level NOTICE.
    2025-02-23 22:17:57 [NOTICE] [root] Use -l to set the terminal output log level to ERROR, WARN, NOTICE, INFO, or DEBUG. See --full-help for definitions.
    Checking server certificate encoding:
    [OK]
    
    Checking expiration of certificate:
    [OK]
    
    .
    .
    .
    
    Checking CA bundle against the certificate file:
    [FAIL]
    
    The /root/sat_cert/ca_cert_bundle.pem does not verify the /root/sat_cert/satellite_cert.pem
    CN=satellite.example.com
    error 20 at 0 depth lookup: unable to get local issuer certificate
    error /root/sat_cert/satellite_cert.pem: verification failed
    
    Checking CA bundle size: 1
    [OK]
    
    .
    .
    .
    
    Checking CA signing algorithm for sha1:
    [OK]
    

Environment

  • Red Hat Satellite 6
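
Both failures in the Issue section are `openssl verify` errors: error 20 at depth 0 means the issuer of the server certificate is not in the bundle, and error 2 at depth 1 means a CA certificate in the bundle has no issuer there. The following is an added diagnostic sketch in POSIX shell, not Red Hat tooling and not this article's resolution; it reports the verify code and names the issuer DN that the bundle lacks. The function names and the file name `chaincheck.sh` are assumptions of this example.

```shell
#!/bin/sh
# Added diagnostic sketch, not Red Hat tooling.
# Usage: sh chaincheck.sh CERT CA_BUNDLE   (chaincheck.sh is a hypothetical name)

# Print "subject=..." and "issuer=..." for every certificate in a PEM file.
names() {
    openssl crl2pkcs7 -nocrl -certfile "$1" | openssl pkcs7 -print_certs -noout
}

# Run openssl verify with the bundle as -CAfile.
# Prints "OK", or "error N depth D" taken from the first verify error line.
verify_result() {
    vr_rc=0
    vr_out=$(openssl verify -CAfile "$2" "$1" 2>&1) || vr_rc=$?
    vr_err=$(printf '%s\n' "$vr_out" |
        sed -n 's/^error \([0-9]*\) at \([0-9]*\) depth lookup.*/error \1 depth \2/p' |
        head -n 1)
    if [ "$vr_rc" -eq 0 ] && [ -z "$vr_err" ]; then echo OK; return 0; fi
    echo "${vr_err:-openssl verify failed}"
    return 1
}

# Follow issuer names from the server certificate up through the bundle.
# Prints the first issuer DN that no bundle certificate carries as its subject
# and returns 1; returns 0 once a self-signed root is reached.
# Names only: signature checks are left to openssl verify above.
missing_issuer() {
    mi_want=$(names "$1" | sed -n 's/^issuer=//p' | head -n 1)
    mi_hops=0
    while [ "$mi_hops" -lt 10 ]; do
        mi_next=$(names "$2" | WANT="subject=$mi_want" awk '
            $0 == ENVIRON["WANT"] { hit = 1; next }
            hit && /^issuer=/     { print substr($0, 8); exit }')
        if [ -z "$mi_next" ]; then printf '%s\n' "$mi_want"; return 1; fi
        if [ "$mi_next" = "$mi_want" ]; then return 0; fi
        mi_want=$mi_next
        mi_hops=$((mi_hops + 1))
    done
    return 2   # more than 10 hops: issuer names form a loop
}

if [ "$#" -eq 2 ]; then
    echo "verify: $(verify_result "$1" "$2")"
    if mi_dn=$(missing_issuer "$1" "$2"); then
        echo "bundle reaches a self-signed root"
    else
        echo "not in bundle: $mi_dn"
    fi
fi
```

Run it with the same certificate and bundle paths that were passed to `--certs-server-cert` and `--certs-server-ca-cert`.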
