Satellite certificates are not updating despite proper options being passed
Environment
- Red Hat Satellite 6
Issue
After running the satellite-installer command to replace certificates:
satellite-installer --scenario satellite \
--certs-server-cert "/root/satellite_cert/custom-certificate.cer" \
--certs-server-key "/root/satellite_cert/custom-certificate-key.key" \
--certs-server-ca-cert "/root/satellite_cert/custom-certificate-ca-bundle.pem" \
--certs-update-server --certs-update-server-ca
The old certificate being presented by the Satellite remains unchanged:
[root@satellite]# openssl s_client -connect satellite.example.com:443 2>/dev/null | openssl x509 -noout -dates
notBefore=Apr 16 00:00:00 2020 GMT <-- Old certificate start date
notAfter=Apr 16 23:59:59 2022 GMT <-- Old certificate end date
Resolution
Ensure the --certs-generate option is set to true:
satellite-installer --scenario satellite \
--certs-server-cert "/root/satellite_cert/custom-certificate.cer" \
--certs-server-key "/root/satellite_cert/custom-certificate-key.key" \
--certs-server-ca-cert "/root/satellite_cert/custom-certificate-ca-bundle.pem" \
--certs-update-server --certs-update-server-ca \
--certs-generate true
Root Cause
Running satellite-installer --full-help | grep certs-generate we can see that the certs-generate option was set to false by default:
--certs-generate Should the generation of the certs be part of the
configuration (current: false)
Diagnostic Steps
Running katello-certs-check shows that the certificates are all OK:
[root@satellite]# katello-certs-check \
> -c /root/satellite_cert/custom-certificate.cer \
> -k /root/satellite_cert/custom-certificate-key.key \
> -b /root/satellite_cert/custom-certificate-ca-bundle.pem
Checking server certificate encoding:
[OK]
Checking expiration of certificate:
[OK]
Checking expiration of CA bundle:
[OK]
Checking if server certificate has CA:TRUE flag
[OK]
Checking for private key passphrase:
[OK]
Checking to see if the private key matches the certificate:
[OK]
Checking CA bundle against the certificate file:
[OK]
Checking CA bundle size: 3
[OK]
Checking Subject Alt Name on certificate
[OK]
Checking if any Subject Alt Name on certificate matches the Subject CN
[OK]
Checking Key Usage extension on certificate for Key Encipherment
[OK]
Checking for use of shortname as CN
[OK]
Validation succeeded
After running satellite-installer to replace certificates, the server certificate has not changed:
openssl s_client -connect `hostname -f`:443 | openssl x509 -noout -dates
notBefore=Apr 16 00:00:00 2020 GMT <-- Old certificate start date
notAfter=Apr 16 23:59:59 2022 GMT <-- Old certificate end date
The new certificate should have these dates instead:
[root@satellite]# openssl x509 -in /root/satellite_cert/custom-certificate.cer -text -noout | egrep 'Not Before|Not After'
Not Before: Apr 7 00:00:00 2022 GMT
Not After : Apr 7 23:59:59 2023 GMT
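
A pre-flight and post-run check for the procedure above, as an added example that is not Red Hat's code: it reads the current value of --certs-generate from the wrapped --full-help text and compares the served certificate with the custom file by SHA-256 fingerprint instead of by dates. The function names and the --example-* options in the sample text are hypothetical.

```bash
#!/bin/bash
# Added example, not Red Hat's code. Function names are hypothetical.

# Print the "(current: ...)" value of one installer option from
# `satellite-installer --full-help` text on stdin. Descriptions wrap onto
# continuation lines, so scan until the value or the next option appears.
option_current() {
    awk -v opt="$1" '
        $1 == opt { found = 1 }
        found && $1 != opt && $1 ~ /^--/ { exit }
        found && match($0, /\(current: [^)]*\)/) {
            print substr($0, RSTART + 10, RLENGTH - 11); exit
        }'
}

# Succeeds when the update run must pass "--certs-generate true" explicitly.
needs_certs_generate() {
    [ "$(option_current --certs-generate)" != "true" ]
}

# SHA-256 fingerprint of a PEM certificate file.
file_fingerprint() {
    openssl x509 -in "$1" -noout -fingerprint -sha256
}

# SHA-256 fingerprint of the certificate a host serves on port 443.
served_fingerprint() {
    openssl s_client -connect "$1:443" -servername "$1" </dev/null 2>/dev/null |
        openssl x509 -noout -fingerprint -sha256
}

# Succeeds only when the host serves exactly the certificate in the file.
cert_is_live() {   # usage: cert_is_live HOST CERT_FILE
    live=$(served_fingerprint "$1") || return 1
    [ -n "$live" ] && [ "$live" = "$(file_fingerprint "$2")" ]
}

# Constructed --full-help excerpt: the certs-generate lines are the ones
# quoted above; the --example-* options are placeholders, not real flags.
SAMPLE_HELP='    --example-before    Placeholder option (current: true)
    --certs-generate    Should the generation of the certs be part of the
                        configuration (current: false)
    --example-after     Placeholder option (current: "x")'

if printf '%s\n' "$SAMPLE_HELP" | needs_certs_generate; then
    echo 'certs-generate is not true: add "--certs-generate true"'
fi
```

On a Satellite server, pipe the real help text in with `satellite-installer --full-help | option_current --certs-generate`, and after the installer run call `cert_is_live "$(hostname -f)" /root/satellite_cert/custom-certificate.cer`.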