Satellite certificates are not updating despite proper options being passed


Environment

  • Red Hat Satellite 6

Issue

After running the satellite-installer command to replace certificates:

    satellite-installer --scenario satellite \
                      --certs-server-cert "/root/satellite_cert/custom-certificate.cer" \
                      --certs-server-key "/root/satellite_cert/custom-certificate-key.key" \
                      --certs-server-ca-cert "/root/satellite_cert/custom-certificate-ca-bundle.pem" \
                      --certs-update-server --certs-update-server-ca

The old certificate being presented by the Satellite remains unchanged:

[root@satellite]# openssl s_client -connect satellite.example.com:443 2>/dev/null | openssl x509 -noout -dates
notBefore=Apr 16 00:00:00 2020 GMT <-- Old certificate start date
notAfter=Apr 16 23:59:59 2022 GMT  <-- Old certificate end date

Resolution

Ensure the --certs-generate option is set to true:

    satellite-installer --scenario satellite \
                      --certs-server-cert "/root/satellite_cert/custom-certificate.cer" \
                      --certs-server-key "/root/satellite_cert/custom-certificate-key.key" \
                      --certs-server-ca-cert "/root/satellite_cert/custom-certificate-ca-bundle.pem" \
                      --certs-update-server --certs-update-server-ca \
                      --certs-generate true

Root Cause

Running satellite-installer --full-help | grep certs-generate, we can see that the certs-generate option was set to false by default:

    --certs-generate              Should the generation of the certs be part of the
                                  configuration (current: false)

Diagnostic Steps

Running katello-certs-check, the certificates are all OK:

[root@satellite]# katello-certs-check \
> -c /root/satellite_cert/custom-certificate.cer \
> -k /root/satellite_cert/custom-certificate-key.key \
> -b /root/satellite_cert/custom-certificate-ca-bundle.pem
Checking server certificate encoding:
[OK]

Checking expiration of certificate:
[OK]

Checking expiration of CA bundle:
[OK]

Checking if server certificate has CA:TRUE flag
[OK]

Checking for private key passphrase:
[OK]

Checking to see if the private key matches the certificate:
[OK]

Checking CA bundle against the certificate file:
[OK]

Checking CA bundle size: 3
[OK]

Checking Subject Alt Name on certificate
[OK]

Checking if any Subject Alt Name on certificate matches the Subject CN
[OK]

Checking Key Usage extension on certificate for Key Encipherment
[OK]

Checking for use of shortname as CN
[OK]

Validation succeeded

After running satellite-installer to replace certificates, the server certificate has not changed:

openssl s_client -connect `hostname -f`:443 | openssl x509 -noout -dates
notBefore=Apr 16 00:00:00 2020 GMT <-- Old certificate start date 
notAfter=Apr 16 23:59:59 2022 GMT  <-- Old certificate end date

The new certificate should have these dates instead:

[root@satellite]# openssl x509 -in /root/satellite_cert/custom-certificate.cer -text -noout | egrep 'Not Before|Not After'
            Not Before: Apr  7 00:00:00 2022 GMT
            Not After : Apr  7 23:59:59 2023 GMT
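
The date comparison above can be made exact by comparing SHA-256 fingerprints of the served certificate and the custom certificate file. The script below is an added example, not part of the original solution or of Red Hat tooling; the function names and the script name verify.sh are hypothetical.

```bash
#!/bin/bash
# Added example (not Red Hat tooling): check that the certificate served on
# port 443 is the custom one, by SHA-256 fingerprint instead of by dates.

# Fingerprint of the first PEM certificate on stdin; empty if none parses.
fingerprint() {
    openssl x509 -noout -fingerprint -sha256 2>/dev/null | cut -d= -f2
}

# s_client output for host:port; </dev/null ends the session after the handshake.
served_cert() {
    openssl s_client -connect "$1:$2" -servername "$1" </dev/null 2>/dev/null
}

# Strip colons/whitespace and upper-case the hex so formats compare equal.
normalize_fp() {
    printf '%s' "$1" | tr -d ': \n' | tr 'a-f' 'A-F'
}

# 0 = same certificate, 1 = different, 2 = a fingerprint is missing.
# The empty check matters: a failed connection must never count as a match.
compare_fingerprints() {
    local a b
    a=$(normalize_fp "$1")
    b=$(normalize_fp "$2")
    if [ -z "$a" ] || [ -z "$b" ]; then return 2; fi
    [ "$a" = "$b" ]
}

# verify_deployed CERT_FILE [HOST] [PORT]
verify_deployed() {
    local cert_file="$1" host="${2:-$(hostname -f)}" port="${3:-443}"
    local want got rc=0
    want=$(fingerprint < "$cert_file")
    got=$(served_cert "$host" "$port" | fingerprint)
    compare_fingerprints "$want" "$got" || rc=$?
    case "$rc" in
        0) echo "OK: $host:$port serves $cert_file" ;;
        1) echo "MISMATCH: $host:$port still serves another certificate" ;;
        *) echo "ERROR: could not read $cert_file or connect to $host:$port" ;;
    esac
    return "$rc"
}

# Example: ./verify.sh /root/satellite_cert/custom-certificate.cer
[ "$#" -eq 0 ] || verify_deployed "$@"
```

Run it on the Satellite server after the installer finishes; exit status 1 means the old certificate is still being presented.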
