Use this procedure to configure your {ProjectServer} to use a custom SSL certificate signed by a Certificate Authority.
The katello-certs-check command validates the input certificate files and returns the commands necessary to deploy a custom SSL certificate to {ProjectServer}.
Important
|
Do not store the SSL certificates or .tar bundles in |
- Validate the custom SSL certificate input files. Note that for the katello-certs-check command to work correctly, Common Name (CN) in the certificate must match the FQDN of {ProjectServer}.

      # katello-certs-check \
        -c /root/{project-context}_cert/{project-context}_cert.pem \ (1)
        -k /root/{project-context}_cert/{project-context}_cert_key.pem \ (2)
        -b /root/{project-context}_cert/ca_cert_bundle.pem (3)

  (1) Path to {ProjectServer} certificate file that is signed by a Certificate Authority.
  (2) Path to the private key that was used to sign {ProjectServer} certificate.
  (3) Path to the Certificate Authority bundle.

  If the command is successful, it returns two {foreman-installer} commands, one of which you must use to deploy a certificate to {ProjectServer}.

  Example output of katello-certs-check

      Validation succeeded.

      To install the Katello main server with the custom certificates, run:

          foreman-installer --scenario katello \
            --certs-server-cert "/root/{project-context}_cert/{project-context}_cert.pem" \
            --certs-server-key "/root/{project-context}_cert/{project-context}_cert_key.pem" \
            --certs-server-ca-cert "/root/{project-context}_cert/ca_cert_bundle.pem"

      To update the certificates on a currently running Katello installation, run:

          foreman-installer --scenario katello \
            --certs-server-cert "/root/{project-context}_cert/{project-context}_cert.pem" \
            --certs-server-key "/root/{project-context}_cert/{project-context}_cert_key.pem" \
            --certs-server-ca-cert "/root/{project-context}_cert/ca_cert_bundle.pem" \
            --certs-update-server --certs-update-server-ca

  Note that you must not access or modify /root/ssl-build.
- From the output of the katello-certs-check command, depending on your requirements, enter the {foreman-installer} command that installs a new {Project} with custom SSL certificates or updates certificates on a currently running {Project}.

  If you are unsure which command to run, you can verify that {Project} is installed by checking if the file /etc/foreman-installer/scenarios.d/.installed exists. If the file exists, run the second {foreman-installer} command that updates certificates.

  Important
  {foreman-installer} needs the certificate archive file after you deploy the certificate. Do not modify or delete it. It is required, for example, when upgrading {ProjectServer}.

- On a computer with network access to {ProjectServer}, navigate to the following URL: https://{foreman-example-com}.

- In your browser, view the certificate details to verify the deployed certificate.
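The choice between the two returned commands can be scripted so that an operator reviews exactly one command before running it. This is an added example, not part of the product documentation: it reads saved katello-certs-check output and prints the update command when the `.installed` marker exists, otherwise the fresh-install command. The names `select_installer_cmd`, `sample_output` and `INSTALLED_MARKER` are hypothetical, the sample paths are constructed, and it assumes the installer appears literally as `foreman-installer`, as in the example output.

```shell
#!/bin/sh
# Added example (not from the product documentation).
# Marker file named in the procedure; overridable only so the logic can be tested.
INSTALLED_MARKER="${INSTALLED_MARKER:-/etc/foreman-installer/scenarios.d/.installed}"

# Constructed sample of katello-certs-check output, in the format shown above.
sample_output() {
cat <<'EOF'
Validation succeeded.

To install the Katello main server with the custom certificates, run:

    foreman-installer --scenario katello \
      --certs-server-cert "/root/example_cert/example_cert.pem" \
      --certs-server-key "/root/example_cert/example_cert_key.pem" \
      --certs-server-ca-cert "/root/example_cert/ca_cert_bundle.pem"

To update the certificates on a currently running Katello installation, run:

    foreman-installer --scenario katello \
      --certs-server-cert "/root/example_cert/example_cert.pem" \
      --certs-server-key "/root/example_cert/example_cert_key.pem" \
      --certs-server-ca-cert "/root/example_cert/ca_cert_bundle.pem" \
      --certs-update-server --certs-update-server-ca
EOF
}

# Reads katello-certs-check output on stdin and prints the one command to run:
# the update command if the marker exists, otherwise the fresh-install command.
select_installer_cmd() {
    if [ -e "$INSTALLED_MARKER" ]; then want=2; else want=1; fi
    cmd=$(awk -v want="$want" '
        /^Validation succeeded/ { ok = 1 }
        # A command starts at "foreman-installer" and continues while the
        # previous line ended in a backslash.
        /^[ \t]*foreman-installer / && !cont { n++; cont = 1 }
        cont { if (n == want) print; cont = ($0 ~ /\\[ \t]*$/) }
        END { exit !(ok && n >= want) }
    ') || { echo "validation failed or command missing" >&2; return 1; }
    # Sanity check: only the update command carries --certs-update-server.
    case "$want:$cmd" in
        1:*--certs-update-server*) echo "unexpected command order" >&2; return 1 ;;
        2:*--certs-update-server*) ;;
        2:*) echo "unexpected command order" >&2; return 1 ;;
    esac
    printf '%s\n' "$cmd"
}
```

The function only prints the selected command; it does not execute it, so the certificate paths can be checked before deployment.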