Changes to Candlepin and Pulp certificate usage

With the completion of Tracker #32381 (Communication with services from Foreman application should use a single set of client certificates - Installer - Foreman), we have migrated the communication to Pulp and to Candlepin’s Artemis to use a single set of certificates by taking advantage of the Foreman client certificate. The following is true as of nightly and will be present as of Foreman 3.0. The certificates spoken of are the ones configured in settings.yaml at:

# SSL-settings
:ssl_certificate: <%= scope.lookupvar("foreman::client_ssl_cert") %>
:ssl_ca_file: <%= scope.lookupvar("foreman::client_ssl_ca") %>
:ssl_priv_key: <%= scope.lookupvar("foreman::client_ssl_key") %>

The values configured here are now what will be used when communicating to Pulp’s API when deployed as a primary Pulp or as a mirror. The client certificates are also used to communicate with Candlepin’s Artemis for reading events. These are also used to communicate with Qpid when enabling katello-agent.

On a Katello installation, these certificates are located at:

/etc/foreman/client_cert.pem
/etc/foreman/client_key.pem
/etc/foreman/proxy_ca.pem

Candlepin certificate clean up

The previously used client certificates for communication with Artemis are cleaned up on upgrades to remove them from the system, since they are no longer used. Specifically, that is the removal of:

/etc/pki/katello/certs/java-client.crt
/etc/pki/katello/private/java-client.key

Caveat: Pulp 3 and N-1

For Pulp, we are not yet able to clean up the older client certificates due to supporting the ability to talk to an older Katello content proxy (N-1 support). N-1 support represents the ability to upgrade the main server and then separately upgrade content proxies in different maintenance windows. Given this, we must keep around the old client certificates for 2 more releases to allow communication with the older Pulp instances. The choice of certificates used is driven by Apache configuration which older Pulp deployments won’t have.

To state this more directly, for Katello 4.2+, the following will be used to communicate with Pulp deployed on a Katello 4.2+ or a content proxy 4.2+:

/etc/foreman/client_cert.pem
/etc/foreman/client_key.pem
/etc/foreman/proxy_ca.pem

For communication with a Katello (or content proxy) version 4.1 or less, the following remains and will be used:

/etc/pki/katello/private/pulp-client.key
/etc/pki/katello/certs/pulp-client.crt
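As an added check, not part of the original post or of the Katello installer: verify that the identity configured under ssl_certificate / ssl_priv_key / ssl_ca_file actually fits together (key matches cert, cert not expired), then present it to Pulp 3's status endpoint the way Foreman does. It assumes openssl and curl are on the path; the function names, the default Katello paths from the post, and the host argument are the script's own.

```shell
#!/bin/sh
# Sanity-check the Foreman client identity (settings.yaml ssl_certificate /
# ssl_priv_key / ssl_ca_file) that Katello 4.2+ presents to Pulp and Artemis.
# Usage: check_foreman_client_certs [cert] [key] [ca]; defaults are the Katello paths.
set -u

check_foreman_client_certs() {
  cert="${1:-/etc/foreman/client_cert.pem}"
  key="${2:-/etc/foreman/client_key.pem}"
  ca="${3:-/etc/foreman/proxy_ca.pem}"
  for f in "$cert" "$key" "$ca"; do
    [ -r "$f" ] || { echo "unreadable: $f" >&2; return 1; }
  done

  # 1. The private key must belong to the certificate: compare the public keys
  #    derived from each side (works for RSA and EC keys alike).
  cert_pub=$(openssl x509 -in "$cert" -noout -pubkey) || return 1
  key_pub=$(openssl pkey -in "$key" -pubout) || return 1
  if [ "$cert_pub" != "$key_pub" ]; then
    echo "private key does not match certificate" >&2
    return 2
  fi

  # 2. The certificate must still be valid (-checkend 0 = not expired right now).
  openssl x509 -in "$cert" -noout -checkend 0 >/dev/null || {
    echo "certificate has expired" >&2
    return 3
  }

  # 3. Informational: installer-generated client certs are issued by the same CA
  #    that proxy_ca.pem holds; custom certs may legitimately differ, so only warn.
  openssl verify -CAfile "$ca" "$cert" >/dev/null 2>&1 \
    || echo "note: client cert is not issued by $ca (expected for custom certs)" >&2
  echo "subject: $(openssl x509 -in "$cert" -noout -subject)"
  echo "issuer:  $(openssl x509 -in "$cert" -noout -issuer)"
  return 0
}

# Do what Foreman does: present the client identity to Pulp 3's status endpoint
# while verifying the server against the same CA file. $1 is the Pulp/content proxy host.
probe_pulp_status() {
  host="$1"
  cert="${2:-/etc/foreman/client_cert.pem}"
  key="${3:-/etc/foreman/client_key.pem}"
  ca="${4:-/etc/foreman/proxy_ca.pem}"
  curl -sS --fail --cert "$cert" --key "$key" --cacert "$ca" \
    "https://$host/pulp/api/v3/status/"
}
```

Exit code 2 from the check is the one to look for after an upgrade: it means the key and certificate under /etc/foreman no longer belong together.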

I’d like to emphasize that Katello can automatically detect which set of certificates to use. There is no need to manually configure anything. When upgrading the content proxies, the installer will reconfigure the content proxy and advertise the new capability.

That is a great simplification. Do I read that correctly that in the case of the Katello installation scenario, if I want to use custom certificates, I can pass one cert (and private key and CA cert) for the web UI and only one for the infrastructure? So in total 6 installer arguments to fill in?

Not yet, but this gets us closer.