Changes to Candlepin, and Pulp certificate usage

With the completion of Tracker #32381: Communication with services from Foreman application should use a single set of client certificates - Installer - Foreman we have migrated the communication to Pulp, and Candlepin’s Artemis to use a single set of certificates by taking advantage of the Foreman client certificate. The following is true as of nightly and will be present as of Foreman 3.0. The certificates spoken of are the ones configured in settings.yaml at:

# SSL-settings
:ssl_certificate: <%= scope.lookupvar("foreman::client_ssl_cert") %>
:ssl_ca_file: <%= scope.lookupvar("foreman::client_ssl_ca") %>
:ssl_priv_key: <%= scope.lookupvar("foreman::client_ssl_key") %>

The values configured here are now what will be used when communicating to Pulp’s API when deployed as a primary Pulp or as a mirror. The client certificates are also used to communicate with Candlepin’s Artemis for reading events. These are also used to communicate with Qpid when enabling katello-agent.

On a Katello installation, these certificates are located at:


Candlepin certificate clean up

The previously used client certificates for communication with Artemis are cleaned up on upgrades to remove them from the system since they are no longer used. Specifically that is the removal of:


Caveat: Pulp 3 and N-1

For Pulp, we are not yet able to clean up the older client certificates due to supporting the ability to talk to an older Katello content proxy (N-1 support). N-1 support represents the ability to upgrade the main server and then separately upgrade content proxies in different maintenance windows. Given this, we must keep around the old client certificates for 2 more releases to allow communication with the older Pulp instances. The choice of certificates used is driven by Apache configuration which older Pulp deployments won’t have.

To state this more directly, for Katello 4.2+, the following will be used to communicate with Pulp deployed on a Katello 4.2+ or a content proxy 4.2+:


For communication with a Katello (or content proxy) version 4.1 or less, the following remains and will be used:


I’d like to emphasize that Katello can automatically detect which set of certificates to use. There is no need to manually configure anything. When upgrading the content proxies, the installer will reconfigure the content proxy and advertise the new capability.

That is a great simplification. Do I read that correctly that in case of Katello installation scenario, if I want to use custom certificates, I can pass one cert (and private key and ca cert) for the webui and only one for the infrastructure? So in total 6 installer arguments to fill in?

Not yet, but this gets us closer.