Default katello certs

Problem:

I have successfully updated Foreman/Katello deployment to use signed certificates.

I would like to revert this back to use the default self-signed certificates (as per initial build) for further testing. I tried to do this by reverting to a VM snapshot taken with Foreman services stopped prior to updating the certificates. This was unsuccessful, as it was then unable to connect to upstream subscription allocation until I re-applied the signed certificates.

Is it possible to do this?

Foreman and Proxy versions:

foreman-3.1.3-1

Foreman and Proxy plugin versions:

katello-4.3.1-1

You’ll effectively need to unset the parameters you passed to the installer when configuring the custom certificates. For example,

    --reset-certs-server-cert \
    --reset-certs-server-key \
    --reset-certs-server-ca-cert

I have not directly tested the above, as it will take me some time to get a setup to give the exact command.

Hi Eric,

This appears to work with regard to resetting the certs back to self-signed, as I get an invalid certificate in the BUI connection (plus HSTS errors that I had to clear in Chrome), but the result is the same inasmuch as I still get “unable to connect to upstream subscription allocation” errors when viewing the subscriptions tab, and the dashboard widgets are stuck at loading.

    # foreman-installer --scenario katello \
    > --reset-certs-server-cert \
    > --reset-certs-server-key \
    > --reset-certs-server-ca-cert \
    > --certs-update-server --certs-update-server-ca

    Success!
    * Foreman is running at https://xxxxxxxxxxxxxxxxxxxxxxx
    * To install an additional Foreman proxy on separate machine continue by running:
    foreman-proxy-certs-generate --foreman-proxy-fqdn "$FOREMAN_PROXY" --certs-tar "/root/$FOREMAN_PROXY-certs.tar"

    The full log is at /var/log/foreman-installer/katello.log

    # foreman-rake apipie:cache

So I assume something else also needs cleaning or resetting to get back to install state.

Regards,
Steve

This is the comment you should have led with, as this does not always have to do with the certificates deployed for the server but rather around the manifest and connection back to Red Hat.

Are you using a manifest from Red Hat that you imported to get RH content? Can you describe a bit more your setup around that and what you are attempting to do that leads to this error?

Hi Eric,

Thanks again for your input and help.

Yes, I am using a RH Manifest that was working and providing access to RH content immediately prior to making any certificate changes. On switching to signed certs, the manifest connection to RH still worked; on reverting the certs back to self-signed, the RH manifest connection breaks; on re-applying the signed certs, the RH manifest connection works again. So the only scenario where it does not work is on reverting from signed to self-signed certs.

Regards,
Steve