[Katello] Setting Up New SSL Certificates

quick · September 8, 2021, 1:48pm

Hello, quick question!

I have an already existing Katello server that is using the self-signed certificates that were generated upon installation.

Since then, I’ve been using Foreman and Katello to provisioning, patch, and maintain production systems. However, I now need to setup a new CA signed SSL certificate.

So I obtained my certs from DigiCert, uploaded them to my Foreman server, and used the “katello-certs-check” to validate them:

# katello-certs-check -c /etc/pki/tls/certs/mycert.crt -k /etc/pki/tls/private/mycert.key -b /etc/pki/tls/certs/TrustedRoot.crt
Checking server certificate encoding:
[OK]

Checking expiration of certificate:
[OK]

Checking expiration of CA bundle:
[OK]

Checking if server certificate has CA:TRUE flag
[OK]

Checking for private key passphrase:
[OK]

Checking to see if the private key matches the certificate:
[OK]

Checking CA bundle against the certificate file:
[OK]

Checking CA bundle size:
[OK]

Checking Subject Alt Name on certificate
[OK]

Checking Key Usage extension on certificate for Key Encipherment
[OK]

Validation succeeded


To install the Katello server with the custom certificates, run:

    foreman-installer --scenario katello \
                      --certs-server-cert "/etc/pki/tls/certs/mycert.crt" \
                      --certs-server-key "/etc/pki/tls/private/mycert.key" \
                      --certs-server-ca-cert "/etc/pki/tls/certs/TrustedRoot.crt"

To update the certificates on a currently running Katello installation, run:

    foreman-installer --scenario katello \
                      --certs-server-cert "/etc/pki/tls/certs/mycert.crt" \
                      --certs-server-key "/etc/pki/tls/private/mycert.key" \
                      --certs-server-ca-cert "/etc/pki/tls/certs/TrustedRoot.crt" \
                      --certs-update-server --certs-update-server-ca

To use them inside a NEW $FOREMAN_PROXY, rerun this command with -t foreman-proxy

Awesome! Looks like we’re good to go. And it even gave me the command to run to update certificates on a currently running Katello installation (you guys think of everything!).

However, I am being extra cautious as this system is being used in production… Is there anything I should be worried about before running this? Can I seriously break anything? Is it easy to revert? Could this effect communication between Foreman/Katello and the hosts it is managing?

Note I am not running a SmartProxy on any of the hosts which Katello manages (though I believe the Katello system its self is a SmartProxy?).

Any tips/tricks would be greatly appreciated! If you need any additional details about my environment, just lemme know.

Thanks.

Marek_Hulan · September 16, 2021, 7:39am

Of course, this can break stuff, basically any communication since users and managed machines use the same web server to talk with Foreman. You can try running the installer with --noop to see what all would change. We store every installer run log in /var/log/foreman-installer so you can investigate the changes later too. To rever, you could probably rerun the installer with previous cert values.

If you succeed with this command, could you please let us know? We could convert this post to the guide for others

Yes, by default we deploy one Smart Proxy alongside with the Foreman(+Katello) host.

Marek_Hulan · September 16, 2021, 7:43am

Actually there’s already a guide which I guess you’ve followed.

esw · November 30, 2022, 8:18pm

Got here via google and found Marek’s ‘a guide’ link broken - thought I’d share some corrected URLs for future web/forum searchers - looks like between foreman v3.0 and 3.1 the relevant section was hidden on the ‘foreman only’ documentation and only present on the katello documentation:

https://docs.theforeman.org/3.0/Installing_Server_on_Red_Hat/index-foreman-el.html#configuring-satellite-custom-server-certificate_foreman
https://docs.theforeman.org/3.0/Installing_Server_on_Red_Hat/index-katello.html#configuring-satellite-custom-server-certificate_foreman
https://docs.theforeman.org/3.1/Installing_Server/index-katello.html#Configuring_Server_with_a_Custom_SSL_Certificate_foreman
https://docs.theforeman.org/3.3/Installing_Server/index-katello.html#Configuring_Server_with_a_Custom_SSL_Certificate_foreman
https://docs.theforeman.org/3.4/Installing_Server/index-katello.html#Configuring_Server_with_a_Custom_SSL_Certificate_foreman

Good luck future web searchers!