Replace Expired Red Hat Satellite Certificates

Introduction

It all started with the need to upgrade an old Satellite 6.3 to a newer version. The environment had gone without maintenance for a while, and its digital certificates had already expired, which prevented the upgrade from being carried out.

Research

All the documentation I found pointed to actions that would not solve the case. There seems to be no consensus on this, and it is precisely the missing points that prevented the work from being completed successfully.

Fixing the Issue

Drawing on previous experience with OpenStack deployments, I used that knowledge to configure OpenSSL correctly and generate working certificates. The details follow.

Create New TLS Certificates

Follow the procedure below and everything should work as expected.

Initializing the Signing Host

The openssl ca command used later to sign the server certificate keeps its database under /etc/pki/CA, the dir set in the stock /etc/pki/tls/openssl.cnf. It needs an empty index.txt, a serial file and the newcerts directory (created when the openssl package is installed on RHEL 7). The commands run as root, so sudo is not needed.

# touch /etc/pki/CA/index.txt
# echo '1000' > /etc/pki/CA/serial

Creating a Certificate Authority

Be sure to customize the information according to your environment. Give the CA a Common Name that differs from the Satellite hostname, for example "My Company Satellite CA": if the CA and the server certificate share the same subject, the server certificate's issuer name equals its own subject, which X.509 treats as self-issued and which some TLS stacks and certificate tools then mistake for a self-signed certificate.

# mkdir -p /root/satellite_cert

# openssl genrsa \
-out /root/satellite_cert/satellite_cert_ca_key.pem 4096

# openssl req \
-key /root/satellite_cert/satellite_cert_ca_key.pem \
-new -x509 -days 7300 -extensions v3_ca \
-out /root/satellite_cert/satellite_cert_ca_crt.pem

Country Name (2 letter code) [XX]:BR
State or Province Name (full name) []:SP
Locality Name (eg, city) [Default City]:Sao Paulo
Organization Name (eg, company) [Default Company Ltd]:My Company
Organizational Unit Name (eg, section) []:My Section
Common Name (eg, your name or your server's hostname) []:My Company Satellite CA
Email Address []:support@domain.com

Adding the Certificate Authority to OS

# cp -v /root/satellite_cert/satellite_cert_ca_crt.pem /etc/pki/ca-trust/source/anchors/

Update the System CA Trust Store

# update-ca-trust extract

Creating an SSL/TLS Key

The certificates will be valid for 20 years. Exaggerated? Maybe. But for an environment that is not usually maintained, this may be reasonable. Note that the validity period belongs to the certificate, not to the key: openssl genrsa has no -days option and fails if one is passed, so the key is generated without it.

# openssl genrsa \
-out /root/satellite_cert/satellite_cert_key.pem 4096

Creating an SSL/TLS Certificate Signing Request

This is the most important part of the process. Pay attention to the details, otherwise things will not work.

CSR Config

Be sure to customize the information according to your environment, and add any lines that are missing from the stock file. In the alt_names section, replace the IP.1 placeholder with the real address or delete the line; openssl refuses to build the subjectAltName extension from a value that is not an IP address. The copy of the stock config is saved as openssl.conf, the name used by every command below.

# cd /root/satellite_cert

# cp /etc/pki/tls/openssl.cnf /root/satellite_cert/openssl.conf

# vi /root/satellite_cert/openssl.conf

(...)
[ req ]
default_bits = 2048
default_md = sha256
default_keyfile = privkey.pem
distinguished_name = req_distinguished_name
attributes = req_attributes
x509_extensions = v3_ca # The extensions to add to the self signed cert
string_mask = utf8only
req_extensions = v3_req # The extensions to add to a certificate request

[ req_distinguished_name ]
countryName = Country Name (2 letter code)
countryName_default = BR
countryName_min = 2
countryName_max = 2
stateOrProvinceName = State or Province Name (full name)
stateOrProvinceName_default = SP
localityName = Locality Name (eg, city)
localityName_default = Sao Paulo
0.organizationName = Organization Name (eg, company)
0.organizationName_default = My Company
organizationalUnitName = Organizational Unit Name (eg, section)
organizationalUnitName_default = My Section
commonName = Common Name (eg, your name or your server\'s hostname)
commonName_default = satellite.example.com
commonName_max = 64
emailAddress = Email Address
emailAddress_default = support@domain.com
emailAddress_max = 64
(...)

(...)
[ v3_req ]
basicConstraints = CA:FALSE
keyUsage = nonRepudiation, digitalSignature, keyEncipherment
subjectAltName = @alt_names

[ alt_names ]
IP.1 = PUT YOUR HOST IP HERE
DNS.1 = satellite.example.com
(...)

CSR Request

# openssl req -new \
-key /root/satellite_cert/satellite_cert_key.pem \
-config /root/satellite_cert/openssl.conf \
-out /root/satellite_cert/satellite_cert_csr.pem

Creating the SSL/TLS Certificate

Sign the request with the CA. The stock config's default policy (policy_match) requires the request's Country, State and Organization to match the CA certificate, so keep those values identical in both; -extensions v3_req is what puts the subjectAltName on the issued certificate.

# openssl ca \
-config /root/satellite_cert/openssl.conf \
-extensions v3_req \
-days 7300 \
-in /root/satellite_cert/satellite_cert_csr.pem \
-out /root/satellite_cert/satellite_cert_crt.pem \
-cert /root/satellite_cert/satellite_cert_ca_crt.pem \
-keyfile /root/satellite_cert/satellite_cert_ca_key.pem
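The whole chain of steps above (CA database, CA, server key, CSR with SAN, signing with openssl ca), as an added example that is not part of the original post, scripted into a scratch directory instead of /etc/pki/CA so it can be run and thrown away. The hostname satellite.example.com, the IP 192.0.2.10 (a documentation address), the DN values and the CA Common Name are constructed placeholders. It departs from the article in two deliberate ways: the CA gets a Common Name distinct from the server's, and the server certificate gets extendedKeyUsage = serverAuth. The CSR extensions are selected with -reqexts rather than a req_extensions line so that the same config file serves both openssl req -x509 and openssl ca without ambiguity.

```shell
#!/usr/bin/env bash
# Added example, not from the original post: the article's CA + SAN server
# certificate procedure scripted end to end in a scratch directory, so the CA
# database (index.txt, serial, newcerts/) lives there instead of /etc/pki/CA.
# Hostname, IP (192.0.2.10), DN values and CA CN are constructed placeholders.
set -eu

make_satellite_certs() {
    local dir="$1" host="$2" ip="$3"
    mkdir -p "$dir/newcerts"
    touch "$dir/index.txt"
    echo 1000 > "$dir/serial"

    # One config for both `openssl req` and `openssl ca`. policy_match forces the
    # CSR's C/ST/O to equal the CA's, so the CA subject below reuses them and
    # differs only in CN (a CA whose CN equals the server's is a chain pitfall).
    cat > "$dir/openssl.conf" <<EOF
[ ca ]
default_ca = CA_default

[ CA_default ]
dir = $dir
database = \$dir/index.txt
new_certs_dir = \$dir/newcerts
serial = \$dir/serial
certificate = \$dir/ca.crt
private_key = \$dir/ca.key
default_md = sha256
policy = policy_match

[ policy_match ]
countryName = match
stateOrProvinceName = match
organizationName = match
commonName = supplied

[ req ]
prompt = no
default_md = sha256
distinguished_name = server_dn

[ server_dn ]
C = BR
ST = SP
O = My Company
CN = $host

[ v3_ca ]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign

[ v3_req ]
basicConstraints = CA:FALSE
keyUsage = nonRepudiation, digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth
subjectAltName = @alt_names

[ alt_names ]
DNS.1 = $host
IP.1 = $ip
EOF

    # CA key and self-signed CA certificate (20 years, as in the article); the
    # -subj overrides the server DN from the config, keeping C/ST/O identical.
    openssl genrsa -out "$dir/ca.key" 4096 2>/dev/null
    openssl req -new -x509 -days 7300 -config "$dir/openssl.conf" -extensions v3_ca \
        -key "$dir/ca.key" -subj "/C=BR/ST=SP/O=My Company/CN=My Company Satellite CA" \
        -out "$dir/ca.crt"

    # Server key (keys have no validity period, certificates do) and a CSR that
    # carries the SAN; -reqexts names the extension section for the request.
    openssl genrsa -out "$dir/server.key" 4096 2>/dev/null
    openssl req -new -key "$dir/server.key" -config "$dir/openssl.conf" \
        -reqexts v3_req -out "$dir/server.csr"

    # Sign against the CA database above. -batch: no prompts; -notext: PEM only.
    openssl ca -batch -notext -config "$dir/openssl.conf" -extensions v3_req \
        -days 7300 -in "$dir/server.csr" -out "$dir/server.crt" \
        -cert "$dir/ca.crt" -keyfile "$dir/ca.key" 2>/dev/null
}

# Non-zero exit if server.crt does not chain to ca.crt or does not match the name.
verify_chain() {
    openssl verify -CAfile "$1/ca.crt" -verify_hostname "$2" "$1/server.crt" >/dev/null
}

# Print the subjectAltName value of the issued certificate.
cert_sans() {
    openssl x509 -in "$1/server.crt" -noout -text | grep -A1 'Subject Alternative Name' | tail -n 1
}

WORKDIR="$(mktemp -d)"
make_satellite_certs "$WORKDIR" satellite.example.com 192.0.2.10
verify_chain "$WORKDIR" satellite.example.com && echo "chain OK:$(cert_sans "$WORKDIR")"
```

The verification step is the part worth keeping: openssl verify with -CAfile and -verify_hostname checks both the chain and the name before the certificate is handed to satellite-installer, which is the same question katello-certs-check asks, answered with nothing but OpenSSL.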

Validate The Certificates

Now use katello-certs-check to verify that the generated certificates are suitable for use by the Satellite.

# katello-certs-check \
-c /root/satellite_cert/satellite_cert_crt.pem \
-k /root/satellite_cert/satellite_cert_key.pem \
-r /root/satellite_cert/satellite_cert_csr.pem \
-b /root/satellite_cert/satellite_cert_ca_crt.pem

Update Certificates on the Satellite

This step updates the certificates on every Satellite component that needs them. During troubleshooting I noticed that the certificate was not updated in Tomcat; according to the documentation, however, Tomcat never uses the certificates we are creating.

# satellite-installer \
--scenario satellite \
--certs-server-cert "/root/satellite_cert/satellite_cert_crt.pem" \
--certs-server-key "/root/satellite_cert/satellite_cert_key.pem" \
--certs-server-ca-cert "/root/satellite_cert/satellite_cert_ca_crt.pem" \
--certs-update-server \
--certs-update-server-ca

Check hammer

If the update succeeded, check that hammer works.

# hammer location list
---|-------|------|------------
ID | TITLE | NAME | DESCRIPTION
---|-------|------|------------
2  | PROD  | PROD | Production
---|-------|------|------------

Finishing

Work done! You can now proceed with the Satellite environment upgrade. I hope this article has helped you in some way. If you need it, send me a message and I’ll try to help.

Andre Rocha

I'm just a SysAdmin with some experience in OpenSource, DevOps and Datacenter Services, who likes to share knowledge.