Replace Expired Red Hat Satellite Certificates
--
This one took me a whole day to figure out. There is plenty of documentation about this, but none of it explains how to properly build and replace an expired CA and self-signed Satellite certificate. So I decided to share my experience to make things easier for those who need this information.
Introduction
It all started with the need to upgrade an old Satellite 6.3 to a newer version. The environment had been without maintenance for a while, and the digital certificates had already expired, which prevented the upgrade from being carried out.
Research
All the documentation I found pointed to actions that would not solve the case. There seems to be no consensus on this, and it was precisely the missing details that prevented the work from being completed successfully.
After talking to some co-workers, I understood that the process should continue with the creation of custom certificates. However, the documentation on this is somewhat vague, and the example OpenSSL configuration used to generate the CA was incomplete.
Fixing the Issue
I drew on previous experience with OpenStack deployments to configure OpenSSL correctly and generate the certificates successfully. The details are presented below.
Create New TLS Certificates
Follow the procedure below and everything should work. All commands are run as root on the Satellite server. The signing steps rely on the stock RHEL OpenSSL CA layout under /etc/pki/CA, which is where the dir setting of the default /etc/pki/tls/openssl.cnf points.
Initializing the Signing Host
The index.txt database and the serial file are what openssl ca expects to find in /etc/pki/CA (the newcerts subdirectory it also writes to already exists on a stock RHEL install):
# touch /etc/pki/CA/index.txt
# echo '1000' > /etc/pki/CA/serial
Creating a Certificate Authority
Be sure to customize the information according to your environment. Give the CA a Common Name that is distinct from the Satellite hostname (for example the name of your organisation's CA), so that the issuer and subject of the server certificate differ and the two certificates cannot be confused with each other.
# mkdir -p /root/satellite_cert
# openssl genrsa \
-out /root/satellite_cert/satellite_cert_ca_key.pem 4096
# openssl req \
-key /root/satellite_cert/satellite_cert_ca_key.pem \
-new -x509 -days 7300 -extensions v3_ca \
-out /root/satellite_cert/satellite_cert_ca_crt.pem
Country Name (2 letter code) [XX]:BR
State or Province Name (full name) []:SP
Locality Name (eg, city) [Default City]:Sao Paulo
Organization Name (eg, company) [Default Company Ltd]:My Company
Organizational Unit Name (eg, section) []:My Section
Common Name (eg, your name or your server's hostname) []:My Company Satellite CA
Email Address []:support@domain.com
Adding the Certificate Authority to the OS Trust Store
# cp -v /root/satellite_cert/satellite_cert_ca_crt.pem /etc/pki/ca-trust/source/anchors/
Update the OS trust store:
# update-ca-trust extract
Creating an SSL/TLS Key
We will create certificates valid for 20 years. Exaggerated? Maybe. But for an environment that is not usually maintained, this may be reasonable. Note that the validity period belongs to the certificate, not to the key, so it is set when signing and not here (openssl genrsa has no -days option).
# openssl genrsa \
-out /root/satellite_cert/satellite_cert_key.pem 4096
Creating an SSL/TLS Certificate Signing Request
This is the most important part of the process. Pay attention to details, otherwise things won’t work out.
CSR Config
Be sure to customize the information according to your environment. Add the missing lines if needed.
# cd /root/satellite_cert
# cp /etc/pki/tls/openssl.cnf /root/satellite_cert/openssl.conf
# vi /root/satellite_cert/openssl.conf
(...)
[ req ]
default_bits = 2048
default_md = sha256
default_keyfile = privkey.pem
distinguished_name = req_distinguished_name
attributes = req_attributes
x509_extensions = v3_ca # The extensions to add to the self signed cert
string_mask = utf8only
req_extensions = v3_req # The extensions to add to a certificate request
[ req_distinguished_name ]
countryName = Country Name (2 letter code)
countryName_default = BR
countryName_min = 2
countryName_max = 2
stateOrProvinceName = State or Province Name (full name)
stateOrProvinceName_default = SP
localityName = Locality Name (eg, city)
localityName_default = Sao Paulo
0.organizationName = Organization Name (eg, company)
0.organizationName_default = My Company
organizationalUnitName = Organizational Unit Name (eg, section)
organizationalUnitName_default = My Section
commonName = Common Name (eg, your name or your server's hostname)
commonName_default = satellite.example.com
commonName_max = 64
emailAddress = Email Address
emailAddress_default = support@domain.com
emailAddress_max = 64
(...)
(...)
[ v3_req ]
basicConstraints = CA:FALSE
keyUsage = nonRepudiation, digitalSignature, keyEncipherment
# Not in the stock file: states the purposes the certificate is issued for,
# which is conventional for a TLS server certificate and lets purpose-checking
# validators accept it.
extendedKeyUsage = serverAuth, clientAuth
subjectAltName = @alt_names
[ alt_names ]
# DNS.1 must be the FQDN that clients use to reach the Satellite; modern
# clients match the hostname against the SAN entries, not the Common Name.
IP.1 = PUT YOUR HOST IP HERE
DNS.1 = satellite.example.com
(...)
Generate the CSR
# openssl req -new \
-key /root/satellite_cert/satellite_cert_key.pem \
-config /root/satellite_cert/openssl.conf \
-out /root/satellite_cert/satellite_cert_csr.pem
Creating the SSL/TLS Certificate
# openssl ca \
-config /root/satellite_cert/openssl.conf \
-extensions v3_req \
-days 7300 \
-in /root/satellite_cert/satellite_cert_csr.pem \
-out /root/satellite_cert/satellite_cert_crt.pem \
-cert /root/satellite_cert/satellite_cert_ca_crt.pem \
-keyfile /root/satellite_cert/satellite_cert_ca_key.pem
Validate The Certificates
Now use katello-certs-check to verify that the generated certificates are suitable for the Satellite. On success it prints the satellite-installer command line to use with these files; if it reports an error, fix the certificate before going any further.
# katello-certs-check \
-c /root/satellite_cert/satellite_cert_crt.pem \
-k /root/satellite_cert/satellite_cert_key.pem \
-r /root/satellite_cert/satellite_cert_csr.pem \
-b /root/satellite_cert/satellite_cert_ca_crt.pem
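The properties katello-certs-check looks at can also be verified with plain openssl, which helps on a host without Katello or when the check fails and you want to know which property is wrong. The script below is an added example and is not part of the original article or of Katello: the function names check_satellite_cert and make_test_pki are mine, openssl and a grep that supports -A (GNU or BSD) are assumed to be on the PATH, and make_test_pki builds a throwaway CA and server certificate only so the script can run offline. On the Satellite you would instead run check_satellite_cert against the files created above, for example check_satellite_cert /root/satellite_cert/satellite_cert_crt.pem /root/satellite_cert/satellite_cert_key.pem /root/satellite_cert/satellite_cert_ca_crt.pem satellite.example.com.

```shell
#!/bin/sh
# Added example (not from the original article or from Katello): pre-flight
# checks for a Satellite server certificate using plain openssl.
#
# check_satellite_cert CERT KEY CA_CERT HOSTNAME [MIN_DAYS]
#   1. CERT chains to CA_CERT
#   2. KEY belongs to CERT (same public key)
#   3. CERT is valid for at least MIN_DAYS more days (default 30)
#   4. CERT is not itself a CA (no basicConstraints CA:TRUE)
#   5. CERT lists HOSTNAME as a DNS subjectAltName
# Returns 0 when everything passes, or the number of the first failed check.
check_satellite_cert() {
  cert=$1 key=$2 ca=$3 host=$4 min_days=${5:-30}

  # 1. Chain: the certificate must verify against the CA that issued it.
  if ! openssl verify -CAfile "$ca" "$cert" >/dev/null 2>&1; then
    echo "FAIL 1: $cert does not verify against $ca" >&2; return 1
  fi

  # 2. Pairing: public key inside the cert vs. public key derived from the key.
  cert_pub=$(openssl x509 -in "$cert" -noout -pubkey 2>/dev/null)
  key_pub=$(openssl pkey -in "$key" -pubout 2>/dev/null)
  if [ -z "$cert_pub" ] || [ "$cert_pub" != "$key_pub" ]; then
    echo "FAIL 2: $key does not match $cert" >&2; return 2
  fi

  # 3. Expiry: -checkend fails if the cert expires within the given seconds.
  if ! openssl x509 -in "$cert" -noout -checkend $((min_days * 86400)) >/dev/null; then
    echo "FAIL 3: $cert expires within $min_days days or is already expired" >&2; return 3
  fi

  text=$(openssl x509 -in "$cert" -noout -text)

  # 4. Handing in the CA certificate as the server certificate is a common slip.
  if printf '%s\n' "$text" | grep -q 'CA:TRUE'; then
    echo "FAIL 4: $cert is a CA certificate, not a server certificate" >&2; return 4
  fi

  # 5. SAN: clients match the hostname against the DNS entries of
  #    subjectAltName, not against the Common Name.
  if ! printf '%s\n' "$text" | grep -A1 'Subject Alternative Name' \
       | grep -Eq "DNS:$host"'(,|$)'; then
    echo "FAIL 5: subjectAltName of $cert does not list DNS:$host" >&2; return 5
  fi
  return 0
}

# Build a throwaway CA and server certificate for HOSTNAME into DIR so the
# checks can be exercised offline. Constructed test data only: on the Satellite,
# point check_satellite_cert at the files under /root/satellite_cert instead.
make_test_pki() {
  dir=$1 host=$2 days=${3:-3650}
  printf 'basicConstraints = critical, CA:TRUE\nkeyUsage = keyCertSign, cRLSign\n' >"$dir/ca_ext.cnf"
  printf 'basicConstraints = CA:FALSE\nkeyUsage = digitalSignature, keyEncipherment\nextendedKeyUsage = serverAuth, clientAuth\nsubjectAltName = DNS:%s\n' "$host" >"$dir/srv_ext.cnf"
  # CA: a CSR self-signed with its own key; its CN deliberately differs from the host.
  openssl req -new -newkey rsa:2048 -nodes -keyout "$dir/ca_key.pem" -out "$dir/ca_csr.pem" \
    -subj "/O=My Company/CN=My Company Satellite CA" >/dev/null 2>&1
  openssl x509 -req -in "$dir/ca_csr.pem" -signkey "$dir/ca_key.pem" -days 3650 \
    -extfile "$dir/ca_ext.cnf" -out "$dir/ca_crt.pem" >/dev/null 2>&1
  # Server: CSR signed by the CA with the server extensions (SAN included).
  openssl req -new -newkey rsa:2048 -nodes -keyout "$dir/key.pem" -out "$dir/csr.pem" \
    -subj "/O=My Company/CN=$host" >/dev/null 2>&1
  openssl x509 -req -in "$dir/csr.pem" -CA "$dir/ca_crt.pem" -CAkey "$dir/ca_key.pem" \
    -CAcreateserial -days "$days" -extfile "$dir/srv_ext.cnf" -out "$dir/crt.pem" >/dev/null 2>&1
}

# Demo: generate the constructed test set, check it, and clean up.
demo_dir=$(mktemp -d)
make_test_pki "$demo_dir" satellite.example.com
if check_satellite_cert "$demo_dir/crt.pem" "$demo_dir/key.pem" "$demo_dir/ca_crt.pem" satellite.example.com; then
  echo "PASS: certificate set is ready for katello-certs-check"
fi
rm -rf "$demo_dir"
```

The return code names the first failed check, so the script can be dropped into a pre-upgrade checklist; check 3 is also a quick way to confirm, before starting, whether the certificates currently installed on an unmaintained Satellite have already expired.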
Update Certificates on the Satellite
This step updates the certificates on all Satellite components that need them. During my troubleshooting I noticed that the certificate was not updated in Tomcat. However, according to the documentation, Tomcat never uses the certificates we are creating.
# satellite-installer \
--scenario satellite \
--certs-server-cert "/root/satellite_cert/satellite_cert_crt.pem" \
--certs-server-key "/root/satellite_cert/satellite_cert_key.pem" \
--certs-server-ca-cert "/root/satellite_cert/satellite_cert_ca_crt.pem" \
--certs-update-server \
--certs-update-server-ca
Check hammer
If the update was successful, check that hammer works:
# hammer location list
---|-------|------|------------
ID | TITLE | NAME | DESCRIPTION
---|-------|------|------------
2  | PROD  | PROD | Production
---|-------|------|------------
Finishing
Work done! You can now proceed with the Satellite upgrade. I hope this article has helped you in some way. If you need help, send me a message and I'll try to assist.