Description of problem:

Based on the wording from the error returned from the katello-certs-check performed during the upgrade from Satellite 6.15 > 6.16. It would appear that a CA cert with trust rules should not be treated as a failure/error but instead a warning. If the CA cert is known to have no issues with containing trust rules, then the upgrade should be possible without having to remove this check manually from the katello-certs-check script. A whitelist option for the upgrade would be nice.

How reproducible:

Every time

Is this issue a regression from an earlier version:

No

Steps to Reproduce:

1. Create a Satellite with a CA that contains trust rules

2. Try to upgrade the Satellite 6.16

3.

Actual behavior:
Upgrade fails because trust rules are present:

Checking CA bundle size: 2
[OK]
Checking if CA bundle has trust rules: 1
[FAIL]
The CA bundle contains 1 certificate(s) with trust rules. This may create problems for older systems to trust the bundle. Ple
ase, recreate the bundle using certificates without trust rules
Checking Subject Alt Name on certificate
[OK]

Expected behavior:
A warning should be given to the user and the upgrade should fail with a message to whitelist the option for checking for trust rules.

A whitelist option should be available to skip the katello-certs-check on the installer.

Business Impact / Additional info:

upgrade and cert change failure imminent