Feature Request
Resolution: Unresolved
6.16.0
To Do
Description of problem:
- katello-certs-check for capsule certificate generation should validate if the CA bundle provided with the -b parameter is the same as the Satellite's
Version-Release number of selected component (if applicable):
- Red Hat Satellite 6.16
How reproducible:
- Always
Is this issue a regression from an earlier version:
- No
Steps to Reproduce:
1. Procure a certificate for the Capsule. This should be from a different CA than the Satellite.
2. Execute the following command to validate and generate the certificate tar.
~~~
katello-certs-check -t capsule -c cert.crt -k key.pem -b ca_bundle.pem
~~~
3. Apply the generated tar on the Capsule.
Actual behavior:
- The certificate installation fails with the following error.
~~~
2025-03-25 12:04:08 [ERROR ] [configure] /Stage[main]/Foreman_proxy::Register/Foreman_host[foreman-proxy-capsule.example.com]: Could not evaluate: Exception SSL_connect returned=1 errno=0 peeraddr=192.168.1.2:443 state=error: certificate verify failed (self-signed certificate in certificate chain) in get request to: https://satellite.example.com/api/v2/hosts?search=name%3D%22capsule.example.com%22
~~~
The error is expected as the CA bundle of the Satellite does not match the Capsule's.
Expected behavior:
The katello-certs-check should fail when the CA bundles are different. This would prevent situations where the user proceeds with the process, only for it to fail later at the satellite-installer.
Business Impact / Additional info:
- Although the documentation mandates that we use the same CA for the certificates for Satellite and Capsule, it is not always possible and we have a workaround for such scenarios in this article.
https://access.redhat.com/solutions/3989601
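
An added example, not part of the original report and not katello-certs-check's own code: one way the requested pre-flight check could work, by comparing SHA-256 fingerprints of the certificates in the Satellite's CA file with those in the bundle passed via -b. The function names and the sample PEM blocks (placeholder bytes, not real X.509) are constructed for illustration.

```python
import base64
import hashlib
import re

PEM_CERT = re.compile(
    r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", re.DOTALL
)


def bundle_fingerprints(pem_text):
    """Return {sha256 of DER: position in file} for each certificate in a PEM bundle."""
    prints = {}
    for index, match in enumerate(PEM_CERT.finditer(pem_text), start=1):
        # Hash the decoded DER so line wrapping, CRLF and comments do not matter.
        der = base64.b64decode("".join(match.group(1).split()), validate=True)
        prints.setdefault(hashlib.sha256(der).hexdigest(), index)
    return prints


def missing_satellite_cas(satellite_ca_pem, capsule_bundle_pem):
    """Positions of Satellite CA certificates that are absent from the -b bundle."""
    wanted = bundle_fingerprints(satellite_ca_pem)
    if not wanted:
        raise ValueError("no certificates found in the Satellite CA file")
    offered = bundle_fingerprints(capsule_bundle_pem)
    return sorted(pos for fp, pos in wanted.items() if fp not in offered)


def constructed_pem(body, width=64, newline="\n"):
    # Constructed stand-in: PEM framing around placeholder bytes, NOT real X.509.
    b64 = base64.b64encode(body).decode()
    lines = [b64[i:i + width] for i in range(0, len(b64), width)]
    return newline.join(
        ["-----BEGIN CERTIFICATE-----", *lines, "-----END CERTIFICATE-----", ""]
    )


SAT_ROOT = constructed_pem(b"constructed Satellite root CA " * 8)
OTHER_ROOT = constructed_pem(b"constructed unrelated CA " * 8)

if __name__ == "__main__":
    # Capsule bundle from a different CA: the Satellite's CA (position 1) is missing.
    print("different CA:", missing_satellite_cas(SAT_ROOT, OTHER_ROOT))
    # Bundle that carries both CAs: nothing is missing.
    print("combined bundle:", missing_satellite_cas(SAT_ROOT, OTHER_ROOT + SAT_ROOT))
```

This is a membership test on byte-identical certificates, not X.509 path validation, so a non-empty result means the bundle given to -b cannot anchor the Satellite's chain as supplied.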