Satellite / SAT-35304

Unable to revert to default self-signed certificates after applying custom CA certs on satellite 6.18

    • Rejected
    • Manual

      As explained in https://docs.redhat.com/en/documentation/red_hat_satellite/6.17/html-single/installing_satellite_server_in_a_connected_network_environment/index#resetting-custom-ssl-certificate-to-default-self-signed-certificate-on-satellite_satellite, the following is good enough to revert the installed custom certificates to a self-signed certificate issued by Satellite itself:

      ```
      satellite-installer --certs-reset
      ```

      But execution of the same fails on Satellite 6.18, at the very last stage.

      Steps to Reproduce: 

      • Install Satellite 6.18 with custom certs
      • Verify that everything is working
      • Check the certificates inside the /root/ssl-build, /etc/foreman and /etc/foreman-proxy dirs
      • Revert to default self-signed certs using `satellite-installer --certs-reset`
      • Check the certificates inside the /root/ssl-build, /etc/foreman and /etc/foreman-proxy dirs again

       

      Actual Behavior:

      The `--certs-reset` action fails with the following error:

      ```
      # satellite-installer --certs-reset
      2025-06-20 19:41:21 [NOTICE] [root] Loading installer configuration. This will take some time.
      2025-06-20 19:41:24 [NOTICE] [root] Running installer with log based terminal output at level NOTICE.
      2025-06-20 19:41:24 [NOTICE] [root] Use -l to set the terminal output log level to ERROR, WARN, NOTICE, INFO, or DEBUG. See --full-help for definitions.
      2025-06-20 19:41:25 [NOTICE] [checks] System checks passed
      Package versions are locked. Continuing with unlock.
      Marking certificate /root/ssl-build/katello-server-ca for update
      2025-06-20 19:41:31 [NOTICE] [configure] Starting system configuration.
      2025-06-20 19:41:36 [NOTICE] [configure] 250 configuration steps out of 1778 steps complete.
      2025-06-20 19:41:37 [NOTICE] [configure] 500 configuration steps out of 2363 steps complete.
      2025-06-20 19:41:37 [NOTICE] [configure] 750 configuration steps out of 2363 steps complete.
      2025-06-20 19:41:37 [NOTICE] [configure] 1000 configuration steps out of 2369 steps complete.
      2025-06-20 19:41:38 [NOTICE] [configure] 1250 configuration steps out of 2372 steps complete.
      2025-06-20 19:41:39 [NOTICE] [configure] 1500 configuration steps out of 2379 steps complete.
      2025-06-20 19:41:39 [NOTICE] [configure] 1750 configuration steps out of 2384 steps complete.
      2025-06-20 19:41:39 [NOTICE] [configure] 2000 configuration steps out of 2385 steps complete.
      2025-06-20 19:41:59 [NOTICE] [configure] 2250 configuration steps out of 2385 steps complete.
      2025-06-20 19:41:59 [ERROR ] [configure] Exception SSL_connect returned=1 errno=0 peeraddr=192.168.125.4:443 state=error: certificate verify failed (unable to get local issuer certificate) in post request to: https://satellite618.lab.example.com/api/v2/hosts/facts
      2025-06-20 19:41:59 [ERROR ] [configure] Wrapped exception:
      2025-06-20 19:41:59 [ERROR ] [configure] SSL_connect returned=1 errno=0 peeraddr=192.168.125.4:443 state=error: certificate verify failed (unable to get local issuer certificate)
      2025-06-20 19:41:59 [ERROR ] [configure] /Stage[main]/Foreman::Register/Foreman_host[foreman-satellite618.lab.example.com]/ensure: change from 'absent' to 'present' failed: Exception SSL_connect returned=1 errno=0 peeraddr=192.168.125.4:443 state=error: certificate verify failed (unable to get local issuer certificate) in post request to: https://satellite618.lab.example.com/api/v2/hosts/facts
      2025-06-20 19:42:00 [ERROR ] [configure] /Stage[main]/Foreman_proxy::Register/Foreman_host[foreman-proxy-satellite618.lab.example.com]: Could not evaluate: Exception SSL_connect returned=1 errno=0 peeraddr=192.168.125.4:443 state=error: certificate verify failed (unable to get local issuer certificate) in get request to: https://satellite618.lab.example.com/api/v2/hosts?search=name%3D%22satellite618.lab.example.com%22
      2025-06-20 19:42:00 [ERROR ] [configure] Wrapped exception:
      ..
      ```


      The satellite-answers file also has the expected fields (related to the custom certs) unset.

      And investigating the certs, while the CA seems to have been reset, the cert issued for Satellite (as well as Apache) still uses the old custom-CA-signed cert.

      i.e.

      • /root/ssl-build/satellite618.lab.example.com/satellite618.lab.example.com-apache.crt is still the old one
      • /root/ssl-build/satellite618.lab.example.com/satellite618.lab.example.com-foreman-proxy.crt is also the old one
      • /etc/pki/katello/certs/katello-apache.crt is also the old one
      • /etc/foreman-proxy/ssl_cert.pem is also the old one

       

      Expected Behavior:

      This process should work, and the apache and foreman-proxy certs should also be re-issued by the self-signed CA and deployed accordingly.

      This is an important installer flag which should work properly like it did for the older versions, or else the steps in the documentation need to be corrected, in case additional installer flags are needed.

       

      Additional Notes:

      The only way to fix this is using `satellite-installer --certs-reset --certs-update-server`. Only then does the installer mark all three of these certs for update and actually update them:

      ```
      # satellite-installer --certs-reset --certs-update-server
      ..
      Marking certificate /root/ssl-build/satellite618.lab.example.com/satellite618.lab.example.com-apache for update
      Marking certificate /root/ssl-build/satellite618.lab.example.com/satellite618.lab.example.com-foreman-proxy for update
      Marking certificate /root/ssl-build/katello-server-ca for update
      ```

              ekohlvan@redhat.com Ewoud Kohl van Wijngaarden
              rhn-support-saydas Sayan Das
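
      One way to carry out the "check the certificates" steps and confirm the state reported above, as an added example that is not part of the original report or of the installer. `stale_certs`, `make_ca`, `issue` and `demo` are hypothetical helpers, the CAs and certificates built by `demo` are constructed throwaway data, and the `.crt` suffix on the CA path in the final comment is an assumption.

```bash
#!/usr/bin/env bash
# Added example: flag certificates that were not issued by the current CA.

# stale_certs CA_FILE CERT...
# Reports each certificate and returns how many do NOT chain to CA_FILE.
stale_certs() {
  local ca=$1 stale=0 cert; shift
  for cert in "$@"; do
    # -no-CAfile/-no-CApath: trust only $ca, never the system trust store.
    if openssl verify -no-CAfile -no-CApath -CAfile "$ca" "$cert" >/dev/null 2>&1; then
      echo "OK    $cert"
    else
      echo "STALE $cert $(openssl x509 -in "$cert" -noout -issuer 2>/dev/null)"
      stale=$((stale + 1))
    fi
  done
  return "$stale"
}

# make_ca DIR NAME: constructed throwaway self-signed CA (DIR/NAME.crt, .key).
make_ca() {
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=$2" \
    -keyout "$1/$2.key" -out "$1/$2.crt" 2>/dev/null
}

# issue DIR CA NAME: constructed leaf certificate DIR/NAME.crt signed by CA.
issue() {
  openssl req -newkey rsa:2048 -nodes -subj "/CN=$3" \
    -keyout "$1/$3.key" -out "$1/$3.csr" 2>/dev/null
  openssl x509 -req -in "$1/$3.csr" -CA "$1/$2.crt" -CAkey "$1/$2.key" \
    -CAcreateserial -days 1 -out "$1/$3.crt" 2>/dev/null
}

# Reproduces the reported state with constructed data: the CA has been
# regenerated, but one server certificate is still signed by the old custom CA.
demo() {
  local d rc=0
  d=$(mktemp -d) || return 99
  make_ca "$d" custom-ca && make_ca "$d" katello-server-ca &&
    issue "$d" custom-ca apache && issue "$d" katello-server-ca foreman-proxy || rc=99
  [ "$rc" -eq 0 ] && { stale_certs "$d/katello-server-ca.crt" \
    "$d/apache.crt" "$d/foreman-proxy.crt"; rc=$?; }
  rm -rf "$d"
  return "$rc"
}

# On a Satellite server (paths from the report; CA .crt suffix is assumed):
# stale_certs /root/ssl-build/katello-server-ca.crt /etc/pki/katello/certs/katello-apache.crt /etc/foreman-proxy/ssl_cert.pem
demo || echo "certificates not issued by the current CA: $?"
```

      A non-zero return from `stale_certs` after `--certs-reset` means a server certificate is still signed by the previous CA, which matches the `unable to get local issuer certificate` error in the installer log.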