Satellite / SAT-41516

All communication should happen only over https during global registration execution

    • Proton Refinement Backlog
    • sat-proton

      Description of problem:

      Global Registration fails to complete registration when port 80 is blocked.
      Although the system is successfully registered with subscription-manager, the host fails to report back to Foreman and remains stuck in “Pending installation” state.

      The failure occurs because the Global Registration workflow attempts to call the /unattended/built endpoint over HTTP (port 80) instead of HTTPS. In secured environments where port 80 is blocked, the host initialization script fails and registration cannot be completed.


      How reproducible:

      100% reproducible in environments where port 80 is blocked on the Satellite server.


      Is this issue a regression from an earlier version:

      yes.


      Steps to Reproduce:

      1. Deploy a Red Hat Satellite server with port 80 blocked by firewall/security policy.
      2. Register a host using the Global Registration template, for example:

      curl --silent --show-error \
      'https://satellite.example.com/register?activation_keys=AK_RHEL8&hostgroup_id=13' \
      --header 'Authorization: Bearer <token>' | bash

      3. Observe the registration output and Satellite UI.

      Actual behavior:

      • Host registers successfully with subscription-manager.
      • System facts are uploaded.
      • Host initialization script fails with:

      ERROR: Host [client.example.com] configured, but failed to report status to Foreman
      Host initialization script failed

      • In Satellite UI, host remains in Pending installation (build mode).
      • The workflow fails because /unattended/built endpoint is called over HTTP (port 80).

      Expected behavior:

      Global Registration should complete fully over HTTPS (port 443) without requiring port 80.
      The host should exit build mode and appear as successfully registered in Satellite.


      Business Impact / Additional info:

      • Blocks Global Registration in hardened and regulated environments.
      • Violates security policies where inbound HTTP is not permitted.
      • Forces customers to open port 80.
      • Prevents automated onboarding of hosts using Global Registration.

      Workaround

      Manually change:

      Settings → Provisioning → Unattended URL

      From:

      http://satellite.example.com

      To:

      https://satellite.example.com

      ⚠ This workaround breaks OS provisioning workflows that rely on HTTP.


      Additional Notes

      Global Registration performs multiple post-registration actions (facts upload, insights, SSH keys, host initialization). The final step requires calling /unattended/built to exit build mode, which currently depends on HTTP.


       

      Acceptance Criteria

      1. Block port 80 on the Satellite server.
      2. Add the Satellite CA certificate to a host.
      3. Register the host (without the insecure option).
      4. Confirm that no errors are reported.

              Unassigned Unassigned
              rhn-support-sadas Satyajit Das
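One way to check the acceptance criteria before a registration script is executed: save the script to a file instead of piping it to bash, then list every cleartext http:// URL it would call. This is an added example, not part of the original issue or of Satellite's own code; the function names and the sample script are constructed for illustration.

```shell
#!/usr/bin/env bash
# Added example: audit a saved Global Registration script for cleartext HTTP.
# In practice, save the script first (URL and header as in the issue):
#   curl --silent --show-error -o register.sh \
#     'https://satellite.example.com/register?activation_keys=AK_RHEL8&hostgroup_id=13' \
#     --header 'Authorization: Bearer <token>'
#   audit_registration_script register.sh && bash register.sh

# Print each distinct http:// URL found on non-comment lines of stdin.
# "https://" never matches because the pattern requires "http" followed by ":".
plain_http_urls() {
  sed -E '/^[[:space:]]*#/d' \
    | { grep -oE "http://[^[:space:]\"'<>|)]+" || true; } \
    | sort -u
}

# Return 0 if the script at $1 contains no plain-HTTP URL, 1 otherwise.
# Offending URLs are reported on stderr.
audit_registration_script() {
  hits=$(plain_http_urls < "$1")
  if [ -n "$hits" ]; then
    printf '%s\n' "$hits" | sed 's/^/cleartext endpoint: /' >&2
    return 1
  fi
  return 0
}

# Constructed sample input, NOT real Satellite template output. It mimics the
# reported behaviour: the final "built" call goes to port 80.
sample_script() {
  cat <<'EOF'
#!/bin/sh
# docs: http://docs.example.com/registration (comment line, ignored)
subscription-manager register --org="Example" --activationkey="AK_RHEL8"
curl --silent --show-error -o /dev/null "http://satellite.example.com/unattended/built"
curl --silent --show-error "https://satellite.example.com/rhsm"
EOF
}
```

The check only sees literal URLs; an endpoint assembled from variables at run time is caught only where the http:// prefix itself appears in the script.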