  1. Satellite
  2. SAT-41516

All communication should happen only over https during global registration execution


    • 3
    • False
    • Proton Prioritized Backlog
    • sat-proton
    • None
    • None
    • None
    • To Do

      Description of problem:

      Global Registration fails to complete registration when port 80 is blocked.
      Although the system is successfully registered with subscription-manager, the host fails to report back to Foreman and remains stuck in “Pending installation” state.

      The failure occurs because the Global Registration workflow attempts to call the /unattended/built endpoint over HTTP (port 80) instead of HTTPS. In secured environments where port 80 is blocked, the host initialization script fails and registration cannot be completed.


      How reproducible:

      100% reproducible in environments where port 80 is blocked on the Satellite server.


      Is this issue a regression from an earlier version:

      Yes.


      Steps to Reproduce:

      1. Deploy a Red Hat Satellite server with port 80 blocked by firewall/security policy.
      2. Register a host using the Global Registration template, for example:

         curl --silent --show-error \
           'https://satellite.example.com/register?activation_keys=AK_RHEL8&hostgroup_id=13' \
           --header 'Authorization: Bearer <token>' | bash

      3. Observe the registration output and Satellite UI.

      Actual behavior:

      • Host registers successfully with subscription-manager.
      • System facts are uploaded.
      • Host initialization script fails with:

          ERROR: Host [client.example.com] configured, but failed to report status to Foreman
          Host initialization script failed

      • In Satellite UI, host remains in Pending installation (build mode).
      • The workflow fails because /unattended/built endpoint is called over HTTP (port 80).

      Expected behavior:

      Global Registration should complete fully over HTTPS (port 443) without requiring port 80.
      The host should exit build mode and appear as successfully registered in Satellite.


      Business Impact / Additional info:

      • Blocks Global Registration in hardened and regulated environments.
      • Violates security policies where inbound HTTP is not permitted.
      • Forces customers to open port 80.
      • Prevents automated onboarding of hosts using Global Registration.

      Workaround

      Manually change:

      Settings → Provisioning → Unattended URL

      From:

      http://satellite.example.com

      To:

      https://satellite.example.com

      ⚠ This workaround breaks OS provisioning workflows that rely on HTTP.


      Additional Notes

      Global Registration performs multiple post-registration actions (facts upload, insights, SSH keys, host initialization). The final step requires calling /unattended/built to exit build mode, which currently depends on HTTP.
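
A pre-flight check for the condition described above, as an added example that is not part of the original issue or Satellite's own code: it scans a saved registration script for plaintext `http://` URLs before the script is executed. The embedded sample script is constructed for illustration and is not real template output; the function names are hypothetical.

```shell
#!/usr/bin/env bash
# Added example: audit a saved registration script for plaintext-HTTP URLs.

# Constructed sample, NOT real Satellite template output. It only mimics the
# shape of the failure in this issue: the final callback uses http://.
sample_script() {
  cat <<'EOF'
#!/bin/sh
# docs: http://example.com/not-a-real-call
subscription-manager register --org=ORG --activationkey=AK_RHEL8
curl --silent -X POST 'https://satellite.example.com/api/hosts/facts'
curl --silent -o /dev/null 'http://satellite.example.com/unattended/built'
EOF
}

# find_http_urls: read a script on stdin and print "LINE<TAB>URL" for every
# http:// URL that appears outside full-line comments.
find_http_urls() {
  awk -v q="'" '
    BEGIN { re = "http://[^ \t\"" q "]+" }   # URL ends at space or quote
    /^[ \t]*#/ { next }                       # ignore full-line comments
    {
      line = $0
      while (match(line, re)) {
        printf "%d\t%s\n", NR, substr(line, RSTART, RLENGTH)
        line = substr(line, RSTART + RLENGTH)
      }
    }'
}

# audit_script: return 0 when the script on stdin makes no plaintext-HTTP
# reference, otherwise print the findings and return 1.
audit_script() {
  findings=$(find_http_urls)
  [ -z "$findings" ] && return 0
  printf '%s\n' "$findings"
  return 1
}
```

To use it, save the output of the `/register` request to a file instead of piping it to `bash`, then run `audit_script < saved-script.sh`; a non-zero exit means the script would still need port 80.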


       

      Testing Steps

      1. Block port 80 on the Satellite server
      2. Register a host (without the insecure option)
      3. Make sure you don't see any errors

      Acceptance Criteria

      • The built snippet is altered to conditionally force HTTPS (override).
      • Registration requires HTTPS only.

       

      Check with rocket on running automation on this once tested.

              Unassigned Unassigned
              rhn-support-sadas Satyajit Das