This repository has been archived by the owner on Nov 24, 2021. It is now read-only.

Fixes #24815 - Update SAN check to warning and clean up script. #681

Merged
merged 1 commit into from
Sep 5, 2018

Conversation

chris1984 (Member)

No description provided.

theforeman-bot

Issues: #24815

chris1984 changed the title from "Fixes #24815 - Update SAN check to fail and clean up script." to "Fixes #24815 - Update SAN check to warning and clean up script." on Sep 4, 2018
chris1984 (Member, Author)

Output:

With cert matching hostname with all checks passing:

[root@satellite1 ~]# ./katello-certs-check -b ca.pem -k server.key -c server.crt 
Checking server certificate encoding: 
[OK]

Checking expiration of certificate: 
[OK]

Checking expiration of CA bundle: 
[OK]

Checking if server certificate has CA:TRUE flag
[OK]

Checking to see if the private key matches the certificate: 
[OK]

Checking CA bundle against the certificate file: 
[OK]

Checking Subject Alt Name on certificate
[OK]

Checking Key Usage extension on certificate for Key Encipherment
[OK]

Validation succeeded


To install the Katello main server with the custom certificates, run:

    foreman-installer --scenario katello\
                      --certs-server-cert "/root/server.crt"\
                      --certs-server-key "/root/server.key"\
                      --certs-server-ca-cert "/root/ca.pem"

To update the certificates on a currently running Katello installation, run:

    foreman-installer --scenario katello\
                      --certs-server-cert "/root/server.crt"\
                      --certs-server-key "/root/server.key"\
                      --certs-server-ca-cert "/root/ca.pem"\
                      --certs-update-server --certs-update-server-ca

With cert not matching hostname with all checks passing:

[root@satellite1 capsule]# /root/katello-certs-check -b ca.pem -k server.key -c server.crt 
Checking server certificate encoding: 
[OK]

Checking expiration of certificate: 
[OK]

Checking expiration of CA bundle: 
[OK]

Checking if server certificate has CA:TRUE flag
[OK]

Checking to see if the private key matches the certificate: 
[OK]

Checking CA bundle against the certificate file: 
[OK]

Checking Subject Alt Name on certificate
[OK]

Checking Key Usage extension on certificate for Key Encipherment
[OK]

Validation succeeded


  To use them inside a NEW $FOREMAN_PROXY, run this command:

      foreman-proxy-certs-generate --foreman-proxy-fqdn "$FOREMAN_PROXY"\
                                   --certs-tar  "~/$FOREMAN_PROXY-certs.tar"\
                                   --server-cert "/root/capsule/server.crt"\
                                   --server-key "/root/capsule/server.key"\
                                   --server-ca-cert "/root/capsule/ca.pem"\

  To use them inside an EXISTING $FOREMAN_PROXY, run this command INSTEAD:

      foreman-proxy-certs-generate --foreman-proxy-fqdn "$FOREMAN_PROXY"\
                                   --certs-tar  "~/$FOREMAN_PROXY-certs.tar"\
                                   --server-cert "/root/capsule/server.crt"\
                                   --server-key "/root/capsule/server.key"\
                                   --server-ca-cert "/root/capsule/ca.pem"\
                                   --certs-update-server

With cert failing:

[root@centos7-katello-3-7 centos7-katello-3-7.vault111.example.com]# ./katello-certs-check -b /root/ownca/cacert.crt -k centos7-katello-3-7.vault111.example.com.key -c centos7-katello-3-7.vault111.example.com.crt
Checking server certificate encoding: 
[OK]

Checking expiration of certificate: 
[OK]

Checking expiration of CA bundle: 
[OK]

Checking if server certificate has CA:TRUE flag 
[OK]

Checking to see if the private key matches the certificate: 
[OK]

Checking CA bundle against the certificate file: 
[OK]

Checking Subject Alt Name on certificate 
[WARNING]

The /root/ownca/centos7-katello-3-7.vault111.example.com/centos7-katello-3-7.vault111.example.com.crt does not contain a Subject Alt Name.
Checking Key Usage extension on certificate for Key Encipherment 
[FAIL]

The /root/ownca/centos7-katello-3-7.vault111.example.com/centos7-katello-3-7.vault111.example.com.crt does not allow for the 'Digital Signature' key usage.
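
The three transcripts above exercise seven checks (PEM encoding, expiry of the certificate and of the CA bundle, absence of CA:TRUE on the server certificate, key/certificate match, chain validation against the bundle, Subject Alt Name, and Key Usage), with a missing SAN now reported as a warning rather than a failure. The following is an added example, not the katello-certs-check script from this PR or from the Katello project: a POSIX shell reproduction of those checks using plain openssl. It builds its own throwaway CA plus a "good" leaf (SAN and Key Usage present) and a "bad" leaf (neither), so it runs offline; the hostname satellite1.example.com, the file names and the function names are all assumptions, and it assumes openssl 1.1.1 or 3.x on PATH and RSA keys.

```shell
#!/bin/sh
# Added example, not the katello-certs-check script from the PR: the seven checks
# shown in the PR output, reproduced with plain openssl. run_checks exits 0 when
# every check passed or only warned, and 1 on at least one hard failure.
# Assumptions: openssl (1.1.1 or 3.x) on PATH, RSA keys, and the throwaway test
# material generated below (constructed; satellite1.example.com is a placeholder).

set -u

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# Constructed material: a self-signed CA, a "good" leaf with SAN + Key Usage,
# and a "bad" leaf carrying neither extension. All files live under $WORK.
make_material() {
  printf '[req]\nprompt = no\ndistinguished_name = dn\n[dn]\nCN = placeholder\n' >"$WORK/req.cnf"
  printf 'basicConstraints = critical,CA:TRUE\n' >"$WORK/ca.ext"
  printf 'basicConstraints = CA:FALSE\nkeyUsage = digitalSignature,keyEncipherment\nsubjectAltName = DNS:satellite1.example.com\n' >"$WORK/good.ext"
  printf 'basicConstraints = CA:FALSE\n' >"$WORK/bad.ext"

  openssl req -config "$WORK/req.cnf" -new -newkey rsa:2048 -nodes -subj "/CN=Example Test CA" \
    -keyout "$WORK/ca.key" -out "$WORK/ca.csr" >/dev/null 2>&1
  openssl x509 -req -days 30 -in "$WORK/ca.csr" -signkey "$WORK/ca.key" \
    -extfile "$WORK/ca.ext" -out "$WORK/ca.pem" >/dev/null 2>&1
  for name in good bad; do
    openssl req -config "$WORK/req.cnf" -new -newkey rsa:2048 -nodes \
      -subj "/CN=satellite1.example.com" -keyout "$WORK/$name.key" -out "$WORK/$name.csr" >/dev/null 2>&1
    openssl x509 -req -days 30 -in "$WORK/$name.csr" -CA "$WORK/ca.pem" -CAkey "$WORK/ca.key" \
      -CAcreateserial -extfile "$WORK/$name.ext" -out "$WORK/$name.crt" >/dev/null 2>&1
  done
}

# 1. The file must parse as a PEM certificate.
check_encoding() { openssl x509 -in "$1" -inform PEM -noout >/dev/null 2>&1; }

# 2/3. Not expired (checkend 0 fails once notAfter is in the past). On a bundle
#      this only inspects the first certificate in the file.
check_not_expired() { openssl x509 -in "$1" -noout -checkend 0 >/dev/null 2>&1; }

# 4. A server certificate must not carry basicConstraints CA:TRUE.
check_not_ca() { ! openssl x509 -in "$1" -noout -text 2>/dev/null | grep -q 'CA:TRUE'; }

# 5. Private key ($1) and certificate ($2) must carry the same public key.
check_key_matches() {
  c=$(openssl x509 -in "$2" -noout -pubkey 2>/dev/null)
  k=$(openssl pkey -in "$1" -pubout 2>/dev/null)
  [ -n "$c" ] && [ "$c" = "$k" ]
}

# 6. Certificate ($2) must chain to the CA bundle ($1).
check_chain() { openssl verify -CAfile "$1" "$2" >/dev/null 2>&1; }

# 7. SAN present; the PR reports its absence as a warning only.
check_san() { openssl x509 -in "$1" -noout -text 2>/dev/null | grep -q 'Subject Alternative Name'; }

# 8. Key Usage must allow both Digital Signature and Key Encipherment (the PR
#    output labels the check by one bit and names the other in its message).
check_key_usage() {
  ku=$(openssl x509 -in "$1" -noout -text 2>/dev/null | grep -A1 'X509v3 Key Usage' | tail -n 1)
  case "$ku" in
    *"Digital Signature"*"Key Encipherment"*|*"Key Encipherment"*"Digital Signature"*) return 0 ;;
  esac
  return 1
}

# Print one label/result pair in the script's layout and propagate the status.
step() {
  label=$1; shift
  if "$@"; then printf 'Checking %s:\n[OK]\n\n' "$label"
  else printf 'Checking %s:\n[FAIL]\n\n' "$label"; return 1; fi
}

# Usage: run_checks CA_BUNDLE SERVER_KEY SERVER_CERT
run_checks() {
  ca=$1; key=$2; cert=$3; rc=0
  step "server certificate encoding" check_encoding "$cert" || rc=1
  step "expiration of certificate" check_not_expired "$cert" || rc=1
  step "expiration of CA bundle" check_not_expired "$ca" || rc=1
  step "if server certificate has CA:TRUE flag" check_not_ca "$cert" || rc=1
  step "to see if the private key matches the certificate" check_key_matches "$key" "$cert" || rc=1
  step "CA bundle against the certificate file" check_chain "$ca" "$cert" || rc=1
  if check_san "$cert"; then printf 'Checking Subject Alt Name on certificate:\n[OK]\n\n'
  else printf 'Checking Subject Alt Name on certificate:\n[WARNING]\n\nThe %s does not contain a Subject Alt Name.\n\n' "$cert"; fi
  step "Key Usage extension on certificate for Digital Signature and Key Encipherment" check_key_usage "$cert" || rc=1
  [ "$rc" -eq 0 ] && echo "Validation succeeded" || echo "Validation failed"
  return "$rc"
}

make_material
echo "== leaf with SAN and Key Usage =="
run_checks "$WORK/ca.pem" "$WORK/good.key" "$WORK/good.crt"
echo "== leaf without SAN or Key Usage =="
run_checks "$WORK/ca.pem" "$WORK/bad.key" "$WORK/bad.crt" || echo "(exit status 1, as expected)"
```

Two caveats worth keeping in mind when adapting this: `-checkend` on a multi-certificate bundle only looks at the first certificate, so a real bundle check should split the file and test each member; and although a missing SAN is only a warning here, as in the PR, browsers and most modern TLS clients ignore the CN entirely and will reject such a certificate for hostname verification, so the warning should be treated as a blocker for anything clients connect to.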

ehelms merged commit 0c88a64 into Katello:master on Sep 5, 2018
chris1984 deleted the update-kcc branch on September 18, 2018 at 17:03