Fixes #6875 - Ability to pass own server certs for apache and smart-proxy #94
Depends on theforeman/puppet-foreman_proxy_content#12 and theforeman/puppet-certs#25. Scratch builds are available here: http://koji.katello.org/koji/taskinfo?taskID=136040. For getting a custom CA and server certificates, one can use https://github.com/iNecas/ownca
Howto is described in the README: https://github.com/iNecas/katello-installer/blob/issue/6875/README.md#certificates
@iNecas can you give me an explanation of what the options here do vs what the certs module is designed to do? My first impression is that these options are something the certs module should handle since it's the authority on certs.
The issue with passing the options to regenerate some certificates directly to puppet-certs is that the values get memorized when calling katello-installer. That means we would keep regenerating the certs on every katello-installer run. We probably could pass the arguments to puppet-certs, but we would still need some hooks logic to keep the regenerate options false unless they are explicitly passed as true to the installer. Would you like that one better?
| @@ -85,6 +85,106 @@ Install without RVM | |||
| katello-devel-installer --katello-use-rvm false | |||
| ``` | |||
|
|
| ### Certificates | |||
|
|
| Katello installer comes with a default CA used both for the sever ssl | |||
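Review bot: besides the s/sever/server and s/ssl/SSL fixes, this Certificates section should spell out when the two update flags are needed: server certificates that are already deployed are only replaced when --certs-update-server is passed together with the new --certs-server-* files, and a changed CA additionally needs --certs-update-server-ca. The test run reported later in this thread stalled twice on exactly that, so a one-line note here, e.g. "To replace certificates that are already deployed, also pass --certs-update-server (and --certs-update-server-ca when the CA changed)", would save the next reader the same detour.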
s/sever/server
s/ssl/SSL
Correction on the scratch builds: http://koji.katello.org/koji/taskinfo?taskID=137381 (the old builds had no submodules updated)
|
|
| When using the custom server CA, the CA needs to be used for | ||
| the server certificates on the capsules as well. The certificates for | ||
| the capsule are deployed to the capsule though the use of the |
s/though/through
@iNecas After some thought, I am OK with the current approach as it keeps a cleaner boundary to the Puppet module that is attempting to enforce a state. In the future I think we should consider a mechanism within the server itself to re-generate or re-deploy certs via the Puppet master.
| app_option( | ||
| '--certs-update-server', | ||
| :flag, | ||
| "This options will enforce to update of the https certificates for given host", |
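Review bot: the description for --certs-update-server should say what happens without it, namely that new --certs-server-cert/--certs-server-key files are accepted but the certificates already deployed for the host are left as they are (the test report later in this thread only got httpd started once this flag was added). Suggest: "Force an update of the HTTPS certificates for the given host; required when passing new --certs-server-* files for a host that already has certificates deployed". The grammar of the current string ("This options will enforce to update of the https certificates") is already covered by the inline comment.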
This option will enforce an update of the HTTPS certificates
I've addressed the found issues. Thanks @ehelms for looking over it. @mccun934 could you give these changes a try? The updated scratch builds are available here: http://koji.katello.org/koji/taskinfo?taskID=137796
|
Started testing this, the --certs-update-server flag worked fine. Testing custom certs next, will hit that in the AM on Aug 13 PST
|
Tested this and got:

```
$ katello-installer --certs-server-cert /var/tmp/certs/myserver3.example.com.crt --certs-server-cert-req /var/tmp/certs/myserver3.example.com.crt.req --certs-server-key /var/tmp/certs/myserver3.example.com.key --certs-server-ca-cert /var/tmp/certs/cacert.crt
```

caused by this missing file in the config:

```
$ service httpd start
```

I verified that it is non-empty and does exist in my src directory. Debugging further
|
Got past the above, needed to pass in the --certs-update-server flag, now stuck getting the foreman-proxy to register, from proxy.log:

```
E, [2014-08-13T22:56:26.748794 #18483] ERROR -- : Unable to access the SSL keys. Are the values correct in settings.yml and do permissions allow reading?: header too long
```
|
and further success was achieved with the addition of the --certs-update-server-ca flag ACK |
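The test run above only went through once the new files were paired with --certs-update-server and, for the changed CA, --certs-update-server-ca, and a problem with the files themselves only surfaced when foreman-proxy tried to read its SSL keys ("header too long"). The script below is an added example, not code from katello-installer, ownca or this PR: it builds a throwaway CA and a CA-signed server certificate with the openssl CLI (standing in for ownca, whose interface it does not reproduce) and then runs the preflight checks worth doing before handing files to --certs-server-cert, --certs-server-key and --certs-server-ca-cert: each file parses as the PEM object expected, the private key matches the certificate, the certificate verifies against the CA, and the subject CN names the host. The function names, the directory layout and the host name myserver3.example.com (borrowed from the test report) are this example's own assumptions.

```shell
#!/bin/sh
# Added example, not part of katello-installer, ownca or this PR.
# Builds a throwaway CA plus a CA-signed server certificate with the openssl
# CLI (a stand-in for ownca; its interface is not reproduced here) and runs
# the checks worth doing before passing the files to katello-installer via
# --certs-server-cert / --certs-server-key / --certs-server-ca-cert.
# Function names, file layout and the host name are this example's own.
set -eu

# make_ca_and_server_cert DIR HOST
# Writes DIR/cacert.key, DIR/cacert.crt, DIR/HOST.key, DIR/HOST.crt.req, DIR/HOST.crt
make_ca_and_server_cert() {
  dir=$1; host=$2
  mkdir -p "$dir"
  # self-signed CA (the default openssl.cnf marks a "req -x509" cert as CA:TRUE)
  openssl req -x509 -newkey rsa:2048 -nodes -days 365 -subj "/CN=Example Test CA" \
    -keyout "$dir/cacert.key" -out "$dir/cacert.crt" 2>/dev/null
  # server key + CSR, then sign the CSR with the CA
  openssl req -newkey rsa:2048 -nodes -subj "/CN=$host" \
    -keyout "$dir/$host.key" -out "$dir/$host.crt.req" 2>/dev/null
  openssl x509 -req -in "$dir/$host.crt.req" -CA "$dir/cacert.crt" -CAkey "$dir/cacert.key" \
    -CAcreateserial -days 365 -out "$dir/$host.crt" 2>/dev/null
}

# check_server_certs CERT KEY CA HOST -> 0 if the bundle is consistent, 1 otherwise
check_server_certs() {
  cert=$1; key=$2; ca=$3; host=$4
  # 1. each file must be the PEM object openssl expects; a wrong or non-PEM
  #    file here is otherwise only noticed later, when a service tries to load it
  openssl x509 -in "$cert" -noout 2>/dev/null || { echo "not a PEM certificate: $cert"; return 1; }
  openssl x509 -in "$ca"   -noout 2>/dev/null || { echo "not a PEM certificate: $ca"; return 1; }
  openssl pkey -in "$key"  -noout 2>/dev/null || { echo "not a PEM private key: $key"; return 1; }
  # 2. the private key must belong to the certificate (compare the public keys)
  cert_pub=$(openssl x509 -in "$cert" -noout -pubkey | openssl pkey -pubin -outform DER | openssl dgst -sha256)
  key_pub=$(openssl pkey -in "$key" -pubout -outform DER | openssl dgst -sha256)
  [ "$cert_pub" = "$key_pub" ] || { echo "key does not match certificate"; return 1; }
  # 3. the certificate must chain to the CA handed to --certs-server-ca-cert
  openssl verify -CAfile "$ca" "$cert" >/dev/null 2>&1 || { echo "certificate not issued by $ca"; return 1; }
  # 4. the subject must name the host the services answer on
  openssl x509 -in "$cert" -noout -subject | grep -q "CN *= *$host" || { echo "subject CN is not $host"; return 1; }
  return 0
}

# Usage: sh preflight.sh DIR HOST   (creates constructed test certs in DIR)
if [ $# -eq 2 ]; then
  make_ca_and_server_cert "$1" "$2"
  check_server_certs "$1/$2.crt" "$1/$2.key" "$1/cacert.crt" "$2" \
    && echo "OK; pass them with --certs-update-server (and --certs-update-server-ca for a new CA)"
fi
```

The four checks are ordered so that the cheapest and most common mistakes (a DER file, a key from a different CSR, a certificate from the previous CA) are reported before the installer ever touches httpd or foreman-proxy; the file names follow the ones in the test report, so the resulting DIR/HOST.crt, DIR/HOST.key and DIR/cacert.crt map directly onto --certs-server-cert, --certs-server-key and --certs-server-ca-cert.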
|
Tested capsule-certs-generate as well. Works fine as well. Had to clear out my ssl-build dir and run it 2x to clear out some old broken certs but it worked
|
I've updated the dependencies theforeman/puppet-foreman_proxy_content#12 and theforeman/puppet-certs#25 to reflect the theforeman/puppet-pulp#25 change (expecting the ssl_ca_cert param to be renamed to server_ca_cert), and built new scratch builds here: http://koji.katello.org/koji/taskinfo?taskID=141316
|
ACK |
I've updated the submodules (together with changes from theforeman/puppet-pulp#25) that we depend on, merging
Fixes #6875 - Ability to pass own server certs for apache and smart-proxy
Adding require for content-view command
Also ability to renew the server or all certs
Fixes #6875 - Ability to pass own server certs for apache and smart-proxy - README