Chapter 4. Configuring Capsule Servers with custom SSL certificates for load balancing

Procedure

1. To store all the source certificate files, create a directory that is accessible only to the root user:

   # mkdir /root/capsule_cert

2. Create a private key with which to sign the certificate signing request (CSR).

   Note that the private key must be unencrypted. If you use a password-protected private key, remove the private key password.

   If you already have a private key for this Capsule Server, skip this step.

   # openssl genrsa -out /root/capsule_cert/capsule_cert_key.pem 4096

3. Create the /root/capsule_cert/openssl.cnf configuration file for the CSR and include the following content:

   [ req ]
   req_extensions = v3_req
   distinguished_name = req_distinguished_name
   x509_extensions = usr_cert
   prompt = no
   
   [ req_distinguished_name ]
   commonName = capsule.example.com 

   1

   
   
   [ v3_req ]
   basicConstraints = CA:FALSE
   keyUsage = digitalSignature, keyEncipherment
   extendedKeyUsage = serverAuth, clientAuth
   subjectAltName = @alt_names
   
   [alt_names] 

   2

   
   DNS.1 = loadbalancer.example.com
   DNS.2 = capsule.example.com

   1

   The certificate’s common name must match the FQDN of Capsule Server. Ensure to change this when running the command on each Capsule Server that you configure for load balancing. You can also set a wildcard value *. If you set a wildcard value, you must add the -t capsule option when you use the katello-certs-check command.

   2

   Under [alt_names], include the FQDN of the load balancer as DNS.1 and the FQDN of Capsule Server as DNS.2.

   For more information about the [ v3_req ] parameters and their purpose, see RFC 5280: Internet X.509 Public Key Infrastructure Certificate and Certificate Revocation List (CRL) Profile.

4. Optional: If you want to add Distinguished Name (DN) details to the CSR, add the following information to the [ req_distinguished_name ] section:

   [req_distinguished_name]
   CN = capsule.example.com
   countryName = My_Country_Name 

   1

   
   stateOrProvinceName = My_State_Or_Province_Name 

   2

   
   localityName = My_Locality_Name 

   3

   
   organizationName = My_Organization_Or_Company_Name
   organizationalUnitName = My_Organizational_Unit_Name 

   4

   1

   Two letter code

   2

   Full name

   3

   Full name (example: New York)

   4

   Division responsible for the certificate (example: IT department)

5. Generate CSR:

   # openssl req -new \
   -key /root/capsule_cert/capsule_cert_key.pem \ 

   1

   
   -config /root/capsule_cert/openssl.cnf \ 

   2

   
   -out /root/capsule_cert/capsule_cert_csr.pem 

   3

   1

   Path to the private key

   2

   Path to the configuration file

   3

   Path to the CSR to generate

6. Send the certificate signing request to the certificate authority (CA). The same CA must sign certificates for Satellite Server and Capsule Server.

   When you submit the request, specify the lifespan of the certificate. The method for sending the certificate request varies, so consult the CA for the preferred method. In response to the request, you can expect to receive a CA bundle and a signed certificate, in separate files.

7. Copy the Certificate Authority bundle and Capsule Server certificate file that you receive from the Certificate Authority, and Capsule Server private key to your Satellite Server.

8. On Satellite Server, validate Capsule Server certificate input files:

   # katello-certs-check \
   -c /root/capsule_cert/capsule_cert.pem \ 

   1

   
   -k /root/capsule_cert/capsule_cert_key.pem \ 

   2

   
   -b /root/capsule_cert/ca_cert_bundle.pem 

   3

   1

   Capsule Server certificate file, provided by your Certificate Authority

   2

   Capsule Server’s private key that you used to sign the certificate

   3

   Certificate Authority bundle, provided by your Certificate Authority

   If you set the commonName= to a wildcard value *, you must add the -t capsule option to the katello-certs-check command.

   Retain a copy of the example capsule-certs-generate command that is output by the katello-certs-check command for creating the Certificate Archive File for this Capsule Server.

Procedure

1. Append the following option to the capsule-certs-generate command that you obtain from the output of the katello-certs-check command:

   --foreman-proxy-cname loadbalancer.example.com

2. On Satellite Server, enter the capsule-certs-generate command to generate Capsule certificates:

   # capsule-certs-generate \
   --certs-tar /root/capsule_cert/capsule.tar \
   --foreman-proxy-cname loadbalancer.example.com \
   --foreman-proxy-fqdn capsule.example.com \
   --server-ca-cert /root/capsule_cert/ca_cert_bundle.pem \
   --server-cert /root/capsule_cert/capsule.pem \
   --server-key /root/capsule_cert/capsule.pem

   Retain a copy of the example satellite-installer command from the output for installing Capsule Server certificates.

3. Copy the certificate archive file from Satellite Server to Capsule Server:

   # scp /root/capsule.example.com-certs.tar root@capsule.example.com:capsule.example.com-certs.tar

4. Append the following options to the satellite-installer command that you obtain from the output of the capsule-certs-generate command:

   --certs-cname "loadbalancer.example.com" \
   --enable-foreman-proxy-plugin-remote-execution-script

5. On Capsule Server, enter the satellite-installer command:

   # satellite-installer --scenario capsule \
   --certs-cname "loadbalancer.example.com" \
   --certs-tar-file "capsule.example.com-certs.tar" \
   --enable-foreman-proxy-plugin-remote-execution-script \
   --foreman-proxy-foreman-base-url "https://satellite.example.com" \
   --foreman-proxy-oauth-consumer-key "oauth key" \
   --foreman-proxy-oauth-consumer-secret "oauth secret" \
   --foreman-proxy-register-in-foreman "true" \
   --foreman-proxy-trusted-hosts "satellite.example.com" \
   --foreman-proxy-trusted-hosts "capsule.example.com"