Red Hat Summit Red Hat SummitSupportConsoleDevelopersStart a trialContact

Chapter 6. Configuring Capsule Servers with custom SSL certificates for load balancing (with Puppet)

You can configure one or more Capsule Servers that use custom SSL certificates for load balancing.

6.1. Prerequisites
Copy link

On each Capsule Server you want to configure for load balancing, create a configuration file for the Certificate Signing Request and include the load balancer and Capsule Server as Subject Alternative Names (SAN).

Procedure

  1. To store all the source certificate files, create a directory that is accessible only to the root user: 

    # mkdir /root/capsule_cert
    Copy to Clipboard Toggle word wrap

  2. Create a private key with which to sign the certificate signing request (CSR).

    Note that the private key must be unencrypted. If you use a password-protected private key, remove the private key password.

    If you already have a private key for this Capsule Server, skip this step. 

    # openssl genrsa -out /root/capsule_cert/capsule_cert_key.pem 4096
    Copy to Clipboard Toggle word wrap

  3. Create the /root/capsule_cert/openssl.cnf configuration file for the CSR and include the following content: 

    [ req ]
req_extensions = v3_req
distinguished_name = req_distinguished_name
x509_extensions = usr_cert
prompt = no

[ req_distinguished_name ]
commonName = capsule.example.com
    1 
    

[ v3_req ]
basicConstraints = CA:FALSE
keyUsage = digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth, clientAuth
subjectAltName = @alt_names

[alt_names]
    2 
    
DNS.1 = loadbalancer.example.com
DNS.2 = capsule.example.com
    Copy to Clipboard Toggle word wrap
    1
    The certificate’s common name must match the FQDN of Capsule Server. Ensure to change this when running the command on each Capsule Server that you configure for load balancing. You can also set a wildcard value *. If you set a wildcard value, you must add the -t capsule option when you use the katello-certs-check command.
    2
    Under [alt_names], include the FQDN of the load balancer as DNS.1 and the FQDN of Capsule Server as DNS.2.

    For more information about the [ v3_req ] parameters and their purpose, see RFC 5280: Internet X.509 Public Key Infrastructure Certificate and Certificate Revocation List (CRL) Profile.

  4. Optional: If you want to add Distinguished Name (DN) details to the CSR, add the following information to the [ req_distinguished_name ] section: 

    [req_distinguished_name]
CN = capsule.example.com
countryName = My_Country_Name
    1 
    
stateOrProvinceName = My_State_Or_Province_Name
    2 
    
localityName = My_Locality_Name
    3 
    
organizationName = My_Organization_Or_Company_Name
organizationalUnitName = My_Organizational_Unit_Name
    4
    Copy to Clipboard Toggle word wrap
    1
    Two letter code
    2
    Full name
    3
    Full name (example: New York)
    4
    Division responsible for the certificate (example: IT department)

  5. Generate CSR: 

    # openssl req -new \
-key /root/capsule_cert/capsule_cert_key.pem \
    1 
    
-config /root/capsule_cert/openssl.cnf \
    2 
    
-out /root/capsule_cert/capsule_cert_csr.pem
    3
    Copy to Clipboard Toggle word wrap
    1
    Path to the private key
    2
    Path to the configuration file
    3
    Path to the CSR to generate

  6. Send the certificate signing request to the certificate authority (CA). The same CA must sign certificates for Satellite Server and Capsule Server.

    When you submit the request, specify the lifespan of the certificate. The method for sending the certificate request varies, so consult the CA for the preferred method. In response to the request, you can expect to receive a CA bundle and a signed certificate, in separate files.

  7. Copy the Certificate Authority bundle and Capsule Server certificate file that you receive from the Certificate Authority, and Capsule Server private key to your Satellite Server.

  8. On Satellite Server, validate Capsule Server certificate input files: 

    # katello-certs-check \
-c /root/capsule_cert/capsule_cert.pem \
    1 
    
-k /root/capsule_cert/capsule_cert_key.pem \
    2 
    
-b /root/capsule_cert/ca_cert_bundle.pem
    3
    Copy to Clipboard Toggle word wrap
    1
    Capsule Server certificate file, provided by your Certificate Authority
    2
    Capsule Server’s private key that you used to sign the certificate
    3
    Certificate Authority bundle, provided by your Certificate Authority

    If you set the commonName= to a wildcard value *, you must add the -t capsule option to the katello-certs-check command.

    Retain a copy of the example capsule-certs-generate command that is output by the katello-certs-check command for creating the Certificate Archive File for this Capsule Server.

On the Capsule Server that will generate Puppet certificates for all other load-balancing Capsule Servers, configure Puppet certificate generation and signing.

Procedure

  1. Append the following option to the capsule-certs-generate command that you obtain from the output of the katello-certs-check command: 

    --foreman-proxy-cname loadbalancer.example.com
    Copy to Clipboard Toggle word wrap

  2. On Satellite Server, enter the capsule-certs-generate command to generate Capsule certificates: 

    # capsule-certs-generate \
--certs-tar /root/capsule_cert/capsule-ca.tar \
--foreman-proxy-cname loadbalancer.example.com \
--foreman-proxy-fqdn capsule-ca.example.com \
--server-ca-cert /root/capsule_cert/ca_cert_bundle.pem \
--server-cert /root/capsule_cert/capsule-ca.pem \
--server-key /root/capsule_cert/capsule-ca.pem
    Copy to Clipboard Toggle word wrap

    Retain a copy of the example satellite-installer command from the output for installing Capsule Server certificates.

  3. Copy the certificate archive file from Satellite Server to Capsule Server.

  4. Append the following options to the satellite-installer command that you obtain from the output of the capsule-certs-generate command: 

    --enable-foreman-proxy-plugin-remote-execution-script \
--foreman-proxy-puppetca "true" \
--puppet-ca-server "capsule-ca.example.com" \
--puppet-dns-alt-names "loadbalancer.example.com" \
--puppet-server-ca "true"
    Copy to Clipboard Toggle word wrap

  5. On Capsule Server, enter the satellite-installer command: 

    # satellite-installer --scenario capsule \
--certs-cname "loadbalancer.example.com" \
--certs-tar-file "certs.tgz" \
--enable-foreman-proxy-plugin-remote-execution-script \
--enable-puppet \
--foreman-proxy-foreman-base-url "https://satellite.example.com" \
--foreman-proxy-oauth-consumer-key "oauth key" \
--foreman-proxy-oauth-consumer-secret "oauth secret" \
--foreman-proxy-puppetca "true" \
--foreman-proxy-register-in-foreman "true" \
--foreman-proxy-trusted-hosts "satellite.example.com" \
--foreman-proxy-trusted-hosts "capsule-ca.example.com" \
--puppet-ca-server "capsule-ca.example.com" \
--puppet-dns-alt-names "loadbalancer.example.com" \
--puppet-server true \
--puppet-server-ca "true"
    Copy to Clipboard Toggle word wrap

  6. On Capsule Server that is the Puppetserver Certificate Authority, stop the Puppet server: 

    # systemctl stop puppetserver
    Copy to Clipboard Toggle word wrap

  7. Generate Puppet certificates for all other Capsule Servers that you configure for load balancing, except the system where you first configured Puppet certificate signing: 

    # puppetserver ca generate \
--ca-client \
--certname capsule.example.com \
--subject-alt-names loadbalancer.example.com
    Copy to Clipboard Toggle word wrap

    This command creates the following files:

    • /etc/puppetlabs/puppet/ssl/certs/capsule.example.com.pem
    • /etc/puppetlabs/puppet/ssl/private_keys/capsule.example.com.pem
    • /etc/puppetlabs/puppet/ssl/public_keys/capsule.example.com.pem
    • /etc/puppetlabs/puppetserver/ca/signed/capsule.example.com.pem

  8. Start the Puppet server: 

    # systemctl start puppetserver
    Copy to Clipboard Toggle word wrap

On each load-balancing Capsule Server, excluding the Capsule Server configured to sign Puppet certificates, configure the system to use Puppet certificates.

Procedure

  1. Append the following option to the capsule-certs-generate command that you obtain from the output of the katello-certs-check command: 

    --foreman-proxy-cname loadbalancer.example.com
    Copy to Clipboard Toggle word wrap

  2. On Satellite Server, enter the capsule-certs-generate command to generate Capsule certificates: 

    # capsule-certs-generate \
--certs-tar /root/capsule_cert/capsule.tar \
--foreman-proxy-cname loadbalancer.example.com \
--foreman-proxy-fqdn capsule.example.com \
--server-ca-cert /root/capsule_cert/ca_cert_bundle.pem \
--server-cert /root/capsule_cert/capsule.pem \
--server-key /root/capsule_cert/capsule.pem
    Copy to Clipboard Toggle word wrap

    Retain a copy of the example satellite-installer command from the output for installing Capsule Server certificates.

  3. Copy the certificate archive file from Satellite Server to Capsule Server. 

    # scp /root/capsule.example.com-certs.tar root@capsule.example.com:capsule.example.com-certs.tar
    Copy to Clipboard Toggle word wrap

  4. On Capsule Server, install the puppetserver package: 

    # satellite-maintain packages install puppetserver
    Copy to Clipboard Toggle word wrap

  5. On Capsule Server, create directories for puppet certificates: 

    # mkdir -p /etc/puppetlabs/puppet/ssl/certs/ \
/etc/puppetlabs/puppet/ssl/private_keys/ \
/etc/puppetlabs/puppet/ssl/public_keys/
    Copy to Clipboard Toggle word wrap

  6. On Capsule Server, copy the Puppet certificates for this Capsule Server from the system where you configure Capsule Server to sign Puppet certificates: 

    # scp root@capsule-ca.example.com:/etc/puppetlabs/puppet/ssl/certs/capsule.example.com.pem /etc/puppetlabs/puppet/ssl/certs/capsule.example.com.pem
# scp root@capsule-ca.example.com:/etc/puppetlabs/puppet/ssl/certs/ca.pem /etc/puppetlabs/puppet/ssl/certs/ca.pem
# scp root@capsule-ca.example.com:/etc/puppetlabs/puppet/ssl/private_keys/capsule.example.com.pem /etc/puppetlabs/puppet/ssl/private_keys/capsule.example.com.pem
# scp root@capsule-ca.example.com:/etc/puppetlabs/puppet/ssl/public_keys/capsule.example.com.pem /etc/puppetlabs/puppet/ssl/public_keys/capsule.example.com.pem
    Copy to Clipboard Toggle word wrap

  7. On Capsule Server, change the /etc/puppetlabs/puppet/ssl/ directory ownership to user puppet and group puppet: 

    # chown -R puppet:puppet /etc/puppetlabs/puppet/ssl/
    Copy to Clipboard Toggle word wrap

  8. On Capsule Server, set the SELinux context for the /etc/puppetlabs/puppet/ssl/ directory: 

    # restorecon -Rv /etc/puppetlabs/puppet/ssl/
    Copy to Clipboard Toggle word wrap

  9. Append the following options to the satellite-installer command that you obtain from the output of the capsule-certs-generate command: 

    --certs-cname "loadbalancer.example.com" \
--enable-foreman-proxy-plugin-remote-execution-script \
--foreman-proxy-puppetca "false" \
--puppet-ca-server "capsule-ca.example.com" \
--puppet-dns-alt-names "loadbalancer.example.com" \
--puppet-server-ca "false"
    Copy to Clipboard Toggle word wrap

  10. On Capsule Server, enter the satellite-installer command: 

    # satellite-installer --scenario capsule \
--certs-cname "loadbalancer.example.com" \
--certs-tar-file "capsule.example.com-certs.tar" \
--enable-foreman-proxy-plugin-remote-execution-script \
--foreman-proxy-foreman-base-url "https://satellite.example.com" \
--foreman-proxy-oauth-consumer-key "oauth key" \
--foreman-proxy-oauth-consumer-secret "oauth secret" \
--foreman-proxy-puppetca "false" \
--foreman-proxy-register-in-foreman "true" \
--foreman-proxy-trusted-hosts "satellite.example.com" \
--foreman-proxy-trusted-hosts "capsule.example.com" \
--puppet-ca-server "capsule-ca.example.com" \
--puppet-dns-alt-names "loadbalancer.example.com" \
--puppet-server-ca "false"
    Copy to Clipboard Toggle word wrap

If you use Puppet, Puppet certificate signing is assigned to the first Capsule that you configure. If the first Capsule is down, hosts cannot obtain Puppet content.

Puppet Certificate Authority (CA) management does not support certificate signing in a load-balanced setup. Puppet CA stores certificate information, such as the serial number counter and CRL, on the file system. Multiple writer processes that attempt to use the same data can corrupt it.

To manage this Puppet limitation, complete the following steps:

  1. Configure Puppet certificate signing on one Capsule Server, typically the first system where you configure Capsule Server for load balancing.
  2. Configure the clients to send CA requests to port 8141 on a load balancer.
  3. Configure a load balancer to redirect CA requests from port 8141 to port 8140 on the system where you configure Capsule Server to sign Puppet certificates.

To troubleshoot issues, reproduce the issue on each Capsule, bypassing the load balancer. This solution does not use Pacemaker or other similar HA tools to maintain one state across all Capsules.

Red Hat logoGithubredditYoutubeTwitter

Learn

Try, buy, & sell

Communities

About Red Hat Documentation

We help Red Hat users innovate and achieve their goals with our products and services with content they can trust. Explore our recent updates.

Making open source more inclusive

Red Hat is committed to replacing problematic language in our code, documentation, and web properties. For more details, see the Red Hat Blog.

About Red Hat

We deliver hardened solutions that make it easier for enterprises to work across platforms and environments, from the core datacenter to the network edge.

Theme

© 2026 Red HatBack to top