Chapter 4. Configuring Capsule Servers with custom SSL certificates for load balancing
You can configure one or more Capsule Servers that use custom SSL certificates for load balancing. To do this, configure and install certificates on each Capsule Server you want to use for load balancing.
If you use Puppet in your Satellite deployment, the configuration steps are different. See Chapter 6, Configuring Capsule Servers with custom SSL certificates for load balancing (with Puppet).
4.1. Prerequisites
- Prepare a new Capsule Server to use for load balancing. See Chapter 2, Preparing Capsule Servers for load balancing.
- Review Section 1.2, “Services and features supported in a load-balanced setup”.
4.2. Creating a custom SSL certificate for Capsule Server
On each Capsule Server you want to configure for load balancing, create a configuration file for the Certificate Signing Request and include the load balancer and Capsule Server as Subject Alternative Names (SAN).
Procedure

1. To store all the source certificate files, create a directory that is accessible only to the root user:

   # mkdir /root/capsule_cert

2. Create a private key with which to sign the certificate signing request (CSR).

   Note that the private key must be unencrypted. If you use a password-protected private key, remove the private key password.

   If you already have a private key for this Capsule Server, skip this step.

   # openssl genrsa -out /root/capsule_cert/capsule_cert_key.pem 4096

3. Create the /root/capsule_cert/openssl.cnf configuration file for the CSR and include the following content:

   [ req ]
   req_extensions = v3_req
   distinguished_name = req_distinguished_name
   x509_extensions = usr_cert
   prompt = no

   [ req_distinguished_name ]
   commonName = capsule.example.com

   [ v3_req ]
   basicConstraints = CA:FALSE
   keyUsage = digitalSignature, nonRepudiation, keyEncipherment, dataEncipherment
   extendedKeyUsage = serverAuth, clientAuth, codeSigning, emailProtection
   subjectAltName = @alt_names

   [alt_names]
   DNS.1 = loadbalancer.example.com
   DNS.2 = capsule.example.com

   - commonName: The certificate’s common name must match the FQDN of Capsule Server. Change this value when you run the command on each Capsule Server that you configure for load balancing. You can also set a wildcard value *. If you set a wildcard value, you must add the -t capsule option when you use the katello-certs-check command.
   - [alt_names]: Under [alt_names], include the FQDN of the load balancer as DNS.1 and the FQDN of Capsule Server as DNS.2.

4. Optional: If you want to add Distinguished Name (DN) details to the CSR, add the following information to the [ req_distinguished_name ] section:

   [req_distinguished_name]
   CN = capsule.example.com
   countryName = My_Country_Name
   stateOrProvinceName = My_State_Or_Province_Name
   localityName = My_Locality_Name
   organizationName = My_Organization_Or_Company_Name
   organizationalUnitName = My_Organizational_Unit_Name

5. Generate the CSR:

   # openssl req -new \
   -key /root/capsule_cert/capsule_cert_key.pem \
   -config /root/capsule_cert/openssl.cnf \
   -out /root/capsule_cert/capsule_cert_csr.pem

6. Send the certificate signing request to the certificate authority (CA). The same CA must sign certificates for Satellite Server and Capsule Server.

   When you submit the request, specify the lifespan of the certificate. The method for sending the certificate request varies, so consult the CA for the preferred method. In response to the request, you can expect to receive a CA bundle and a signed certificate, in separate files.

7. Copy the Certificate Authority bundle and the Capsule Server certificate file that you receive from the Certificate Authority, together with the Capsule Server private key, to your Satellite Server.

8. On Satellite Server, validate the Capsule Server certificate input files:

   # katello-certs-check \
   -c /root/capsule_cert/capsule_cert.pem \
   -k /root/capsule_cert/capsule_cert_key.pem \
   -b /root/capsule_cert/ca_cert_bundle.pem

   If you set commonName= to the wildcard value *, you must add the -t capsule option to the katello-certs-check command.

   Retain a copy of the example capsule-certs-generate command that is output by the katello-certs-check command. You need it to create the Certificate Archive File for this Capsule Server.
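As an added pre-flight check that is not part of the Red Hat documentation, the following POSIX shell function verifies locally the properties this procedure relies on before the files go to katello-certs-check: an unencrypted key, a key that belongs to the certificate, a chain to the CA bundle, and both the load balancer and Capsule FQDNs present as DNS Subject Alternative Names. The function name and its arguments are this example's own; it only needs the openssl command.

```shell
#!/bin/sh
# Added example (not from the Red Hat documentation): pre-flight checks on the
# files a load-balanced Capsule Server needs before katello-certs-check runs.
# Usage: check_capsule_cert CERT KEY CA_BUNDLE LB_FQDN CAPSULE_FQDN
# Prints every failure it finds and returns 0 only when all checks pass.
check_capsule_cert() {
  cert=$1; key=$2; ca=$3; lb=$4; capsule=$5; rc=0

  # The private key must be unencrypted (the procedure says to remove any
  # password); password-protected PEM keys carry an ENCRYPTED marker.
  if grep -q 'ENCRYPTED' "$key" 2>/dev/null; then
    echo "FAIL: $key is password protected"; rc=1
  fi

  # The key must belong to the certificate: compare the two public keys.
  cert_pub=$(openssl x509 -in "$cert" -noout -pubkey 2>/dev/null) \
    || { echo "FAIL: cannot read certificate $cert"; return 1; }
  key_pub=$(openssl pkey -in "$key" -pubout 2>/dev/null) \
    || { echo "FAIL: cannot read private key $key"; return 1; }
  [ "$cert_pub" = "$key_pub" ] \
    || { echo "FAIL: $key does not match $cert"; rc=1; }

  # The certificate must chain to the supplied CA bundle, which must be the
  # same CA that signed the Satellite Server certificate.
  openssl verify -CAfile "$ca" "$cert" >/dev/null 2>&1 \
    || { echo "FAIL: $cert does not verify against $ca"; rc=1; }

  # Both the load balancer FQDN and the Capsule FQDN must be DNS SANs;
  # clients connect through the load balancer name, so a matching CN alone
  # is not enough. The SAN line follows the extension header in -text output.
  sans=$(openssl x509 -in "$cert" -noout -text 2>/dev/null \
         | sed -n '/Subject Alternative Name/{n;p;}' \
         | tr ',' '\n' | sed 's/^[[:space:]]*//')
  for name in "$lb" "$capsule"; do
    printf '%s\n' "$sans" | grep -Fxq "DNS:$name" \
      || { echo "FAIL: SAN list lacks DNS:$name"; rc=1; }
  done

  [ "$rc" -eq 0 ] && echo "OK: $cert is ready for katello-certs-check"
  return "$rc"
}
```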
4.3. Configuring Capsule Server with custom SSL certificates for load balancing without Puppet
On each Capsule Server you want to configure for load balancing, install Katello certificates.
Procedure

1. Append the following option to the capsule-certs-generate command that you obtain from the output of the katello-certs-check command:

   --foreman-proxy-cname loadbalancer.example.com

2. On Satellite Server, enter the capsule-certs-generate command to generate the Capsule certificates:

   # capsule-certs-generate \
   --certs-tar /root/capsule_cert/capsule.tar \
   --foreman-proxy-cname loadbalancer.example.com \
   --foreman-proxy-fqdn capsule.example.com \
   --server-ca-cert /root/capsule_cert/ca_cert_bundle.pem \
   --server-cert /root/capsule_cert/capsule_cert.pem \
   --server-key /root/capsule_cert/capsule_cert_key.pem

   Retain a copy of the example satellite-installer command from the output for installing the Capsule Server certificates.

3. Copy the certificate archive file from Satellite Server to Capsule Server:

   # scp /root/capsule_cert/capsule.tar root@capsule.example.com:capsule.example.com-certs.tar

4. Append the following options to the satellite-installer command that you obtain from the output of the capsule-certs-generate command:

   --certs-cname "loadbalancer.example.com" \
   --enable-foreman-proxy-plugin-remote-execution-script

5. On Capsule Server, enter the satellite-installer command:

   # satellite-installer --scenario capsule \
   --certs-cname "loadbalancer.example.com" \
   --certs-tar-file "capsule.example.com-certs.tar" \
   --enable-foreman-proxy-plugin-remote-execution-script \
   --foreman-proxy-foreman-base-url "https://satellite.example.com" \
   --foreman-proxy-oauth-consumer-key "oauth key" \
   --foreman-proxy-oauth-consumer-secret "oauth secret" \
   --foreman-proxy-register-in-foreman "true" \
   --foreman-proxy-trusted-hosts "satellite.example.com" \
   --foreman-proxy-trusted-hosts "capsule.example.com"