Chapter 6. Refreshing the self-signed CA certificate on hosts
When you change the CA certificate on your Satellite Server, you must refresh the CA certificate on your hosts.
Ensure that you use a temporary dual CA certificate file for uninterrupted operation. For more information, see Planning for self-signed CA certificate renewal in Administering Red Hat Satellite.
If you have already changed the CA certificate on Satellite Server without using the temporary dual CA certificate file, you must refresh the certificate on hosts manually because the scripted variant will not recognize Satellite Server.
You only must redeploy the CA certificate if you use a self-signed CA certificate.
6.1. Deploying the CA certificate on a host by using Script REX
You can use remote execution (REX) with the Script provider to deploy the CA certificate.
Prerequisites
- The host is registered to Satellite.
- Remote execution is enabled on the host.
- The CA certificate has been changed on Satellite Server. For more information, see Planning for self-signed CA certificate renewal in Administering Red Hat Satellite.
Procedure
- In the Satellite web UI, navigate to Monitor > Jobs.
- Click Run Job.
- From the Job category list, select Commands.
- From the Job template list, select Download and run a script.
- Click Next.
- Select hosts on which you want to execute the job.
In the url field, enter the following URL:
https://satellite.example.com/unattended/public/foreman_ca_refresh
Replace satellite.example.com with the FQDN of your Satellite Server.
You can use HTTP when the CA certificate is expired.
- Optional: Click Next and configure advanced fields and scheduling as you require.
- Click Run on selected hosts.
Verification
If the host can access Satellite Server, the following command succeeds on your host:
$ curl --head https://satellite.example.com
Replace satellite.example.com with the FQDN of your Satellite Server.
If the host can access Capsule Server, the following command succeeds on your host:
$ curl --head https://capsule.example.com:9090/features
Replace capsule.example.com with the FQDN of your Capsule Server.
Additional resources
6.2. Deploying the CA certificate on a host by using Ansible REX
You can use remote execution (REX) with the Ansible provider to deploy the CA certificate.
Prerequisites
- The host is registered to Satellite.
- Remote execution is enabled on the host.
- The CA certificate has been changed on Satellite Server. For more information, see Planning for self-signed CA certificate renewal in Administering Red Hat Satellite.
Procedure
- In the Satellite web UI, navigate to Monitor > Jobs.
- Click Run Job.
- From the Job category list, select Ansible Commands.
- From the Job template list, select Download and execute a script.
- Click Next.
- Select hosts on which you want to execute the job.
In the url field, enter the following URL:
https://satellite.example.com/unattended/public/foreman_ca_refresh
Replace satellite.example.com with the FQDN of your Satellite Server.
You can use HTTP when the CA certificate is expired.
- Optional: Click Next and configure advanced fields and scheduling as you require.
- Click Run on selected hosts.
Verification
If the host can access Satellite Server, the following command succeeds on your host:
$ curl --head https://satellite.example.com
Replace satellite.example.com with the FQDN of your Satellite Server.
If the host can access Capsule Server, the following command succeeds on your host:
$ curl --head https://capsule.example.com:9090/features
Replace capsule.example.com with the FQDN of your Capsule Server.
Additional resources
6.3. Deploying the CA certificate on a host manually
You can deploy the CA certificate on the host manually by rendering a public provisioning template, which provides the CA certificate.
Prerequisites
- You have root access on both your Satellite Server and your host.
Procedure
Download the certificate on your Satellite Server:
# curl -o "satellite_ca_cert.crt" https://satellite.example.com/unattended/public/foreman_raw_ca
Replace satellite.example.com with the FQDN of your Satellite Server.
-
Transfer the CA certificate to your host securely, for example by using
scp
. - Login to your host by using SSH.
Copy the certificate to the Subscription Manager configuration directory:
# cp -u satellite_ca_cert.crt /etc/rhsm/ca/katello-server-ca.pem
Copy the certificate to the truststore:
# cp satellite_ca_cert.crt /etc/pki/ca-trust/source/anchors
Update the truststore:
# update-ca-trust
Verification
If the host can access Satellite Server, the following command succeeds on your host:
$ curl --head https://satellite.example.com
Replace satellite.example.com with the FQDN of your Satellite Server.
If the host can access Capsule Server, the following command succeeds on your host:
$ curl --head https://capsule.example.com:9090/features
Replace capsule.example.com with the FQDN of your Capsule Server.