Search

Chapter 6. Refreshing the self-signed CA certificate on hosts

download PDF

When you change the CA certificate on your Satellite Server, you must refresh the CA certificate on your hosts.

Ensure that you use a temporary dual CA certificate file for uninterrupted operation. For more information, see Planning for self-signed CA certificate renewal in Administering Red Hat Satellite.

If you have already changed the CA certificate on Satellite Server without using the temporary dual CA certificate file, you must refresh the certificate on hosts manually because the scripted variant will not recognize Satellite Server.

Important

You only must redeploy the CA certificate if you use a self-signed CA certificate.

6.1. Deploying the CA certificate on a host by using Script REX

You can use remote execution (REX) with the Script provider to deploy the CA certificate.

Prerequisites

  • The host is registered to Satellite.
  • Remote execution is enabled on the host.
  • The CA certificate has been changed on Satellite Server. For more information, see Planning for self-signed CA certificate renewal in Administering Red Hat Satellite.

Procedure

  1. In the Satellite web UI, navigate to Monitor > Jobs.
  2. Click Run Job.
  3. From the Job category list, select Commands.
  4. From the Job template list, select Download and run a script.
  5. Click Next.
  6. Select hosts on which you want to execute the job.
  7. In the url field, enter the following URL:

    https://satellite.example.com/unattended/public/foreman_ca_refresh

    Replace satellite.example.com with the FQDN of your Satellite Server.

    You can use HTTP when the CA certificate is expired.

  8. Optional: Click Next and configure advanced fields and scheduling as you require.
  9. Click Run on selected hosts.

Verification

  • If the host can access Satellite Server, the following command succeeds on your host:

    $ curl --head https://satellite.example.com

    Replace satellite.example.com with the FQDN of your Satellite Server.

  • If the host can access Capsule Server, the following command succeeds on your host:

    $ curl --head https://capsule.example.com:9090/features

    Replace capsule.example.com with the FQDN of your Capsule Server.

6.2. Deploying the CA certificate on a host by using Ansible REX

You can use remote execution (REX) with the Ansible provider to deploy the CA certificate.

Prerequisites

  • The host is registered to Satellite.
  • Remote execution is enabled on the host.
  • The CA certificate has been changed on Satellite Server. For more information, see Planning for self-signed CA certificate renewal in Administering Red Hat Satellite.

Procedure

  1. In the Satellite web UI, navigate to Monitor > Jobs.
  2. Click Run Job.
  3. From the Job category list, select Ansible Commands.
  4. From the Job template list, select Download and execute a script.
  5. Click Next.
  6. Select hosts on which you want to execute the job.
  7. In the url field, enter the following URL:

    https://satellite.example.com/unattended/public/foreman_ca_refresh

    Replace satellite.example.com with the FQDN of your Satellite Server.

    You can use HTTP when the CA certificate is expired.

  8. Optional: Click Next and configure advanced fields and scheduling as you require.
  9. Click Run on selected hosts.

Verification

  • If the host can access Satellite Server, the following command succeeds on your host:

    $ curl --head https://satellite.example.com

    Replace satellite.example.com with the FQDN of your Satellite Server.

  • If the host can access Capsule Server, the following command succeeds on your host:

    $ curl --head https://capsule.example.com:9090/features

    Replace capsule.example.com with the FQDN of your Capsule Server.

6.3. Deploying the CA certificate on a host manually

You can deploy the CA certificate on the host manually by rendering a public provisioning template, which provides the CA certificate.

Prerequisites

  • You have root access on both your Satellite Server and your host.

Procedure

  1. Download the certificate on your Satellite Server:

    # curl -o "satellite_ca_cert.crt" https://satellite.example.com/unattended/public/foreman_raw_ca

    Replace satellite.example.com with the FQDN of your Satellite Server.

  2. Transfer the CA certificate to your host securely, for example by using scp.
  3. Login to your host by using SSH.
  4. Copy the certificate to the Subscription Manager configuration directory:

    # cp -u satellite_ca_cert.crt /etc/rhsm/ca/katello-server-ca.pem
  5. Copy the certificate to the truststore:

    # cp satellite_ca_cert.crt /etc/pki/ca-trust/source/anchors
  6. Update the truststore:

    # update-ca-trust

Verification

  • If the host can access Satellite Server, the following command succeeds on your host:

    $ curl --head https://satellite.example.com

    Replace satellite.example.com with the FQDN of your Satellite Server.

  • If the host can access Capsule Server, the following command succeeds on your host:

    $ curl --head https://capsule.example.com:9090/features

    Replace capsule.example.com with the FQDN of your Capsule Server.

Red Hat logoGithubRedditYoutubeTwitter

Learn

Try, buy, & sell

Communities

About Red Hat Documentation

We help Red Hat users innovate and achieve their goals with our products and services with content they can trust.

Making open source more inclusive

Red Hat is committed to replacing problematic language in our code, documentation, and web properties. For more details, see the Red Hat Blog.

About Red Hat

We deliver hardened solutions that make it easier for enterprises to work across platforms and environments, from the core datacenter to the network edge.

© 2024 Red Hat, Inc.