红帽全球峰会此内容没有您所选择的语言版本。
Chapter 9. Refreshing the self-signed CA certificate on hosts
When you change the CA certificate on your Satellite Server, you must refresh the CA certificate on your hosts.
Ensure that you use a temporary dual CA certificate file for uninterrupted operation. For more information, see Planning for self-signed CA certificate renewal in Administering Red Hat Satellite.
If you have already changed the CA certificate on Satellite Server without using the temporary dual CA certificate file, you must refresh the certificate on hosts manually because the scripted variant will not recognize Satellite Server.
You only must redeploy the CA certificate if you use a self-signed CA certificate.
You can use remote execution (REX) with the Script provider to deploy the CA certificate.
Prerequisites
- The host is registered to Satellite. :_mod-docs-content-type: SNIPPET
- Remote execution is enabled on the host.
- The CA certificate has been changed on Satellite Server. For more information, see Planning for self-signed CA certificate renewal in Administering Red Hat Satellite.
Procedure
- In the Satellite web UI, navigate to Monitor > Jobs.
- Click Run Job.
- From the Job category list, select Commands.
- From the Job template list, select Download and run a script.
- Click Next.
- Select hosts on which you want to execute the job.
In the url field, enter the following URL:
https://satellite.example.com/unattended/public/foreman_ca_refreshYou can use HTTP when the CA certificate is expired.
- Optional: Click Next and configure advanced fields and scheduling as you require.
- Click Run on selected hosts.
Verification
If the host can access Satellite Server, the following command succeeds on your host:
$ curl --head https://satellite.example.comIf the host can access Capsule Server, the following command succeeds on your host:
$ curl --head https://capsule.example.com:9090/features
Additional resources
You can use remote execution (REX) with the Ansible provider to deploy the CA certificate.
Prerequisites
- The host is registered to Satellite. :_mod-docs-content-type: SNIPPET
- Remote execution is enabled on the host.
- The CA certificate has been changed on Satellite Server. For more information, see Planning for self-signed CA certificate renewal in Administering Red Hat Satellite.
Procedure
- In the Satellite web UI, navigate to Monitor > Jobs.
- Click Run Job.
- From the Job category list, select Ansible Commands.
- From the Job template list, select Download and execute a script.
- Click Next.
- Select hosts on which you want to execute the job.
In the url field, enter the following URL:
https://satellite.example.com/unattended/public/foreman_ca_refreshYou can use HTTP when the CA certificate is expired.
- Optional: Click Next and configure advanced fields and scheduling as you require.
- Click Run on selected hosts.
Verification
If the host can access Satellite Server, the following command succeeds on your host:
$ curl --head https://satellite.example.comIf the host can access Capsule Server, the following command succeeds on your host:
$ curl --head https://capsule.example.com:9090/features
Additional resources
9.3. Deploying the CA certificate on a host manually
You can deploy the CA certificate on the host manually by rendering a public provisioning template, which provides the CA certificate.
Prerequisites
- You have root access on both your Satellite Server and your host.
Procedure
Download the certificate on your Satellite Server:
# curl -o "satellite_ca_cert.crt" https://satellite.example.com/unattended/public/foreman_raw_ca-
Transfer the CA certificate to your host securely, for example by using
scp. - Login to your host by using SSH.
Copy the certificate to the Subscription Manager configuration directory:
# cp -u satellite_ca_cert.crt /etc/rhsm/ca/katello-server-ca.pemCopy the certificate to the truststore:
# cp satellite_ca_cert.crt /etc/pki/ca-trust/source/anchorsUpdate the truststore:
# update-ca-trust
Verification
If the host can access Satellite Server, the following command succeeds on your host:
$ curl --head https://satellite.example.comIf the host can access Capsule Server, the following command succeeds on your host:
$ curl --head https://capsule.example.com:9090/features
'%20d='M201.5%20305.5c-13.8%200-24.9-11.1-24.9-24.6%200-13.8%2011.1-24.9%2024.9-24.9%2013.6%200%2024.6%2011.1%2024.6%2024.9%200%2013.6-11.1%2024.6-24.6%2024.6zM504%20256c0%20137-111%20248-248%20248S8%20393%208%20256%20119%208%20256%208s248%20111%20248%20248zm-132.3-41.2c-9.4%200-17.7%203.9-23.8%2010-22.4-15.5-52.6-25.5-86.1-26.6l17.4-78.3%2055.4%2012.5c0%2013.6%2011.1%2024.6%2024.6%2024.6%2013.8%200%2024.9-11.3%2024.9-24.9s-11.1-24.9-24.9-24.9c-9.7%200-18%205.8-22.1%2013.8l-61.2-13.6c-3-.8-6.1%201.4-6.9%204.4l-19.1%2086.4c-33.2%201.4-63.1%2011.3-85.5%2026.8-6.1-6.4-14.7-10.2-24.1-10.2-34.9%200-46.3%2046.9-14.4%2062.8-1.1%205-1.7%2010.2-1.7%2015.5%200%2052.6%2059.2%2095.2%20132%2095.2%2073.1%200%20132.3-42.6%20132.3-95.2%200-5.3-.6-10.8-1.9-15.8%2031.3-16%2019.8-62.5-14.9-62.5zM302.8%20331c-18.2%2018.2-76.1%2017.9-93.6%200-2.2-2.2-6.1-2.2-8.3%200-2.5%202.5-2.5%206.4%200%208.6%2022.8%2022.8%2087.3%2022.8%20110.2%200%202.5-2.2%202.5-6.1%200-8.6-2.2-2.2-6.1-2.2-8.3%200zm7.7-75c-13.6%200-24.6%2011.1-24.6%2024.9%200%2013.6%2011.1%2024.6%2024.6%2024.6%2013.8%200%2024.9-11.1%2024.9-24.6%200-13.8-11-24.9-24.9-24.9z'/%3e%3c/svg%3e){kind=small}