Reset from Custom Certs to Self-Signed Satellite 6

= Reset from Custom Certs to Self-Signed =

1) Edit /etc/katello-installer/answers.katello-installer.yaml 

Examine the certs: section, it should look something like:

  certs: 
    server_key: /root/certs/example6.redhat.com.key
    ca_expiration: "36500"
    regenerate_ca: false
    generate: true
    node_fqdn: sat-perf-04.idm.lab.bos.redhat.com
    server_cert_req: /root/certs/example6.redhat.com.crt.req
    org: SomeOrg
    log_dir: /var/log/certs
...

Replace the entire "certs:" section with the following, ensure the indentation matches the existing file:

  certs:
    generate: true
    deploy: true
    group: foreman

remove all entries in that certs: section except for the above

2) Re-run katello-installer with the following flags:

# katello-installer -v -d --certs-update-all

When doing this, I got the following errors:
[ERROR  2014-12-08 13:08:48 verbose]   /Stage[main]/Certs::Candlepin/Exec[candlepin-add-client-cert-to-nss-db]:  Failed to call refresh: certutil -A -d '/etc/pki/katello/nssdb' -n  'amqp-client' -t ',,' -a -i '/etc/pki/katello/certs/java-client.crt'  returned 255 instead of one of [0]
[ERROR  2014-12-08 13:08:48 verbose]   /Stage[main]/Certs::Candlepin/Exec[candlepin-add-client-cert-to-nss-db]:  certutil -A -d '/etc/pki/katello/nssdb' -n 'amqp-client' -t ',,' -a -i  '/etc/pki/katello/certs/java-client.crt' returned 255 instead of one of  [0]

Tried then removing the "broker" and "amqp-client" certs from /etc/pki/katello/nssdb and re-run

katello-installer -v -d --certs-update-all --katello-proxy...

This time qpidd fails to re-start since it can't find it's certificate nick-named "broker". Which really  isn't present in nssdb

trying to manually add the "broker" cert and now run katello-installer without --certs-update-all

This time qpidd fails to start with the error message "Failed to retrieve private key from certificate"

And indeed, trying 
certutil  -K -d /etc/pki/katello/nssdb asks for a "password or pin" and the key  in /etc/pki/katello/nssdb/nss_password_file does not work

Resetting the password of the DB was dome by running
certutil -T -d /etc/pki/katello/nssdb
and then
certutil -W -d /etc/pki/katello/nssdb
and setting the password to the one specified in /etc/pki/katello/nssdb/nss_password_file
Finally, I impored the broker key using 
pk12util  -i /etc/pki/katello/sat6.rhcdev.volvo.net-qpid-broker.pfx -d  /etc/pki/katello/nssdb -w /etc/pki/katello/nssd b/nss_db_password_file  -k /etc/pki/katello/nssd b/nss_db_password_file


3) Restart all services

# katello-service restart 

4)  If you have remote Capsules not on the Satellite they need new  certificates as well, follow the "12.4. Configuring a Red Hat Satellite  Capsule Server" to regenerate and re-install the certificates:


Comments

Post a Comment

Popular posts from this blog

How to clean all the foreman task and locked task

1.- First make su to postgres user su -s /bin/bash - postgres  2.-Execute psql psql  3.- connect to the foreman database \c foreman;  4.- Delete all the foreman task and foreman task locks delete from foreman_tasks_tasks;  delete from foreman_tasks_locks;  5.- Quit from postgres and exit \q  exit  6. Restart all the services for s in {qpidd,pulp_celerybeat,pulp_ resource_manager,pulp_workers, httpd}; do sudo service $s restart; done  Update in todays foreman you can clean the task using the following command: foreman-rake foreman_tasks:cleanup
Read more

CentOS 7 Server Hardening Guide

CentOS 7 Server Hardening Guide 1. System Settings – Disk Partitioning and Post installation 1.1 Disk Encryption with Kickstart The easiest way to encrypt a partition is during Kickstart installation. This can be achieved by adding the –encrypted and –passphrase= options to the definition of a physical LVM volume. Our Kickstart template is provided below. Note that the template requires a 32GB disk. #version=CentOS7.5 # System authorisation information auth --enableshadow --passalgo=sha512 # Use CDROM installation media cdrom ignoredisk --only-use=sda # Keyboard layouts keyboard --vckeymap=gb --xlayouts='gb' # System language lang en_GB.UTF-8 # SELinux selinux --enforcing # Network information network --bootproto=dhcp --device=eth0 --onboot=on --activate network --hostname=ks-c7.example.com # Plaintext root password: PleaseChangeMe rootpw --iscrypted $6$nS0mBJyS$q/QgCof5unWrT9W3qngTISueSDhDHVNntDqd8sOcgmHp2lq4f/niUbjCmoEzaf3EWQ2x3z/k0eIZa
Read more

How to restrict users to send only mail to the local domain in Zimbra

How to restrict users to send only mail to the local domain in Zimbra 1. Open file /opt/zimbra/conf/zmconfigd/smtpd_recipient_restrictions.cf and add this line below reject_non_fqdn_recipient. This is example on my system permit_sasl_authenticated check_sender_access lmdb:/opt/zimbra/postfix/conf/restricted_senders permit_mynetworks 2. Open file /opt/zimbra/conf/zmconfigd.cf and add those lines before RESTART mta. This is example on my system POSTCONF smtpd_restriction_classes local_only POSTCONF local_only FILE postfix_check_recipient_access.cf RESTART mta 3. Create a file /opt/zimbra/conf/postfix_check_recipient_access.cf and add the following line.  check_recipient_access lmdb:/opt/zimbra/postfix/conf/local_domains, reject 4. Create a file "/opt/zimbra/postfix/conf/restricted_senders" and list all the users, whom you want to restrict. Follow this syntax: user@yourdomain.com local_only 5. Create a file "/opt/zimbra/postfix/con
Read more