Created
November 27, 2023 13:47
-
-
Save martinpitt/9ce33850b52d58276a6550d5521259b6 to your computer and use it in GitHub Desktop.
candlepin regenerate certificate
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| ## works: clean reproducer without cert regen | |
| ```sh | |
| # setup candlepin server | |
| podman run -d --name candlepin -p 8080:8080 -p 8443:8443 --hostname candlepin.local --pull newer ghcr.io/ptoscano/candlepin-unofficial:latest | |
| podman cp candlepin:/etc/candlepin/certs/candlepin-ca.crt . | |
| cp ./candlepin-ca.crt /etc/rhsm/ca/candlepin-ca.pem | |
| cp ./candlepin-ca.crt /etc/pki/ca-trust/source/anchors/ | |
| update-ca-trust | |
| echo '127.0.0.1 candlepin.local' >> /etc/hosts | |
| # wait until it is up | |
| until curl --fail https://candlepin.local:8443/candlepin/status; do sleep 1; done | |
| # set up fake product | |
| rm -f /etc/pki/product-default/*.pem /etc/pki/product/*.pem | |
| mkdir -p /etc/pki/product/ | |
| podman cp candlepin:/home/candlepin/devel/candlepin/generated_certs/88888.pem /etc/pki/product/ | |
| # subscribe and verify | |
| subscription-manager config --server.hostname candlepin.local --server.port 8443 --server.prefix /candlepin | |
| subscription-manager register --org=admin --activationkey=awesome_os_pool --force | |
| subscription-manager attach --auto | |
| subscription-manager list | |
| ``` | |
| ## clean up | |
| subscription-manager unregister | |
| ## fails: with cert regeneration | |
| ```sh | |
| podman run -d --name candlepin -p 8080:8080 -p 8443:8443 --hostname candlepin.local --pull newer ghcr.io/ptoscano/candlepin-unofficial:4.2.15-1 | |
| # regenerate TLS certificate | |
| podman exec -i candlepin systemctl stop tomcat | |
| # used by gen_certs.sh | |
| podman exec -i candlepin dnf --setopt install_weak_deps=False -y install hostname | |
| podman exec -i candlepin /home/candlepin/devel/candlepin/bin/deployment/gen_certs.sh -f -H services.cockpit.lan | |
| podman exec -i candlepin systemctl start tomcat | |
| podman cp candlepin:/etc/candlepin/certs/candlepin-ca.crt . | |
| cp ./candlepin-ca.crt /etc/rhsm/ca/candlepin-ca.pem | |
| cp ./candlepin-ca.crt /etc/pki/ca-trust/source/anchors/ | |
| update-ca-trust | |
| echo '127.0.0.1 services.cockpit.lan' >> /etc/hosts | |
| # wait until it is up | |
| until curl --fail https://services.cockpit.lan:8443/candlepin/status; do sleep 1; done | |
| # set up fake product | |
| rm -f /etc/pki/product-default/*.pem /etc/pki/product/*.pem | |
| mkdir -p /etc/pki/product/ | |
| podman cp candlepin:/home/candlepin/devel/candlepin/generated_certs/88888.pem /etc/pki/product/ | |
| # subscribe and verify | |
| subscription-manager config --server.hostname services.cockpit.lan --server.port 8443 --server.prefix /candlepin | |
| subscription-manager register --org=admin --activationkey=awesome_os_pool --force | |
| # fails here on SSL/networking error | |
| subscription-manager attach --auto | |
| subscription-manager list | |
| ``` |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment