From b366b61e3fd8fe1b10e841efe26c11378b18cb4d Mon Sep 17 00:00:00 2001
From: AkshayGadhaveRH <97217993+AkshayGadhaveRH@users.noreply.github.com>
Date: Mon, 22 Apr 2024 16:11:21 +0530
Subject: [PATCH] Rectify differences in the custom SSL CSR for LB and Smart Proxy (#2832)
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

There are differences in the `openssl.cnf` files created for cert signing requests for LB and for Smart Proxy:
- guides/common/modules/proc_creating-custom-ssl-certificates-for-smart-proxy-server.adoc > LB custom SSL CSR file
- guides/common/modules/proc_creating-a-custom-ssl-certificate.adoc > Smart Proxy custom SSL CSR file
BZ: https://bugzilla.redhat.com/show_bug.cgi?id=2256021
* Additional changes suggested in PR
- Dropped x509 section.
- Separated DN infomation into separate "Optional" section.
- Changed required extenstions to `v3_req`.
* Merge both files into a single module
Merge `proc_creating-a-custom-ssl-certificate.adoc` and `proc_creating-custom-ssl-certificates-for-smart-proxy-server.adoc` into a single file using attributes to differentiate the steps required by each.
Co-authored-by: Zuzana Lena Ansorgová
---
 ...ing-capsule-custom-server-certificate.adoc | 4 +
 ...g-satellite-custom-server-certificate.adoc | 4 +
 ...roc_creating-a-custom-ssl-certificate.adoc | 87 +++++++++++++----
 ...l-certificates-for-smart-proxy-server.adoc | 95 -------------------
 .../doc-Configuring_Load_Balancer/master.adoc | 17 +++-
 5 files changed, 90 insertions(+), 117 deletions(-)
 delete mode 100644 guides/common/modules/proc_creating-custom-ssl-certificates-for-smart-proxy-server.adoc

diff --git a/guides/common/assembly_configuring-capsule-custom-server-certificate.adoc b/guides/common/assembly_configuring-capsule-custom-server-certificate.adoc
index cac1b931c79..b24a553841c 100644
--- a/guides/common/assembly_configuring-capsule-custom-server-certificate.adoc
+++ b/guides/common/assembly_configuring-capsule-custom-server-certificate.adoc
@@ -11,8 +11,12 @@ To configure your {SmartProxyServer} with a custom certificate, complete the fol
 . xref:deploying-a-custom-ssl-certificate-to-{smart-proxy-context}-server_{smart-proxy-context}[]
 . xref:deploying-a-custom-ssl-certificate-to-hosts_{smart-proxy-context}[]
 
+:ssl-common-name: {smartproxy-example-com}
+:cert-name: {smart-proxy-context}
 //Creating a Custom SSL Certificate for {SmartProxyServer}
 include::modules/proc_creating-a-custom-ssl-certificate.adoc[leveloffset=+1]
+:!cert-name:
+:!ssl-common-name:
 
 include::modules/proc_deploying-a-custom-ssl-certificate-to-smart-proxy-server.adoc[leveloffset=+1]
 
diff --git a/guides/common/assembly_configuring-satellite-custom-server-certificate.adoc b/guides/common/assembly_configuring-satellite-custom-server-certificate.adoc
index 8c285fe37a6..12da13bc839 100644
--- a/guides/common/assembly_configuring-satellite-custom-server-certificate.adoc
+++ b/guides/common/assembly_configuring-satellite-custom-server-certificate.adoc
@@ -25,8 +25,12 @@ To configure your {ProjectServer} with a custom certificate, complete the follow
 . If you have external {SmartProxyServers} registered to {ProjectServer}, configure them with custom SSL certificates.
 For more information, see {InstallingSmartProxyDocURL}configuring-capsule-custom-server-certificate_{smart-proxy-context}[Configuring {SmartProxyServer} with a Custom SSL Certificate] in _{InstallingSmartProxyDocTitle}_.
 
+:ssl-common-name: {foreman-example-com}
+:cert-name: {project-context}
 //Creating a Custom SSL Certificate for {ProjectServer}
 include::modules/proc_creating-a-custom-ssl-certificate.adoc[leveloffset=+1]
+:!cert-name:
+:!ssl-common-name:
 
 //Deploying a Custom SSL Certificate to {ProjectServer}
 include::modules/proc_deploying-a-custom-ssl-certificate-to-satellite-server.adoc[leveloffset=+1]
diff --git a/guides/common/modules/proc_creating-a-custom-ssl-certificate.adoc b/guides/common/modules/proc_creating-a-custom-ssl-certificate.adoc
index 48744df276e..dc7f42fe5e8 100644
--- a/guides/common/modules/proc_creating-a-custom-ssl-certificate.adoc
+++ b/guides/common/modules/proc_creating-a-custom-ssl-certificate.adoc
@@ -11,12 +11,17 @@ On {ProjectServer}, create a custom certificate for your {ProductName}.
 If you already have a custom SSL certificate for {ProductName}, skip this procedure.
 endif::[]
 
+ifdef::load-balancing[]
+This procedure outlines how to create a configuration file for the Certificate Signing Request and include the load balancer and {SmartProxyServer} as Subject Alternative Names (SAN).
+Complete this procedure on each {SmartProxyServer} that you want to configure for load balancing.
+endif::[]
+
 .Procedure
 . To store all the source certificate files, create a directory that is accessible only to the `root` user:
 +
 [options="nowrap", subs="+quotes,attributes"]
 ----
-# mkdir /root/{context}_cert
+# mkdir /root/{cert-name}_cert
 ----
 . Create a private key with which to sign the certificate signing request (CSR).
 +
@@ -27,20 +32,21 @@ If you already have a private key for this {ProductName}, skip this step.
 +
 [options="nowrap", subs="+quotes,attributes"]
 ----
-# openssl genrsa -out `/root/{context}_cert/{context}_cert_key.pem` 4096
+# openssl genrsa -out `/root/{cert-name}_cert/{cert-name}_cert_key.pem` 4096
 ----
-. Create the `/root/{context}_cert/openssl.cnf` configuration file for the CSR and include the following content:
+
+ifndef::load-balancing[]
+. Create the `/root/{cert-name}_cert/openssl.cnf` configuration file for the CSR and include the following content:
 +
 [options="nowrap", subs="+quotes,attributes"]
 ----
 [ req ]
 req_extensions = v3_req
 distinguished_name = req_distinguished_name
-x509_extensions = usr_cert
 prompt = no
 
 [ req_distinguished_name ]
-CN = _{context}.example.com_
+commonName = _{ssl-common-name}_
 
 [ v3_req ]
 basicConstraints = CA:FALSE
@@ -48,24 +54,47 @@ keyUsage = digitalSignature, nonRepudiation, keyEncipherment, dataEncipherment
 extendedKeyUsage = serverAuth, clientAuth, codeSigning, emailProtection
 subjectAltName = @alt_names
 
-[ usr_cert ]
-basicConstraints=CA:FALSE
-nsCertType = client, server, email
-keyUsage = nonRepudiation, digitalSignature, keyEncipherment
+[ alt_names ]
+DNS.1 = _{ssl-common-name}_
+----
+endif::[]
+
+ifdef::load-balancing[]
+. Create the `/root/{cert-name}_cert/openssl.cnf` configuration file for the CSR and include the following content:
++
+[options="nowrap", subs="+quotes,attributes"]
+----
+[ req ]
+req_extensions = v3_req
+distinguished_name = req_distinguished_name
+x509_extensions = usr_cert
+prompt = no
+
+[ req_distinguished_name ]
+commonName = _{ssl-common-name}_ <1>
+
+[ v3_req ]
+basicConstraints = CA:FALSE
+keyUsage = digitalSignature, nonRepudiation, keyEncipherment, dataEncipherment
 extendedKeyUsage = serverAuth, clientAuth, codeSigning, emailProtection
-nsComment = "OpenSSL Generated Certificate"
-subjectKeyIdentifier=hash
-authorityKeyIdentifier=keyid,issuer
+subjectAltName = @alt_names
 
-[ alt_names ]
-DNS.1 = _{context}.example.com_
+[alt_names] <2>
+DNS.1 = _{loadbalancer-example-com}_
+DNS.2 = _{smartproxy-example-com}_
 ----
-Optional: If you want to add Distinguished Name (DN) details to the CSR, add the following information to the `[ req_distinguished_name ]` section:
+<1> The certificate's common name must match the FQDN of {SmartProxyServer}.
+Ensure to change this when running the command on each {SmartProxyServer} that you configure for load balancing.
+You can also set a wildcard value `*`.
+If you set a wildcard value, you must add the `-t {certs-proxy-context}` option when you use the `katello-certs-check` command.
+<2> Under `[alt_names]`, include the FQDN of the load balancer as `DNS.1` and the FQDN of {SmartProxyServer} as `DNS.2`.
+endif::[]
+. Optional: If you want to add Distinguished Name (DN) details to the CSR, add the following information to the `[ req_distinguished_name ]` section:
 +
 [options="nowrap", subs="+quotes,attributes"]
 ----
 [req_distinguished_name]
-CN = _{context}.example.com_
+CN = _{ssl-common-name}_
 countryName =_My_Country_Name_ <1>
 stateOrProvinceName = _My_State_Or_Province_Name_ <2>
 localityName = _My_Locality_Name_ <3>
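Review bot: The load-balancing `[ req ]` block added in this hunk still carries `x509_extensions = usr_cert`, yet the same hunk removes the `[ usr_cert ]` section and the non-load-balancing variant drops that line entirely, which matches the commit message's "Dropped x509 section"; delete `x509_extensions = usr_cert` from the load-balancing variant so the two configurations differ only in the `[alt_names]` entries. For a plain `openssl req -new` the dangling reference is ignored, but anyone later reusing the file with `-x509` would hit a missing-section error, and the divergence is exactly what this commit set out to remove. Both variants also request `extendedKeyUsage = serverAuth, clientAuth, codeSigning, emailProtection`; a {SmartProxyServer} server certificate presumably needs only `serverAuth` (and `clientAuth` if the proxy authenticates to {ProjectServer}), so a CA that honors requested extensions would issue a certificate also valid for code signing and e-mail, and trimming the list, or a comment that the CA may override it, would be worth adding.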
@@ -81,17 +110,35 @@ organizationalUnitName = _My_Organizational_Unit_Name_ <4>
 [options="nowrap", subs="+quotes,attributes"]
 ----
 # openssl req -new \
--key _/root/{context}_cert/{context}_cert_key.pem_ \ <1>
--config _/root/{context}_cert/openssl.cnf_ \ <2>
--out _/root/{context}_cert/{context}_cert_csr.pem_ <3>
+-key _/root/{cert-name}_cert/{cert-name}_cert_key.pem_ \ <1>
+-config _/root/{cert-name}_cert/openssl.cnf_ \ <2>
+-out _/root/{cert-name}_cert/{cert-name}_cert_csr.pem_ <3>
 ----
 <1> Path to the private key
 <2> Path to the configuration file
 <3> Path to the CSR to generate
-
 . Send the certificate signing request to the certificate authority (CA).
 The same CA must sign certificates for {ProjectServer} and {SmartProxyServer}.
 +
 When you submit the request, specify the lifespan of the certificate.
 The method for sending the certificate request varies, so consult the CA for the preferred method.
 In response to the request, you can expect to receive a CA bundle and a signed certificate, in separate files.
+ifdef::load-balancing[]
+. Copy the Certificate Authority bundle and {SmartProxyServer} certificate file that you receive from the Certificate Authority, and {SmartProxyServer} private key to your {ProjectServer}.
+. On {ProjectServer}, validate {SmartProxyServer} certificate input files:
++
+[options="nowrap", subs="+quotes,verbatim,attributes"]
+----
+# katello-certs-check \
+-c /root/{cert-name}_cert/{cert-name}_cert.pem \ <1>
+-k /root/{cert-name}_cert/{cert-name}_cert_key.pem \ <2>
+-b /root/{cert-name}_cert/ca_cert_bundle.pem <3>
+----
+<1> {SmartProxyServer} certificate file, provided by your Certificate Authority
+<2> {SmartProxyServer}’s private key that you used to sign the certificate
+<3> Certificate Authority bundle, provided by your Certificate Authority
++
+If you set the `commonName=` to a wildcard value `*`, you must add the `-t {certs-proxy-context}` option to the `katello-certs-check` command.
++
+Retain a copy of the example `{certs-generate}` command that is output by the `katello-certs-check` command for creating the Certificate Archive File for this {SmartProxyServer}.
+endif::[]
diff --git a/guides/common/modules/proc_creating-custom-ssl-certificates-for-smart-proxy-server.adoc b/guides/common/modules/proc_creating-custom-ssl-certificates-for-smart-proxy-server.adoc
deleted file mode 100644
index ae1c0037167..00000000000
--- a/guides/common/modules/proc_creating-custom-ssl-certificates-for-smart-proxy-server.adoc
+++ /dev/null
@@ -1,95 +0,0 @@
-[id="Creating_Custom_SSL_Certificates_for_{smart-proxy-context}_{context}"]
-= Creating custom SSL certificates for {SmartProxyServer}
-
-This procedure outlines how to create a configuration file for the Certificate Signing Request and include the load balancer and {SmartProxyServer} as Subject Alternative Names (SAN).
-Complete this procedure on each {SmartProxyServer} that you want to configure for load balancing.
-
-.Procedure
-. On {SmartProxyServer}, create a directory to contain all the source certificate files, accessible to only the `root` user:
-+
-[options="nowrap", subs="+quotes,attributes"]
-----
-# mkdir /root/{smart-proxy-context}_cert
-# cd /root/{smart-proxy-context}_cert
-----
-. Create a private key with which to sign the Certificate Signing Request (CSR).
-+
-Note that the private key must be unencrypted.
-If you use a password-protected private key, remove the private key password.
-+
-If you already have a private key for this {SmartProxyServer}, skip this step.
-+
-[options="nowrap", subs="+quotes,attributes"]
-----
-# openssl genrsa -out /root/{smart-proxy-context}_cert/{smart-proxy-context}_cert_key.pem 4096
-----
-. Create the certificate request configuration file with the following content:
-+
-[options="nowrap", subs="+quotes,attributes"]
-----
-[ req ]
-default_bits = 4096
-distinguished_name = req_distinguished_name
-req_extensions = req_ext
-prompt = no
-
-[ req_distinguished_name ]
-countryName=_2 Letter Country Code_
-stateOrProvinceName=_State or Province Full Name_
-localityName=_Locality Name_
-0.organizationName=_Organization Name_
-organizationalUnitName=_{SmartProxy} Organization Unit Name_
-commonName=_{smartproxy-example-com}_ <1>
-emailAddress=_Email Address_
-
-[ req_ext ]
-#authorityKeyIdentifier=keyid,issuer
-#basicConstraints=CA:FALSE
-keyUsage = digitalSignature, nonRepudiation, keyEncipherment, dataEncipherment
-subjectAltName = @alt_names
-
-[alt_names] <2>
-DNS.1 = _{loadbalancer-example-com}_
-DNS.2 = _{smartproxy-example-com}_
-----
-<1> The certificate's common name must match the FQDN of {SmartProxyServer}.
-Ensure to change this when running the command on each {SmartProxyServer} that you configure for load balancing.
-You can also set a wildcard value `*`.
-If you set a wildcard value, you must add the `-t {certs-proxy-context}` option when you use the `katello-certs-check` command.
-<2> Under `[alt_names]`, include the FQDN of the load balancer as `DNS.1` and the FQDN of {SmartProxyServer} as `DNS.2`.
-
-. Create a Certificate Signing Request (CSR) for the SAN certificate:
-+
-[options="nowrap", subs="+quotes,attributes"]
-----
-# openssl req -new \
--key /root/{smart-proxy-context}_cert/{smart-proxy-context}_cert_key.pem \ <1>
--config SAN_config.cfg \ <2>
--out /root/{smart-proxy-context}_cert/{smart-proxy-context}_cert_csr.pem <3>
-----
-<1> {SmartProxyServer}’s private key, used to sign the certificate
-<2> The certificate request configuration file
-<3> Certificate Signing Request file
-
-. Send the certificate request to the Certificate Authority:
-+
-When you submit the request, specify the lifespan of the certificate.
-The method for sending the certificate request varies, so consult the Certificate Authority for the preferred method.
-In response to the request, you can expect to receive a Certificate Authority bundle and a signed certificate, in separate files.
-. Copy the Certificate Authority bundle and {SmartProxyServer} certificate file that you receive from the Certificate Authority, and {SmartProxyServer} private key to your {ProjectServer}.
-. On {ProjectServer}, validate {SmartProxyServer} certificate input files:
-+
-[options="nowrap", subs="+quotes,verbatim,attributes"]
-----
-# katello-certs-check \
--c /root/{smart-proxy-context}_cert/{smart-proxy-context}_cert.pem \ <1>
--k /root/{smart-proxy-context}_cert/{smart-proxy-context}_cert_key.pem \ <2>
--b /root/{smart-proxy-context}_cert/ca_cert_bundle.pem <3>
-----
-<1> {SmartProxyServer} certificate file, provided by your Certificate Authority
-<2> {SmartProxyServer}’s private key that you used to sign the certificate
-<3> Certificate Authority bundle, provided by your Certificate Authority
-+
-If you set the `commonName=` to a wildcard value `*`, you must add the `-t {certs-proxy-context}` option to the `katello-certs-check` command.
-+
-Retain a copy of the example `{certs-generate}` command that is output by the `katello-certs-check` command for creating the Certificate Archive File for this {SmartProxyServer}.
diff --git a/guides/doc-Configuring_Load_Balancer/master.adoc b/guides/doc-Configuring_Load_Balancer/master.adoc
index 192420e5c7a..03998d6a879 100644
--- a/guides/doc-Configuring_Load_Balancer/master.adoc
+++ b/guides/doc-Configuring_Load_Balancer/master.adoc
@@ -1,5 +1,6 @@
 include::common/attributes.adoc[]
 include::common/header.adoc[]
+:load-balancing:
 :context: load-balancing
 
 = {ConfiguringLoadBalancerDocTitle}
@@ -34,16 +35,28 @@ include::common/modules/proc_configuring-remaining-smart-proxy-servers-with-defa
 
 include::common/modules/con_configuring-smart-proxy-server-with-custom-ssl-certificates-for-load-balancing-without-puppet.adoc[leveloffset=+2]
 
-include::common/modules/proc_creating-custom-ssl-certificates-for-smart-proxy-server.adoc[leveloffset=+3]
+:ProductName: {SmartProxyServer}
+:ssl-common-name: {smartproxy-example-com}
+:cert-name: {smart-proxy-context}
+include::common/modules/proc_creating-a-custom-ssl-certificate.adoc[leveloffset=+3]
+:!cert-name:
+:!ssl-common-name:
+:!ProductName:
 
 include::common/modules/proc_configuring-smart-proxy-server-with-custom-ssl-certificates-for-load-balancing-without-puppet.adoc[leveloffset=+3]
 
 include::common/modules/con_configuring-smart-proxy-server-with-custom-ssl-certificates-for-load-balancing-with-puppet.adoc[leveloffset=+2]
 
+:ProductName: {SmartProxyServer}
+:ssl-common-name: {smartproxy-example-com}
+:cert-name: {smart-proxy-context}
 :parent-context: {context}
 :context: load-balancing-with-custom-ssl-certificates-with-puppet
-include::common/modules/proc_creating-custom-ssl-certificates-for-smart-proxy-server.adoc[leveloffset=+3]
+include::common/modules/proc_creating-a-custom-ssl-certificate.adoc[leveloffset=+3]
 :context: {parent-context}
+:!cert-name:
+:!ssl-common-name:
+:!ProductName:
 
 include::common/modules/proc_configuring-smart-proxy-server-with-custom-ssl-certificates-to-generate-and-sign-puppet-certificates.adoc[leveloffset=+3]
 