Refreshing the self-signed CA certificate on hosts

When you change the CA certificate on your orcharhino Server, you must refresh the CA certificate on your hosts.

Ensure that you use a temporary dual CA certificate file for uninterrupted operation.

If you have already changed the CA certificate on orcharhino Server without using the temporary dual CA certificate file, you must refresh the certificate on hosts manually, because the hosts no longer trust orcharhino Server and the scripted variants cannot connect to it.

You only need to redeploy the CA certificate if you use a self-signed CA certificate.

Deploying the CA certificate on a host by using Script REX

You can use remote execution (REX) with the Script provider to deploy the CA certificate.

Prerequisites
  • The host is registered to orcharhino.

  • Remote execution is enabled on the host.

  • The CA certificate has been changed on orcharhino Server.

Procedure
  1. In the orcharhino management UI, navigate to Monitor > Jobs.

  2. Click Run Job.

  3. From the Job category list, select Commands.

  4. From the Job template list, select Download and run a script.

  5. Click Next.

  6. Select hosts on which you want to execute the job.

  7. In the url field, enter the following URL:

    https://orcharhino.example.com/unattended/public/foreman_ca_refresh

    Replace orcharhino.example.com with the FQDN of your orcharhino Server.

    You can use HTTP when the CA certificate is expired. Over HTTP the script is downloaded without transport authentication, so only fall back to it when HTTPS fails and the network path between the hosts and orcharhino Server is trusted.

  8. Optional: Click Next and configure advanced fields and scheduling as you require.

  9. Click Run on selected hosts.

Verification
  • If the host can access orcharhino Server, the following command succeeds on your host:

    $ curl --head https://orcharhino.example.com

    Replace orcharhino.example.com with the FQDN of your orcharhino Server.

  • If the host can access orcharhino Proxy Server, the following command succeeds on your host:

    $ curl --head https://orcharhino-proxy.network2.example.com:9090/features

    Replace orcharhino-proxy.network2.example.com with the FQDN of your orcharhino Proxy Server. Replace the port number with the port number you use.

Deploying the CA certificate on a host by using Ansible REX

You can use remote execution (REX) with the Ansible provider to deploy the CA certificate.

Prerequisites
  • The host is registered to orcharhino.

  • Remote execution is enabled on the host.

  • The CA certificate has been changed on orcharhino Server.

Procedure
  1. In the orcharhino management UI, navigate to Monitor > Jobs.

  2. Click Run Job.

  3. From the Job category list, select Ansible Commands.

  4. From the Job template list, select Download and execute a script.

  5. Click Next.

  6. Select hosts on which you want to execute the job.

  7. In the url field, enter the following URL:

    https://orcharhino.example.com/unattended/public/foreman_ca_refresh

    Replace orcharhino.example.com with the FQDN of your orcharhino Server.

    You can use HTTP when the CA certificate is expired. Over HTTP the script is downloaded without transport authentication, so only fall back to it when HTTPS fails and the network path between the hosts and orcharhino Server is trusted.

  8. Optional: Click Next and configure advanced fields and scheduling as you require.

  9. Click Run on selected hosts.

Verification
  • If the host can access orcharhino Server, the following command succeeds on your host:

    $ curl --head https://orcharhino.example.com

    Replace orcharhino.example.com with the FQDN of your orcharhino Server.

  • If the host can access orcharhino Proxy Server, the following command succeeds on your host:

    $ curl --head https://orcharhino-proxy.network2.example.com:9090/features

    Replace orcharhino-proxy.network2.example.com with the FQDN of your orcharhino Proxy Server. Replace the port number with the port number you use.

Deploying the CA certificate on a host manually

You can deploy the CA certificate on the host manually by rendering a public provisioning template, which provides the CA certificate.

Prerequisites
  • You have root access on both your orcharhino Server and your host.

Procedure
  1. Download the certificate on your orcharhino Server:

    $ curl -o "orcharhino_ca_cert.crt" https://orcharhino.example.com/unattended/public/foreman_raw_ca

    Replace orcharhino.example.com with the FQDN of your orcharhino Server.

  2. Transfer the CA certificate to your host securely, for example by using scp.

  3. Log in to your host by using SSH.

  4. Copy the certificate to the Subscription Manager configuration directory:

    $ cp -u orcharhino_ca_cert.crt /etc/rhsm/ca/katello-server-ca.pem

  5. Copy the certificate to the truststore:

    • On CentOS Stream:

      $ cp orcharhino_ca_cert.crt /etc/pki/ca-trust/source/anchors

  6. Update the truststore:

    • On CentOS Stream:

      $ update-ca-trust

Verification
  • If the host can access orcharhino Server, the following command succeeds on your host:

    $ curl --head https://orcharhino.example.com

    Replace orcharhino.example.com with the FQDN of your orcharhino Server.

  • If the host can access orcharhino Proxy Server, the following command succeeds on your host:

    $ curl --head https://orcharhino-proxy.network2.example.com:9090/features

    Replace orcharhino-proxy.network2.example.com with the FQDN of your orcharhino Proxy Server. Replace the port number with the port number you use.
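
The manual procedure above, scripted end to end: the script checks that the copied file really is a PEM certificate, installs it into the Subscription Manager CA directory and the system trust store, rebuilds the trust store, and then runs the same curl verification. This is an added example and is not orcharhino or Foreman code. It goes beyond the page in detecting the trust-store layout of Red Hat-family, SUSE and Debian-family hosts rather than only CentOS Stream. The script name, the ROOT staging variable and the file name orcharhino_ca_cert.crt inside the anchors directory are assumptions.

```shell
#!/usr/bin/env bash
# refresh_ca.sh: install a new orcharhino CA certificate on a registered host.
# Added example, not orcharhino or Foreman code. Run as root on the host after
# copying the downloaded CA file there, for example:
#   ./refresh_ca.sh orcharhino.example.com /root/orcharhino_ca_cert.crt \
#       orcharhino-proxy.network2.example.com:9090
# ROOT (assumed staging prefix, default empty) lets you rehearse against a
# scratch directory tree; the trust store is only rebuilt when ROOT is empty.
set -u
ROOT="${ROOT:-}"

# Return 0 if FILE holds exactly one PEM-encoded X.509 certificate.
# openssl does a real parse when present; the marker check catches an HTML
# error page or an empty download either way.
is_pem_cert() {
  local f="$1"
  [ -s "$f" ] || return 1
  if command -v openssl >/dev/null 2>&1; then
    openssl x509 -noout -in "$f" >/dev/null 2>&1 || return 1
  fi
  [ "$(grep -c -- '-----BEGIN CERTIFICATE-----' "$f")" -eq 1 ] &&
    grep -q -- '-----END CERTIFICATE-----' "$f"
}

# Set TRUST_DIR and TRUST_UPDATE for this host's system trust store.
# Covers Red Hat-family (CentOS Stream, RHEL, Fedora), SUSE and Debian-family.
detect_truststore() {
  if [ -d "${ROOT}/etc/pki/ca-trust/source/anchors" ]; then
    TRUST_DIR="${ROOT}/etc/pki/ca-trust/source/anchors"
    TRUST_UPDATE="update-ca-trust"
  elif [ -d "${ROOT}/etc/pki/trust/anchors" ]; then
    TRUST_DIR="${ROOT}/etc/pki/trust/anchors"
    TRUST_UPDATE="update-ca-certificates"
  elif [ -d "${ROOT}/usr/local/share/ca-certificates" ]; then
    # Debian/Ubuntu only pick up files with a .crt extension here.
    TRUST_DIR="${ROOT}/usr/local/share/ca-certificates"
    TRUST_UPDATE="update-ca-certificates"
  else
    echo "no known trust store layout under '${ROOT}/'" >&2
    return 1
  fi
}

# Install CERT for Subscription Manager and the system trust store, then
# rebuild the trust store. install(1) always overwrites, unlike cp -u, which
# silently skips the copy when the existing file has a newer mtime.
install_ca() {
  local cert="$1"
  is_pem_cert "$cert" || { echo "not a PEM certificate: $cert" >&2; return 1; }
  detect_truststore || return 1
  install -m 0644 "$cert" "${ROOT}/etc/rhsm/ca/katello-server-ca.pem" || return 1
  install -m 0644 "$cert" "${TRUST_DIR}/orcharhino_ca_cert.crt" || return 1
  if [ -z "$ROOT" ]; then
    "$TRUST_UPDATE"
  else
    echo "staged under $ROOT; run $TRUST_UPDATE on the real host" >&2
  fi
}

# Confirm TLS to orcharhino Server (and, if given, HOST:PORT of orcharhino
# Proxy Server) now validates against the system trust store. curl rejects
# an untrusted or expired chain by default, so a non-zero exit means the
# refresh did not take effect.
verify_trust() {
  local server="$1" proxy="${2:-}"
  curl --silent --show-error --head --output /dev/null "https://${server}" || return 1
  if [ -n "$proxy" ]; then
    curl --silent --show-error --head --output /dev/null "https://${proxy}/features" || return 1
  fi
}

main() {
  [ "$#" -ge 2 ] || { echo "usage: $0 SERVER_FQDN CA_FILE [PROXY_FQDN:PORT]" >&2; return 2; }
  install_ca "$2" && verify_trust "$1" "${3:-}"
}

# Only act when invoked with arguments, so the file can also be sourced.
if [ "$#" -gt 0 ]; then
  main "$@"
fi
```

Rehearse with ROOT pointing at a scratch tree that contains empty etc/rhsm/ca and etc/pki/ca-trust/source/anchors directories before running it as root on a production host; the PEM check matters because a fetch of foreman_raw_ca that returns an error page would otherwise be copied over katello-server-ca.pem and break Subscription Manager.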

The text and illustrations on this page are licensed by ATIX AG under a Creative Commons Attribution Share Alike 4.0 International ("CC BY-SA 4.0") license. This page also contains text from the official Foreman documentation which uses the same license ("CC BY-SA 4.0").