Conversation

@aneta-petrova (Member)

What changes are you introducing?

Adding details on how to obtain the CA bundle for MCP server.

Why are you introducing these changes? (Explanation, links to references, issues, etc.)

https://issues.redhat.com/browse/SAT-39417#

Anything else to add? (Considerations, potential downsides, alternative solutions you have explored, etc.)

N/A

Contributor checklists

  • I am okay with my commits getting squashed when you merge this PR.
  • I am familiar with the contributing guidelines.

Please cherry-pick my commits into:

  • Foreman 3.16/Katello 4.18 (Satellite 6.18)
  • Foreman 3.15/Katello 4.17
  • Foreman 3.14/Katello 4.16 (Satellite 6.17; orcharhino 7.4)
  • Foreman 3.13/Katello 4.15 (EL9 only)
  • Foreman 3.12/Katello 4.14 (Satellite 6.16; orcharhino 7.2 on EL9 only; orcharhino 7.3)
  • Foreman 3.11/Katello 4.13 (orcharhino 6.11 on EL8 only; orcharhino 7.0 on EL8+EL9; orcharhino 7.1 with Leapp)
  • Foreman 3.10/Katello 4.12
  • Foreman 3.9/Katello 4.11 (Satellite 6.15; orcharhino 6.8/6.9/6.10)
  • We do not accept PRs for Foreman older than 3.9.

github-actions bot added the labels Needs tech review (requires a review from the technical perspective), Needs style review (requires a review from docs style/grammar perspective) and Needs testing (requires functional testing) on Oct 24, 2025.
aneta-petrova removed the Needs testing (requires functional testing) label on Oct 24, 2025.
github-actions bot commented Oct 24, 2025:

endif::[]
* The CA bundle for your {Project} is available on the system.
* The CA bundle for your {Project} is available on your system.
If you are using the default self-signed {Project} certificate, the CA bundle is located at `_{foreman-example-com}_/pub/katello-server-ca.crt`.
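Review bot: the added last line points readers at `_{foreman-example-com}_/pub/katello-server-ca.crt`, but the preceding `endif::[]` shows this bullet sits outside any conditional, and the `/pub` location only exists when Katello is installed (see the Member comment below), so the sentence should be wrapped in `ifdef::katello,satellite,orcharhino[]` ... `endif::[]`, or the plain-Foreman case should get its own wording. The thread also has not settled which file is the right one (the Apache `SSLCACertificateFile`, the `/pub` copy and the `ssl_ca_file` setting are reported as identical only on a default installation), so consider naming the setting under Administer > Settings > Authentication as the authoritative source rather than a fixed path.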
Contributor:

I thought we wanted to get rid of the CA cert being served under /pub. Or was it just the katello-ca-consumer RPM?

Member Author:

All I can say is that this is where I found it 🙃

Contributor:

Would this template help? app/views/unattended/provisioning_templates/registration/foreman_raw_ca.erb in foreman.

Member Author:

Or is it /etc/rhsm/ca/katello-server-ca.pem?

Well, all I can say now is that I'm really happy we got that bug report. @adamruzicka What is the exact certificate required to start an MCP server and from where should an admin obtain it?

Member:

The /pub location is only available in Katello so if anything, it needs to be hidden behind ifdef::katello,satellite,orcharhino[].

@Lennonka (Contributor) commented Oct 28, 2025:

I wonder if it could be the same SSL CA file that users can find by navigating to Administer > Settings > Authentication and locating the value of the SSL CA file setting. But I'm not sure.
This SSL CA file is used to configure hosts for a secured registration call.

Contributor:

> What is the exact certificate required to start an MCP server

Broadly speaking, it should be the certificate of a certification authority which signed the cert that is used to secure Foreman's webui.

If admin access is available, then personally I would resort to this one-liner and grab whatever it gives me:

# cat /etc/httpd/conf.d/05-foreman-ssl.conf | awk -F '"' '/SSLCACertificateFile/ { print $2 }'
/etc/pki/katello/certs/katello-default-ca.crt

On a default installation, this is the same thing (same content, but completely individual files with different ownership and permissions, no links or anything) that ends up in /pub as well as the thing pointed at by Administer > Settings > Authentication > SSL CA File.

# diff /etc/pki/katello/certs/katello-default-ca.crt /var/www/html/pub/katello-server-ca.crt && echo same
same

# hammer setting info --name ssl_ca_file | grep Value
Value:         /etc/foreman/proxy_ca.pem

# diff /etc/pki/katello/certs/katello-default-ca.crt /etc/foreman/proxy_ca.pem && echo same
same

> Would this template help? app/views/unattended/provisioning_templates/registration/foreman_raw_ca.erb in foreman.

Sort of. If we can have the user render it in a preview or something and then copy the result, then that would probably be the easiest non-admin way of going about it.

> I wonder if it could be the same SSL CA file that users can find

On a default installation that seems to be the one too, but I can't really vouch for it.

> Or is it /etc/rhsm/ca/katello-server-ca.pem?

That would be on the managed host?
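The checks in the comment above (read `SSLCACertificateFile` out of the Apache config, then diff the candidates against it) can be turned into a small script an admin can run before handing a file to an MCP server as its CA bundle. The following is an added example written for this thread; it is not code from the PR or from the Foreman project. All paths, the config snippet and the certificate text are constructed placeholders so the script runs offline; on a real server the functions would be called with `/etc/httpd/conf.d/05-foreman-ssl.conf` and the files named in the thread.

```shell
#!/bin/sh
# Added example (not from the PR or the Foreman project): locate the CA file
# that the Apache vhost is configured with and verify that the other candidate
# copies (the /pub copy and the file behind the ssl_ca_file setting) carry
# identical content before one of them is used as an MCP server CA bundle.
# Directory layout, config snippet and certificate text are constructed so the
# script runs offline; on a real server pass the real paths instead.

# Print the path named by the first SSLCACertificateFile directive in an
# httpd config file (the same awk idea as the one-liner in the thread).
ssl_ca_file_from_conf() {
    awk -F '"' '/SSLCACertificateFile/ { print $2; exit }' "$1"
}

# Byte-compare a reference file with every other file given. Prints "same"
# and returns 0 when all match; prints the first differing path and returns 1.
# cmp is used rather than diff so a DER-encoded copy would be handled too.
all_same() {
    ref=$1
    shift
    for f in "$@"; do
        if ! cmp -s "$ref" "$f"; then
            echo "differs: $f"
            return 1
        fi
    done
    echo same
    return 0
}

# Create a constructed tree mimicking the default layout from the thread and
# print its root. The certificate body is a placeholder, not a real CA.
make_demo_tree() {
    d=$(mktemp -d)
    mkdir -p "$d/conf.d" "$d/certs" "$d/pub" "$d/foreman"
    printf '%s\n' '-----BEGIN CERTIFICATE-----' \
        'CONSTRUCTED-PLACEHOLDER-NOT-A-REAL-CA' \
        '-----END CERTIFICATE-----' > "$d/certs/katello-default-ca.crt"
    cp "$d/certs/katello-default-ca.crt" "$d/pub/katello-server-ca.crt"
    cp "$d/certs/katello-default-ca.crt" "$d/foreman/proxy_ca.pem"
    printf '%s\n' '<VirtualHost *:443>' \
        "  SSLCACertificateFile \"$d/certs/katello-default-ca.crt\"" \
        '</VirtualHost>' > "$d/conf.d/05-foreman-ssl.conf"
    echo "$d"
}

# Stand-alone run against the constructed tree.
demo() {
    root=$(make_demo_tree)
    ca=$(ssl_ca_file_from_conf "$root/conf.d/05-foreman-ssl.conf")
    echo "Apache CA file: $ca"
    all_same "$ca" "$root/pub/katello-server-ca.crt" "$root/foreman/proxy_ca.pem"
    rm -rf "$root"
}

demo
```

On a real installation the `ssl_ca_file` path would come from `hammer setting info --name ssl_ca_file` as shown in the thread, and `openssl x509 -in "$ca" -noout -subject -enddate` on the extracted path confirms it is the expected CA certificate and has not expired before the file is copied anywhere. A non-zero exit from `all_same` means the copies have drifted and the Apache-configured file, not the `/pub` copy, is the one to trust.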
