Issue a dedicated TLS certificate for the Candlepin container hostname

foreman-certs generates certificates only for localhost and the server
FQDN. Now that Foreman connects to Candlepin via the bridge DNS name
"candlepin", TLS hostname validation fails against those certificates.
A dedicated certificate with SAN=candlepin, signed by the installer
CA, is generated using the openssl CLI (consistent with the rest of
the codebase).

The certificate validity is set to 7300 days (20 years), matching the
default used by puppet-certs (theforeman/puppet-certs manifests/init.pp
$expiration parameter). The signing step runs on every deployment to
ensure the certificate is always freshly dated, consistent with how
foreman-certs handles the other installer certificates.

The localhost certificate previously used by Candlepin's Tomcat is now
unused and removed:

- "localhost" dropped from certificates_hostnames — the certificates
  role no longer generates the cert.
- localhost_key / localhost_certificate removed from
  default_certificates.yml and installer_certificates.yml.

The healthcheck is updated to validate the new certificate instead of
skipping verification with --insecure. --resolve candlepin:23443:127.0.0.1
forces the connection to the loopback so it works in both bridge
networking (where other containers reach Candlepin by DNS name) and
host networking (where "candlepin" would not resolve via container DNS).

Tests are updated to route connectivity checks through the foreman
container (which shares the same bridge network as candlepin), to verify
against the new certificate, and to check candlepin_certificate expiry
instead of the now-removed localhost_certificate.

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>

Author: pablomh

development/roles/foreman_installer_certs/tasks/main.yml

@@ -14,3 +14,47 @@
 - name: Generate certs
   ansible.builtin.command: foreman-certs --apache true --foreman true --candlepin true
   changed_when: false
+
+# foreman-certs only generates certs for localhost and the server FQDN. Candlepin
+# runs in its own container and is reachable by other containers via the DNS name
+# "candlepin" on the bridge network. Foreman validates the TLS certificate hostname
+# when connecting to https://candlepin:23443, so a dedicated cert with SAN=candlepin
+# is required.
+- name: Create candlepin cert directory
+  ansible.builtin.file:
+    path: /root/ssl-build/candlepin
+    state: directory
+    mode: '0755'
+
+- name: Generate candlepin Tomcat private key
+  ansible.builtin.command: >
+    openssl genrsa
+      -out /root/ssl-build/candlepin/candlepin-tomcat.key
+      4096
+  args:
+    creates: /root/ssl-build/candlepin/candlepin-tomcat.key
+
+- name: Generate candlepin Tomcat certificate signing request
+  ansible.builtin.command: >
+    openssl req
+      -new
+      -key /root/ssl-build/candlepin/candlepin-tomcat.key
+      -subj "/CN=candlepin"
+      -addext "subjectAltName = DNS:candlepin"
+      -out /root/ssl-build/candlepin/candlepin-tomcat.csr
+  args:
+    creates: /root/ssl-build/candlepin/candlepin-tomcat.csr
+
+- name: Sign candlepin certificate with installer CA
+  ansible.builtin.command: >
+    openssl x509
+      -req
+      -in /root/ssl-build/candlepin/candlepin-tomcat.csr
+      -CA /root/ssl-build/katello-default-ca.crt
+      -CAkey /root/ssl-build/katello-default-ca.key
+      -CAcreateserial
+      -days 7300
+      -passin "file:/root/ssl-build/katello-default-ca.pwd"
+      -copy_extensions copy
+      -out /root/ssl-build/candlepin/candlepin-tomcat.crt
+  changed_when: true

src/roles/candlepin/tasks/main.yml

@@ -100,7 +100,7 @@
         After=foreman.target redis.service postgresql.service
         [Service]
         TimeoutStartSec=300
-    healthcheck: curl --fail --insecure https://localhost:23443/candlepin/status
+    healthcheck: curl --fail --cacert /etc/candlepin/certs/candlepin-ca.crt --resolve candlepin:23443:127.0.0.1 https://candlepin:23443/candlepin/status
     sdnotify: healthy
 
 - name: Run daemon reload to make Quadlet create the service files

src/vars/base.yaml

@@ -1,7 +1,7 @@
 ---
 certificates_hostnames:
   - "{{ ansible_facts['fqdn'] }}"
-  - localhost
+  - candlepin
 
 certificates_ca_password: "CHANGEME"
 candlepin_keystore_password: "CHANGEME"
@@ -10,8 +10,8 @@ candlepin_oauth_secret: "CHANGEME"
 candlepin_ca_key_password: "{{ ca_key_password }}"
 candlepin_ca_key: "{{ ca_key }}"
 candlepin_ca_certificate: "{{ ca_certificate }}"
-candlepin_tomcat_key: "{{ localhost_key }}"
-candlepin_tomcat_certificate: "{{ localhost_certificate }}"
+candlepin_tomcat_key: "{{ candlepin_key }}"
+candlepin_tomcat_certificate: "{{ candlepin_certificate }}"
 candlepin_client_key: "{{ client_key }}"
 candlepin_client_certificate: "{{ client_certificate }}"
 

src/vars/default_certificates.yml

@@ -9,5 +9,5 @@ server_ca_certificate: "{{ certificates_ca_directory }}/certs/ca.crt"
 client_certificate: "{{ certificates_ca_directory }}/certs/{{ ansible_facts['fqdn'] }}-client.crt"
 client_key: "{{ certificates_ca_directory }}/private/{{ ansible_facts['fqdn'] }}-client.key"
 client_ca_certificate: "{{ certificates_ca_directory }}/certs/ca.crt"
-localhost_key: "{{ certificates_ca_directory }}/private/localhost.key"
-localhost_certificate: "{{ certificates_ca_directory }}/certs/localhost.crt"
+candlepin_key: "{{ certificates_ca_directory }}/private/candlepin.key"
+candlepin_certificate: "{{ certificates_ca_directory }}/certs/candlepin.crt"

src/vars/installer_certificates.yml

@@ -8,5 +8,5 @@ server_ca_certificate: "/root/ssl-build/katello-server-ca.crt"
 client_certificate: "/root/ssl-build/{{ ansible_facts['fqdn'] }}/{{ ansible_facts['fqdn'] }}-foreman-client.crt"
 client_key: "/root/ssl-build/{{ ansible_facts['fqdn'] }}/{{ ansible_facts['fqdn'] }}-foreman-client.key"
 client_ca_certificate: "{{ ca_certificate }}"
-localhost_key: "/root/ssl-build/localhost/localhost-tomcat.key"
-localhost_certificate: "/root/ssl-build/localhost/localhost-tomcat.crt"
+candlepin_key: "/root/ssl-build/candlepin/candlepin-tomcat.key"
+candlepin_certificate: "/root/ssl-build/candlepin/candlepin-tomcat.crt"

tests/candlepin_test.py

@@ -1,5 +1,3 @@
-import re
-
 
 def assert_secret_content(server, secret_name, secret_value):
     secret = server.run(f'podman secret inspect --format {"{{.SecretData}}"} --showsecret {secret_name}')
@@ -12,24 +10,14 @@ def test_candlepin_service(server):
     assert candlepin.is_running
 
 
-def test_candlepin_port(server):
-    candlepin = server.addr("localhost")
-    assert candlepin.port("23443").is_reachable
-
-
-def test_candlepin_status(server, certificates):
-    status = server.run(f"curl --cacert {certificates['ca_certificate']} --resolve candlepin:23443:127.0.0.1 --silent --output /dev/null --write-out '%{{http_code}}' https://candlepin:23443/candlepin/status")
+def test_candlepin_status(server):
+    status = server.run("podman exec foreman curl --cacert /etc/foreman/katello-default-ca.crt --silent --output /dev/null --write-out '%{http_code}' https://candlepin:23443/candlepin/status")
     assert status.succeeded
     assert status.stdout == '200'
 
 
-def test_artemis_port(server):
-    candlepin = server.addr("localhost")
-    assert candlepin.port("61613").is_reachable
-
-
-def test_artemis_auth(server, certificates):
-    cmd = server.run(f'echo "" | openssl s_client -CAfile {certificates["ca_certificate"]} -cert {certificates["client_certificate"]} -key {certificates["client_key"]} -connect 127.0.0.1:61613 -servername candlepin')
+def test_artemis_auth(server):
+    cmd = server.run('podman exec foreman bash -c \'echo "" | openssl s_client -CAfile /etc/foreman/katello-default-ca.crt -cert /etc/foreman/client_cert.pem -key /etc/foreman/client_key.pem -connect candlepin:61613 -servername candlepin\'')
     assert cmd.succeeded, f"exit: {cmd.rc}\n\nstdout:\n{cmd.stdout}\n\nstderr:\n{cmd.stderr}"
 
 
@@ -40,21 +28,16 @@ def test_certs_users_file(server, certificates):
 
 
 def test_tls(server):
-    result = server.run('nmap -sT --script +ssl-enum-ciphers localhost -p 23443')
-    result = result.stdout
-    # We don't enable TLSv1.3 by default yet. TLSv1.3 support was added in tomcat 7.0.92
-    # But tomcat 7.0.76 is the latest version available on EL7
-    assert "TLSv1.3" not in result
-
-    # Test that TLSv1.2 is enabled
-    assert "TLSv1.2" in result
+    ca = '/etc/foreman/katello-default-ca.crt'
 
-    # Test that older TLS versions are disabled
-    assert "TLSv1.1" not in result
-    assert "TLSv1.0" not in result
+    # TLSv1.2 should be enabled
+    result = server.run(f'podman exec foreman bash -c "echo Q | openssl s_client -connect candlepin:23443 -tls1_2 -CAfile {ca} 2>&1"')
+    assert "Cipher is" in result.stdout, f"TLSv1.2 not available:\n{result.stdout}"
 
-    # Test that the least cipher strength is "strong" or "A"
-    assert "least strength: A" in result
+    # TLSv1.3, TLSv1.1 and TLSv1.0 should be disabled
+    for flag in ['-tls1_3', '-tls1_1', '-tls1']:
+        result = server.run(f'podman exec foreman bash -c "echo Q | openssl s_client -connect candlepin:23443 {flag} -CAfile {ca} 2>&1"')
+        assert result.rc != 0, f"TLS version ({flag}) should be disabled:\n{result.stdout}"
 
 
 def test_cert_roles(server):

tests/certificates_test.py

@@ -6,7 +6,7 @@ def certificate_info(server, certificate):
     openssl_result = server.run(f"openssl x509 -in {certificate} -noout -enddate -dateopt iso_8601 -subject -issuer")
     return dict([x.split('=', 1) for x in openssl_result.stdout.splitlines()])
 
-@pytest.mark.parametrize("certificate_type", ['ca_certificate', 'server_certificate', 'client_certificate', 'localhost_certificate'])
+@pytest.mark.parametrize("certificate_type", ['ca_certificate', 'server_certificate', 'client_certificate', 'candlepin_certificate'])
 def test_certificate_expiry(server, certificates, certificate_type):
     openssl_data = certificate_info(server, certificates[certificate_type])
     not_after = dateutil.parser.parse(openssl_data['notAfter'])