Applied 3.11.4 update to existing 3.11.2 install, now foreman-installer is erroring out

Problem:

After applying the 3.11.4 update to an existing 3.11.2 install, foreman-installer is now failing.

[root@tsbmoforeman02q usr]# foreman-installer
2024-11-01 10:35:47 [NOTICE] [root] Loading installer configuration. This will take some time.
2024-11-01 10:35:50 [NOTICE] [root] Running installer with log based terminal output at level NOTICE.
2024-11-01 10:35:50 [NOTICE] [root] Use -l to set the terminal output log level to ERROR, WARN, NOTICE, INFO, or DEBUG. See --full-help for definitions.
Checking server certificate encoding:
[OK]

Checking expiration of certificate:
[OK]

Checking expiration of CA bundle:
[OK]

Checking if server certificate has CA:TRUE flag
[OK]

Checking for private key passphrase:
[OK]

Checking to see if the private key matches the certificate:
[OK]

Checking CA bundle against the certificate file:
[FAIL]

The /root/ssl-cert/foremanqa.jkhy.com/foremanqa.jkhy.com.cacrt does not verify the /root/ssl-cert/foremanqa.jkhy.com/foremanqa.jkhy.com.crt
verify: Option unknown option -no-CAstore
verify: Use -help for summary.

Checking CA bundle size: 2
[OK]

Checking if CA bundle has trust rules: 0
[OK]

Checking Subject Alt Name on certificate
[OK]

Checking if any Subject Alt Name on certificate matches the Subject CN
[OK]

Checking Key Usage extension on certificate for Key Encipherment
[OK]

Checking for use of shortname as CN
[OK]


2024-11-01 10:35:53 [ERROR ] [root] Checking server certificate encoding:
[OK]

Checking expiration of certificate:
[OK]

Checking expiration of CA bundle:
[OK]

Checking if server certificate has CA:TRUE flag
[OK]

Checking for private key passphrase:
[OK]

Checking to see if the private key matches the certificate:
[OK]

Checking CA bundle against the certificate file:
[FAIL]

The /root/ssl-cert/foremanqa.jkhy.com/foremanqa.jkhy.com.cacrt does not verify the /root/ssl-cert/foremanqa.jkhy.com/foremanqa.jkhy.com.crt
verify: Option unknown option -no-CAstore
verify: Use -help for summary.

Checking CA bundle size: 2
[OK]

Checking if CA bundle has trust rules: 0
[OK]

Checking Subject Alt Name on certificate
[OK]

Checking if any Subject Alt Name on certificate matches the Subject CN
[OK]

Checking Key Usage extension on certificate for Key Encipherment
[OK]

Checking for use of shortname as CN
[OK]

Expected outcome:

I expect foreman-installer to execute to successful completion

Foreman and Proxy versions:

Foreman version 3.11.4

Foreman and Proxy plugin versions:

foreman-tasks 9.1.1
foreman_ansible 14.0.0
foreman_puppet 7.0.0
foreman_remote_execution 13.1.0
katello 4.13.1

Distribution and version:

AlmaLinux 8.10

Other relevant data:
Noted that line 160 in /usr/sbin/katello-certs-check changed from

CHECK=$(openssl verify -CAfile $CA_BUNDLE_FILE -purpose sslserver -verbose $CERT_FILE 2>&1)

to

CHECK=$(openssl verify -no-CApath -no-CAstore -CAfile $CA_BUNDLE_FILE -purpose sslserver -verbose $CERT_FILE 2>&1)

I modified line 160 in /usr/sbin/katello-certs-check to

CHECK=$(openssl verify -no-CApath -CAfile $CA_BUNDLE_FILE -purpose sslserver -verbose $CERT_FILE 2>&1)

foreman-installer now runs as expected. I assume this issue needs to be reported as a bug.

4 Likes

I did some further research and I believe that the code change that occurred in the 3.11.4 change is expecting openssl v3 or higher which ships with EL9. EL8 Linux is still using openssl 1.1.1.
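The failure above comes down to one openssl verify option: -no-CAstore was introduced in OpenSSL 3.0, so the updated katello-certs-check line errors out on EL8's OpenSSL 1.1.1, while -no-CApath exists on both. The following script is an added example, not code from the Foreman or Katello project; it probes "openssl verify -help" for the option instead of hard-coding it, then verifies a certificate against a CA bundle in the same way the line quoted in the first post does (-CAfile, -purpose sslserver, system trust store excluded). The function names (verify_opts, check_ca_bundle, demo_check) and the throwaway CA, unrelated CA and server certificate it generates are this example's own constructed test data.

```shell
#!/bin/sh
# Added example (not part of katello-certs-check or Foreman). Chooses the
# "openssl verify" options that exclude the system trust store on both
# OpenSSL 1.1.1 (EL8) and OpenSSL 3.x (EL9): -no-CAstore only exists in
# 3.0 and later; -no-CApath exists in both. With -CAfile given, openssl
# does not load its default CA file, so -no-CAfile is not needed.

# verify_opts <text of "openssl verify -help"> -> prints the option list
verify_opts() {
    if printf '%s\n' "$1" | grep -q -- '-no-CAstore'; then
        printf '%s\n' "-no-CApath -no-CAstore"
    else
        printf '%s\n' "-no-CApath"
    fi
}

# check_ca_bundle <ca bundle> <cert> -> exit 0 only if cert chains to bundle
check_ca_bundle() {
    ca_bundle=$1
    cert=$2
    # "|| true": -help may exit non-zero on 1.1.1, which would trip set -e
    opts=$(verify_opts "$(openssl verify -help 2>&1 || true)")
    # shellcheck disable=SC2086  # $opts is intentionally word-split
    openssl verify $opts -CAfile "$ca_bundle" -purpose sslserver \
        -verbose "$cert" >/dev/null 2>&1
}

# demo_check -> builds constructed test data (two throwaway CAs and a server
# cert signed by the first) and returns 0 if the right bundle verifies the
# cert and the unrelated bundle is rejected.
demo_check() {
    tmp=$(mktemp -d) || return 1
    cat > "$tmp/ca.cnf" <<'EOF'
[req]
distinguished_name = dn
x509_extensions = v3_ca
prompt = no
[dn]
CN = Example Test CA
[v3_ca]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
EOF
    cat > "$tmp/leaf.ext" <<'EOF'
basicConstraints = CA:FALSE
keyUsage = digitalSignature,keyEncipherment
extendedKeyUsage = serverAuth
subjectAltName = DNS:foreman.example.test
EOF
    # Two self-signed CAs; only "ca" will sign the server certificate.
    for name in ca unrelated; do
        openssl req -x509 -new -newkey ec -pkeyopt ec_paramgen_curve:prime256v1 \
            -nodes -keyout "$tmp/$name.key" -out "$tmp/$name.crt" -days 1 \
            -config "$tmp/ca.cnf" -subj "/CN=$name test CA" >/dev/null 2>&1 \
            || { rm -rf "$tmp"; return 1; }
    done
    # Server key + CSR, then sign it with the first CA and leaf extensions.
    openssl req -new -newkey ec -pkeyopt ec_paramgen_curve:prime256v1 -nodes \
        -keyout "$tmp/srv.key" -out "$tmp/srv.csr" -config "$tmp/ca.cnf" \
        -subj "/CN=foreman.example.test" >/dev/null 2>&1 \
        || { rm -rf "$tmp"; return 1; }
    openssl x509 -req -in "$tmp/srv.csr" -CA "$tmp/ca.crt" -CAkey "$tmp/ca.key" \
        -CAcreateserial -out "$tmp/srv.crt" -days 1 -extfile "$tmp/leaf.ext" \
        >/dev/null 2>&1 || { rm -rf "$tmp"; return 1; }
    # Positive case: correct bundle must verify.
    check_ca_bundle "$tmp/ca.crt" "$tmp/srv.crt" || { rm -rf "$tmp"; return 1; }
    # Negative case: an unrelated bundle must be rejected.
    if check_ca_bundle "$tmp/unrelated.crt" "$tmp/srv.crt"; then
        rm -rf "$tmp"; return 1
    fi
    rm -rf "$tmp"
    return 0
}
```

Probing the help text rather than the version string also keeps LibreSSL (which reports a 3.x version but lacks -no-CAstore) on the safe branch. Dropping -no-CAstore on EL8, as done in the first post, is equivalent to what verify_opts produces there, since OpenSSL 1.1.1 has no store lookup to exclude; on EL9 the option is still wanted so that a certificate chaining to the system trust store cannot pass a check that is meant to test only the supplied CA bundle.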

Thank you for sharing this. I had the same experience after updating. Removing that openssl option from katello-certs-check allowed foreman-installer to complete.

1 Like

Hi,

Will a fix for this issue be available?

Thank you

Consider upgrading to EL9 now. EL8 support is deprecated, so I guess the problem will solve itself soon anyway.

Ok, but before upgrading to EL9 I should upgrade to the latest version on EL8, shouldn't I? Which is not possible now.
After so much pain with upgrading from EL7 to EL8, I would wait a bit with the upgrade to EL9, but I suspect that it is going to be necessary in the near future anyway.

You should upgrade to the latest version of EL8 anyway and never keep it behind. What keeps you from updating to the latest 8.10?

I reported the bug to the github repo and the devs are working it.

This bug. When I run dnf upgrade and then foreman-installer, it ends with error.

Thank you very much

Just manually remove the option from the script after the update and then run foreman-installer. Then upgrade to EL9.