We install certs from Let’s Encrypt on all of our servers. These certs are all encrypted with the ECDSA-with-SHA384 algorithm. I’m trying to use one of these certs in the Foreman install, but foreman-install fails with:
Checking to see if the private key matches the certificate:
140503473518400:error:0607907F:digital envelope routines:EVP_PKEY_get0_RSA:expecting an rsa key:crypto/evp/p_lib.c:469:
[FAIL]
The /etc/letsencrypt/<myhost.mydomain>_ecc/<myhost.mydomain>.key does not match the /etc/letsencrypt/<myhost.mydomain>/<myhost.mydomain>.cer
Checking CA bundle against the certificate file:
[FAIL]
The /etc/letsencrypt/chief.middlebury.edu_ecc/ca.cer does not verify the /etc/letsencrypt/chief.middlebury.edu_ecc/chief.middlebury.edu.cer
C = US, O = Let's Encrypt, CN = E5
error 2 at 1 depth lookup: unable to get issuer certificate
error /etc/letsencrypt/<myhost.mydomain>_ecc/<myhost.mydomain>.cer: verification failed
The “key does not match the cert” error puzzled me, since this a new, perfectly valid cert, until I saw the expecting an rsa key message. Does Foreman require RSA only? Can it be configured to work with ECDSA, or do I need to regenerate a special cert with RSA for our Foreman server?
There doesn’t seem to be a private key in the file.
It’s difficult to tell anything if you don’t post the exact foreman-installer command you are using.
It’s best to follow the docs, in particular the check with katello-certs-check before running foreman-installer. Run katello-certs-check and post the output.
That can’t be right. Either 3.11 with 4.13 or 3.12 with 4.14. If those are really your versions you are doomed anyway…
This is working now. I reinstalled the cert from Let’s Encrypt, specifying an RSA cert this time. If I need to do this again, I’ll try applying the patch for ECC.
Also, I’ve fixed the cert issues with katello-certs-check (actually opennssl verify). The cert is working correctly now. (And we are running Katello 4.13 – that was a typo.)
It was the persistent error that the CA file did not verify the cert. I finally fixed that by editing the ca file from Let’s Encrypt to include the system CA file. (The system CA file had 150+ entries, which katello-certs-check didn’t like, so I had to edit it further to figure out which entries solved the issue and which ones I could delete.)
what did ca.cer contain by before that?
Only C = US, O = Let's Encrypt, CN = E5 signed by C = US, O = Internet Security Research Group, CN = ISRG Root X1? But not the self-signed root x1, right?
Ok, according to openssl-verification-options(1ssl), OpenSSL accepts a cert as a trust anchor if it’s self-signed (which the E5 is not) or the “-partial_chain option is given (which corresponds to the X509_V_FLAG_PARTIAL_CHAIN flag being set)”.
