Certificate verification failed - debian/rpi repo

Problem:
Raspberry Pi devices report: Certificate verification failed: The certificate is NOT trusted. The certificate issuer is unknown. Could not handshake: Error in the certificate verification.

Expected outcome:
Updates download and process successfully

Foreman and Proxy versions:

Foreman and Proxy plugin versions:
3.10
Distribution and version:
rhel8.10

Other relevant data:
The rpi has been registered with Foreman and Puppet based on this topic. I have the repo created and downloaded, and I can browse the content. The Pi shows as a host under all hosts and is green, and checks in with Puppet.

  • What background do you have with Foreman? - I am very new to Foreman, using this tool for ~6 months or so. I have ~30 RHEL assets under patch management with Katello.
  • What are you trying to achieve? - None of our rpis have internet access. I am trying to set up an offline repository that all of our rpis can reach and use.
  • What have you tried yet? - I’ve been working through apt-secure(8) (as suggested from debian). apt update barfs saying failed to fetch information. Could not handshake on apt update.
  • Where does your problem happen? - on raspberry pi devices
  • How can anyone reproduce the problem? - I’m not certain. Creating the repo and trying to get the Pi to update?
  • Which version of Foreman do you use? 3.10

At this point, I don’t know where to look to solve the problem. The Pi says “The certificate issuer is unknown.” I’m not certain which certificate, as I have tried to import the Raspbian certificate and export a GPG key based on step 2 here. I’ve been beating on this for a few days and don’t know where else to look to solve this.

After taking a quick look at the linked thread, your problem is most likely that the RPis are not trusting the Katello CA. The linked document only talks about Foreman without Katello from what I can see, so they never set up the necessary parts for getting repositories from Katello.

I am not super familiar with Debian/rpiOS, but it should just be:

  • Download the CA Certificate from http://yourforeman/pub/katello-server-ca.crt
  • Put it somewhere under /usr/local/share/ca-certificates/
  • Run update-ca-certificates

Just a side note, but to save future you some manual work and trouble, you might want to take a look at global registration. This feature is supposed to make integration of already installed systems into Foreman much easier. I cannot tell if the default templates work out of the box for your use-cases, but they can easily be extended/altered if needed. Just make sure you do not directly modify the locked default templates since changes to those will get overridden during upgrades.

2 Likes
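The three steps from the answer above, as an added example script that is not part of the original thread. It assumes you have a SHA-256 of the CA file computed on the Foreman server and passed to the client out of band, since the download runs over plain HTTP; the script name, the hash argument and the `verify_and_stage` helper are hypothetical.

```sh
#!/bin/sh
# Added example: trust the Katello CA on a Debian / Raspberry Pi OS client.
# The Foreman URL and the pinned hash are supplied by the caller (assumptions).

CA_NAME="katello-server-ca.crt"   # update-ca-certificates only picks up *.crt files

# verify_and_stage SRC EXPECTED_SHA256 DEST_DIR
# Copies SRC to DEST_DIR/$CA_NAME only if it is a PEM certificate and its
# SHA-256 matches the value obtained out of band from the Foreman server.
verify_and_stage() {
    src=$1; expected=$2; dest_dir=$3

    [ -s "$src" ] || { echo "missing or empty: $src" >&2; return 1; }

    # update-ca-certificates expects PEM, not DER
    grep -q -- '-----BEGIN CERTIFICATE-----' "$src" || {
        echo "not a PEM certificate: $src" >&2; return 1; }

    actual=$(sha256sum "$src" | cut -d' ' -f1)
    [ "$actual" = "$expected" ] || {
        echo "hash mismatch: got $actual" >&2; return 1; }

    install -m 0644 "$src" "$dest_dir/$CA_NAME"
}

main() {
    foreman_url=$1; expected=$2
    tmp=$(mktemp) || return 1
    # Plain HTTP cannot authenticate the file; the hash comparison does.
    curl -fsS -o "$tmp" "$foreman_url/pub/$CA_NAME" \
        && verify_and_stage "$tmp" "$expected" /usr/local/share/ca-certificates \
        && update-ca-certificates
    rc=$?
    rm -f "$tmp"
    return $rc
}

# Usage (as root): ./install-katello-ca.sh http://yourforeman <sha256-from-server>
if [ "$#" -eq 2 ]; then main "$@"; fi
```

After it succeeds, `apt update` against the Katello repository should complete the TLS handshake; a hash mismatch leaves the system trust store untouched.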

Thank you for a concise answer. I sincerely appreciate it. I think I’m on the right path as I’m no longer getting errors about trust.

Once I can wrap my head around how I can use global registration, that will probably make life a lot easier for these RPis.