Commercial CA cert - verify fails during foreman-installer

CentOS 7.9, Foreman release 2.3 for el7.


For the running of foreman-installer, I provide a commercial CA (DigiCert) signed certificate. Near the end, the installer is failing a cert verification when trying to query(?) for a proxy server:

    2021-01-28 06:16:19 [NOTICE] [configure] 1300 out of 1372 done.
    2021-01-28 06:16:20 [ERROR ] [configure] /Stage[main]/Foreman_proxy::Register/Foreman_smartproxy[]: Could not evaluate: Exception SSL_connect returned=1 errno=0 state=error: certificate verify failed (unable to get local issuer certificate) in get request to:

Expected outcome:

The system CA store is updated with the latest ca/cacert.pem from cURL, and the DigiCert chain certificates for our certificate. After adding those updates, update-ca-trust is run.

I’ve also tried supplementing that by adding the chain certs in the same file as our cert, that I’m pointing foreman-installer to. No luck.

These are the arguments passed:

    --enable-foreman-cli-azure --enable-foreman-plugin-azure --enable-foreman-compute-ec2
    --enable-foreman-plugin-chef --enable-foreman-proxy-plugin-chef 
    --foreman-proxy-ssl-cert=<same as above>
    --foreman-proxy-ssl-key=<same as above>
    --foreman-websockets-ssl-cert=<same as above>
    --foreman-websockets-ssl-key=<same as above>

Run on the foreman host, the cURL command shown below behaves properly and finds the authority chain it needs to validate the certificate. It’s calling the same URL the installer attempts to call - making the problem something weird on the “client” (/Stage[main]/Foreman_proxy::Register/Foreman_smartproxy[]?) side of the HTTP request?

Maybe Ruby(?) is using a different CA store than the one at /etc/pki/ca-trust/...?

    [vagrant@foreman ~]$ curl
    { "error": {"message":"Unable to authenticate user "} } // expected error

I guess to be more direct, the expected outcome is that the cert verification would pass as it does for cURL here.

Foreman and Proxy versions:

Foreman 2.3. I honestly don’t know what the proxy version is. Nothing else beyond what is shown above is set up.

Foreman and Proxy plugin versions:

Sorry, I don’t know this.

Distribution and version:


Other relevant data:

  • /var/log/foreman/production.log - Except for the successful call from cURL, nothing obviously relevant
  • /var/log/foreman-installer/foreman.log - Shows the same SSL cert error as the console.
  • /var/log/foreman-proxy/proxy.log - Looks normal and healthy. Shows WEBrick starting up, reading proper SSL cert, then waiting for connections.

Maybe not relevant, but I’m building out a chef cookbook to do all that is described here, so it’s pretty easy to blow away a busted install and try a different approach.

Any suggestions would be appreciated.
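As an added diagnostic that is not part of the post or of Foreman itself, this Ruby script (the failing registration step runs in Ruby) reports where Ruby's OpenSSL looks for its default trust store, which bears on the question above about Ruby using a different CA store, and reproduces the exact "unable to get local issuer certificate" failure with a constructed root/intermediate/leaf chain, then shows it clearing when the intermediate is either presented in the chain or added to the trust store. The CNs and keys are constructed test data; OpenSSL::X509::DEFAULT_CERT_FILE, DEFAULT_CERT_DIR and the SSL_CERT_FILE/SSL_CERT_DIR variables are the real OpenSSL names.

```ruby
require 'openssl'

# Constructed test data: a root -> intermediate -> leaf chain built in memory so
# the check runs offline; it stands in for the DigiCert chain in the post.
def make_cert(cn, key, issuer: nil, issuer_key: nil, ca: false)
  cert = OpenSSL::X509::Certificate.new
  cert.version = 2 # X.509v3, so extensions are allowed
  cert.serial = rand(1 << 62)
  cert.subject = OpenSSL::X509::Name.parse("/CN=#{cn}")
  cert.issuer = issuer ? issuer.subject : cert.subject
  cert.public_key = key.public_key
  cert.not_before = Time.now - 60
  cert.not_after = Time.now + 3600
  ef = OpenSSL::X509::ExtensionFactory.new(issuer || cert, cert)
  cert.add_extension(ef.create_extension('basicConstraints', ca ? 'CA:TRUE' : 'CA:FALSE', true))
  cert.sign(issuer_key || key, OpenSSL::Digest.new('SHA256')) # returns cert
end

ROOT_KEY, INT_KEY, LEAF_KEY = Array.new(3) { OpenSSL::PKey::RSA.new(2048) }
ROOT = make_cert('Test Root CA', ROOT_KEY, ca: true)
INTERMEDIATE = make_cert('Test Intermediate CA', INT_KEY, issuer: ROOT, issuer_key: ROOT_KEY, ca: true)
LEAF = make_cert('foreman.example.test', LEAF_KEY, issuer: INTERMEDIATE, issuer_key: INT_KEY)

# Where Ruby's OpenSSL looks for trusted CAs when a store calls set_default_paths;
# SSL_CERT_FILE / SSL_CERT_DIR in the environment override the compiled-in defaults.
def ruby_ca_store_paths
  { default_file: OpenSSL::X509::DEFAULT_CERT_FILE,
    default_dir: OpenSSL::X509::DEFAULT_CERT_DIR,
    env_file: ENV['SSL_CERT_FILE'], env_dir: ENV['SSL_CERT_DIR'] }
end

# Verify `leaf` against the `trusted` anchors, with `chain` as the untrusted
# intermediates a server would present in the TLS handshake. Returns
# [ok, error_string]; the string is the same text OpenSSL put in the installer log.
def verify_chain(leaf, trusted:, chain: [])
  store = OpenSSL::X509::Store.new
  trusted.each { |c| store.add_cert(c) }
  ok = store.verify(leaf, chain)
  [ok, ok ? nil : store.error_string]
end

if $PROGRAM_NAME == __FILE__
  p ruby_ca_store_paths
  p verify_chain(LEAF, trusted: [ROOT])                        # intermediate missing -> fails
  p verify_chain(LEAF, trusted: [ROOT], chain: [INTERMEDIATE]) # server sends the chain -> ok
  p verify_chain(LEAF, trusted: [ROOT, INTERMEDIATE])          # intermediate in trust store -> ok
end
```

Compare the reported default paths with /etc/pki/ca-trust/... on the host; if they differ, the bundle that update-ca-trust regenerates is not the one this Ruby is consulting.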