Could not evaluate: Exception SSL_connect returned=1 errno=0 state=error: certificate verify failed (self signed certificate in certificate chain)

kailash · November 28, 2021, 11:21am

Problem: Could not evaluate: Exception SSL_connect returned=1 errno=0 state=error: certificate verify failed (self signed certificate in certificate chain)

Expected outcome: Foreman installer should use custom certificate

Foreman and Proxy versions: foreman-3.1.0-0.1.rc1.el8.noarch & foreman-proxy-3.1.0-0.2.rc1.el8.noarch

Foreman and Proxy plugin versions:
foreman-selinux-3.1.0-0.1.rc1.el8.noarch
rubygem-foreman-tasks-5.2.0-1.fm3_1.el8.noarch
rubygem-foreman_maintain-0.9.2-1.el8.noarch
rubygem-foreman_remote_execution-4.8.0-1.fm3_1.el8.noarch
foreman-cli-3.1.0-0.1.rc1.el8.noarch
foreman-dynflow-sidekiq-3.1.0-0.1.rc1.el8.noarch
katello-ca-consumer-foreman.infra.spindices.com-1.0-7.noarch
foreman-release-3.1.0-0.2.rc1.el8.noarch
rubygem-hammer_cli_foreman_tasks-0.0.16-1.fm3_0.el8.noarch
foreman-debug-3.1.0-0.1.rc1.el8.noarch
foreman-postgresql-3.1.0-0.1.rc1.el8.noarch
foreman-client-release-3.0.1-1.el8.noarch
foreman-installer-3.1.0-0.1.rc1.el8.noarch
foreman-installer-katello-3.1.0-0.1.rc1.el8.noarch
foreman-proxy-3.1.0-0.2.rc1.el8.noarch
rubygem-hammer_cli_foreman-3.1.0-1.el8.noarch
rubygem-hammer_cli_foreman_remote_execution-0.2.2-1.fm3_0.el8.noarch
foreman-3.1.0-0.1.rc1.el8.noarch
foreman-service-3.1.0-0.1.rc1.el8.noarch

Distribution and version:
RHEL 8.5

Other relevant data:

katello-certs-check gets passed but while installing katello scenario with custom certificate it is getting failed

2021-11-28 10:51:16 [NOTICE] [configure] Starting system configuration.
2021-11-28 10:51:33 [NOTICE] [configure] 250 configuration steps out of 1690 steps complete.
2021-11-28 10:51:44 [NOTICE] [configure] 500 configuration steps out of 1690 steps complete.
2021-11-28 10:51:45 [NOTICE] [configure] 750 configuration steps out of 1694 steps complete.
2021-11-28 10:51:48 [NOTICE] [configure] 1000 configuration steps out of 1701 steps complete.
2021-11-28 10:51:49 [NOTICE] [configure] 1250 configuration steps out of 1702 steps complete.
2021-11-28 10:58:36 [NOTICE] [configure] 1500 configuration steps out of 1702 steps complete.
2021-11-28 10:59:31 [ERROR ] [configure] /Stage[main]/Foreman::Register/Foreman_host[foreman-frm.infra.spdji.spgi]: Could not evaluate: Exception SSL_connect returned=1 errno=0 state=error: certificate verify failed (self signed certificate in certificate chain) in get request to: https://frm.infra.spdji.spgi/api/v2/hosts?search=name%3D"frm.infra.spdji.spgi"
2021-11-28 10:59:31 [ERROR ] [configure] Wrapped exception:
2021-11-28 10:59:31 [ERROR ] [configure] SSL_connect returned=1 errno=0 state=error: certificate verify failed (self signed certificate in certificate chain)
2021-11-28 11:00:26 [NOTICE] [configure] System configuration has finished.

There were errors detected during install.
Please address the errors and re-run the installer to ensure the system is properly configured.
Failing to do so is likely to result in broken functionality.

The full log is at /var/log/foreman-installer/katello.log

kailash · December 7, 2021, 7:46am

Can someone from Foreman suggest on this

metalcated · January 1, 2022, 2:21am

Having the same issue myself with a fresh install Foreman 3.1 and Katello 4.3.

metalcated · January 1, 2022, 5:17am

Heck I am even getting this issue with self signed certs.

amg1127 · January 8, 2022, 3:11am

It was not the best solution, however I managed to get the installer working after manually modifying a script file.

Under Foreman 3.1, Katello 4.3 and a custom Foreman server certificate signed by a local FreeIPA deployment, I was experiencing the below exception details, recorded in /var/log/foreman-installer/katello.log file:

2022-01-08 14:49:47 [DEBUG ] [configure] /Stage[main]/Foreman::Register/Foreman_host[foreman-foreman.corp.andersongomes.tech]: Starting to evaluate the resource (1795 of 1916)
2022-01-08 14:49:47 [DEBUG ] [configure] Foreman_host[foreman-foreman.corp.andersongomes.tech](provider=rest_v3): Making get request to https://foreman.corp.andersongomes.tech/api/v2/hosts?search=name%3D%22foreman.corp.andersongomes.tech%22
2022-01-08 14:49:47 [ERROR ] [configure] /Stage[main]/Foreman::Register/Foreman_host[foreman-foreman.corp.andersongomes.tech]: Could not evaluate: Exception SSL_connect returned=1 errno=0 state=error: certificate verify failed (self signed certificate in certificate chain) in get request to: https://foreman.corp.andersongomes.tech/api/v2/hosts?search=name%3D%22foreman.corp.andersongomes.tech%22
2022-01-08 14:49:47 [ERROR ] [configure] Wrapped exception:
2022-01-08 14:49:47 [ERROR ] [configure] SSL_connect returned=1 errno=0 state=error: certificate verify failed (self signed certificate in certificate chain)
2022-01-08 14:49:47 [DEBUG ] [configure] /Stage[main]/Foreman::Register/Foreman_host[foreman-foreman.corp.andersongomes.tech]: Evaluated in 0.01 seconds

After inspecting the /usr/share/foreman-installer/modules/foreman/lib/puppet/provider/foreman_resource/rest_v3.rb file and noticing via introduced debugging messages that the oAuth call was being validated against the CA bundle located in /etc/pki/katello/certs/katello-default-ca.crt file, I manually modified the line #50 and explicitly referenced the /etc/pki/katello/certs/katello-server-ca.crt file, instead.

  def oauth_consumer
    @consumer ||= OAuth::Consumer.new(oauth_consumer_key, oauth_consumer_secret, {
      :site               => resource[:base_url],
      :request_token_path => '',
      :authorize_path     => '',
      :access_token_path  => '',
      :timeout            => resource[:timeout],
      :ca_file            => '/etc/pki/katello/certs/katello-server-ca.crt'
    })
  end

I don’t know the consequences introduced by the change, though. I am just trying to get Foreman working in my lab environment.

frostygresh · January 14, 2022, 3:10pm

Modifying this line fixed it for me as well. Going to report this as a bug.

bmagistro · July 1, 2022, 3:16pm

Do you happen to have a link to the bug ticket? This seems to still be present in 3.3.0 (just wrapped up our upgrade) and about to start digging into it when I found this thread

cps86 · February 28, 2024, 6:24am

Thanks.
I am using the self-signed certs and I had exactly the same issue. Your workaround works!

ochnerd · May 23, 2024, 8:09am

Hey there I know this is a very old issue. We searched and found which cert is loaded by resource[:ssl_ca].
It is the ‘–foreman-server-ssl-chain’. After we put the complete chain into the file the installer ran without a Problem.

ochnerd · May 23, 2024, 9:58am

But that wouldn’t be best Practice for apache.