Problem:
I have a trust issue with actions related to my local smart proxy,
when syncing or attempting to add new content to my smart proxy it returns the following error
Could not create the repository:
SSL_read: tlsv1 alert unknown ca
or
SSL_read: tlsv1 alert unknown caSSL_read: tlsv1 alert unknown caSSL_read: tlsv1 alert unknown ca
Expected outcome:
Ability to interact with pulp and create content and sync existing repositories.
Foreman and Proxy versions:
Replicated on 3.10 and 3.11, but will be providing examples on 3.10 only.
Foreman and Proxy plugin versions:
Version: 3.10.0
API Version: v2
Database:
Status: ok
Server Response: Duration: 1ms
Plugins:
- Name: foreman-tasks
Version: 9.1.1 - Name: foreman_ansible
Version: 14.0.0 - Name: foreman_remote_execution
Version: 13.0.0 - Name: katello
Version: 4.12.1
Smart Proxies: - Name: fm99.example.com
Version: 3.10.0
Status: ok
Features:- Name: dynflow
Version: 0.9.2 - Name: script
Version: 0.10.6 - Name: ansible
Version: 3.5.5 - Name: pulpcore
Version: 3.3.0 - Name: logs
Version: 3.10.0
- Name: dynflow
Distribution and version:
Operating System: Red Hat Enterprise Linux 8.7 (Ootpa)
CPE OS Name: cpe:/o:redhat:enterprise_linux:8::baseos
Kernel: Linux 4.18.0-425.19.2.el8_7.x86_64
Architecture: x86-64
Other relevant data:
I know the cause of my issues stems from the Foreman Proxy not using the IPA issued certificates, instead it is using the self generated Katello certificates.
I’d like to get some clarification on its requirement and the cleanest way to handle this
e.g. should i use a separate certificate for the smart proxy install on the foreman host?
Does Katello certificates have any role within a Foreman environment with an external CA?
My background with foreman is from 1.3 to 2.4 releases when i used it with puppet, so this is my first step into using Katello with custom certs and want to understand things better.
Configuring Server with a Custom SSL Certificate mentions “The same CA must sign certificates for Foreman Server and Smart Proxy server” and “You must not use the same SSL certificate for Foreman server and Smart Proxy server.”
Is this still relative for a single host?
The other question i have is where is the best place to update this for the smart proxy configuration
Deploying a custom SSL certificate to Smart Proxy server seems to be an example for a separate server. for a single host install is it only the following areas that need to have the certificate details provided?
--foreman-proxy-ssl-ca "/etc/pki/tls/certs/idx.bundle.pem" \
--foreman-proxy-ssl-cert "/etc/pki/tls/certs/foreman.crt" \
--foreman-proxy-ssl-key "/etc/pki/tls/private/foreman.key" \
--foreman-proxy-foreman-ssl-ca "/etc/pki/tls/certs/idx.bundle.pem" \
--foreman-proxy-foreman-ssl-cert "/etc/pki/tls/certs/foreman.crt" \
--foreman-proxy-foreman-ssl-key "/etc/pki/tls/private/foreman.key" \
currently my installation done using the following
sudo foreman-installer \
--scenario katello \
--foreman-initial-organization "Example Networks" \
--foreman-initial-location "Example" \
--foreman-server-ssl-cert "/etc/pki/tls/certs/foreman.crt" \
--foreman-server-ssl-key "/etc/pki/tls/private/foreman.key" \
--foreman-server-ssl-ca "/etc/pki/tls/certs/idx.bundle.pem" \
--foreman-server-ssl-chain "/etc/pki/tls/certs/idx.bundle.pem" \
--foreman-ipa-authentication=true \
--enable-foreman-plugin-ansible \
--enable-foreman-proxy-plugin-ansible --enable-foreman-cli-ansible