Custom IPA Issued Certificates in Foreman Katello 3.10/3.11

Problem:
I have a trust issue with actions related to my local smart proxy:
when syncing or attempting to add new content to my smart proxy, it returns the following error

Could not create the repository:
  SSL_read: tlsv1 alert unknown ca

or

SSL_read: tlsv1 alert unknown caSSL_read: tlsv1 alert unknown caSSL_read: tlsv1 alert unknown ca

Expected outcome:
Ability to interact with pulp and create content and sync existing repositories.

Foreman and Proxy versions:
Replicated on 3.10 and 3.11, but will be providing examples on 3.10 only.

Foreman and Proxy plugin versions:

Version: 3.10.0
API Version: v2
Database:
Status: ok
Server Response: Duration: 1ms
Plugins:

  1. Name: foreman-tasks
     Version: 9.1.1
  2. Name: foreman_ansible
     Version: 14.0.0
  3. Name: foreman_remote_execution
     Version: 13.0.0
  4. Name: katello
     Version: 4.12.1

Smart Proxies:

  1. Name: fm99.example.com
     Version: 3.10.0
     Status: ok
     Features:
       1. Name: dynflow
          Version: 0.9.2
       2. Name: script
          Version: 0.10.6
       3. Name: ansible
          Version: 3.5.5
       4. Name: pulpcore
          Version: 3.3.0
       5. Name: logs
          Version: 3.10.0

Distribution and version:
Operating System: Red Hat Enterprise Linux 8.7 (Ootpa)
CPE OS Name: cpe:/o:redhat:enterprise_linux:8::baseos
Kernel: Linux 4.18.0-425.19.2.el8_7.x86_64
Architecture: x86-64

Other relevant data:

I know the cause of my issues stems from the Foreman Proxy not using the IPA-issued certificates; instead it is using the self-generated Katello certificates.
I'd like to get some clarification on its requirements and the cleanest way to handle this,
e.g. should I use a separate certificate for the smart proxy installed on the Foreman host?

Do Katello certificates have any role within a Foreman environment with an external CA?
My background with Foreman is from the 1.3 to 2.4 releases, when I used it with Puppet, so this is my first step into using Katello with custom certs and I want to understand things better.

Configuring Server with a Custom SSL Certificate mentions “The same CA must sign certificates for Foreman Server and Smart Proxy server” and “You must not use the same SSL certificate for Foreman server and Smart Proxy server.”
Is this still relevant for a single host?

The other question I have is where the best place is to update this for the smart proxy configuration.
Deploying a custom SSL certificate to Smart Proxy server seems to be an example for a separate server. For a single-host install, are the following the only areas that need to have the certificate details provided?

--foreman-proxy-ssl-ca "/etc/pki/tls/certs/idx.bundle.pem" \
--foreman-proxy-ssl-cert "/etc/pki/tls/certs/foreman.crt" \
--foreman-proxy-ssl-key "/etc/pki/tls/private/foreman.key" \
--foreman-proxy-foreman-ssl-ca "/etc/pki/tls/certs/idx.bundle.pem" \
--foreman-proxy-foreman-ssl-cert "/etc/pki/tls/certs/foreman.crt" \
--foreman-proxy-foreman-ssl-key "/etc/pki/tls/private/foreman.key" \

Currently my installation is done using the following:

sudo foreman-installer \
--scenario katello \
--foreman-initial-organization "Example Networks" \
--foreman-initial-location "Example" \
--foreman-server-ssl-cert "/etc/pki/tls/certs/foreman.crt" \
--foreman-server-ssl-key "/etc/pki/tls/private/foreman.key" \
--foreman-server-ssl-ca "/etc/pki/tls/certs/idx.bundle.pem" \
--foreman-server-ssl-chain "/etc/pki/tls/certs/idx.bundle.pem" \
--foreman-ipa-authentication=true \
--enable-foreman-plugin-ansible \
--enable-foreman-proxy-plugin-ansible --enable-foreman-cli-ansible

I have exactly the same problem; however, I am not using the Katello version, nor Puppet. I am running Foreman 3.11 and Foreman Smart-Proxy on the same machines. They're running in HA mode in a cluster.

There are no errors in the Infrastructure/Smart Proxies tab in Foreman Web Console. Smart proxies are trusted. Everything seems to work as expected.
However, I installed the Foreman remote execution plugin and I can't execute any tasks because I am getting:

/usr/share/gems/gems/logging-2.3.1/lib/logging/diagnostic_context.rb:474:in `block in create_with_logging_context'
2024-11-15T15:59:38 73121188 [E] OpenSSL::SSL::SSLError SSL_read: tlsv1 alert unknown ca

This drives me crazy. Why is this error generated if I don't get any errors or warnings in the Infrastructure/Smart Proxies tab?

My configuration is as follows:
Foreman

:ssl_certificate: /etc/certs/server1.crt
:ssl_ca_file: /etc/certs/Foreman_CA.crt
:ssl_priv_key: /etc/certs/server1.key

Foreman Smart Proxy
(they are pointing to the same files)

:ssl_ca_file: /etc/certs/Foreman_CA.crt
:ssl_certificate: /etc/certs/server1.crt
:ssl_private_key: /etc/certs/server1.key

Same certs are used for httpd.

Why is the CA not trusted if I use the same CA for both?! It doesn't make any sense. Can I use the same certs for the smart proxy and Foreman?

Updated to version 3.12 and the problem remains.
Can someone tell me how to verify whether Foreman can communicate with Foreman Smart Proxy? In my case I did the following checks:

  1. Checked that both smart proxies have green status in the Infrastructure/Smart Proxies tab.
  2. Executed the following curl command from the Foreman server (and the smart proxy server):
curl -v --cacert /etc/certs/Foreman_CA.crt https://server1.infra.net:8443/features

* TLSv1.2 (OUT), TLS header, Unknown (23):
> GET /features HTTP/1.1
> User-Agent: curl/7.76.1
> Accept: */*
>
* TLSv1.2 (IN), TLS header, Unknown (23):
* TLSv1.3 (IN), TLS handshake, Newsession Ticket (4):
* TLSv1.2 (IN), TLS header, Unknown (23):
* TLSv1.3 (IN), TLS handshake, Newsession Ticket (4):
* old SSL session ID is stale, removing
* TLSv1.2 (IN), TLS header, Unknown (23):
* Mark bundle as not supporting multiuse
< HTTP/1.1 200 OK
< Content-Type: application/json
< Content-Length: 37
< X-Content-Type-Options: nosniff
< Server: foreman-proxy/3.12.0
< Date: Mon, 18 Nov 2024 05:48:10 GMT
< Connection: Keep-Alive
<
* TLSv1.2 (IN), TLS header, Unknown (23):
* Connection #0 to host server1.infra.net left intact
["ansible","dynflow","logs","script"]
  3. SSL verification with OpenSSL OK:
CONNECTED(00000003)
(REMOVED)
verify return:1
(REMOVED)
verify return:1
(REMOVED)
verify return:1
SSL handshake has read 5136 bytes and written 440 bytes
Verification: OK
Verify return code: 0 (ok)

Any idea why I get the Unknown CA error?

Is there another way to verify whether Foreman can talk with Foreman Smart Proxy?
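The curl and openssl s_client checks above only exercise one direction of the handshake: the client verifying the proxy's server certificate against Foreman_CA.crt. The "unknown ca" alert is sent by whichever side cannot find a trust anchor for the certificate it received, so the other direction, the proxy checking the client certificate Foreman presents (Foreman's :ssl_certificate) against the proxy's :ssl_ca_file, can still fail while those checks pass. The same applies to the installer flag pairs in the first post: each certificate must chain to the CA bundle the peer on the other side is configured to trust. The following Go program is an added example (not code from Foreman or this thread) that performs exactly that chain check on a given CA bundle and certificate, using only the standard library. The CA names "ipa-ca" and "katello-ca" and the host name foreman.example.com are constructed stand-ins for the IPA CA and the installer's self-generated CA; the demo builds throwaway certificates in memory rather than reading any deployment's files.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/pem"
	"errors"
	"fmt"
	"math/big"
	"time"
)

// verifyLeaf checks that leafPEM chains to a CA in caBundlePEM: the check a TLS
// peer configured with that bundle applies to a certificate it receives. Use
// x509.ExtKeyUsageClientAuth for a client certificate (Foreman towards the proxy)
// and x509.ExtKeyUsageServerAuth for a server certificate (the proxy's own).
func verifyLeaf(caBundlePEM, leafPEM []byte, usage x509.ExtKeyUsage) error {
	pool := x509.NewCertPool()
	if !pool.AppendCertsFromPEM(caBundlePEM) {
		return errors.New("no CA certificates found in bundle")
	}
	block, _ := pem.Decode(leafPEM)
	if block == nil {
		return errors.New("certificate is not PEM")
	}
	leaf, err := x509.ParseCertificate(block.Bytes)
	if err != nil {
		return err
	}
	_, err = leaf.Verify(x509.VerifyOptions{Roots: pool, KeyUsages: []x509.ExtKeyUsage{usage}})
	return err
}

// isUnknownCA reports the "no trust anchor for this issuer" failure, which is
// the condition a TLS peer signals with the unknown_ca alert.
func isUnknownCA(err error) bool {
	var unknown x509.UnknownAuthorityError
	return errors.As(err, &unknown)
}

// template builds a throwaway certificate template (constructed test data only).
func template(cn string, isCA bool, usage x509.ExtKeyUsage) *x509.Certificate {
	t := &x509.Certificate{SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: cn},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour)}
	if isCA {
		t.IsCA, t.BasicConstraintsValid, t.KeyUsage = true, true, x509.KeyUsageCertSign
	} else {
		t.DNSNames, t.KeyUsage, t.ExtKeyUsage = []string{cn}, x509.KeyUsageDigitalSignature, []x509.ExtKeyUsage{usage}
	}
	return t
}

// signCert generates a key for tmpl and has parent sign it (self-signed when
// parent is nil); it returns the parsed certificate, its key and its PEM form.
func signCert(tmpl, parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey, []byte, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, nil, err
	}
	if parent == nil {
		parent, parentKey = tmpl, key
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, parentKey)
	if err != nil {
		return nil, nil, nil, err
	}
	cert, err := x509.ParseCertificate(der)
	if err != nil {
		return nil, nil, nil, err
	}
	return cert, key, pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: der}), nil
}

// demo reproduces the mismatch with constructed data: a client certificate issued
// by "ipa-ca" verifies against the ipa-ca bundle (sameCA == nil) but fails against
// the "katello-ca" bundle with an unknown-authority error (crossCA).
func demo() (sameCA, crossCA, setupErr error) {
	ipaCA, ipaKey, ipaPEM, err1 := signCert(template("ipa-ca", true, 0), nil, nil)
	_, _, katelloPEM, err2 := signCert(template("katello-ca", true, 0), nil, nil)
	_, _, clientPEM, err3 := signCert(template("foreman.example.com", false, x509.ExtKeyUsageClientAuth), ipaCA, ipaKey)
	for _, e := range []error{err1, err2, err3} {
		if e != nil {
			return nil, nil, e
		}
	}
	return verifyLeaf(ipaPEM, clientPEM, x509.ExtKeyUsageClientAuth),
		verifyLeaf(katelloPEM, clientPEM, x509.ExtKeyUsageClientAuth), nil
}

// main runs the demo; to check a deployment, feed verifyLeaf the bytes of the real bundle and certificate.
func main() {
	same, cross, err := demo()
	fmt.Printf("setup: %v\nsame CA: %v\ncross CA: %v (unknown CA: %v)\n", err, same, cross, isUnknownCA(cross))
}
```

For a one-off check from the shell, `openssl verify -CAfile <bundle> <cert>` performs the same chain test, and an `openssl s_client` run that also passes `-cert` and `-key` for the client certificate exercises the client-authentication direction that plain `curl --cacert` does not.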

OK, the only way to get it to work on 3.12 is to have self-generated certs from Foreman's Puppet for Foreman's Smart Proxy and Foreman.
I left only the web frontend using custom certs.