ERF12-2530: Unable to detect features

Hi,

I am trying to install a new foreman content proxy, and every time I run the installer I see the following error:

  • Unable to communicate with the proxy: ERF12-2530 [ProxyAPI::ProxyException]: Unable to detect features ([RestClient::SSLCertificateNotVerified]: SSL_connect returned=1 errno=0 state=error: certificate verify failed (Hostname mismatch)) for proxy https://hostname-1.domain.net:9090/v2/features
  • Please check the proxy is configured and running on the host.

I see this when running the installer, and trying to add the new proxy from the GUI.

I have tried looking for a hostname mismatch, but am struggling to find anything. Are there any commands I can run to troubleshoot this problem? I have tried outputting some of the details of the certs, which look good to me.

Currently running version 3.5.1 with Katello version 4.70 on Rocky 8.

Many Thanks,
Tania

It’s hard to tell, if you don’t post the commands you have used to generate the foreman-installer command and the exact foreman-installer command (with the key and secret removed). Which docs did you use?

Do you use default certificates or custom ones?

Hi,

Apologies, I am using custom certs.

On the main foreman server I ran:
foreman-proxy-certs-generate --foreman-proxy-fqdn . \
  --certs-tar /root/smart-proxy_cert/._certs.tar \
  --server-cert /etc/httpd/certs/default.crt \
  --server-key /etc/httpd/certs/default.key \
  --server-ca-cert /etc/httpd/certs/ca.crt --certs-update-server

I copied the tar over to the new foreman proxy

On the new foreman proxy I ran:
foreman-installer --scenario foreman-proxy-content \
  --certs-tar-file "/root/._certs.tar" \
  --foreman-proxy-register-in-foreman "true" \
  --foreman-proxy-foreman-base-url "https://." \
  --foreman-proxy-trusted-hosts "." \
  --foreman-proxy-trusted-hosts "." \
  --foreman-proxy-oauth-consumer-key "" \
  --foreman-proxy-oauth-consumer-secret ""

Many Thanks,
Tania

You didn’t mention which docs you have followed, and from what you posted it seems you did not follow Installing an External Smart Proxy Server 3.5 and you did not run katello-certs-check.

Either way:

That absolutely doesn’t make any sense. You need to generate a new certificate for the new proxy and use the certificate and key and chain for the new proxy. You are generating a tar containing the certificate of your main server (I guess, whatever is in default.crt) and deploying it to your proxy. Obviously, that will fail because the proxy has a different hostname from your foreman server and you shouldn’t use the same certificate for both proxy and server anyway…

I suggest you follow the docs…

Thank you so much, I had thought I needed the custom certs I already created. I have created new certs, and it worked a treat.
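The hostname check asked about earlier in the thread can be done with openssl before building the certs tar. This is an added example, not part of any post above. The hostnames foreman.example.test and proxy.example.test and the self-signed certificate are constructed stand-ins, and the function names are hypothetical.

```bash
#!/usr/bin/env bash
# Added example: does a certificate cover the name that clients connect to?
# All hostnames below are constructed placeholders, not values from the thread.
set -u

# make_cert <fqdn> <out-prefix>: constructed self-signed certificate standing in
# for the server certificate that gets packed into the proxy's certs tar.
make_cert() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
        -subj "/CN=$1" -addext "subjectAltName=DNS:$1" \
        -keyout "$2.key" -out "$2.crt" 2>/dev/null
}

# cert_names <crt>: print the subject and the subjectAltName entries, which are
# the names hostname verification compares against.
cert_names() {
    openssl x509 -in "$1" -noout -subject -ext subjectAltName
}

# cert_matches_host <crt> <fqdn>: succeed only if the certificate covers <fqdn>.
# The -checkhost output is parsed rather than relying on openssl's exit status.
cert_matches_host() {
    openssl x509 -in "$1" -noout -checkhost "$2" \
        | grep -q 'does match certificate'
}

# Reproduce the situation in the thread: a certificate issued for the main
# server is tested against the server's name and against the proxy's name.
demo() {
    local dir host
    dir=$(mktemp -d)
    make_cert foreman.example.test "$dir/server"
    cert_names "$dir/server.crt"
    for host in foreman.example.test proxy.example.test; do
        if cert_matches_host "$dir/server.crt" "$host"; then
            echo "OK       $host"
        else
            echo "MISMATCH $host"
        fi
    done
    rm -rf "$dir"
}

demo
```

On a real deployment, run cert_matches_host against the file passed as --server-cert with the FQDN given to --foreman-proxy-fqdn; a mismatch there predicts the "Hostname mismatch" error on port 9090.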