Hi all
Similar issue:
Foreman: v3.3
Katello: 4.5
OS: Rocky 8.6
# katello-certs-check -c "/root/<cert_directory>/ServerCertificate.crt" -k "/root/<cert_directory>/<filename>.key" -b "/root/<cert_directory>/<filename>.pem"
Checking server certificate encoding:
[OK]
Checking expiration of certificate:
[OK]
Checking expiration of CA bundle:
[OK]
Checking if server certificate has CA:TRUE flag
[OK]
Checking for private key passphrase:
[OK]
Checking to see if the private key matches the certificate:
[OK]
Checking CA bundle against the certificate file:
[OK]
Checking CA bundle size: 4
[OK]
Checking Subject Alt Name on certificate
[OK]
Checking if any Subject Alt Name on certificate matches the Subject CN
[OK]
Checking Key Usage extension on certificate for Key Encipherment
[OK]
Checking for use of shortname as CN
[OK]
Validation succeeded
foreman-installer \
--scenario katello \
--foreman-initial-organization "<my_org>" \
--foreman-initial-location "<my_location>" \
--foreman-initial-admin-username admin \
--foreman-initial-admin-password admin \
--certs-server-cert /root/<cert_directory>/ServerCertificate.crt \
--certs-server-key /root/<cert_directory>/<filename>.key \
--certs-server-ca-cert /root/<cert_directory>/<filename>.pem \
--enable-foreman-plugin-ansible \
--enable-foreman-proxy-plugin-ansible
- The installation, too, says “finished” but with errors:
Validation succeeded
To install the Katello server with the custom certificates, run:
foreman-installer --scenario katello \
--certs-server-cert "/root/<cert_directory>/ServerCertificate.crt" \
--certs-server-key "/root/<cert_directory>/<filename>.key" \
--certs-server-ca-cert "/root/<cert_directory>/<filename>.pem"
To update the certificates on a currently running Katello installation, run:
foreman-installer --scenario katello \
--certs-server-cert "/root/<cert_directory>/ServerCertificate.crt" \
--certs-server-key "/root/<cert_directory>/<filename>.key" \
--certs-server-ca-cert "/root/<cert_directory>/<filename>.pem" \
--certs-update-server --certs-update-server-ca
To use them inside a NEW $FOREMAN_PROXY, rerun this command with -t foreman-proxy
2022-07-27 15:42:41 [NOTICE] [configure] Starting system configuration.
2022-07-27 15:44:21 [NOTICE] [configure] 250 configuration steps out of 1411 steps complete.
2022-07-27 15:45:15 [NOTICE] [configure] 500 configuration steps out of 1413 steps complete.
2022-07-27 15:46:11 [NOTICE] [configure] 750 configuration steps out of 1418 steps complete.
2022-07-27 15:46:30 [NOTICE] [configure] 1000 configuration steps out of 1441 steps complete.
2022-07-27 15:50:21 [NOTICE] [configure] 1250 configuration steps out of 1441 steps complete.
2022-07-27 15:52:49 [ERROR ] [configure] Error making POST request to Foreman at https://forekat-master01-stage-bry.platform.is/api/v2/smart_proxies: Response: 500 Internal Server Error: Check /var/log/foreman/production.log on <server_FQDN> for detailed information
2022-07-27 15:52:49 [ERROR ] [configure] /Stage[main]/Foreman_proxy::Register/Foreman_smartproxy[f<server_FQDN>]/ensure: change from 'absent' to 'present' failed: Error making POST request to Foreman at https://<server_FQDN>/api/v2/smart_proxies: Response: 500 Internal Server Error: Check /var/log/foreman/production.log on <server_FQDN> for detailed information
2022-07-27 15:52:49 [ERROR ] [configure] /Stage[main]/Foreman_proxy::Register/Foreman_smartproxy[<server_FQDN>]: Failed to call refresh: Error making GET request to Foreman at https://f<server_FQDN>/api/v2/smart_proxies: Response: 500 Internal Server Error: Check /var/log/foreman/production.log on <server_FQDN> for detailed information
2022-07-27 15:52:49 [ERROR ] [configure] /Stage[main]/Foreman_proxy::Register/Foreman_smartproxy[<server_FQDN>]: Error making GET request to Foreman at https://<server_FQDN>/api/v2/smart_proxies: Response: 500 Internal Server Error: Check /var/log/foreman/production.log on <server_FQDN> for detailed information
2022-07-27 15:52:52 [NOTICE] [configure] System configuration has finished.
There were errors detected during install.
Please address the errors and re-run the installer to ensure the system is properly configured.
Failing to do so is likely to result in broken functionality.
The full log is at /var/log/foreman-installer/katello.log
-
Checking the log file (/var/log/foreman/production.log):
2022-07-27T15:52:49 [I|app|26ccb6f8] Backtrace for 'Action failed' error (ActionView::Template::Error): ERF12-9411 [ProxyAPI::ProxyException]: Unable to fetch public key ([RestClient::InternalServerError]: 500 Internal Server Error) for proxy https://f<server_FQDN>:9090/ssh
-
At this point, a foreman-maintain service status
shows all daemons running and the web interface is accessible, I can log in, create products etc without issue.
-
I confirm that the certificate in use is indeed my custom cert (checked against my server's FQDN on ports 443 and 9090):
# openssl s_client -connect <my_server_FQDN>:443
CONNECTED(00000003)
depth=2 C = US, O = "Entrust, Inc.", OU = See www.entrust.net/legal-terms, OU = "(c) 2009 Entrust, Inc. - for authorized use only", CN = Entrust Root Certification Authority - G2
verify return:1
depth=1 C = US, O = "Entrust, Inc.", OU = See www.entrust.net/legal-terms, OU = "(c) 2012 Entrust, Inc. - for authorized use only", CN = Entrust Certification Authority - L1K
verify return:1
depth=0 C = ZA, L = <correct_information>, O = I<correct_information>, CN = *.<correct_information>
verify return:1
---
Certificate chain
0 s:C = ZA, L = <correct_information>, O = <correct_information>, CN = *.<correct_information>
i:C = US, O = "Entrust, Inc.", OU = See www.entrust.net/legal-terms, OU = "(c) 2012 Entrust, Inc. - for authorized use only", CN = Entrust Certification Authority - L1K
1 s:C = ZA, L = <correct_information>, O = <correct_information>, CN = *.<correct_information>
i:C = US, O = "Entrust, Inc.", OU = See www.entrust.net/legal-terms, OU = "(c) 2012 Entrust, Inc. - for authorized use only", CN = Entrust Certification Authority - L1K
2 s:C = US, O = "Entrust, Inc.", OU = See www.entrust.net/legal-terms, OU = "(c) 2012 Entrust, Inc. - for authorized use only", CN = Entrust Certification Authority - L1K
i:C = US, O = "Entrust, Inc.", OU = See www.entrust.net/legal-terms, OU = "(c) 2009 Entrust, Inc. - for authorized use only", CN = Entrust Root Certification Authority - G2
3 s:C = US, O = "Entrust, Inc.", OU = See www.entrust.net/legal-terms, OU = "(c) 2009 Entrust, Inc. - for authorized use only", CN = Entrust Root Certification Authority - G2
i:C = US, O = "Entrust, Inc.", OU = See www.entrust.net/legal-terms, OU = "(c) 2009 Entrust, Inc. - for authorized use only", CN = Entrust Root Certification Authority - G2
---
# ll /var/lib/foreman-proxy/ssh/
total 0
# ll /var/lib/foreman-proxy/ssh/
total 8
-rw-------. 1 foreman-proxy foreman-proxy 2655 Jul 27 15:57 id_rsa_foreman_proxy
-rw-r--r--. 1 foreman-proxy foreman-proxy 606 Jul 27 15:57 id_rsa_foreman_proxy.pub
- Then I re-run the installation command exactly as above and:
Validation succeeded
To install the Katello server with the custom certificates, run:
foreman-installer --scenario katello \
--certs-server-cert "/root/<cert_directory>/ServerCertificate.crt" \
--certs-server-key "/root/<cert_directory>/<filename>.key" \
--certs-server-ca-cert "/root/<cert_directory>/<filename>.pem"
To update the certificates on a currently running Katello installation, run:
foreman-installer --scenario katello \
--certs-server-cert "/root/<cert_directory>/ServerCertificate.crt" \
--certs-server-key "/root/<cert_directory>/<filename>.key" \
--certs-server-ca-cert "/root/<cert_directory>/<filename>.pem" \
--certs-update-server --certs-update-server-ca
To use them inside a NEW $FOREMAN_PROXY, rerun this command with -t foreman-proxy
2022-07-27 15:58:16 [NOTICE] [configure] Starting system configuration.
2022-07-27 15:58:26 [NOTICE] [configure] 250 configuration steps out of 1411 steps complete.
2022-07-27 15:58:28 [NOTICE] [configure] 500 configuration steps out of 1413 steps complete.
2022-07-27 15:58:31 [NOTICE] [configure] 750 configuration steps out of 1418 steps complete.
2022-07-27 15:58:32 [NOTICE] [configure] 1000 configuration steps out of 1422 steps complete.
2022-07-27 15:59:02 [NOTICE] [configure] 1250 configuration steps out of 1422 steps complete.
2022-07-27 15:59:13 [NOTICE] [configure] System configuration has finished.
Executing: foreman-rake upgrade:run
=============================================
Upgrade Step 1/8: katello:correct_repositories. This may take a long while.
=============================================
Upgrade Step 2/8: katello:clean_backend_objects. This may take a long while.
0 orphaned consumer id(s) found in candlepin.
Candlepin orphaned consumers: []
=============================================
Upgrade Step 3/8: katello:upgrades:4.0:remove_ostree_puppet_content. =============================================
Upgrade Step 4/8: katello:upgrades:4.1:sync_noarch_content. =============================================
Upgrade Step 5/8: katello:upgrades:4.1:fix_invalid_pools. I, [2022-07-27T15:59:25.178254 #24151] INFO -- : Corrected 0 invalid pools
I, [2022-07-27T15:59:25.178294 #24151] INFO -- : Removed 0 orphaned pools
=============================================
Upgrade Step 6/8: katello:upgrades:4.1:reupdate_content_import_export_perms. =============================================
Upgrade Step 7/8: katello:upgrades:4.2:remove_checksum_values. =============================================
Upgrade Step 8/8: katello:upgrades:4.4:publish_import_cvvs. Success!
* Foreman is running at https://<my_server_FQDN>
Initial credentials are admin / admin
* To install an additional Foreman proxy on separate machine continue by running:
foreman-proxy-certs-generate --foreman-proxy-fqdn "$FOREMAN_PROXY" --certs-tar "/root/$FOREMAN_PROXY-certs.tar"
* Foreman Proxy is running at https://<my_server_FQDN>:9090
The full log is at /var/log/foreman-installer/katello.log
- On previous runs, when running without the ssh key-pair creation, I would repeatedly get the same error as above, but the key-pair creation seems to remedy that.
I hope this is relevant information and my thanks to @pkamp!!
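As an added example (not part of the post above or of the Foreman project), a preflight check for the proxy SSH key pair whose absence the post ties to the smart-proxy registration failure: it verifies that `/var/lib/foreman-proxy/ssh/id_rsa_foreman_proxy` and its `.pub` exist, are non-empty, carry the modes shown in the post's listing (0600 / 0644) and are owned by the expected user before the installer is re-run. The directory layout, file names and owner are taken from the post's `ll` output; the demo directory at the bottom is constructed, and GNU `stat -c` is assumed.

```shell
#!/bin/sh
# Added example, not from the post: preflight check for the Foreman proxy SSH key pair
# before (re)running foreman-installer. Layout assumed from the post's listing:
#   /var/lib/foreman-proxy/ssh/id_rsa_foreman_proxy      (0600, owner foreman-proxy)
#   /var/lib/foreman-proxy/ssh/id_rsa_foreman_proxy.pub  (0644, owner foreman-proxy)
# Requires GNU stat (-c); plain POSIX sh otherwise.

# check_proxy_ssh_keys DIR OWNER
# Returns 0 when both key files exist, are non-empty, have the expected modes
# and are owned by OWNER; otherwise prints each problem found and returns 1.
check_proxy_ssh_keys() {
  dir=$1
  owner=$2
  rc=0
  priv="$dir/id_rsa_foreman_proxy"
  pub="$priv.pub"

  for f in "$priv" "$pub"; do
    [ -s "$f" ] || { echo "missing or empty: $f"; rc=1; }
  done
  # Nothing else to check when a file is absent (this is the post's "total 0" case).
  [ "$rc" -eq 0 ] || return 1

  mode=$(stat -c '%a' "$priv")
  [ "$mode" = "600" ] || { echo "$priv has mode $mode, want 600"; rc=1; }
  mode=$(stat -c '%a' "$pub")
  [ "$mode" = "644" ] || { echo "$pub has mode $mode, want 644"; rc=1; }

  for f in "$priv" "$pub"; do
    o=$(stat -c '%U' "$f")
    [ "$o" = "$owner" ] || { echo "$f is owned by $o, want $owner"; rc=1; }
  done
  return "$rc"
}

# Constructed demo directory so the check can be exercised without a Foreman host.
# On a real server run instead: check_proxy_ssh_keys /var/lib/foreman-proxy/ssh foreman-proxy
demo_dir=$(mktemp -d)
printf 'constructed-private-key\n' > "$demo_dir/id_rsa_foreman_proxy"
printf 'constructed-public-key\n' > "$demo_dir/id_rsa_foreman_proxy.pub"
chmod 600 "$demo_dir/id_rsa_foreman_proxy"
chmod 644 "$demo_dir/id_rsa_foreman_proxy.pub"
if check_proxy_ssh_keys "$demo_dir" "$(stat -c '%U' "$demo_dir")"; then
  echo "proxy SSH key pair looks healthy in $demo_dir"
fi
rm -rf "$demo_dir"
```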