Foreman 3.1.0-rc2 self signed error when setting up smart proxy

I’ve tried just about everything I can think of…

Using foreman 3.1.0-rc2, I’m attempting to set up a standalone freeipa smart proxy and don’t want it to serve any pulp content, I just want it to be a simple freeipa smart proxy… When attempting to run foreman-installer with the below flags, I’m getting the below errors complaining about the foreman server having a self signed certificate. I know I can just get around this by turning SSL off on the smart proxy, but I’d prefer to have the connections encrypted. Can someone help me understand what I’m doing wrong and why I can’t get it to ignore that the server’s CA is self-signed?

Distro:

RockyLinux 8

installer flags:

foreman-installer \
  --enable-foreman-proxy \
  --no-enable-foreman-plugin-bootdisk \
  --no-enable-foreman-plugin-setup \
  --no-enable-foreman \
  --no-enable-foreman-cli \
  --foreman-proxy-realm=true \
  --foreman-proxy-register-in-foreman "true" \
  --foreman-proxy-foreman-base-url "https://foreman.example.com" \
  --foreman-proxy-trusted-hosts "foreman.example.com" \
  --foreman-proxy-oauth-consumer-key "…" \
  --foreman-proxy-oauth-consumer-secret "…" \
  --puppet-server-foreman-url "https://foreman.example.com" \
  --no-enable-foreman-plugin-puppet \
  --no-enable-foreman-cli-puppet \
  --foreman-proxy-ssl-port=7443 \
  --puppet-server-ca=false \
  --puppet-server=false

installer error … ignore that there are no hyperlinks, it won’t let me add more than 5 links because I’m a new user:

2021-12-07 12:17:55 [NOTICE] [root] Loading installer configuration. This will take some time.
2021-12-07 12:18:04 [NOTICE] [root] Running installer with log based terminal output at level NOTICE.
2021-12-07 12:18:04 [NOTICE] [root] Use -l to set the terminal output log level to ERROR, WARN, NOTICE, INFO, or DEBUG. See --full-help for definitions.
2021-12-07 12:18:07 [NOTICE] [configure] Starting system configuration.
2021-12-07 12:18:15 [NOTICE] [configure] 250 configuration steps out of 493 steps complete.
2021-12-07 12:18:19 [ERROR ] [configure] /Stage[main]/Foreman_proxy::Register/Foreman_host[foremanhost]: Could not evaluate: Exception SSL_connect returned=1 errno=0 state=error: certificate verify failed (self signed certificate in certificate chain) in get request to: foremanhost/api/v2/hosts?search=name%3D%22foremanhost%22
2021-12-07 12:18:19 [ERROR ] [configure] Wrapped exception:
2021-12-07 12:18:19 [ERROR ] [configure] SSL_connect returned=1 errno=0 state=error: certificate verify failed (self signed certificate in certificate chain)
2021-12-07 12:18:19 [ERROR ] [configure] /Stage[main]/Foreman_proxy::Register/Foreman_smartproxy[foremanhost]: Could not evaluate: Exception SSL_connect returned=1 errno=0 state=error: certificate verify failed (self signed certificate in certificate chain) in get request to: foremanhost/api/v2/smart_proxies?search=name%3D%22foremanhost%22
2021-12-07 12:18:19 [ERROR ] [configure] Wrapped exception:
2021-12-07 12:18:19 [ERROR ] [configure] SSL_connect returned=1 errno=0 state=error: certificate verify failed (self signed certificate in certificate chain)
2021-12-07 12:18:19 [ERROR ] [configure] /Stage[main]/Foreman_proxy::Register/Foreman_smartproxy[foremanhost]: Failed to call refresh: Exception SSL_connect returned=1 errno=0 state=error: certificate verify failed (self signed certificate in certificate chain) in get request to: foremanhost/api/v2/smart_proxies?search=name%3D%22foremanhost%22
2021-12-07 12:18:19 [ERROR ] [configure] /Stage[main]/Foreman_proxy::Register/Foreman_smartproxy[foremanhost]: Exception SSL_connect returned=1 errno=0 state=error: certificate verify failed (self signed certificate in certificate chain) in get request to: foremanhost/api/v2/smart_proxies?search=name%3D%22foremanhost%22
2021-12-07 12:18:19 [ERROR ] [configure] Wrapped exception:
2021-12-07 12:18:19 [ERROR ] [configure] SSL_connect returned=1 errno=0 state=error: certificate verify failed (self signed certificate in certificate chain)
2021-12-07 12:18:20 [NOTICE] [configure] System configuration has finished.

There were errors detected during install.
Please address the errors and re-run the installer to ensure the system is properly configured.
Failing to do so is likely to result in broken functionality.

The full log is at /var/log/foreman-installer/foreman.log

installed foreman / katello packages:

$ rpm -qa | egrep 'foreman|katello'
foreman-installer-3.1.0-0.1.rc2.el8.noarch
foreman.example.com-foreman-proxy-client-1.0-1.noarch
foreman-debug-3.1.0-0.1.rc2.el8.noarch
foreman.example.com-foreman-proxy-1.0-1.noarch
foreman-proxy-3.1.0-0.2.rc2.el8.noarch
katello-ca-consumer-foreman.example.com-1.0-1.noarch

Driving me crazy… can anyone lend a helping hand please?

This happens in the installer itself: it tries to connect to Foreman’s API and fails because the certificate is not trusted. It uses either --foreman-proxy-foreman-ssl-ca or falls back to --foreman-proxy-ssl-ca. I would try to manually connect:

openssl s_client -CAfile /path/to/ca -connect foreman.example.com:443

This is a non-standard port. Is it a typo?

Thanks for the quick reply… the result of the openssl command is below. The reason why I’m using 7433 on this particular proxy is because freeipa requires that 8443 is open and usable for it. So no, not a typo.

openssl s_client -cert /etc/pki/katello/private/proxy.example.com-foreman-proxy-client-bundle.pem foreman:443
CONNECTED(00000003)
depth=1 C = US, ST = North Carolina, L = Raleigh, O = Katello, OU = SomeOrgUnit, CN = foreman
verify return:1
depth=0 C = US, ST = North Carolina, O = Katello, OU = SomeOrgUnit, CN = foreman
verify return:1
---
Certificate chain
 0 s:C = US, ST = North Carolina, O = Katello, OU = SomeOrgUnit, CN = foreman
   i:C = US, ST = North Carolina, L = Raleigh, O = Katello, OU = SomeOrgUnit, CN = foreman
 1 s:C = US, ST = North Carolina, L = Raleigh, O = Katello, OU = SomeOrgUnit, CN = foreman
   i:C = US, ST = North Carolina, L = Raleigh, O = Katello, OU = SomeOrgUnit, CN = foreman
---
Server certificate
-----BEGIN CERTIFICATE-----
snip
-----END CERTIFICATE-----
subject=C = US, ST = North Carolina, O = Katello, OU = SomeOrgUnit, CN = foreman

issuer=C = US, ST = North Carolina, L = Raleigh, O = Katello, OU = SomeOrgUnit, CN = foreman

---
Acceptable client certificate CA names
C = US, ST = North Carolina, L = Raleigh, O = Katello, OU = SomeOrgUnit, CN = foreman
Requested Signature Algorithms: ECDSA+SHA256:ECDSA+SHA384:ECDSA+SHA512:Ed25519:Ed448:RSA-PSS+SHA256:RSA-PSS+SHA256:RSA-PSS+SHA384:RSA-PSS+SHA384:RSA-PSS+SHA512:RSA-PSS+SHA512:RSA+SHA256:RSA+SHA384:RSA+SHA512:ECDSA+SHA224:RSA+SHA224:ECDSA+SHA1:RSA+SHA1
Shared Requested Signature Algorithms: ECDSA+SHA256:ECDSA+SHA384:ECDSA+SHA512:Ed25519:Ed448:RSA-PSS+SHA256:RSA-PSS+SHA256:RSA-PSS+SHA384:RSA-PSS+SHA384:RSA-PSS+SHA512:RSA-PSS+SHA512:RSA+SHA256:RSA+SHA384:RSA+SHA512
Peer signing digest: SHA256
Peer signature type: RSA-PSS
Server Temp Key: X25519, 253 bits
---
SSL handshake has read 4683 bytes and written 4635 bytes
Verification: OK
---
New, TLSv1.3, Cipher is TLS_AES_256_GCM_SHA384
Server public key is 4096 bit
Secure Renegotiation IS NOT supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
Early data was not sent
Verify return code: 0 (ok)
---
---
Post-Handshake New Session Ticket arrived:
SSL-Session:
    Protocol  : TLSv1.3
    Cipher    : TLS_AES_256_GCM_SHA384
    Session-ID: 6E310252165720FC25ED9AA95747EA995A31F457B86E1FA9A57620854FF7286B
    Session-ID-ctx:
    Resumption PSK: 06E54BB0DACDEFC3BCA9C669AB18D9DD8A2526A237995ADBDA1F7DB0DF1CF713296329030A15A42ABE1A16DCD4EF8B48
    PSK identity: None
    PSK identity hint: None
    SRP username: None
    TLS session ticket lifetime hint: 300 (seconds)
    TLS session ticket:
--snip
    Start Time: 1638899371
    Timeout   : 7200 (sec)
    Verify return code: 0 (ok)
    Extended master secret: no
    Max Early Data: 0
---
read R BLOCK
---
Post-Handshake New Session Ticket arrived:
SSL-Session:
    Protocol  : TLSv1.3
    Cipher    : TLS_AES_256_GCM_SHA384
    Session-ID: 15E436591282327F64322B94AEF2F51600172C1A8B59293AA107A77EAB3B3881
    Session-ID-ctx:
    Resumption PSK: 519C121375C6576C46A8BFFC2E95D29B70BE80500BC9F1943C4F5000E27A7EFCA607B7B197B2349A32B169551481CFB7
    PSK identity: None
    PSK identity hint: None
    SRP username: None
    TLS session ticket lifetime hint: 300 (seconds)
    TLS session ticket:
--snip 
    Start Time: 1638899371
    Timeout   : 7200 (sec)
    Verify return code: 0 (ok)
    Extended master secret: no
    Max Early Data: 0
---
read R BLOCK

unable to edit… IPA requires 443 not 8443. But still, not a typo.

That all looks OK. Is there some HTTP proxy in place that breaks things? I think we should purge the env var before calling Puppet but perhaps we’re missing something?

This host is not particularly important yet because I haven’t finished installing IPA yet… so whatever you’d like to try just shoot it my way and I can test it. I plan to use a http proxy at some point, but currently there’s no proxy between the client and server.

Is there anyone that can assist me with this? I’m now on 3.1.0 and still can’t figure out how to let the proxy allow self signed certs from Foreman.

I had this problem after the upgrade from foreman 3.3 to 3.4

In my case the solution was:
vim /etc/foreman-installer/scenarios.d/katello-answers.yaml

foreman:
  #server_ssl_ca: "/etc/pki/katello/certs/katello-default-ca.crt"
  server_ssl_ca: "/etc/pki/katello/certs/katello-server-ca.crt"

The file /etc/pki/katello/certs/katello-server-ca.crt , contains the intermediary certificate and the root.

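One way to reproduce the failure offline and confirm which CA file the installer has to be pointed at, as an added example that is not part of the thread or of Foreman's or Katello's own code. It builds a throwaway PKI that mirrors the thread: a Katello-style root plus intermediate that issued the Foreman server certificate, and an unrelated self-signed CA standing in for katello-default-ca.crt. It then validates the chain the server presents (leaf, intermediate, self-signed root, as in the s_client output above) against each CA file and reports the X509 verify error code, where 19 is the "self signed certificate in certificate chain" error from the installer log. All certificate names, the foreman.example.com hostname and the file names are constructed for the example.

```shell
#!/bin/sh
# Added example, not from the thread or the Foreman project: rebuild the
# situation with a throwaway PKI and check which CA file validates the chain
# the Foreman server sends. All names below are constructed.
set -eu

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT HUP INT TERM

# Extension profiles for CA certificates and the server leaf.
printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' > "$WORK/ca.ext"
printf 'basicConstraints=CA:FALSE\nkeyUsage=digitalSignature,keyEncipherment\nextendedKeyUsage=serverAuth\nsubjectAltName=DNS:foreman.example.com\n' > "$WORK/server.ext"

# make_root_ca PREFIX CN: self-signed CA certificate and key under $WORK.
make_root_ca() {
  openssl req -x509 -newkey rsa:2048 -nodes -days 2 \
    -subj "/O=Katello/CN=$2" \
    -keyout "$WORK/$1.key" -out "$WORK/$1.crt" >/dev/null 2>&1
}

# issue_cert PREFIX CN CA_PREFIX EXTFILE: certificate for CN signed by CA_PREFIX.
issue_cert() {
  openssl req -new -newkey rsa:2048 -nodes \
    -subj "/O=Katello/CN=$2" \
    -keyout "$WORK/$1.key" -out "$WORK/$1.csr" >/dev/null 2>&1
  openssl x509 -req -days 2 -in "$WORK/$1.csr" \
    -CA "$WORK/$3.crt" -CAkey "$WORK/$3.key" -CAcreateserial \
    -extfile "$4" -out "$WORK/$1.crt" >/dev/null 2>&1
}

make_root_ca server-root "Katello Server Root CA"
issue_cert   server-int  "Katello Server Intermediate CA" server-root "$WORK/ca.ext"
issue_cert   foreman     "foreman.example.com"            server-int  "$WORK/server.ext"
make_root_ca default-ca  "Katello Default CA"   # unrelated CA, plays katello-default-ca.crt

# What the server sends in the handshake after the leaf: intermediate, then the
# self-signed root (the thread's s_client output shows a self-signed cert at depth 1).
cat "$WORK/server-int.crt" "$WORK/server-root.crt" > "$WORK/sent-chain.pem"
# The bundle the accepted fix points server_ssl_ca at: intermediate plus root.
cp "$WORK/sent-chain.pem" "$WORK/katello-server-ca.crt"

# verify_code CAFILE: validate the leaf plus the sent chain against exactly one
# CA file (default trust locations disabled) and print the X509 verify error
# code: 0 = trusted, 19 = "self signed certificate in certificate chain".
# The numeric code is matched rather than the message because OpenSSL 3.x
# prints "self-signed" with a hyphen while 1.1.1 (EL8) prints "self signed".
verify_code() {
  out=$(openssl verify -no-CAfile -no-CApath -CAfile "$1" \
          -untrusted "$WORK/sent-chain.pem" "$WORK/foreman.crt" 2>&1) || true
  case "$out" in
    *": OK"*) echo 0 ;;
    *) echo "$out" | sed -n 's/.*error \([0-9][0-9]*\) at [0-9]* depth lookup.*/\1/p' | head -n 1 ;;
  esac
}

echo "against default-ca.crt (wrong CA):         code $(verify_code "$WORK/default-ca.crt")"
echo "against katello-server-ca.crt (the fix):   code $(verify_code "$WORK/katello-server-ca.crt")"

# Against a live Foreman the equivalent check is (not run here, needs the network):
#   openssl s_client -CAfile /etc/pki/katello/certs/katello-server-ca.crt \
#       -connect foreman.example.com:443 </dev/null | grep 'Verify return code'
```

The wrong CA file yields code 19 even though the root is in the chain the server sends: a self-signed root that is not in the client's trust store is untrusted by definition, which is why "let the proxy ignore that the CA is self-signed" is the wrong framing and handing the client the right CA bundle is the fix. On a real host, run the same comparison with the two files under /etc/pki/katello/certs and the chain captured with `openssl s_client -showcerts`; whichever file returns 0 is the one `server_ssl_ca` in the answers file, or `--foreman-proxy-foreman-ssl-ca` on the installer command line, has to name.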