Problem:
I’m trying to run foreman-installer on our existing Foreman server to add a new config option (Ansible if that matters), and the installer fails checking the SSL cert. We recently changed the location of our Let’s Encrypt certs, so I’ve gone back and am trying to tell foreman-installer the location of the cert. Here’s the command:
foreman-installer \
  --foreman-server-ssl-cert /etc/letsencrypt/host.domain_ecc/host.domain.cer \
  --foreman-server-ssl-chain /etc/letsencrypt/host.domain_ecc/fullchain.cer \
  --foreman-server-ssl-key /etc/letsencrypt/host.domain_ecc/host.domain.key
This fails with the following errors:
Checking server certificate encoding: [OK]
Checking expiration of certificate: [OK]
Checking expiration of CA bundle: [OK]
Checking if server certificate has CA:TRUE flag [OK]
Checking for private key passphrase: [OK]
Checking to see if the private key matches the certificate: 140653394163520:error:0607907F:digital envelope routines:EVP_PKEY_get0_RSA:expecting an rsa key:crypto/evp/p_lib.c:469:
[FAIL]
The /etc/letsencrypt/host.domain_ecc/host.domain.key does not match the /etc/letsencrypt/host.domain_ecc/host.domain.cer
Checking CA bundle against the certificate file: [FAIL]
The /etc/letsencrypt/host.domain_ecc/ca.cer does not verify the /etc/letsencrypt/host.domain_ecc/host.domain.cer
C = US, O = Let's Encrypt, CN = E6
error 2 at 1 depth lookup: unable to get issuer certificate
error /etc/letsencrypt/host.domain_ecc/host.domain.cer: verification failed
I understand what the error is saying, but I don’t believe that the keys are mismatched. It’s the same key we use for the web service, and that is working fine with the same keypair. Also, the process is automated with Ansible, and it installs the certs correctly on every host we’ve used it. But just to be sure, I reinstalled the cert, and I still get the same error.
So why is Foreman reporting that the keys are not matched?
Foreman and Proxy versions:
3.7.1
Distribution and version:
Alma Linux 8.9
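Added here as an editor's example, not code from the post or from Foreman: the `EVP_PKEY_get0_RSA:expecting an rsa key` message in the output above is what `openssl rsa` prints when handed a non-RSA key, so the script below contrasts an RSA-only modulus comparison (which fails on an EC key exactly like that) with a key-type-agnostic comparison of the public keys, and adds the chain check behind the second failure. It assumes `openssl` is on PATH and constructs its own EC key and self-signed certificate in a temp directory; `make_fixture`, `key_matches_cert` and the other function names are this example's own.

```shell
#!/bin/sh
# Check that a private key matches a certificate and that a chain verifies it,
# independent of key type (RSA, ECDSA, Ed25519).
set -eu

# RSA-only style: `openssl rsa` refuses a non-RSA key, so an EC key always "mismatches".
key_matches_cert_rsa_only() {
  cert_mod=$(openssl x509 -noout -modulus -in "$1" 2>/dev/null) || return 1
  key_mod=$(openssl rsa -noout -modulus -in "$2" 2>/dev/null) || return 1
  [ "$cert_mod" = "$key_mod" ]
}

# Key-type-agnostic: compare a digest of the DER SubjectPublicKeyInfo from both sides.
key_matches_cert() {
  cert_pub=$(openssl x509 -noout -pubkey -in "$1" | openssl pkey -pubin -outform DER | openssl dgst -sha256) || return 1
  key_pub=$(openssl pkey -in "$2" -pubout -outform DER | openssl dgst -sha256) || return 1
  [ "$cert_pub" = "$key_pub" ]
}

# Chain check: $1 must contain the intermediate that issued the leaf $2, otherwise
# openssl reports "unable to get issuer certificate" as in the installer output.
chain_verifies() {
  openssl verify -CAfile "$1" "$2" >/dev/null 2>&1
}

# Runs both checks and reports in the installer's style; returns 1 on the first failure.
check_files() {
  if key_matches_cert "$1" "$2"; then echo "private key matches certificate: [OK]"
  else echo "private key matches certificate: [FAIL]"; return 1; fi
  if chain_verifies "$3" "$1"; then echo "chain verifies certificate: [OK]"
  else echo "chain verifies certificate: [FAIL]"; return 1; fi
}

# Constructed fixture: a P-256 key with a self-signed cert, plus an unrelated key and cert.
make_fixture() {
  dir=$(mktemp -d)
  openssl ecparam -name prime256v1 -genkey -noout -out "$dir/host.key" 2>/dev/null
  openssl req -new -x509 -key "$dir/host.key" -subj "/CN=host.example" -days 1 -out "$dir/host.cer" 2>/dev/null
  openssl ecparam -name prime256v1 -genkey -noout -out "$dir/other.key" 2>/dev/null
  openssl req -new -x509 -key "$dir/other.key" -subj "/CN=other.example" -days 1 -out "$dir/other.cer" 2>/dev/null
  echo "$dir"
}

# Usage: sh checkcert.sh host.domain.cer host.domain.key fullchain.cer
if [ $# -eq 3 ]; then
  check_files "$1" "$2" "$3"
fi
```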