Foreman/Katello cert issues

Hello,

I am new to Foreman/Katello and this is the first request for help that I
have made, so I'm sure that I won't give all the needed info on the first
try, so please let me know what else you need and I'll get it to you as
quick as I can. That said, here is what I need help with. . .

Overview:
I updated my certs to a set that was signed by my company's CA.
Unfortunately, our internal CA can only sign using SHA1, but I didn't know
that until after I had updated the certs. This was causing minor issues
with my browser not accepting the certs, though Katello was working fine.
The browser issue was annoying, so I purchased a cert from GlobalSign and
updated to it. Since that update, I've been having issues with Katello
itself. For example, I cannot delete a host and I cannot rebuild a host.
There may be other issues that I haven't run into yet.

Details:

For both certs, the Company CA signed one and the GlobalSign one, I did the
following to update the certs on an existing Katello server.

I used katello-certs-check to verify the certs and it gave me the ok:
Validating the certificate subject=<snip>
Check private key matches the certificate: [OK]
Check ca bundle verifies the cert file: [OK]

Validation succeeded.

So, I followed its instructions to update the certificates on a currently
running Katello installation:
katello-installer --certs-server-cert "/etc/pki/tls/certs/uldcd-katello01.pem" \
    --certs-server-cert-req "/etc/pki/tls/certs/uldcd-katello01.csr" \
    --certs-server-key "/etc/pki/tls/certs/uldcd-katello01.key" \
    --certs-server-ca-cert "/etc/pki/tls/certs/globalsign_ca.pem" \
    --certs-update-server --certs-update-server-ca

Both times, katello-installer exited successfully.

After the second update however, I am seeing this in
/var/log/foreman-proxy/proxy.log:

E, [2016-06-21T15:32:30.670518 #2824] ERROR -- : OpenSSL::SSL::SSLError:
SSL_accept returned=1 errno=0 state=SSLv3 read client certificate A: tlsv1
alert unknown ca

In addition to that, if I cat the entire proxy.log, it shows the contents
of the first internally signed SHA1 signed cert. It looks like it failed
to update to the new GlobalSign cert.

cat /var/log/foreman-proxy/proxy.log | egrep -A6 'Certificate:'

Certificate:
Data:
Version: 3 (0x2)
Serial Number:
1b:bf:b7:28:00:00:00:0b:48:17
Signature Algorithm: sha1WithRSAEncryption
Issuer: DC=com, DC=teletech, CN=TeleTech Internal Issuing CA01

I expect to see this, from the GlobalSign cert:

openssl x509 -in uldcd-katello01.pem -text -noout | head -n7

Certificate:
Data:
Version: 3 (0x2)
Serial Number:
20:c7:0f:1d:5c:40:ed:99:95:f8:a2:99
Signature Algorithm: sha256WithRSAEncryption
Issuer: C=BE, O=GlobalSign nv-sa, CN=GlobalSign Organization
Validation CA - SHA256 - G2

I tried to rerun the katello-installer to update the certs again, hoping it
would fix the bad one, but the installer now gives me this error:
[ERROR 2016-06-21 13:32:17 verbose]
/Stage[main]/Foreman_proxy::Register/Foreman_smartproxy[uldcd-katello01.teletech.com]:
Proxy uldcd-katello01.teletech.com cannot be registered (422 Unprocessable
Entity): Unable to communicate with the proxy: ERF12-2530
[ProxyAPI::ProxyException]: Unable to detect features
([OpenSSL::SSL::SSLError]: SSL_connect returned=1 errno=0 state=SSLv3 read
server certificate B: certificate verif…) for proxy
https://uldcd-katello01.teletech.com:9090/features Please check the proxy
is configured and running on the host.

Thanks in advance for your help!

Anthony


Hi Anthony,

It seems to me like this issue:

https://bugzilla.redhat.com/show_bug.cgi?id=1218251#c0

I'm planning to look more deeply into it really soon. For now, could you try
the workaround described there to see if it helps with your setup?

-- Ivan

On Tue, Jun 21, 2016 at 11:56 PM, Anthony Valentine wrote:

Ivan,

Thank you very much! The workaround worked for me.

A note for others finding this in the future: the workaround suggested in
the bug report has a typo in the directory name.

The command to remove the old certs should be:

# remove the RPMs that own the old certificate files (rpm -qf may list more
# than one package, so its output is deliberately left unquoted)
for i in /etc/pki/katello-certs-tools/certs/*
do
    rpm -e $(rpm -qf "$i")
done

On Wednesday, June 22, 2016 at 9:05:36 AM UTC-6, Ivan Necas wrote: