Foreman-proxy 1.6 SSL CA-signed certificate verification failures


I'm really struggling with an issue regarding the foreman-proxy module. I'm
really stumped. I installed through katello-installer, but had to use the
no-register flag for success. I am using a custom wildcard cert which was
signed properly and verifies successfully.

When attempting to register a new proxy (katello-installer, or hammer), I
am getting an error:

    Unable to communicate with the proxy: ERF12-2530 [ProxyAPI::ProxyException]:
    Unable to detect features ([OpenSSL::SSL::SSLError]: SSL_connect returned=1
    errno=0 state=SSLv3 read server certificate B: certificate verif…)

I see other bug reports about this, but most of the resolutions involve
people who didn't have the proxy accessible.

My proxy URL is https://<FQDN>:9090
No proxies are configured currently.
The proxy is running and I can reach it from that URL/features in a browser
or with wget, and the certificate is verified. I can pull the features page
this way without it being flagged insecure.
openssl s_client calls succeed. The hostname resolves fine to the eth0 IP. But
when I do it through hammer or the Foreman UI… I get the error.

Traffic is going over interface lo for some reason, but even when I prevent
this, I still get the problem. Decrypting the conversation, I see the response
to the verification is that the CA is not trusted, but the certificate it's
passing is the correct one. Further, using SSL verify on the certs shows
otherwise, and the CA is in the trust store. No firewall, no SELinux. Turning
up logging doesn't really reveal anything else.

So where I'm at is, SSL works just fine outside of foreman->foreman-proxy,
like wget->foreman-proxy.
However, katello-installer-generated certs seem to work fine when I do it
that way.

Any ideas?

Much appreciated.

-- John

> Any ideas?


Check the foreman-proxy configuration's :trusted_hosts: setting - it is
possible to configure the proxy to always trust particular IPs/hostnames.
Maybe you are trying from the correct/wrong hosts.

--
Later, Lukas #lzap Zapletal
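The symptom in the original post (wget and s_client verify the proxy's wildcard cert, but the Ruby side in Foreman reports "certificate verify failed") is worth separating into its possible causes. The script below is an added example, not code from the thread or from the Foreman project. It builds a throwaway PKI in memory (a private CA, a wildcard leaf for *.example.test standing in for the custom wildcard cert, and an unrelated CA), serves the leaf from a local TLS listener in place of foreman-proxy on :9090, then connects the way a Ruby client does: VERIFY_PEER against an explicit OpenSSL::X509::Store, followed by a certificate name check. A fresh X509::Store consults only the certificates added to it, not the OS bundle, so a client handed one CA file behaves differently from a browser or wget even when "the CA is in the system trust store". The names, port and outcomes (:verified, :untrusted_ca, :hostname_mismatch) are this example's own.

```ruby
require 'openssl'
require 'socket'

# Constructed PKI, generated in memory for this example only: a private CA that
# signs a wildcard leaf (stand-in for the custom wildcard cert in the thread),
# plus an unrelated CA that plays "the CA the client actually trusts".
def make_cert(subject:, key:, serial:, ca:, issuer: nil, issuer_key: nil, san: nil)
  cert = OpenSSL::X509::Certificate.new
  cert.version    = 2                                       # X.509 v3
  cert.serial     = serial
  cert.subject    = OpenSSL::X509::Name.parse(subject)
  cert.issuer     = issuer ? issuer.subject : cert.subject  # self-signed without an issuer
  cert.public_key = key.public_key
  cert.not_before = Time.now - 60
  cert.not_after  = Time.now + 3600
  ef = OpenSSL::X509::ExtensionFactory.new
  ef.subject_certificate = cert
  ef.issuer_certificate  = issuer || cert
  if ca
    cert.add_extension(ef.create_extension('basicConstraints', 'CA:TRUE', true))
    cert.add_extension(ef.create_extension('keyUsage', 'keyCertSign, cRLSign', true))
  else
    cert.add_extension(ef.create_extension('basicConstraints', 'CA:FALSE', true))
    cert.add_extension(ef.create_extension('keyUsage', 'digitalSignature, keyEncipherment', true))
    cert.add_extension(ef.create_extension('subjectAltName', san)) if san
  end
  cert.sign(issuer_key || key, OpenSSL::Digest.new('SHA256'))
  cert
end

CA_KEY    = OpenSSL::PKey::RSA.new(2048)
CA_CERT   = make_cert(subject: '/CN=Example Private CA', key: CA_KEY, serial: 1, ca: true)
LEAF_KEY  = OpenSSL::PKey::RSA.new(2048)
LEAF_CERT = make_cert(subject: '/CN=*.example.test', key: LEAF_KEY, serial: 2, ca: false,
                      issuer: CA_CERT, issuer_key: CA_KEY, san: 'DNS:*.example.test')
OTHER_KEY = OpenSSL::PKey::RSA.new(2048)
OTHER_CA  = make_cert(subject: '/CN=Unrelated CA', key: OTHER_KEY, serial: 1, ca: true)

# Minimal TLS listener presenting the leaf, in the role of foreman-proxy on :9090.
# Returns the ephemeral port, the serving thread and the listening socket.
def start_proxy_stub(cert, key)
  ctx = OpenSSL::SSL::SSLContext.new
  ctx.cert = cert
  ctx.key  = key
  tcp    = TCPServer.new('127.0.0.1', 0)
  server = OpenSSL::SSL::SSLServer.new(tcp, ctx)
  thread = Thread.new do
    loop do
      begin
        conn = server.accept
        conn.puts 'ok'
        conn.close
      rescue OpenSSL::SSL::SSLError, SystemCallError, IOError
        # the client rejected our certificate (or hung up); keep serving
      end
    end
  end
  [tcp.addr[1], thread, tcp]
end

# Connect like a Ruby client: VERIFY_PEER against an explicit store (nil = empty
# store), then check the presented name.  A new X509::Store has no default paths,
# so the OS bundle is never consulted, unlike wget or a browser.
def probe(port, hostname, trusted_ca)
  ctx = OpenSSL::SSL::SSLContext.new
  ctx.verify_mode = OpenSSL::SSL::VERIFY_PEER
  ctx.cert_store  = OpenSSL::X509::Store.new.tap { |s| s.add_cert(trusted_ca) if trusted_ca }
  tcp = TCPSocket.new('127.0.0.1', port)
  ssl = OpenSSL::SSL::SSLSocket.new(tcp, ctx)
  ssl.sync_close = true
  ssl.hostname   = hostname            # SNI; the name check below uses the same string
  ssl.connect                          # raises SSLError when the chain is not trusted
  ssl.post_connection_check(hostname)  # raises SSLError when CN/SAN do not match
  ssl.close
  :verified
rescue OpenSSL::SSL::SSLError => e
  case e.message
  when /hostname|does not match/i     then :hostname_mismatch
  when /certificate verify failed/    then :untrusted_ca
  else e.message
  end
ensure
  tcp.close if tcp && !tcp.closed?
end

# Four client configurations against the same server certificate.
def run_demo
  port, thread, listener = start_proxy_stub(LEAF_CERT, LEAF_KEY)
  {
    correct_ca:   probe(port, 'proxy.example.test', CA_CERT),   # wildcard matches, CA trusted
    unrelated_ca: probe(port, 'proxy.example.test', OTHER_CA),  # "CA is not trusted"
    empty_store:  probe(port, 'proxy.example.test', nil),       # no CA at all in the store
    wrong_name:   probe(port, 'proxy.example.org',  CA_CERT)    # chain fine, name does not match
  }
ensure
  thread&.kill
  listener&.close
end

run_demo.each { |label, outcome| puts "#{label}: #{outcome}" } if $PROGRAM_NAME == __FILE__
```

The split matters for the thread: an :untrusted_ca result with the right CA in the system bundle points at the store the Ruby client is actually configured with (its CA file or cert_store), while :hostname_mismatch points at the name the client connects with versus the names in the certificate, and the raw OpenSSL message is returned unchanged for anything else.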