Foreman-Proxy - certificate verify failed (self signed certificate in certificate chain)

I’m still experiencing this problem

I’ve done a Foreman 3.11.2 install on Rocky 9 with puppet 8. (no Katello, basic foreman only)

The puppet master itself checks into itself without issue.

Any puppet client fails to check in:

[root@p8c ~]# puppet agent -t
Info: Refreshing CA certificate
Error: certificate verify failed [self-signed certificate in certificate chain for CN=Puppet Root CA: c6fb6e07caad2d]
Error: certificate verify failed [self-signed certificate in certificate chain for CN=Puppet Root CA: c6fb6e07caad2d]

I’ve just done a 3.12 upgrade, re-run the foreman-installer, and I’m having the same problem

(I can provide full details of the installer options/setup) but it feels as if this is more common than I’d thought.

I don’t see how the katello issue is linked (apart from symptoms) as the packages being referenced are not in use in Foreman without Katello.

…found a resolution for the behavior. Open the file /usr/share/foreman-installer/modules/foreman/lib/puppet/provider/foreman_resource/rest_v3.rb and change line 64 "ca_file => resource[:ssl_ca]" to the exact path of your CA-Chain file. For my environment:
ca_file => '/etc/pki/ca-trust/source/anchors/katello-server-ca.pem'

After this change I can register the Foreman-Proxy to the Main Server.

Hi,

Did you try to set --foreman-proxy-foreman-ssl-ca to the correct value?
We had the same problem and after some testing I found this flag.
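
A lab reproduction of the error discussed in this thread, added here as an example and not taken from any poster or from the Foreman project: it checks whether a given CA file actually validates the chain a server presents, which is the question behind both the ca_file edit and the --foreman-proxy-foreman-ssl-ca suggestion. The function names (`make_lab`, `check_ca`), file names and certificate subjects are assumptions, and all certificates are throwaway ones constructed in a temporary directory.

```shell
#!/bin/sh
# Added example: reproduce "self-signed certificate in certificate chain"
# with constructed throwaway certificates, then test a CA file against it.

# make_lab DIR: build two unrelated root CAs and one server certificate.
make_lab() {
    d=$1
    # CA that really issued the server certificate (constructed)
    openssl req -x509 -newkey rsa:2048 -nodes -days 2 -subj "/CN=Lab Puppet Root CA" \
        -keyout "$d/right-ca.key" -out "$d/right-ca.pem" 2>/dev/null
    # Unrelated CA, standing in for a stale or wrong CA path (constructed)
    openssl req -x509 -newkey rsa:2048 -nodes -days 2 -subj "/CN=Lab Other CA" \
        -keyout "$d/wrong-ca.key" -out "$d/wrong-ca.pem" 2>/dev/null
    # Server key and CSR, signed by the right CA
    openssl req -newkey rsa:2048 -nodes -subj "/CN=foreman.lab.example" \
        -keyout "$d/server.key" -out "$d/server.csr" 2>/dev/null
    openssl x509 -req -in "$d/server.csr" -CA "$d/right-ca.pem" -CAkey "$d/right-ca.key" \
        -CAcreateserial -days 2 -out "$d/server.pem" 2>/dev/null
}

# check_ca CA_FILE PRESENTED_CHAIN LEAF
# CA_FILE is the only trust anchor; PRESENTED_CHAIN is what the server sends
# along with its certificate (treated as untrusted input).
# Prints: trusted | untrusted-root | other-failure
check_ca() {
    if out=$(openssl verify -CAfile "$1" -untrusted "$2" "$3" 2>&1); then
        echo trusted
    # OpenSSL 1.1 prints "self signed", OpenSSL 3 prints "self-signed"
    elif printf '%s\n' "$out" | grep -Eq 'self[- ]signed certificate in certificate chain'; then
        echo untrusted-root
    else
        echo other-failure
    fi
}

lab=$(mktemp -d)
trap 'rm -rf "$lab"' EXIT
make_lab "$lab"

# The server presents its root in the chain in both cases; only the
# client-side CA file differs.
echo "CA file matches issuer: $(check_ca "$lab/right-ca.pem" "$lab/right-ca.pem" "$lab/server.pem")"
echo "CA file is another CA:  $(check_ca "$lab/wrong-ca.pem" "$lab/right-ca.pem" "$lab/server.pem")"
```

A result of untrusted-root means the chain is internally consistent but its root is not in the CA file the client was given, so the fix is on the trust side (the configured CA path), not on the server certificate.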