Hey,
I'm having an issue using a custom certificate for the proxy. I have set the Foreman main server to use a custom certificate, which works fine,
but then I had an issue adding a proxy in the UI, which said “there is a self sign certificate in chain”, so I also added a custom certificate (my organization's certificate) to the proxy. Now I'm able to add the proxy in the UI but cannot connect a client to it.
I'm using:
Foreman version: 3.14
Katello version: 4.16
OS: RHEL 9.5
I tried two ways of adding the proxy certificate. The first was manually changing the file /etc/foreman-proxy/settings.yml:
:ssl_ca_file: /etc/pki/tls/certs/ca_cert_bundle.pem
:ssl_certificate: /etc/pki/tls/certs/ForemanCert.crt
:ssl_private_key: /etc/pki/tls/private/ForemanCertKey.key
:foreman_ssl_ca: /etc/pki/tls/certs/ca_cert_bundle.pem
:foreman_ssl_cert: /etc/pki/tls/certs/ForemanCert.crt
:foreman_ssl_key: /etc/pki/tls/private/ForemanCertKey.key
and restarting the proxy.
Then I tried to connect from the client:
root@MY_CLIENT_SERVER:~# set -o pipefail && curl -vvv --show-error 'https://MY_PROXY_SERVER:9090/register?activation_keys=Ubuntu24&download_utility=curl&force=true&ignore_subman_errors=true&location_id=4&operatingsystem_id=2&organization_id=1&update_packages=false' --header 'Authorization: Bearer eyJhbGciOiJIUzI1NiJ9.eyJ1c2VyX2lkIjo0LCJpYXQiOjE3NDk2NDXXXXXXXXXXXXXXXXXXjOGY2MDg3NmZkZjNlZjFiOGI2ZWNhNjkzZmFjMTc1NzUiLCJzY29wZSI6InJlZ2lzdHJhdGlvbiNnbG9iYWwgcmVnaXN0cmF0aW9uI2hvc3QifQ.iR0MWsDAIChpBQfcpCyya3RLQyCZ7GUFErpCuCBw-x8' | bash
But got the internal error:
% Total % Received % Xferd Average Speed Time Time Time Current
Dload Upload Total Spent Left Speed
0 0 0 0 0 0 0 0 --:--:-- --:--:-- --:--:-- 0* Host MY_PROXY_SERVER:9090 was resolved.
* IPv6: (none)
* IPv4: 10.x.x.x
* Trying 10.x.x.x:9090...
* Connected to MY_PROXY_SERVER (10.x.x.x) port 9090
* ALPN: curl offers h2,http/1.1
} [5 bytes data]
* TLSv1.3 (OUT), TLS handshake, Client hello (1):
} [512 bytes data]
* CAfile: /etc/ssl/certs/ca-certificates.crt
* CApath: /etc/ssl/certs
{ [5 bytes data]
* TLSv1.3 (IN), TLS handshake, Server hello (2):
{ [122 bytes data]
* TLSv1.3 (IN), TLS handshake, Encrypted Extensions (8):
{ [10 bytes data]
* TLSv1.3 (IN), TLS handshake, Request CERT (13):
{ [52 bytes data]
* TLSv1.3 (IN), TLS handshake, Certificate (11):
{ [4905 bytes data]
* TLSv1.3 (IN), TLS handshake, CERT verify (15):
{ [264 bytes data]
* TLSv1.3 (IN), TLS handshake, Finished (20):
{ [52 bytes data]
* TLSv1.3 (OUT), TLS change cipher, Change cipher spec (1):
} [1 bytes data]
* TLSv1.3 (OUT), TLS handshake, Certificate (11):
} [8 bytes data]
* TLSv1.3 (OUT), TLS handshake, Finished (20):
} [52 bytes data]
* SSL connection using TLSv1.3 / TLS_AES_256_GCM_SHA384 / X25519 / RSASSA-PSS
* ALPN: server did not agree on a protocol. Uses default.
* Server certificate:
* subject: C=DE; O=MYORG; OU=IES; CN=MY_PROXY_SERVER
* start date: Jun 11 06:25:10 2025 GMT
* expire date: Jun 11 06:25:10 2026 GMT
* subjectAltName: host "MY_PROXY_SERVER" matched cert's "MY_PROXY_SERVER"
* issuer: C=DE; L=xx; O=MYORG; CN=MYORGNET_CA
* SSL certificate verify ok.
* Certificate level 0: Public key type RSA (2048/112 Bits/secBits), signed using sha256WithRSAEncryption
* Certificate level 1: Public key type RSA (4096/152 Bits/secBits), signed using sha256WithRSAEncryption
* using HTTP/1.x
} [5 bytes data]
> GET /register?activation_keys=Ubuntu24&download_utility=curl&force=true&ignore_subman_errors=true&location_id=4&operatingsystem_id=2&organization_id=1&update_packages=false HTTP/1.1
> Host: MY_PROXY_SERVER:9090
> User-Agent: curl/8.5.0
> Accept: */*
> Authorization: Bearer eyJhbGciOiJIUzI1NiJ9.eyJ1c2VyX2lkIjo0LCJpYXQiOjE3NDk2NDM5MjIsImp0aSI6IjAxxxxxxxxxxxxxxxxxxx9uI2hvc3QifQ.iR0MWsDAIChpBQfcpCyya3RLQyCZ7GUFErpCuCBw-x8
>
{ [5 bytes data]
* TLSv1.3 (IN), TLS handshake, Newsession Ticket (4):
{ [297 bytes data]
* TLSv1.3 (IN), TLS handshake, Newsession Ticket (4):
{ [297 bytes data]
* old SSL session ID is stale, removing
{ [5 bytes data]
< HTTP/1.1 500 Internal Server Error
< Content-Type: text/html;charset=utf-8
< Content-Length: 36
< X-Xss-Protection: 1; mode=block
< X-Content-Type-Options: nosniff
< X-Frame-Options: SAMEORIGIN
< Server: foreman-proxy/3.14.0
< Date: Thu, 12 Jun 2025 11:10:22 GMT
< Connection: Keep-Alive
<
{ [5 bytes data]
100 36 100 36 0 0 52 0 --:--:-- --:--:-- --:--:-- 53
* Connection #0 to host MY_PROXY_SERVER left intact
Internal Server Error
The second try was running this on the proxy server:
katello-certs-check -t foreman-proxy -c /etc/pki/tls/certs/ForemanCert.crt -k /etc/pki/tls/private/ForemanCertKey.key -b /etc/pki/tls/certs/ca_cert_bundle.pem
When it verified that all certs are valid and OK, I ran the command from its output:
foreman-proxy-certs-generate --foreman-proxy-fqdn "$FOREMAN_PROXY" \
--certs-tar "~/$FOREMAN_PROXY-certs.tar" \
--server-cert "/etc/pki/tls/certs/ForemanCert.crt" \
--server-key "/etc/pki/tls/private/ForemanCertKey.key" \
--server-ca-cert "/etc/pki/tls/certs/ca_cert_bundle.pem" \
--certs-update-server
Then I moved the tar to the proxy and did the steps it described.
But I'm still getting an “internal error” when trying to connect the client to the proxy.
Can someone help me figure out what to do?
Thanks
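As an added example (not from the post, and not part of Foreman or Katello), here is a POSIX sh pre-flight check for the cert/key/CA-bundle triple that settings.yml points at: key matches cert, cert chains to the bundle, SAN carries the proxy FQDN, cert not expired. It assumes openssl is on PATH; the function name and the example hostnames are my own.

```shell
#!/bin/sh
# Added example, not from the forum post: pre-flight checks on the
# cert/key/CA-bundle triple that foreman-proxy's settings.yml points at,
# so a mismatch shows up before the proxy is restarted. Needs openssl.
# Usage: check_proxy_certs <proxy-fqdn> <cert.pem> <key.pem> <ca-bundle.pem>
check_proxy_certs() {
    fqdn=$1; cert=$2; key=$3; ca=$4; rc=0
    for f in "$cert" "$key" "$ca"; do
        [ -r "$f" ] || { echo "FAIL: cannot read $f"; return 1; }
    done
    # 1. The private key must belong to the certificate (same public key).
    cert_pub=$(openssl x509 -in "$cert" -pubkey -noout 2>/dev/null)
    key_pub=$(openssl pkey -in "$key" -pubout 2>/dev/null)
    if [ -z "$cert_pub" ] || [ "$cert_pub" != "$key_pub" ]; then
        echo "FAIL: $key does not match $cert"; rc=1
    fi
    # 2. The certificate must chain to the bundle the proxy and its clients trust.
    if ! openssl verify -CAfile "$ca" "$cert" >/dev/null 2>&1; then
        echo "FAIL: $cert does not verify against $ca"; rc=1
    fi
    # 3. The SAN must carry the FQDN clients put in the URL (curl checks this).
    if ! openssl x509 -in "$cert" -noout -text | grep -qw "DNS:$fqdn"; then
        echo "FAIL: subjectAltName of $cert lacks DNS:$fqdn"; rc=1
    fi
    # 4. The certificate must still be within its validity period.
    if ! openssl x509 -in "$cert" -noout -checkend 0 >/dev/null 2>&1; then
        echo "FAIL: $cert has expired"; rc=1
    fi
    [ "$rc" -eq 0 ] && echo "OK: $cert, $key and $ca are consistent for $fqdn"
    return "$rc"
}
```

Run it on the proxy as `check_proxy_certs MY_PROXY_SERVER /etc/pki/tls/certs/ForemanCert.crt /etc/pki/tls/private/ForemanCertKey.key /etc/pki/tls/certs/ca_cert_bundle.pem` (as a user that can read the key) before restarting foreman-proxy.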