Foreman reporting Pulp failed with SSL certificate expired

**Problem:** Foreman is reporting the Pulp status as “fail”. Last week, we renewed the Foreman certificate that was set to expire on 21st May (today). It went well with no issues and the active certificate is valid till 2026, but we got this issue with Pulp on the day the Foreman cert was originally meant to expire. Not sure if this has any link or is just coincidence.

```
pulp- FAIL - SSL_connect returned=1 errno=0 state=error: certificate verify failed (certificate has expired)
pulp_auth - FAIL - Skipped pulp_auth check after failed pulp check
```

**Expected outcome:** Pulp and Pulp_auth to be reported as OK

**Foreman and Proxy versions:** v 1.24.3; we have a standalone Foreman with a built-in proxy and no other connected proxy servers.

**Foreman and Proxy plugin versions:** pulp - 1.5.0

Distribution and version:

Other relevant data:

It might be hard to get help on this since Foreman 1.24 reached end of life quite a few years ago and our application has changed a good bit.

Your best bet might be to find on the filesystem what certificate is being used to talk to Pulp and try updating it manually.


How did you renew the certs?


Hi Chris, Thanks for your response.

We have upgraded the certs with the command below and then the command that we would get in the output of katello-certs-check. One thing I am curious about is whether we need to update the foreman-proxy certs as well, with the same certs or a different set, considering we have only one Foreman as standalone that acts as the Foreman proxy, with no external proxy servers configured.

```
katello-certs-check -t foreman -c /root/certs/foreman.cert -k /root/certs/foreman.key -b /root/certs/deluxe-root.cert
```


Thanks Iballou for the response and your inputs.

Yeah, we have explored all cert files from the Foreman directories and all certs have expiry dates such as 2034 etc., which is too far from now.


That command should have updated all the certs, even the foreman-proxy ones. Even though the Foreman instance is standalone, it has its own foreman-proxy service running to handle content and handle provisioning. Did the installer complete OK when you did the certs change or did it fail for any reason? It would be interesting to see the /var/log/foreman-installer/katello.log file dated from when you did the certs change.

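
One way to carry out the filesystem check suggested earlier in this thread, as an added example that is not from any poster or from the Foreman project: a Ruby script that reports the expiry of every certificate inside each PEM file, including CA or intermediate certificates bundled after the first one. The function names are hypothetical, and the directories to scan are passed as arguments rather than assumed.

```ruby
require 'openssl'

PEM_CERT = /-----BEGIN CERTIFICATE-----.+?-----END CERTIFICATE-----/m
DAY = 86_400
MAX_BYTES = 1_000_000 # skip large files that are clearly not certificates

# Parse EVERY certificate in a PEM text. `openssl x509 -in FILE` only shows the
# first one, so an expired CA or intermediate later in a bundle goes unnoticed.
def certs_in_pem(pem_text, now: Time.now, warn_days: 30)
  pem_text.scan(PEM_CERT).each_with_index.map do |block, index|
    begin
      cert = OpenSSL::X509::Certificate.new(block)
    rescue OpenSSL::OpenSSLError
      next # malformed block: skip it, keep scanning the rest of the file
    end
    status = if cert.not_after <= now then :expired
             elsif cert.not_after <= now + warn_days * DAY then :expiring
             else :ok
             end
    { index: index, subject: cert.subject.to_s, issuer: cert.issuer.to_s,
      not_after: cert.not_after, status: status }
  end.compact
end

# Walk the given directories and return only certificates that need attention.
def scan_cert_dirs(dirs, now: Time.now, warn_days: 30)
  files = dirs.flat_map { |d| Dir.glob(File.join(d, '**', '*')) }
  files.select { |p| File.file?(p) && File.readable?(p) && File.size(p) <= MAX_BYTES }.flat_map do |path|
    certs_in_pem(File.binread(path), now: now, warn_days: warn_days)
      .reject { |c| c[:status] == :ok }
      .map { |c| c.merge(path: path) }
  end
end

if __FILE__ == $PROGRAM_NAME
  # Directories are supplied by the operator on the command line.
  scan_cert_dirs(ARGV).each do |c|
    puts format('%-8s %s cert #%d notAfter=%s subject=%s issuer=%s',
                c[:status].to_s.upcase, c[:path], c[:index], c[:not_after].utc, c[:subject], c[:issuer])
  end
end
```

A hit with a cert index above 0 points at a chain or CA certificate inside a bundle, which a check of the first certificate alone would not show.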