Foreman smart-proxy "sslv3 alert unsupported certificate"

ayyoladi · February 6, 2019, 1:59pm

Problem:
“Create Proxy” failed on foreman server.
Error: sslv3 alert unsupported certificate for proxy https://xxxxx:8443/features

I have foreman, smart-proxy and ansible running on the same server.
I use foreman without puppet and we have a private CA.

I create certificates with.
TLS Web Server Authentication, TLS Web Client Authentication

The certificates are located -> /etc/ssl/certs and /etc/ssl/private. Permisions root.root
Foreman and smart-proxy share the same certificate.

Expected outcome:
Successfull creation off smart proxy

Foreman and Proxy versions:
foreman 1.21.0~rc4-1
foreman-proxy 1.21.0~rc4-1

Foreman and Proxy plugin versions:
ruby-foreman-ansible 2.2.9-1

Other relevant data:
ansible 2.7.1

logs
/var/log/foreman-proxy/proxy.log
019-02-06T13:55:20 [E] OpenSSL::SSL::SSLError: SSL_accept returned=1 errno=0 state=error: certificate verify failed
/usr/lib/ruby/2.3.0/openssl/ssl.rb:401:in `accept’

/var/log/foreman/production.log
Failed to save: Unable to communicate with the proxy: ERF12-2530 [ProxyAPI::ProxyException]: Unable to detect features ([OpenSSL::SSL::SSLError]: SSL_connect returned=1 errno=0 state=unknown state: sslv3 alert unsupported certificate) for proxy https://xxxxx:8443/features, Please check the proxy is configured and running on the host.

/etc/foreman-proxy/settings.yml
:ssl_certificate: /etc/ssl/certs/ansible-foreman.crt
:ssl_ca_file: /etc/ssl/certs/Root-Test-2017.pem
:ssl_private_key: /etc/ssl/private/privkey-ansible-foreman.pem

Any Ideas?
Please help

mobios

ayyoladi · February 7, 2019, 9:19am

Problem is solved.
I have too generate new certifcate with correct CN (Commonname = hostname).
Extensions -> TLS Web Server Authentication, TLS Web Client Authentication
Keylength i took 2048 instead 4096.

Best regards
mobios

gislaved · February 17, 2019, 4:05pm

Hi,

Did you use a public certificate for this ? I’m running into the same with Lets Encrypt wildcards.

Thanks!

Uknown · February 18, 2019, 7:37am

Hallo gislaved,

no we dont use a public certificate. Please note the Commonname must be the same and the extensions
TLS Web Server Authentication, TLS Web Client Authentication.

Best regards
mobios

gislaved · February 18, 2019, 8:59am

Hi Mobias,

Thanks a lot! So wildcards won’t work in this case ?

Thanks!

Uknown · February 18, 2019, 9:27am

I dont know. Before i had a different commonname and use off alternative names dont work.
But in the dokumentation off foreman is described to use hostname as commonname.

Best regards
mobios

gislaved · February 18, 2019, 9:58am

OK, very good to have this clarified, I will test it out and report back as soon as I know anything!

Cheers

ekohl · February 18, 2019, 11:37am

Looks like the code indeed does not support this.

github.com

theforeman/smart-proxy/blob/a39e5d60be09310af3cc6c1f5976fd3d629bef58/lib/proxy/helpers.rb#L26-L41


# read the HTTPS client certificate from the environment and extract its CN
def https_cert_cn
  certificate_raw = request.env['SSL_CLIENT_CERT'].to_s
  log_halt 403, 'could not read client cert from environment' if certificate_raw.empty?


  begin
    certificate = OpenSSL::X509::Certificate.new certificate_raw
    if certificate.subject && certificate.subject.to_s =~ /CN=([^\s\/,]+)/i
      $1
    else
      log_halt 403, 'could not read CN from the client certificate'
    end
  rescue OpenSSL::X509::CertificateError => e
      log_halt 403, "could not parse the client certificate\n\n#{e.message}"
  end
end

In general I’d avoid using public certificates for the internal communication. Using your own CA and only allowing that is the first level of security. The second is checking names (trusted_hosts in the settings). A third party CA removes one layer of security.

Note that the Foreman server can serve (and use) different certificates from those it uses for connecting to smart proxies.

gislaved · February 18, 2019, 2:53pm

HI Ewoud,

You are right about the layer of security you remove in this way, I was wondering because I can simply deploy public certs as proxiest that don’t do Puppet Server related stuff don’t have a puppet user anymore since puppet 4 aio so you cannot relax the puppet certs easily for proxy usage and a public cert would have fixed that but indeed removes a layer of security.

Or should the foreman-installer be used for this (puppet user creation) ?

ekohl · February 19, 2019, 2:16pm

If you already have a puppet infrastructure, then you can still use those certificates on the server. Even if the proxy isn’t a puppet server. When you pass in --foreman-proxy-puppet false --foreman-proxy-puppetca false it doesn’t install the puppet and puppet ca modules. By default it will then create a puppet group and change the permissions on the certificates so the foreman-proxy user can read them. If you pass in --foreman-proxy-manage-puppet-group false you’re on your own.

gislaved · February 19, 2019, 2:28pm

Hi Ewoud, OK thanks clear!