Foreman smart-proxy "sslv3 alert unsupported certificate"


#1

Problem:
“Create Proxy” failed on foreman server.
Error: sslv3 alert unsupported certificate for proxy https://xxxxx:8443/features

I have foreman, smart-proxy and ansible running on the same server.
I use foreman without puppet and we have a private CA.

I create certificates with the extensions:
TLS Web Server Authentication, TLS Web Client Authentication

The certificates are located in /etc/ssl/certs and /etc/ssl/private. Permissions root.root
Foreman and smart-proxy share the same certificate.

Expected outcome:
Successful creation of smart proxy

Foreman and Proxy versions:
foreman 1.21.0~rc4-1
foreman-proxy 1.21.0~rc4-1

Foreman and Proxy plugin versions:
ruby-foreman-ansible 2.2.9-1

Other relevant data:
ansible 2.7.1

logs
/var/log/foreman-proxy/proxy.log
019-02-06T13:55:20 [E] OpenSSL::SSL::SSLError: SSL_accept returned=1 errno=0 state=error: certificate verify failed
/usr/lib/ruby/2.3.0/openssl/ssl.rb:401:in `accept'

/var/log/foreman/production.log
Failed to save: Unable to communicate with the proxy: ERF12-2530 [ProxyAPI::ProxyException]: Unable to detect features ([OpenSSL::SSL::SSLError]: SSL_connect returned=1 errno=0 state=unknown state: sslv3 alert unsupported certificate) for proxy https://xxxxx:8443/features, Please check the proxy is configured and running on the host.

/etc/foreman-proxy/settings.yml
:ssl_certificate: /etc/ssl/certs/ansible-foreman.crt
:ssl_ca_file: /etc/ssl/certs/Root-Test-2017.pem
:ssl_private_key: /etc/ssl/private/privkey-ansible-foreman.pem

Any Ideas?
Please help

mobios


#2

Problem is solved.
I had to generate a new certificate with the correct CN (Common Name = hostname).
Extensions -> TLS Web Server Authentication, TLS Web Client Authentication
For the key length I took 2048 instead of 4096.

Best regards
mobios


#3

Hi,

Did you use a public certificate for this? I’m running into the same with Let's Encrypt wildcards.

Thanks!


#4

Hello gislaved,

No, we don't use a public certificate. Please note the Common Name must be the same and the extensions must be
TLS Web Server Authentication, TLS Web Client Authentication.

Best regards
mobios
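To check a certificate against the requirements mobios describes (CN equal to the proxy hostname, both TLS Web Server and Client Authentication extended key usages, and a chain that verifies against the private CA) before pointing settings.yml at it, here is an added Ruby example using the openssl standard library. It is not Foreman's own code; the CA name, hostname and the in-memory certificates it builds are constructed for the demonstration.

```ruby
require 'openssl'

# Build a certificate in memory (constructed for this demo; in practice load
# the files from settings.yml). A CA cert is self-signed with CA:TRUE; a leaf
# is signed by the CA and carries the requested extendedKeyUsage values.
def build_cert(cn, issuer_cert: nil, issuer_key: nil, ekus: [], ca: false)
  key = OpenSSL::PKey::RSA.new(2048)
  cert = OpenSSL::X509::Certificate.new
  cert.version = 2 # X.509 v3, needed for extensions
  cert.serial = rand(1..2**31)
  cert.subject = OpenSSL::X509::Name.parse("/CN=#{cn}")
  cert.issuer = issuer_cert ? issuer_cert.subject : cert.subject
  cert.public_key = key.public_key
  cert.not_before = Time.now - 60
  cert.not_after = Time.now + 86_400
  ef = OpenSSL::X509::ExtensionFactory.new
  ef.subject_certificate = cert
  ef.issuer_certificate = issuer_cert || cert
  if ca
    cert.add_extension(ef.create_extension('basicConstraints', 'CA:TRUE', true))
    cert.add_extension(ef.create_extension('keyUsage', 'keyCertSign,cRLSign', true))
  elsif !ekus.empty?
    cert.add_extension(ef.create_extension('extendedKeyUsage', ekus.join(',')))
  end
  cert.sign(issuer_key || key, OpenSSL::Digest.new('SHA256'))
  [cert, key]
end

# Report what would make Foreman reject this cert for a smart proxy: the chain
# must verify against the private CA, the CN must equal the proxy hostname, and
# extendedKeyUsage must include both TLS Web Server and Client Authentication.
REQUIRED_EKUS = ['TLS Web Server Authentication', 'TLS Web Client Authentication'].freeze

def proxy_cert_problems(cert, ca_cert, hostname)
  problems = []
  store = OpenSSL::X509::Store.new
  store.add_cert(ca_cert)
  problems << "chain does not verify: #{store.error_string}" unless store.verify(cert)
  cn = cert.subject.to_a.find { |name, _, _| name == 'CN' }&.at(1)
  problems << "CN is #{cn.inspect}, expected #{hostname.inspect}" unless cn == hostname
  eku = cert.extensions.find { |e| e.oid == 'extendedKeyUsage' }
  present = eku ? eku.value.split(',').map(&:strip) : []
  REQUIRED_EKUS.each { |u| problems << "missing extendedKeyUsage #{u}" unless present.include?(u) }
  problems
end

# Constructed demo: one good cert and one with the wrong CN and only serverAuth.
ca_cert, ca_key = build_cert('Root-Test-2017', ca: true)
good, = build_cert('proxy.example.test', issuer_cert: ca_cert, issuer_key: ca_key, ekus: %w[serverAuth clientAuth])
bad, = build_cert('ansible-foreman', issuer_cert: ca_cert, issuer_key: ca_key, ekus: %w[serverAuth])
puts "good: #{proxy_cert_problems(good, ca_cert, 'proxy.example.test').inspect}"
puts "bad:  #{proxy_cert_problems(bad, ca_cert, 'proxy.example.test').inspect}"
```

Running it prints an empty list for the good certificate and two findings (CN mismatch, missing client authentication) for the bad one; against a real deployment you would load the three paths from settings.yml instead of building certificates in memory.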


#5

Hi mobios,

Thanks a lot! So wildcards won’t work in this case?

Thanks!


#6

I don't know. Before, I had a different Common Name and the use of alternative names didn't work.
But in the documentation of Foreman it is described to use the hostname as Common Name.

Best regards
mobios


#7

OK, very good to have this clarified, I will test it out and report back as soon as I know anything!

Cheers


#8

Looks like the code indeed does not support this.

In general I’d avoid using public certificates for the internal communication. Using your own CA and only allowing that is the first level of security. The second is checking names (trusted_hosts in the settings). A third party CA removes one layer of security.

Note that the Foreman server can serve (and use) different certificates from those it uses for connecting to smart proxies.


#9

Hi Ewoud,

You are right about the layer of security you remove in this way. I was wondering because I can simply deploy public certs, as proxies that don’t do Puppet Server related stuff don’t have a puppet user anymore since Puppet 4 AIO, so you cannot relax the puppet certs easily for proxy usage; a public cert would have fixed that but indeed removes a layer of security.

Or should the foreman-installer be used for this (puppet user creation)?


#10

If you already have a puppet infrastructure, then you can still use those certificates on the server. Even if the proxy isn’t a puppet server. When you pass in --foreman-proxy-puppet false --foreman-proxy-puppetca false it doesn’t install the puppet and puppet ca modules. By default it will then create a puppet group and change the permissions on the certificates so the foreman-proxy user can read them. If you pass in --foreman-proxy-manage-puppet-group false you’re on your own.


#11

Hi Ewoud, OK thanks clear!