Problem:
I am trying to connect my secondary Foreman to the primary Foreman for CDN.
The primary Foreman is connected to the Internet, while the secondary is only connected to Foreman via the internal network.
I am using the custom SSL certificates provided by our internal team. I followed the steps provided in Managing Content - configuring-server-to-synchronize-content-over-a-network********* and am getting the below error.
Could not update CDN configuration.:
SSL_connect returned=1 errno=0 state=error: certificate verify failed (self signed certificate in certificate chain)
Expected outcome:
As per the below instruction, we should be able to connect the secondary (disconnected) Foreman to the primary (connected) Foreman for content.
https://docs.theforeman.org/3.3/Managing_Content/index-katello.html#configuring-server-to-synchronize-content-over-a-network_content-management
Foreman and Proxy versions:
foreman-3.3.0-1.el8.noarch
foreman-proxy-3.3.0-1.el8.noarch
katello-4.5.0-1.el8.noarch
Foreman and Proxy plugin versions:
Distribution and version:
Foreman 3.3 Server with Katello 4.5 Plugin
Other relevant data:
Logs from the time I am trying to add the CDN:
2022-11-03T17:00:23 [I|app|e1d05182] Started PUT "/katello/api/v2/organizations/1/cdn_configuration" for 10.66.196.19 at 2022-11-03 17:00:23 +0000
2022-11-03T17:00:23 [I|app|e1d05182] Processing by Katello::Api::V2::OrganizationsController#cdn_configuration as JSON
2022-11-03T17:00:23 [I|app|e1d05182] Parameters: {"url"=>"https://", "username"=>"", "password"=>"[FILTERED]", "upstream_organization_label"=>"Default_Organization", "ssl_ca_credential_id"=>"8", "upstream_content_view_label"=>"Default_Organization_View", "upstream_lifecycle_environment_label"=>"Library", "type"=>"network_sync", "api_version"=>"v2", "id"=>"1", "organization"=>{"type"=>"network_sync"}}
2022-11-03T17:00:23 [I|bac|e1d05182] Task {label: , execution_plan_id: ea15b529-d62f-49a7-9991-180014762855} state changed: pending
2022-11-03T17:00:24 [I|bac|e1d05182] Task {label: Actions::Katello::CdnConfiguration::Update, id: b60b3f4d-8acb-4a56-92e5-a375b0ab1399, execution_plan_id: ea15b529-d62f-49a7-9991-180014762855} state changed: planning
2022-11-03T17:00:24 [I|app|e1d05182] CDN: Requesting path https://*******:443/api/v2/organizations?search=label+%3D+Default_Organization
2022-11-03T17:00:24 [E|app|e1d05182] Couldn't load upstream organization with label=Default_Organization error=SSL_connect returned=1 errno=0 state=error: certificate verify failed (self signed certificate in certificate chain)
2022-11-03T17:00:24 [E|bac|e1d05182] SSL_connect returned=1 errno=0 state=error: certificate verify failed (self signed certificate in certificate chain) (OpenSSL::SSL::SSLError)
e1d05182 | /usr/share/ruby/net/protocol.rb:44:in `connect_nonblock'
e1d05182 | /usr/share/ruby/net/protocol.rb:44:in `ssl_socket_connect'
e1d05182 | /usr/share/ruby/net/http.rb:1009:in `connect'
e1d05182 | /usr/share/ruby/net/http.rb:943:in `do_start'
e1d05182 | /usr/share/ruby/net/http.rb:932:in `start'
e1d05182 | /usr/share/gems/gems/katello-4.5.1/app/lib/katello/resources/cdn.rb:135:in `get'
e1d05182 | /usr/share/gems/gems/katello-4.5.1/app/lib/katello/resources/cdn/katello_cdn.rb:120:in `find_organization'
e1d05182 | /usr/share/gems/gems/katello-4.5.1/app/lib/katello/resources/cdn/katello_cdn.rb:116:in `organization'
e1d05182 | /usr/share/gems/gems/katello-4.5.1/app/lib/katello/resources/cdn/katello_cdn.rb:57:in `validate!'
e1d05182 | /usr/share/gems/gems/katello-4.5.1/app/lib/actions/katello/cdn_configuration/update.rb:10:in `plan'
e1d05182 | /usr/share/gems/gems/dynflow-1.6.4/lib/dynflow/action.rb:525:in `block (3 levels) in execute_plan'
e1d05182 | /usr/share/gems/gems/dynflow-1.6.4/lib/dynflow/middleware/stack.rb:27:in `pass'
e1d05182 | /usr/share/gems/gems/dynflow-1.6.4/lib/dynflow/middleware.rb:19:in `pass'
Hi @sandeepkumar
Is the CA you are using on the disconnected Foreman the root CA or an intermediate? Usually that error comes from the cert being verified by the CA, but the CA is not complete.
Hi @cintrix84
Thanks for looking into that.
The CA is root, a combination of CA and RA from our PKI team.
I am using https:/****/pub/katello-server-ca.crt as the SSL CA Content Credential (as per the guide).
Unfortunately, as a new account, I can't upload the screenshot of the error from the web UI. I'll try to list the details below:
Content → Subscriptions → Manage Manifest → CDN Configuration → Network Sync:
URL: https://**.net
Username: *****
Password: ****
Organization label: ***
Lifecycle Environment Label: Library
Content View label: Default_Organization_view
SSL CA Content credential: (downloaded from the primary Foreman, https://pub/katello-server-ca.crt, and created an SSL content credential named Foreman12a)
Clicking Update gives the below error:
SSL_connect returned=1 errno=0 state=error: certificate verify failed (self signed certificate in certificate chain)
PS: both the connected and disconnected Foreman are using custom certificates generated by the PKI team.
Please do help out if you have seen or encountered this issue.
Sandeep,
Can you try creating a Content Credential with the following certificates concatenated (you can use a new line to separate them):
- https:/****/pub/katello-server-ca.crt
- CA
- Intermediate CA
We have added a better workflow for your situation in 4.7 but the above setup should work.
Thank you @Partha_Aji , I’ll give it a try and get back.
Hi Partha,
Thanks for the help, the issue was resolved. It turned out the CA bundle we got from the PKI team had the root CA embedded in it. When we removed the root cert and changed the order (CA cert + Intermediate CA cert), the credentials worked. It also turned out the order of the certs was important; if I reversed the order it didn't work.
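Both Partha's suggestion (concatenate the server CA, CA and intermediate into one Content Credential) and the final finding (the order of the certificates in the bundle matters) can be checked offline before anything is pasted into Foreman. The Ruby script below is an added example and is not code from this thread or from Foreman/Katello. It generates a throwaway root -> intermediate -> server chain (constructed here; the names Example Root CA, Example Intermediate CA and primary.example.test are assumptions), splits a PEM bundle into certificates the way a client does, reports which entries are self-signed, checks that each certificate is signed by the one that follows it, and runs OpenSSL's own verification with different trusted/presented combinations so you can see which store contents produce "self signed certificate in certificate chain" and which verify cleanly.

```ruby
require 'openssl'

# ---------------------------------------------------------------------------
# Constructed three-tier PKI (root CA -> intermediate CA -> server cert).
# Throwaway certificates generated at load time; not anyone's real PKI.
# ---------------------------------------------------------------------------
def build_cert(subject:, key:, issuer_cert:, issuer_key:, ca:, serial:)
  cert = OpenSSL::X509::Certificate.new
  cert.version = 2                                   # X.509 v3
  cert.serial = serial
  cert.subject = OpenSSL::X509::Name.parse(subject)
  cert.issuer = issuer_cert ? issuer_cert.subject : cert.subject  # no issuer => self-signed
  cert.public_key = key.public_key
  cert.not_before = Time.now - 60
  cert.not_after = Time.now + 3600
  ef = OpenSSL::X509::ExtensionFactory.new
  ef.subject_certificate = cert
  ef.issuer_certificate = issuer_cert || cert
  cert.add_extension(ef.create_extension('basicConstraints', ca ? 'CA:TRUE' : 'CA:FALSE', true))
  cert.add_extension(ef.create_extension('keyUsage', ca ? 'keyCertSign,cRLSign' : 'digitalSignature,keyEncipherment', true))
  cert.add_extension(ef.create_extension('subjectKeyIdentifier', 'hash'))
  cert.sign(issuer_key || key, OpenSSL::Digest.new('SHA256'))
  cert
end

def build_demo_pki
  root_key = OpenSSL::PKey::RSA.new(2048)
  int_key  = OpenSSL::PKey::RSA.new(2048)
  srv_key  = OpenSSL::PKey::RSA.new(2048)
  root = build_cert(subject: '/CN=Example Root CA', key: root_key, issuer_cert: nil, issuer_key: nil, ca: true, serial: 1)
  int  = build_cert(subject: '/CN=Example Intermediate CA', key: int_key, issuer_cert: root, issuer_key: root_key, ca: true, serial: 2)
  srv  = build_cert(subject: '/CN=primary.example.test', key: srv_key, issuer_cert: int, issuer_key: int_key, ca: false, serial: 3)
  { root: root, intermediate: int, server: srv }
end

PKI = build_demo_pki

# Split a PEM bundle (the text that goes into a Content Credential) into certificate objects.
def parse_bundle(pem)
  pem.scan(/-----BEGIN CERTIFICATE-----.*?-----END CERTIFICATE-----/m)
     .map { |block| OpenSSL::X509::Certificate.new(block) }
end

# A root CA is self-issued and its signature checks out under its own key.
def self_signed?(cert)
  cert.issuer == cert.subject && cert.verify(cert.public_key)
end

# One row per bundle entry: position, subject, issuer, self-signed flag.
def describe_bundle(certs)
  certs.each_with_index.map do |c, i|
    { index: i, subject: c.subject.to_s, issuer: c.issuer.to_s, self_signed: self_signed?(c) }
  end
end

# True when every certificate is directly signed by the one that follows it,
# i.e. the bundle runs from leaf-most entry to root-most entry.
def ordered_chain?(certs)
  certs.each_cons(2).all? { |child, parent| child.issuer == parent.subject && child.verify(parent.public_key) }
end

# Verify a server certificate the way a TLS client does: `trusted` is what the
# CA bundle contains, `presented` is what the server sends alongside its own cert.
# Returns [ok, openssl_error_code, openssl_error_string].
def verify_server(server_cert, trusted:, presented: nil)
  store = OpenSSL::X509::Store.new
  trusted.each { |c| store.add_cert(c) }
  ok = store.verify(server_cert, presented)
  [ok, store.error, store.error_string]
end

if __FILE__ == $PROGRAM_NAME
  bundle = [PKI[:server], PKI[:intermediate], PKI[:root]].map(&:to_pem).join
  certs = parse_bundle(bundle)
  describe_bundle(certs).each { |row| puts row }
  puts "ordered leaf-to-root: #{ordered_chain?(certs)}   reversed: #{ordered_chain?(certs.reverse)}"
  puts "root trusted, intermediate presented:   #{verify_server(PKI[:server], trusted: [PKI[:root]], presented: [PKI[:intermediate]]).inspect}"
  puts "nothing trusted, full chain presented:  #{verify_server(PKI[:server], trusted: [], presented: [PKI[:intermediate], PKI[:root]]).inspect}"
  puts "nothing trusted, intermediate presented: #{verify_server(PKI[:server], trusted: [], presented: [PKI[:intermediate]]).inspect}"
end
```

To run it against a real credential, replace `bundle` with `File.read` of the PEM text and drop the constructed PKI. The two error codes worth knowing when reading the output are `OpenSSL::X509::V_ERR_SELF_SIGNED_CERT_IN_CHAIN` (19, the message from this thread: the chain was walked up to a self-signed certificate that is not in the trusted set) and `V_ERR_UNABLE_TO_GET_ISSUER_CERT_LOCALLY` (20: the chain stopped at a certificate whose issuer could not be found anywhere). Both point at the contents and ordering of what the client trusts, not at the server's own certificate.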