Help with SSL cert renewal

Problem:
The /etc/pki/katello/certs/katello-apache.crt cert is expiring.
I created a .csr using the …/private/katello-apache.key and got a new cert from DigiCert.
When I used the new cert the web interface showed the new valid cert but when I run “yum check-updates” I get cert errors:

[Errno 14] curl#60 - “Peer’s Certificate issuer is not recognized.”

Expected outcome:
I expect to run yum with no cert errors.

Foreman and Proxy versions:
v 3.21

Foreman and Proxy plugin versions:

Distribution and version:

Other relevant data:

[Errno 14] curl#60 - “Peer’s Certificate issuer is not recognized.”

Sounds to me as if you didn’t follow the docs to update the certificate.

https://docs.theforeman.org/3.2/Installing_Server/index-katello.html#Configuring_Server_with_a_Custom_SSL_Certificate_foreman

When I do katello-certs-check I get this failure:

Checking CA bundle against the certificate file:
[FAIL]

I’m used to configuring Apache certs manually; is the proxy SSL configured differently?
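The `[FAIL]` above means the certificate cannot be chained to any CA in the bundle file, which is the same condition that makes yum/curl report "Peer's Certificate issuer is not recognized". The following script is an added example (not from this thread or from the katello-certs-check tool) that reproduces the check with plain `openssl`: it builds a throwaway CA, a server certificate signed by it, and an unrelated CA, then verifies the certificate against each. All names and paths are constructed for the demo.

```shell
#!/bin/sh
# Added example: reproduce the "CA bundle against the certificate file"
# check with openssl. Everything here is throwaway demo material.
set -eu

WORK="${WORK:-$(mktemp -d)}"

# Build a demo root CA, a server cert signed by it, and an unrelated CA
# that plays the role of a bundle which does not contain the real issuer.
make_demo_certs() {
    dir="$1"
    ( cd "$dir"
      openssl req -x509 -newkey rsa:2048 -nodes -keyout ca.key -out ca.crt \
          -subj "/CN=Demo Root CA" -days 2 >/dev/null 2>&1
      openssl req -newkey rsa:2048 -nodes -keyout server.key -out server.csr \
          -subj "/CN=foreman.example.test" >/dev/null 2>&1
      openssl x509 -req -in server.csr -CA ca.crt -CAkey ca.key -CAcreateserial \
          -out server.crt -days 2 >/dev/null 2>&1
      openssl req -x509 -newkey rsa:2048 -nodes -keyout other.key -out other-ca.crt \
          -subj "/CN=Unrelated CA" -days 2 >/dev/null 2>&1 )
}

# check_chain CERT BUNDLE: returns 0 if CERT chains to a CA in BUNDLE, 1 otherwise.
# This is the same test that fails in the thread above.
check_chain() {
    if openssl verify -CAfile "$2" "$1" >/dev/null 2>&1; then
        echo "[OK]   $1 chains to a CA in $2"
        return 0
    else
        echo "[FAIL] $1 does not chain to any CA in $2"
        return 1
    fi
}

# key_matches KEY CERT: returns 0 if the private key belongs to the certificate,
# i.e. the CSR really was generated from that key.
key_matches() {
    cert_pub=$(openssl x509 -in "$2" -noout -pubkey)
    key_pub=$(openssl pkey -in "$1" -pubout)
    [ "$cert_pub" = "$key_pub" ]
}

make_demo_certs "$WORK"
key_matches "$WORK/server.key" "$WORK/server.crt" && echo "[OK]   key matches certificate"
check_chain "$WORK/server.crt" "$WORK/ca.crt"
# Bundle without the issuer: this is the state that produces curl#60 on clients.
check_chain "$WORK/server.crt" "$WORK/other-ca.crt" || true
```

Run it against the real files by substituting the certificate, the CA bundle you intend to hand to the installer, and the private key. With a commercially issued certificate such as the one in this thread, the bundle file normally has to contain the issuing intermediate CA as well as the root, otherwise `openssl verify` (and katello-certs-check) will fail in exactly this way.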

Then it won’t work. You need to fix that. The purpose of that step is to make sure that the certificates will work.

So you didn’t follow the docs, you broke it and now it’s not working.

Why don’t you follow the docs?

Manual changes will be overwritten by foreman-installer, i.e., even if you replace all the right files, it may just break with the next upgrade. foreman-installer installs the certificates in all the right places, and with the new consumer rpm all the clients will learn about them, too…