How can I find out which root cert to combine in my root_ca.pem

Problem:
When I run:
katello-certs-check -c ./cbs.com_ssl_certificate.cer -k ./cbs.com_private_key.key -b ./ca.pem

I get the error:
The /root/certs/ca.pem does not verify the /root/certs/cbs.com_ssl_certificate.cer
C = US, O = DigiCert Inc, OU = www.digicert.com, CN = GeoTrust TLS RSA CA G1
error 2 at 1 depth lookup: unable to get issuer certificate
error /root/certs/cbs.com_ssl_certificate.cer: verification failed

Expected outcome:
My site: https://foreman.cbs.com/hosts is trusted
Foreman and Proxy versions:

  • ansible-collection-theforeman-foreman-3.13.0-1.el8.noarch
  • ansiblerole-foreman_scap_client-0.2.0-2.el8.noarch
  • candlepin-4.3.1-1.el8.noarch
  • candlepin-selinux-4.3.1-1.el8.noarch
  • foreman-3.7.1-1.el8.noarch
  • foreman-bootloaders-redhat-202102220000-1.el8.noarch
  • foreman-bootloaders-redhat-tftpboot-202102220000-1.el8.noarch
  • foreman-cli-3.7.1-1.el8.noarch
  • foreman-client-release-3.7.1-1.el8.noarch
  • foreman-console-3.7.1-1.el8.noarch
  • foreman-debug-3.7.1-1.el8.noarch
  • foreman-dynflow-sidekiq-3.7.1-1.el8.noarch
  • foreman-ec2-3.7.1-1.el8.noarch
  • foreman-installer-3.7.1-1.el8.noarch
  • foreman-installer-katello-3.7.1-1.el8.noarch
  • foreman-libvirt-3.7.1-1.el8.noarch
  • foreman-postgresql-3.7.1-1.el8.noarch
  • foreman-proxy-3.7.1-1.el8.noarch
  • foreman-release-3.7.1-1.el8.noarch
  • foreman-selinux-3.7.1-1.el8.noarch
  • foreman-service-3.7.1-1.el8.noarch
  • katello-4.9.2-1.el8.noarch
  • katello-certs-tools-2.9.0-2.el8.noarch
  • katello-client-bootstrap-1.7.9-2.el8.noarch
  • katello-common-4.9.2-1.el8.noarch
  • katello-debug-4.9.2-1.el8.noarch
  • katello-repos-4.9.2-1.el8.noarch
  • katello-selinux-5.0.2-1.el8.noarch
  • pulpcore-selinux-1.3.2-1.el8.x86_64
  • python39-pulp-ansible-0.16.0-1.el8.noarch
  • python39-pulp-certguard-1.5.6-1.el8.noarch
  • python39-pulp-cli-0.14.0-4.el8.noarch
  • python39-pulp-container-2.14.7-1.el8.noarch
  • python39-pulp-deb-2.20.4-1.el8.noarch
  • python39-pulp-file-1.12.0-1.el8.noarch
  • python39-pulp-python-3.8.0-1.el8.noarch
  • python39-pulp-rpm-3.19.9-1.el8.noarch
  • python39-pulpcore-3.22.15-1.el8.noarch
Foreman and Proxy plugin versions:

Distribution and version:
AlmaLinux release 8.9 (Midnight Oncilla)
Other relevant data:
The certificate was provided by Ionos

Here is the extract from the proxy log:

2023-11-29 19:13:46 [DEBUG ] [root] Executing: katello-certs-check -c "/root/certs/cbs.com_ssl_certificate.cer" -k "/root/certs/cbs.com_private_key.key" -b "/root/certs/ca.pem"
2023-11-29 19:13:46 [DEBUG ] [root] Checking server certificate encoding:
2023-11-29 19:13:46 [DEBUG ] [root] Checking expiration of certificate:
2023-11-29 19:13:46 [DEBUG ] [root] Checking if server certificate has CA:TRUE flag
2023-11-29 19:13:46 [DEBUG ] [root] Checking to see if the private key matches the certificate:
2023-11-29 19:13:46 [DEBUG ] [root] Checking CA bundle against the certificate file:
2023-11-29 19:13:46 [DEBUG ] [root] The /root/certs/ca.pem does not verify the /root/certs/cloudboxservices.com_ssl_certificate.cer
2023-11-29 19:13:46 [DEBUG ] [root] C = US, O = DigiCert Inc, OU = www.digicert.com, CN = GeoTrust TLS RSA CA G1
2023-11-29 19:13:46 [DEBUG ] [root] error 2 at 1 depth lookup: unable to get issuer certificate
2023-11-29 19:13:46 [DEBUG ] [root] error /root/certs/cbs.com_ssl_certificate.cer: verification failed
2023-11-29 19:13:46 [DEBUG ] [root] Checking Subject Alt Name on certificate
2023-11-29 19:13:46 [DEBUG ] [root] Checking if any Subject Alt Name on certificate matches the Subject CN
2023-11-29 19:13:46 [DEBUG ] [root] Checking Key Usage extension on certificate for Key Encipherment
Checking server certificate encoding:
Checking expiration of certificate:
Checking if server certificate has CA:TRUE flag
Checking to see if the private key matches the certificate:
Checking CA bundle against the certificate file:
The /root/certs/ca.pem does not verify the /root/certs/cbs.com_ssl_certificate.cer
C = US, O = DigiCert Inc, OU = www.digicert.com, CN = GeoTrust TLS RSA CA G1
error 2 at 1 depth lookup: unable to get issuer certificate
error /root/certs/cbs.com_ssl_certificate.cer: verification failed
Checking Subject Alt Name on certificate
Checking if any Subject Alt Name on certificate matches the Subject CN
Checking Key Usage extension on certificate for Key Encipherment
2023-11-29 19:13:46 [DEBUG ] [pre_exit] Hook /usr/share/foreman-installer/hooks/pre_exit/20-certs_regenerate.rb returned nil

This is the CA Cert chain I am trying to use:

cat ca.pem

-----BEGIN CERTIFICATE-----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-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----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==
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----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-----END CERTIFICATE-----

Solved!

I downloaded the correct root cert DigiCert Global Root G2 from https://www.digicert.com/kb/digicert-root-certificates.htm and concatenated it with the Intermediate cert from Ionos. Now everything works again. Happy days!

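Added example, not code from the original post or from the Foreman/Katello tooling: it reproduces the failure above with a throwaway PKI and then automates the step that solved it, namely finding the issuer DN that the bundle lacks so you know which root to download and append. Every name in it is constructed ("Example Root G2" and "Example TLS CA G1" stand in for the DigiCert root and GeoTrust intermediate, `foreman.example.test` for the real hostname); it assumes only the `openssl` command-line tool (1.1.1 or newer).

```shell
#!/usr/bin/env bash
# Added example, not code from the original post or from Foreman/Katello.
# A throwaway PKI (constructed here; the names are invented and have
# nothing to do with the poster's Ionos/DigiCert certificates) reproduces
# the "unable to get issuer certificate" failure, then the chain is walked
# to name the issuer the bundle lacks, and the repaired bundle is verified.
# Requires only the openssl CLI (1.1.1 or newer); POSIX sh is enough.
set -eu

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

cat >"$WORK/req.cnf" <<'EOF'
[req]
distinguished_name = dn
prompt = no
[dn]
CN = placeholder
EOF
cat >"$WORK/ext.cnf" <<'EOF'
[root]
basicConstraints = critical,CA:TRUE
subjectKeyIdentifier = hash
[intermediate]
basicConstraints = critical,CA:TRUE,pathlen:0
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid:always
[server]
basicConstraints = CA:FALSE
subjectAltName = DNS:foreman.example.test
authorityKeyIdentifier = keyid:always
EOF

# csr NAME SUBJECT: EC key and CSR (EC only because it generates quickly)
csr() {
  openssl req -new -newkey ec -pkeyopt ec_paramgen_curve:prime256v1 -nodes \
    -config "$WORK/req.cnf" -subj "$2" \
    -keyout "$WORK/$1.key" -out "$WORK/$1.csr" 2>/dev/null
}
# sign NAME ISSUER EXT: issue NAME's CSR from ISSUER's key with extension set EXT
sign() {
  openssl x509 -req -in "$WORK/$1.csr" -CA "$WORK/$2.pem" -CAkey "$WORK/$2.key" \
    -CAcreateserial -days 30 -sha256 -extfile "$WORK/ext.cnf" -extensions "$3" \
    -out "$WORK/$1.pem" 2>/dev/null
}
csr root   "/O=Example Lab/CN=Example Root G2"
csr inter  "/O=Example Lab/CN=Example TLS CA G1"
csr server "/CN=foreman.example.test"
openssl x509 -req -in "$WORK/root.csr" -signkey "$WORK/root.key" -days 30 -sha256 \
  -extfile "$WORK/ext.cnf" -extensions root -out "$WORK/root.pem" 2>/dev/null
sign inter  root  intermediate
sign server inter server

# dn FILE subject|issuer: the DN as an RFC 2253 string, used as the chain key
dn() {
  openssl x509 -in "$1" -noout "-$2" -nameopt RFC2253 |
    sed -e 's/^subject=//' -e 's/^issuer=//' -e 's/^ *//'
}
# split_bundle BUNDLE DIR: one numbered PEM file per certificate in BUNDLE
split_bundle() {
  awk -v d="$2" '/-----BEGIN CERTIFICATE-----/ { n++; f = d "/" n ".pem" }
                 { if (f != "") print > f }' "$1"
}
# missing_issuer BUNDLE CERT: follow CERT -> issuer -> issuer through BUNDLE and
# print the DN of the first issuer not found there (nothing if the chain ends at
# a self-signed root in BUNDLE). OpenSSL's error names the *subject* it could not
# find an issuer for; this prints that issuer, i.e. the root you must download.
# Names can repeat with cross-signed CAs, so when in doubt also compare the
# Authority Key Identifier against the candidate root's Subject Key Identifier.
missing_issuer() {
  local dir cur iss found c
  dir=$(mktemp -d "$WORK/split.XXXXXX")
  split_bundle "$1" "$dir"
  cur=$2
  while [ "$(dn "$cur" subject)" != "$(dn "$cur" issuer)" ]; do
    iss=$(dn "$cur" issuer); found=""
    for c in "$dir"/*.pem; do
      if [ -f "$c" ] && [ "$(dn "$c" subject)" = "$iss" ]; then found=$c; break; fi
    done
    if [ -z "$found" ]; then echo "$iss"; return 0; fi
    cur=$found
  done
}
# verify_chain BUNDLE CERT: the check katello-certs-check runs on its -b / -c files
verify_chain() { openssl verify -CAfile "$1" "$2" 2>&1; }

# What the poster had: a bundle that holds only the intermediate.
cp "$WORK/inter.pem" "$WORK/bundle_bad.pem"
echo "== intermediate-only bundle"
verify_chain "$WORK/bundle_bad.pem" "$WORK/server.pem" || true
echo "== issuer missing from the bundle (look this DN up on the CA's root download page):"
missing_issuer "$WORK/bundle_bad.pem" "$WORK/server.pem"
# The fix: append the root that issued the intermediate.
cat "$WORK/inter.pem" "$WORK/root.pem" >"$WORK/bundle_good.pem"
echo "== intermediate + root bundle"
verify_chain "$WORK/bundle_good.pem" "$WORK/server.pem"
```

The bundle check in katello-certs-check is an `openssl verify -CAfile` against the server certificate, so the DN it prints before `error 2 at 1 depth lookup` (here `CN = GeoTrust TLS RSA CA G1`) is the certificate at depth 1 whose issuer is absent; the certificate to add is that intermediate's issuer, which is why the fix was to append DigiCert Global Root G2. Order inside the bundle does not matter to this check, but the root you append must be the one whose subject matches the intermediate's issuer exactly, not merely a root from the same vendor.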