Install Katello with external SSL CA

Hi,

I'm trying to install the latest Katello using FreeIPA as the external SSL CA.
The certificates were generated using ipa-getcert and stored at
/etc/pki/katello-ipa.
I've used the following installer options:

foreman-installer --scenario katello \
--certs-server-cert='/etc/pki/katello-ipa/certs/katello.pem' \
--certs-server-cert-req='/etc/pki/katello-ipa/certs/katello.req' \
--certs-server-key='/etc/pki/katello-ipa/private/katello.key' \
--certs-server-ca-cert='/etc/pki/katello-ipa/certs/ca-certs.pem' \
--certs-update-server \
--certs-update-server-ca \
--certs-update-all \
--enable-foreman-plugin-ansible \
--enable-foreman-plugin-hooks \
--enable-foreman-plugin-remote-execution \
--enable-foreman-plugin-tasks \
--enable-foreman-proxy-plugin-ansible \
--enable-foreman-proxy-plugin-remote-execution-ssh \
--foreman-email-delivery-method='smtp' \
--foreman-email-smtp-address='localhost' \
--foreman-email-smtp-domain='<domain>' \
--foreman-ipa-authentication=true \
--foreman-proxy-dhcp=true \
--foreman-proxy-dhcp-gateway='xx.xx.xx.xx' \
--foreman-proxy-dhcp-nameservers='xx.xx.xx.xx,yy.yy.yy.yy' \
--foreman-proxy-dhcp-option-domain='xxxxxx' \
--foreman-proxy-dhcp-search-domains='xxxxxx' \
--foreman-proxy-dhcp-subnets='yy.yy.yy.yy/255.255.255.0' \
--foreman-proxy-puppet-ssl-ca='/etc/pki/katello-ipa/certs/ca-certs.pem' \
--foreman-proxy-puppet-ssl-cert='/etc/pki/katello-ipa/certs/puppetmaster.pem' \
--foreman-proxy-puppet-ssl-key='/etc/pki/katello-ipa/private/puppetmaster.key' \
--foreman-proxy-puppetca=false \
--foreman-proxy-realm=true \
--foreman-proxy-realm-keytab='/etc/foreman-proxy/freeipa.keytab' \
--foreman-proxy-realm-principal='<user>@<REALM>' \
--foreman-proxy-realm-provider=freeipa \
--foreman-proxy-ssl=true \
--foreman-proxy-ssl-ca='/etc/pki/katello-ipa/certs/ca-certs.pem' \
--foreman-proxy-ssl-cert='/etc/pki/katello-ipa/certs/foreman-proxy.pem' \
--foreman-proxy-ssl-key='/etc/pki/katello-ipa/private/foreman-proxy.key' \
--foreman-proxy-tftp-listen-on=both \
--enable-foreman-plugin-discovery \
--foreman-proxy-freeipa-remove-dns

and I get the following error:
Proxy <hostname-fqdn> cannot be registered: Unable to communicate with the
proxy: ERF12-2530 [ProxyAPI::ProxyException]: Unable to detect features
([OpenSSL::SSL::SSLError]: SSL_connect returned=1 errno=0 state=SSLv3 read
server session ticket A: tlsv1 alert un…) for proxy
https://<hostname-fqdn>:9090/features Please check the proxy is configured
and running on the host.

The foreman proxy is running:
systemctl status foreman-proxy.service
● foreman-proxy.service - Foreman Proxy
Loaded: loaded (/usr/lib/systemd/system/foreman-proxy.service; enabled;
vendor preset: disabled)
Active: active (running) since Fri 2017-05-19 11:53:44 CEST; 3min 14s ago
Main PID: 11223 (ruby)
CGroup: /system.slice/foreman-proxy.service
└─11223 ruby /usr/share/foreman-proxy/bin/smart-proxy

May 19 11:53:44 spfy-tfm systemd[1]: Starting Foreman Proxy…
May 19 11:53:44 spfy-tfm systemd[1]: PID file
/run/foreman-proxy/foreman-proxy.pid not readable (yet?) after start.
May 19 11:53:44 spfy-tfm systemd[1]: Started Foreman Proxy.

The external Root CA is distributed system-wide and is also
in /etc/pki/katello-ipa/certs/ca-certs.pem.

Any idea what I did wrong or am missing?

Thanks for any help/hint
Rgds, Arsène

Hello,

When I installed Katello to use my FreeIPA CA, I had to install in two steps
to get it to work (this was a couple of versions ago). Here are my notes:

sudo foreman-installer --scenario katello \
--foreman-admin-username admin \
--foreman-admin-password "<password>" \
--foreman-initial-organization "<myorg>" \
--foreman-initial-location "<location>" \
--katello-cdn-ssl-version "TLSv1" \
--foreman-http-keytab "/etc/http.keytab" \
--foreman-ipa-authentication true \
--foreman-pam-service "foreman" \
--foreman-ipa-manage-sssd true \
--foreman-proxy-realm true \
--foreman-proxy-realm-keytab "/etc/foreman-proxy/freeipa.keytab" \
--foreman-proxy-realm-principal "<user>@IPA.MYDOMAIN.COM"

# not sure if the following three steps are really needed/why I did them
sudo cp /etc/pki/katello/certs/katello-default-ca.crt \
/etc/pki/ca-trust/source/anchors/
sudo update-ca-trust force-enable
sudo update-ca-trust extract

sudo foreman-installer --scenario katello \
--certs-server-cert "/etc/pki/tls/certs/katello01.ipa.mydomain.com.crt" \
--certs-server-cert-req "/etc/pki/tls/misc/katello01.ipa.mydomain.com.csr" \
--certs-server-key "/etc/pki/tls/private/katello01.ipa.mydomain.com.key" \
--certs-server-ca-cert "/etc/ipa/ca.crt" \
--certs-update-server --certs-update-server-ca

Hope this helps.
Kind regards
Pascal
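Both installer runs above hand foreman-installer a certificate, its key and a CA bundle, and the registration error in the first post is a TLS failure between Foreman and the proxy on port 9090, so the inputs are worth checking before the installer bakes them into Foreman, the smart proxy and Puppet. The following pre-flight check is an added example, not code from either poster or from the Katello project; it assumes the openssl CLI (1.1.1 or newer for `x509 -ext`), and the paths and hostname are whatever you pass to the installer.

```shell
#!/bin/sh
# Pre-flight check for the certificate inputs handed to foreman-installer
# (--certs-server-cert/-key/-ca-cert and the --foreman-proxy-ssl-* trio).
# Added example, not code from the thread. Requires the openssl CLI (1.1.1+
# for "x509 -ext"). Usage: katello_cert_preflight CERT KEY CA_BUNDLE FQDN
katello_cert_preflight() {
  cert=$1; key=$2; ca=$3; fqdn=$4; rc=0

  # 1. The private key must belong to the certificate: compare the
  #    SubjectPublicKeyInfo derived from each side.
  cert_pub=$(openssl x509 -in "$cert" -noout -pubkey 2>/dev/null)
  key_pub=$(openssl pkey -in "$key" -pubout 2>/dev/null)
  if [ -z "$cert_pub" ] || [ "$cert_pub" != "$key_pub" ]; then
    echo "FAIL: $key does not match $cert"; rc=1
  fi

  # 2. The certificate must chain to the CA bundle Foreman is told to trust;
  #    a proxy certificate issued by some other CA is rejected during the
  #    TLS handshake and the proxy cannot be registered.
  if ! openssl verify -CAfile "$ca" "$cert" >/dev/null 2>&1; then
    echo "FAIL: $cert does not verify against $ca"; rc=1
  fi

  # 3. Foreman verifies the FQDN it dials (https://FQDN:9090/features) against
  #    the certificate, so the name must be present as a DNS subjectAltName.
  if ! openssl x509 -in "$cert" -noout -ext subjectAltName 2>/dev/null \
       | tr ',' '\n' | tr -d ' ' | grep -qx "DNS:$fqdn"; then
    echo "FAIL: $fqdn is not a DNS subjectAltName of $cert"; rc=1
  fi

  # 4. Warn (do not fail) when the certificate expires within 30 days.
  if ! openssl x509 -in "$cert" -noout -checkend 2592000 >/dev/null 2>&1; then
    echo "WARN: $cert expires within 30 days"
  fi
  return $rc
}
```

Run it once per certificate/key pair (Katello server, smart proxy, Puppet master) with the CA bundle you pass as --certs-server-ca-cert or --foreman-proxy-ssl-ca; a non-zero exit means the installer will produce a TLS error rather than a working registration.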

On Friday, May 19, 2017 at 12:01:56 PM UTC+2, Arsène Gschwind wrote:

Hello Pascal,

Thanks for your answer. I've tried that too; it works great for replacing
the Katello/Foreman web SSL certificate and also for the smart proxy, but not
for Puppet. I wanted to disable the Puppet CA and use the one provided by
FreeIPA. I've tried to replace the Puppet certificate by hand as specified
in the docs, but I still have SSL authentication problems.

Best regards,
Arsène

On Friday, May 19, 2017 at 10:38:14 PM UTC+2, pascalp wrote:

Hello Arsène,

Have you had any success on this topic? I am currently also looking for ways to integrate the IPA CA with the Katello Puppet CA.