–
Best Regards,

Stephen Benjamin
Red Hat Engineering

Is there a corresponding error on the Katello when you get the
disconnected message?

You can enable debug logging on qpid dispatch router, which might help:
https://gist.github.com/stbenjam/226f6939e981f1bca156

On Tue, Aug 18, 2015 at 05:29:10AM -0700, JC wrote:

Is anyone able to help?

Having got the Katello server to the brink of deployment into production,
it’s frustrating to not be able to proceed.

On Thursday, 13 August 2015 13:35:59 UTC+1, JC wrote:

The katello-agent and subscription manager install on a the (CentOS6)
client, and the client can use yum to update itself from Katello, but
tasks

triggered from Katello fail.

Host did not respond within 20 seconds. Is katello-agent installed and
goferd running on the Host?

I’ve implemented:

Bug #10350: qpid-dispatch-0.4-4 runs under non-root account and has no access to PKI files - Katello - Foreman /
https://bugzilla.redhat.com/show_bug.cgi?id=1217828

ll /etc/pki/katello/qpid_router*

-rw-r-----. 1 qdrouterd qdrouterd 5579 Jul 28 15:32
/etc/pki/katello/qpid_router_client.crt
-rw-r-----. 1 qdrouterd qdrouterd 1679 Jul 28 15:31
/etc/pki/katello/qpid_router_client.key
-rw-r-----. 1 qdrouterd qdrouterd 5579 Jul 28 15:31
/etc/pki/katello/qpid_router_server.crt
-rw-r-----. 1 qdrouterd qdrouterd 1675 Jul 28 15:31
/etc/pki/katello/qpid_router_server.key

But don’t see an improvement. I’m also not using ipv6*, so haven’t
modified /etc/qpid-dispatch/qdrouterd.conf (as David LeVene did).

*Well the ‘advanced’ section for the content host within Katello shows
::1

(localhost).

Of course I do see, on the Katello server, 5647 being listened to and
the

firewall is open (and turned off for testing on the client):

netstat -pntl|grep 5647

tcp 0 0 0.0.0.0:5647 0.0.0.0:*
LISTEN 48646/qdrouterd

iptables -nL | grep 5647

ACCEPT tcp – 0.0.0.0/0 0.0.0.0/0 multiport
dports 22,80,443,5647,5671,8140

tcpdump shows a short conversation between server and client:

IP myserver.50035 > mytestclient.5647: tcp 0
IP mytestclient.5647 > myserver.50035: tcp 0
IP myserver.50035 > mytestclient.5647: tcp 0
IP myserver.50035 > mytestclient.5647: tcp 304
IP mytestclient.5647 > myserver.50035: tcp 0
IP mytestclient.5647 > myserver.50035: tcp 3665
IP myserver.50035 > mytestclient.5647: tcp 0

Aug 13 12:50:20 mytestclient goferd: [INFO][Thread-1]
gofer.messaging.adapter.proton.connection:100 - connecting: URL:
amqps://myserver.mydomain:5647|SSL: ca:
/etc/rhsm/ca/katello-server-ca.pem|key: None|certificate:
/etc/pki/consumer/bundle.pem|host-validation: None

Aug 13 12:50:20 mytestclient goferd: [INFO][Thread-1] root:481 -
connecting to myserver.mydomain:5647…

Aug 13 12:50:20 mytestclient goferd: [INFO][Thread-1] root:521 -
Disconnected

Aug 13 12:50:20 mytestclient goferd: [ERROR][Thread-1]
gofer.messaging.adapter.proton.connection:106 -
amqps://myserver.mydomain:5647

Aug 13 12:50:20 mytestclient goferd: [ERROR][Thread-1]
gofer.messaging.adapter.proton.connection:106 - Traceback (most recent
call

last):

Aug 13 12:50:20 mytestclient goferd: [ERROR][Thread-1]
gofer.messaging.adapter.proton.connection:106 - File

“/usr/lib/python2.6/site-packages/gofer/messaging/adapter/proton/connection.py”,

line 102, in open

Aug 13 12:50:20 mytestclient goferd: [ERROR][Thread-1]
gofer.messaging.adapter.proton.connection:106 - self._impl =
BlockingConnection(url, ssl_domain=domain)

Aug 13 12:50:20 mytestclient goferd: [ERROR][Thread-1]
gofer.messaging.adapter.proton.connection:106 - File
"/usr/lib64/python2.6/site-packages/proton/utils.py", line 200, in
init

Aug 13 12:50:20 mytestclient goferd: [ERROR][Thread-1]
gofer.messaging.adapter.proton.connection:106 - msg=“Opening
connection”)

Aug 13 12:50:20 mytestclient goferd: [ERROR][Thread-1]
gofer.messaging.adapter.proton.connection:106 - File
"/usr/lib64/python2.6/site-packages/proton/utils.py", line 231, in wait

Aug 13 12:50:20 mytestclient goferd: [ERROR][Thread-1]
gofer.messaging.adapter.proton.connection:106 -
self.container.process()

Aug 13 12:50:20 mytestclient goferd: [ERROR][Thread-1]
gofer.messaging.adapter.proton.connection:106 - File
"/usr/lib64/python2.6/site-packages/proton/init.py", line 3729, in
dispatch

Aug 13 12:50:20 mytestclient goferd: [ERROR][Thread-1]
gofer.messaging.adapter.proton.connection:106 -
ev.dispatch(self.handler)

Aug 13 12:50:20 mytestclient goferd: [ERROR][Thread-1]
gofer.messaging.adapter.proton.connection:106 - File
"/usr/lib64/python2.6/site-packages/proton/init.py", line 3654, in
dispatch

Aug 13 12:50:20 mytestclient goferd: [ERROR][Thread-1]
gofer.messaging.adapter.proton.connection:106 - result =
dispatch(handler, type.method, self)

Aug 13 12:50:20 mytestclient goferd: [ERROR][Thread-1]
gofer.messaging.adapter.proton.connection:106 - File
"/usr/lib64/python2.6/site-packages/proton/init.py", line 3543, in
dispatch

Aug 13 12:50:20 mytestclient goferd: [ERROR][Thread-1]
gofer.messaging.adapter.proton.connection:106 - return m(*args)

Aug 13 12:50:20 mytestclient goferd: [ERROR][Thread-1]
gofer.messaging.adapter.proton.connection:106 - File
"/usr/lib64/python2.6/site-packages/proton/utils.py", line 257, in
on_transport_tail_closed

Aug 13 12:50:20 mytestclient goferd: [ERROR][Thread-1]
gofer.messaging.adapter.proton.connection:106 -
self.on_transport_closed(event)

Aug 13 12:50:20 mytestclient goferd: [ERROR][Thread-1]
gofer.messaging.adapter.proton.connection:106 - File
"/usr/lib64/python2.6/site-packages/proton/utils.py", line 261, in
on_transport_closed

Aug 13 12:50:20 mytestclient goferd: [ERROR][Thread-1]
gofer.messaging.adapter.proton.connection:106 - raise
ConnectionException(“Connection %s disconnected” % self.url);

Aug 13 12:50:20 mytestclient goferd: [ERROR][Thread-1]
gofer.messaging.adapter.proton.connection:106 - ConnectionException:
Connection amqps://myserver.mydomain:5647 disconnected

Aug 13 12:50:20 mytestclient goferd: [INFO][Thread-1]
gofer.messaging.adapter.proton.connection:108 - retry in 29 seconds

Can anyone help? Many thanks.

–
You received this message because you are subscribed to the Google
Groups “Foreman users” group.
To unsubscribe from this group and stop receiving emails from it, send
an email to foreman-users+unsubscribe@googlegroups.com.
To post to this group, send email to foreman-users@googlegroups.com.
Visit this group at http://groups.google.com/group/foreman-users.
For more options, visit https://groups.google.com/d/optout.

–
Best Regards,

Stephen Benjamin
Red Hat Engineering

–
You received this message because you are subscribed to a topic in the
Google Groups “Foreman users” group.
To unsubscribe from this topic, visit
https://groups.google.com/d/topic/foreman-users/rXbUvcCTuf0/unsubscribe.
To unsubscribe from this group and all its topics, send an email to
foreman-users+unsubscribe@googlegroups.com.
To post to this group, send email to foreman-users@googlegroups.com.
Visit this group at http://groups.google.com/group/foreman-users.
For more options, visit https://groups.google.com/d/optout.

On 18 August 2015 at 15:07, Stephen Benjamin stephen@redhat.com wrote:

Is there a corresponding error on the Katello when you get the
disconnected message?

You can enable debug logging on qpid dispatch router, which might help:
https://gist.github.com/stbenjam/226f6939e981f1bca156

On Tue, Aug 18, 2015 at 05:29:10AM -0700, JC wrote:

Is anyone able to help?

Having got the Katello server to the brink of deployment into production,
it’s frustrating to not be able to proceed.

On Thursday, 13 August 2015 13:35:59 UTC+1, JC wrote:

The katello-agent and subscription manager install on a the (CentOS6)
client, and the client can use yum to update itself from Katello, but
tasks

triggered from Katello fail.

Host did not respond within 20 seconds. Is katello-agent installed and
goferd running on the Host?

I’ve implemented:

Bug #10350: qpid-dispatch-0.4-4 runs under non-root account and has no access to PKI files - Katello - Foreman /
https://bugzilla.redhat.com/show_bug.cgi?id=1217828

ll /etc/pki/katello/qpid_router*

-rw-r-----. 1 qdrouterd qdrouterd 5579 Jul 28 15:32
/etc/pki/katello/qpid_router_client.crt
-rw-r-----. 1 qdrouterd qdrouterd 1679 Jul 28 15:31
/etc/pki/katello/qpid_router_client.key
-rw-r-----. 1 qdrouterd qdrouterd 5579 Jul 28 15:31
/etc/pki/katello/qpid_router_server.crt
-rw-r-----. 1 qdrouterd qdrouterd 1675 Jul 28 15:31
/etc/pki/katello/qpid_router_server.key

But don’t see an improvement. I’m also not using ipv6*, so haven’t
modified /etc/qpid-dispatch/qdrouterd.conf (as David LeVene did).

*Well the ‘advanced’ section for the content host within Katello shows
::1

(localhost).

Of course I do see, on the Katello server, 5647 being listened to and
the

firewall is open (and turned off for testing on the client):

netstat -pntl|grep 5647

tcp 0 0 0.0.0.0:5647 0.0.0.0:*
LISTEN 48646/qdrouterd

iptables -nL | grep 5647

ACCEPT tcp – 0.0.0.0/0 0.0.0.0/0 multiport
dports 22,80,443,5647,5671,8140

tcpdump shows a short conversation between server and client:

IP myserver.50035 > mytestclient.5647: tcp 0
IP mytestclient.5647 > myserver.50035: tcp 0
IP myserver.50035 > mytestclient.5647: tcp 0
IP myserver.50035 > mytestclient.5647: tcp 304
IP mytestclient.5647 > myserver.50035: tcp 0
IP mytestclient.5647 > myserver.50035: tcp 3665
IP myserver.50035 > mytestclient.5647: tcp 0

Aug 13 12:50:20 mytestclient goferd: [INFO][Thread-1]
gofer.messaging.adapter.proton.connection:100 - connecting: URL:
amqps://myserver.mydomain:5647|SSL: ca:
/etc/rhsm/ca/katello-server-ca.pem|key: None|certificate:
/etc/pki/consumer/bundle.pem|host-validation: None

Aug 13 12:50:20 mytestclient goferd: [INFO][Thread-1] root:481 -
connecting to myserver.mydomain:5647…

Aug 13 12:50:20 mytestclient goferd: [INFO][Thread-1] root:521 -
Disconnected

Aug 13 12:50:20 mytestclient goferd: [ERROR][Thread-1]
gofer.messaging.adapter.proton.connection:106 -
amqps://myserver.mydomain:5647

Aug 13 12:50:20 mytestclient goferd: [ERROR][Thread-1]
gofer.messaging.adapter.proton.connection:106 - Traceback (most recent
call

last):

Aug 13 12:50:20 mytestclient goferd: [ERROR][Thread-1]
gofer.messaging.adapter.proton.connection:106 - File

“/usr/lib/python2.6/site-packages/gofer/messaging/adapter/proton/connection.py”,

line 102, in open

Aug 13 12:50:20 mytestclient goferd: [ERROR][Thread-1]
gofer.messaging.adapter.proton.connection:106 - self._impl =
BlockingConnection(url, ssl_domain=domain)

Aug 13 12:50:20 mytestclient goferd: [ERROR][Thread-1]
gofer.messaging.adapter.proton.connection:106 - File
"/usr/lib64/python2.6/site-packages/proton/utils.py", line 200, in
init

Aug 13 12:50:20 mytestclient goferd: [ERROR][Thread-1]
gofer.messaging.adapter.proton.connection:106 - msg=“Opening
connection”)

Aug 13 12:50:20 mytestclient goferd: [ERROR][Thread-1]
gofer.messaging.adapter.proton.connection:106 - File
"/usr/lib64/python2.6/site-packages/proton/utils.py", line 231, in wait

Aug 13 12:50:20 mytestclient goferd: [ERROR][Thread-1]
gofer.messaging.adapter.proton.connection:106 -
self.container.process()

Aug 13 12:50:20 mytestclient goferd: [ERROR][Thread-1]
gofer.messaging.adapter.proton.connection:106 - File
"/usr/lib64/python2.6/site-packages/proton/init.py", line 3729, in
dispatch

Aug 13 12:50:20 mytestclient goferd: [ERROR][Thread-1]
gofer.messaging.adapter.proton.connection:106 -
ev.dispatch(self.handler)

Aug 13 12:50:20 mytestclient goferd: [ERROR][Thread-1]
gofer.messaging.adapter.proton.connection:106 - File
"/usr/lib64/python2.6/site-packages/proton/init.py", line 3654, in
dispatch

Aug 13 12:50:20 mytestclient goferd: [ERROR][Thread-1]
gofer.messaging.adapter.proton.connection:106 - result =
dispatch(handler, type.method, self)

Aug 13 12:50:20 mytestclient goferd: [ERROR][Thread-1]
gofer.messaging.adapter.proton.connection:106 - File
"/usr/lib64/python2.6/site-packages/proton/init.py", line 3543, in
dispatch

Aug 13 12:50:20 mytestclient goferd: [ERROR][Thread-1]
gofer.messaging.adapter.proton.connection:106 - return m(*args)

Aug 13 12:50:20 mytestclient goferd: [ERROR][Thread-1]
gofer.messaging.adapter.proton.connection:106 - File
"/usr/lib64/python2.6/site-packages/proton/utils.py", line 257, in
on_transport_tail_closed

Aug 13 12:50:20 mytestclient goferd: [ERROR][Thread-1]
gofer.messaging.adapter.proton.connection:106 -
self.on_transport_closed(event)

Aug 13 12:50:20 mytestclient goferd: [ERROR][Thread-1]
gofer.messaging.adapter.proton.connection:106 - File
"/usr/lib64/python2.6/site-packages/proton/utils.py", line 261, in
on_transport_closed

Aug 13 12:50:20 mytestclient goferd: [ERROR][Thread-1]
gofer.messaging.adapter.proton.connection:106 - raise
ConnectionException(“Connection %s disconnected” % self.url);

Aug 13 12:50:20 mytestclient goferd: [ERROR][Thread-1]
gofer.messaging.adapter.proton.connection:106 - ConnectionException:
Connection amqps://myserver.mydomain:5647 disconnected

Aug 13 12:50:20 mytestclient goferd: [INFO][Thread-1]
gofer.messaging.adapter.proton.connection:108 - retry in 29 seconds

Can anyone help? Many thanks.

–
You received this message because you are subscribed to the Google
Groups “Foreman users” group.
To unsubscribe from this group and stop receiving emails from it, send
an email to foreman-users+unsubscribe@googlegroups.com.
To post to this group, send email to foreman-users@googlegroups.com.
Visit this group at http://groups.google.com/group/foreman-users.
For more options, visit https://groups.google.com/d/optout.

–
Best Regards,

Stephen Benjamin
Red Hat Engineering

–
You received this message because you are subscribed to a topic in the
Google Groups “Foreman users” group.
To unsubscribe from this topic, visit
https://groups.google.com/d/topic/foreman-users/rXbUvcCTuf0/unsubscribe.
To unsubscribe from this group and all its topics, send an email to
foreman-users+unsubscribe@googlegroups.com.
To post to this group, send email to foreman-users@googlegroups.com.
Visit this group at http://groups.google.com/group/foreman-users.
For more options, visit https://groups.google.com/d/optout.

–
You received this message because you are subscribed to the Google Groups “Foreman users” group.
To unsubscribe from this group and stop receiving emails from it, send an email to foreman-users+unsubscribe@googlegroups.com.
To post to this group, send email to foreman-users@googlegroups.com.
Visit this group at http://groups.google.com/group/foreman-users.
For more options, visit https://groups.google.com/d/optout.

–
Best Regards,

Stephen Benjamin
Red Hat Engineering

On Tue, Aug 18, 2015 at 03:21:28PM +0100, Jamie Caldwell wrote:

Thanks for getting back to me Stephen and the suggestion.

So that configuration is appended to the end of
/etc/qpidd-dispatch/qdrouterd.conf?

Yup, I should’ve mentioned where to put it.

And restart qdrouterd after.

On 18 August 2015 at 15:07, Stephen Benjamin stephen@redhat.com wrote:

Is there a corresponding error on the Katello when you get the
disconnected message?

You can enable debug logging on qpid dispatch router, which might help:
https://gist.github.com/stbenjam/226f6939e981f1bca156

On Tue, Aug 18, 2015 at 05:29:10AM -0700, JC wrote:

Is anyone able to help?

Having got the Katello server to the brink of deployment into
production,

it’s frustrating to not be able to proceed.

On Thursday, 13 August 2015 13:35:59 UTC+1, JC wrote:

The katello-agent and subscription manager install on a the
(CentOS6)

client, and the client can use yum to update itself from Katello,
but

tasks

triggered from Katello fail.

Host did not respond within 20 seconds. Is katello-agent installed
and

goferd running on the Host?

I’ve implemented:

Bug #10350: qpid-dispatch-0.4-4 runs under non-root account and has no access to PKI files - Katello - Foreman /
https://bugzilla.redhat.com/show_bug.cgi?id=1217828

ll /etc/pki/katello/qpid_router*

-rw-r-----. 1 qdrouterd qdrouterd 5579 Jul 28 15:32
/etc/pki/katello/qpid_router_client.crt
-rw-r-----. 1 qdrouterd qdrouterd 1679 Jul 28 15:31
/etc/pki/katello/qpid_router_client.key
-rw-r-----. 1 qdrouterd qdrouterd 5579 Jul 28 15:31
/etc/pki/katello/qpid_router_server.crt
-rw-r-----. 1 qdrouterd qdrouterd 1675 Jul 28 15:31
/etc/pki/katello/qpid_router_server.key

But don’t see an improvement. I’m also not using ipv6*, so haven’t
modified /etc/qpid-dispatch/qdrouterd.conf (as David LeVene did).

*Well the ‘advanced’ section for the content host within Katello
shows

::1

(localhost).

Of course I do see, on the Katello server, 5647 being listened to
and

the

firewall is open (and turned off for testing on the client):

netstat -pntl|grep 5647

tcp 0 0 0.0.0.0:5647 0.0.0.0:*
LISTEN 48646/qdrouterd

iptables -nL | grep 5647

ACCEPT tcp – 0.0.0.0/0 0.0.0.0/0
multiport

dports 22,80,443,5647,5671,8140

tcpdump shows a short conversation between server and client:

IP myserver.50035 > mytestclient.5647: tcp 0
IP mytestclient.5647 > myserver.50035: tcp 0
IP myserver.50035 > mytestclient.5647: tcp 0
IP myserver.50035 > mytestclient.5647: tcp 304
IP mytestclient.5647 > myserver.50035: tcp 0
IP mytestclient.5647 > myserver.50035: tcp 3665
IP myserver.50035 > mytestclient.5647: tcp 0

Aug 13 12:50:20 mytestclient goferd: [INFO][Thread-1]
gofer.messaging.adapter.proton.connection:100 - connecting: URL:
amqps://myserver.mydomain:5647|SSL: ca:
/etc/rhsm/ca/katello-server-ca.pem|key: None|certificate:
/etc/pki/consumer/bundle.pem|host-validation: None

Aug 13 12:50:20 mytestclient goferd: [INFO][Thread-1] root:481 -
connecting to myserver.mydomain:5647…

Aug 13 12:50:20 mytestclient goferd: [INFO][Thread-1] root:521 -
Disconnected

Aug 13 12:50:20 mytestclient goferd: [ERROR][Thread-1]
gofer.messaging.adapter.proton.connection:106 -
amqps://myserver.mydomain:5647

Aug 13 12:50:20 mytestclient goferd: [ERROR][Thread-1]
gofer.messaging.adapter.proton.connection:106 - Traceback (most
recent

call

last):

Aug 13 12:50:20 mytestclient goferd: [ERROR][Thread-1]
gofer.messaging.adapter.proton.connection:106 - File

“/usr/lib/python2.6/site-packages/gofer/messaging/adapter/proton/connection.py”,

line 102, in open

Aug 13 12:50:20 mytestclient goferd: [ERROR][Thread-1]
gofer.messaging.adapter.proton.connection:106 - self._impl =
BlockingConnection(url, ssl_domain=domain)

Aug 13 12:50:20 mytestclient goferd: [ERROR][Thread-1]
gofer.messaging.adapter.proton.connection:106 - File
"/usr/lib64/python2.6/site-packages/proton/utils.py", line 200, in
init

Aug 13 12:50:20 mytestclient goferd: [ERROR][Thread-1]
gofer.messaging.adapter.proton.connection:106 - msg=“Opening
connection”)

Aug 13 12:50:20 mytestclient goferd: [ERROR][Thread-1]
gofer.messaging.adapter.proton.connection:106 - File
"/usr/lib64/python2.6/site-packages/proton/utils.py", line 231, in
wait

Aug 13 12:50:20 mytestclient goferd: [ERROR][Thread-1]
gofer.messaging.adapter.proton.connection:106 -
self.container.process()

Aug 13 12:50:20 mytestclient goferd: [ERROR][Thread-1]
gofer.messaging.adapter.proton.connection:106 - File
"/usr/lib64/python2.6/site-packages/proton/init.py", line
3729, in

dispatch

Aug 13 12:50:20 mytestclient goferd: [ERROR][Thread-1]
gofer.messaging.adapter.proton.connection:106 -
ev.dispatch(self.handler)

Aug 13 12:50:20 mytestclient goferd: [ERROR][Thread-1]
gofer.messaging.adapter.proton.connection:106 - File
"/usr/lib64/python2.6/site-packages/proton/init.py", line
3654, in

dispatch

Aug 13 12:50:20 mytestclient goferd: [ERROR][Thread-1]
gofer.messaging.adapter.proton.connection:106 - result =
dispatch(handler, type.method, self)

Aug 13 12:50:20 mytestclient goferd: [ERROR][Thread-1]
gofer.messaging.adapter.proton.connection:106 - File
"/usr/lib64/python2.6/site-packages/proton/init.py", line
3543, in

dispatch

Aug 13 12:50:20 mytestclient goferd: [ERROR][Thread-1]
gofer.messaging.adapter.proton.connection:106 - return m(*args)

Aug 13 12:50:20 mytestclient goferd: [ERROR][Thread-1]
gofer.messaging.adapter.proton.connection:106 - File
"/usr/lib64/python2.6/site-packages/proton/utils.py", line 257, in
on_transport_tail_closed

Aug 13 12:50:20 mytestclient goferd: [ERROR][Thread-1]
gofer.messaging.adapter.proton.connection:106 -
self.on_transport_closed(event)

Aug 13 12:50:20 mytestclient goferd: [ERROR][Thread-1]
gofer.messaging.adapter.proton.connection:106 - File
"/usr/lib64/python2.6/site-packages/proton/utils.py", line 261, in
on_transport_closed

Aug 13 12:50:20 mytestclient goferd: [ERROR][Thread-1]
gofer.messaging.adapter.proton.connection:106 - raise
ConnectionException(“Connection %s disconnected” % self.url);

Aug 13 12:50:20 mytestclient goferd: [ERROR][Thread-1]
gofer.messaging.adapter.proton.connection:106 -
ConnectionException:

Connection amqps://myserver.mydomain:5647 disconnected

Aug 13 12:50:20 mytestclient goferd: [INFO][Thread-1]
gofer.messaging.adapter.proton.connection:108 - retry in 29 seconds

Can anyone help? Many thanks.

–
You received this message because you are subscribed to the Google
Groups “Foreman users” group.
To unsubscribe from this group and stop receiving emails from it,
send

an email to foreman-users+unsubscribe@googlegroups.com.

To post to this group, send email to foreman-users@googlegroups.com.
Visit this group at http://groups.google.com/group/foreman-users.
For more options, visit https://groups.google.com/d/optout.

–
Best Regards,

Stephen Benjamin
Red Hat Engineering

–
You received this message because you are subscribed to a topic in the
Google Groups “Foreman users” group.
To unsubscribe from this topic, visit

https://groups.google.com/d/topic/foreman-users/rXbUvcCTuf0/unsubscribe.

To unsubscribe from this group and all its topics, send an email to
foreman-users+unsubscribe@googlegroups.com.
To post to this group, send email to foreman-users@googlegroups.com.
Visit this group at http://groups.google.com/group/foreman-users.
For more options, visit https://groups.google.com/d/optout.

–
You received this message because you are subscribed to the Google
Groups “Foreman users” group.
To unsubscribe from this group and stop receiving emails from it, send
an email to foreman-users+unsubscribe@googlegroups.com.
To post to this group, send email to foreman-users@googlegroups.com.
Visit this group at http://groups.google.com/group/foreman-users.
For more options, visit https://groups.google.com/d/optout.

–
Best Regards,

Stephen Benjamin
Red Hat Engineering

–
You received this message because you are subscribed to a topic in the
Google Groups “Foreman users” group.
To unsubscribe from this topic, visit
https://groups.google.com/d/topic/foreman-users/rXbUvcCTuf0/unsubscribe.
To unsubscribe from this group and all its topics, send an email to
foreman-users+unsubscribe@googlegroups.com.
To post to this group, send email to foreman-users@googlegroups.com.
Visit this group at http://groups.google.com/group/foreman-users.
For more options, visit https://groups.google.com/d/optout.

On Wednesday, 19 August 2015 13:49:54 UTC+1, JC wrote:

Sorry for all the postings, but perhaps I’m getting somewhere…

# grep “cert=” /etc/gofer/plugins/katelloplugin.conf
cacert=/etc/rhsm/ca/candlepin-local.pem
clientcert=/etc/pki/consumer/bundle.pem
# file /etc/rhsm/ca/candlepin-local.pem
/etc/rhsm/ca/candlepin-local.pem: cannot open
`/etc/rhsm/ca/candlepin-local.pem’ (No such file or directory)
# file /etc/pki/consumer/bundle.pem
/etc/pki/consumer/bundle.pem: ASCII text

$ openssl x509 -in /etc/pki/consumer/bundle.pem -noout -text

shows a cert for katello.server signed by RH, rather than my CA.

Is that relevant? Can you tell that I don’t really understand how the
certs are used?

On Wednesday, 19 August 2015 13:35:52 UTC+1, JC wrote:

Ahhh, right, on the client (/var/log/messages) I see:

Aug 19 13:18:02 ptnoc61 goferd: [ERROR][Thread-1]
gofer.messaging.adapter.proton.connection:106 - amqps://katello.server:5647

Aug 19 13:18:02 ptnoc61 goferd: [ERROR][Thread-1]
gofer.messaging.adapter.proton.connection:106 - Traceback (most recent call
last):

Aug 19 13:18:02 ptnoc61 goferd: [ERROR][Thread-1]
gofer.messaging.adapter.proton.connection:106 - File
"/usr/lib/python2.6/site-packages/gofer/messaging/adapter/proton/connection.py",
line 101, in open

Aug 19 13:18:02 ptnoc61 goferd: [ERROR][Thread-1]
gofer.messaging.adapter.proton.connection:106 - domain =
self.ssl_domain(connector)

Aug 19 13:18:02 ptnoc61 goferd: [ERROR][Thread-1]
gofer.messaging.adapter.proton.connection:106 - File
"/usr/lib/python2.6/site-packages/gofer/messaging/adapter/proton/connection.py",
line 57, in ssl_domain

Aug 19 13:18:02 ptnoc61 goferd: [ERROR][Thread-1]
gofer.messaging.adapter.proton.connection:106 -
domain.set_trusted_ca_db(connector.ssl.ca_certificate)

Aug 19 13:18:02 ptnoc61 goferd: [ERROR][Thread-1]
gofer.messaging.adapter.proton.connection:106 - File
"/usr/lib64/python2.6/site-packages/proton/init.py", line 3386, in
set_trusted_ca_db

Aug 19 13:18:02 ptnoc61 goferd: [ERROR][Thread-1]
gofer.messaging.adapter.proton.connection:106 - certificate_db) )

Aug 19 13:18:02 ptnoc61 goferd: [ERROR][Thread-1]
gofer.messaging.adapter.proton.connection:106 - File
"/usr/lib64/python2.6/site-packages/proton/init.py", line 3376, in
_check

Aug 19 13:18:02 ptnoc61 goferd: [ERROR][Thread-1]
gofer.messaging.adapter.proton.connection:106 - raise exc(“SSL
failure.”)

Aug 19 13:18:02 ptnoc61 goferd: [ERROR][Thread-1]
gofer.messaging.adapter.proton.connection:106 - SSLException: SSL
failure.

Aug 19 13:18:02 ptnoc61 goferd: [INFO][Thread-1]
gofer.messaging.adapter.proton.connection:108 - retry in 106 seconds

Aug 19 13:19:49 ptnoc61 goferd: [INFO][Thread-1]
gofer.messaging.adapter.proton.connection:100 - connecting: URL:
amqps://katello.server:5647|SSL: ca:
/etc/rhsm/ca/katello-server-ca.pem|key: None|certificate:
/etc/pki/consumer/bundle.pem|host-validation: None

And on the server I see (ignore the times, grabbed from later in
/var/log/qdrouterd.log):

Wed Aug 19 13:32:23 2015 SERVER (debug) Accepting incoming connection from
katello.client:44791 to 0.0.0.0:5647

I’ve previously updated the Foreman UI cert using:

$ katello-installer --certs-server-cert “katello.cer”
–certs-server-cert-req “katello.csr” --certs-server-key “katello.key”
–certs-server-ca-cert “RootAll.cer” --certs-update-server
–certs-update-server-ca

Did I miss something then? The UI looks happy…

OK, anyone know the solution?

On Wednesday, 19 August 2015 12:57:20 UTC+1, JC wrote:

OK, strace showed a problem writing to the log file. Perms changed and
now we have some output…

cat /var/log/qdrouterd.log

Wed Aug 19 12:32:43 2015 AGENT (debug) Add entity:
Entity(name=log/ROUTER_LS, identity=log/ROUTER_LS,
type=org.apache.qpid.dispatch.log, enable=default, module=ROUTER_LS)

Wed Aug 19 12:32:43 2015 AGENT (debug) Add entity:
Entity(name=log/ROUTER_MA, identity=log/ROUTER_MA,
type=org.apache.qpid.dispatch.log, enable=default, module=ROUTER_MA)

Wed Aug 19 12:32:43 2015 AGENT (debug) Add entity:
Entity(name=log/DISPATCH, identity=log/DISPATCH,
type=org.apache.qpid.dispatch.log, enable=default, module=DISPATCH)

Wed Aug 19 12:32:43 2015 AGENT (debug) Add entity:
Entity(name=log/ROUTER_HELLO, identity=log/ROUTER_HELLO,
type=org.apache.qpid.dispatch.log, enable=default, module=ROUTER_HELLO)

Wed Aug 19 12:32:43 2015 AGENT (debug) Add entity: Entity(name=log/SERVER,
identity=log/SERVER, type=org.apache.qpid.dispatch.log, enable=default,
module=SERVER)

Wed Aug 19 12:32:43 2015 AGENT (debug) Add entity:
Entity(name=log/CONTAINER, identity=log/CONTAINER,
type=org.apache.qpid.dispatch.log, enable=default, module=CONTAINER)

Wed Aug 19 12:32:43 2015 AGENT (debug) Add entity: Entity(name=log/AGENT,
identity=log/AGENT, type=org.apache.qpid.dispatch.log, enable=default,
module=AGENT)

Wed Aug 19 12:32:43 2015 AGENT (debug) Add entity: Entity(name=log/ERROR,
identity=log/ERROR, type=org.apache.qpid.dispatch.log, enable=default,
module=ERROR)

Wed Aug 19 12:32:43 2015 AGENT (debug) Add entity: Entity(name=log/ROUTER,
identity=log/ROUTER, type=org.apache.qpid.dispatch.log, enable=default,
module=ROUTER)

Wed Aug 19 12:32:43 2015 AGENT (debug) Add entity:
Entity(name=log/MESSAGE, identity=log/MESSAGE,
type=org.apache.qpid.dispatch.log, enable=default, module=MESSAGE)

Wed Aug 19 12:32:43 2015 AGENT (debug) Add entity: Entity(name=log/CONFIG,
identity=log/CONFIG, type=org.apache.qpid.dispatch.log, enable=default,
module=CONFIG)

Wed Aug 19 12:32:43 2015 AGENT (debug) Add entity:
Entity(name=container/katello.server, identity=container/katello.server,
type=org.apache.qpid.dispatch.container, containerName=katello.server,
workerThreads=2)

Wed Aug 19 12:32:43 2015 AGENT (debug) Add entity:
Entity(type=org.apache.qpid.dispatch.router, raIntervalFlux=4,
helloInterval=1, area=0, helloMaxAge=3, remoteLsMaxAge=60,
routerId=katello.server, raInterval=30, mode=interior, mobileAddrMaxAge=60)

Wed Aug 19 12:32:43 2015 SERVER (info) Container Name: katello.server

Wed Aug 19 12:32:43 2015 ROUTER (info) Router started in Interior mode,
area=0 id=katello.server

Wed Aug 19 12:32:43 2015 AGENT (debug) Add entity:
Entity(type=org.apache.qpid.dispatch.allocator, heldByThreads=16,
typeSize=2104, transferBatchSize=16, globalFreeListMax=0,
batchesRebalancedToGlobal=0, typeName=qd_log_entry_t,
batchesRebalancedToThreads=0, totalFreeToHeap=0, totalAllocFromHeap=16,
localFreeListMax=32)

Wed Aug 19 12:32:43 2015 AGENT (debug) Add entity:
Entity(type=org.apache.qpid.dispatch.allocator, heldByThreads=64,
typeSize=88, transferBatchSize=64, globalFreeListMax=0,
batchesRebalancedToGlobal=0, typeName=qd_field_iterator_t,
batchesRebalancedToThreads=0, totalFreeToHeap=0, totalAllocFromHeap=64,
localFreeListMax=128)

Wed Aug 19 12:32:43 2015 AGENT (debug) Add entity:
Entity(type=org.apache.qpid.dispatch.allocator, heldByThreads=64,
typeSize=32, transferBatchSize=64, globalFreeListMax=0,
batchesRebalancedToGlobal=0, typeName=qd_hash_item_t,
batchesRebalancedToThreads=0, totalFreeToHeap=0, totalAllocFromHeap=64,
localFreeListMax=128)

Wed Aug 19 12:32:43 2015 AGENT (debug) Add entity:
Entity(type=org.apache.qpid.dispatch.allocator, heldByThreads=64,
typeSize=56, transferBatchSize=64, globalFreeListMax=0,
batchesRebalancedToGlobal=0, typeName=qd_node_t,
batchesRebalancedToThreads=0, totalFreeToHeap=0, totalAllocFromHeap=64,
localFreeListMax=128)

Wed Aug 19 12:32:43 2015 AGENT (debug) Add entity:
Entity(type=org.apache.qpid.dispatch.allocator, heldByThreads=64,
typeSize=136, transferBatchSize=64, globalFreeListMax=0,
batchesRebalancedToGlobal=0, typeName=qd_bitmask_t,
batchesRebalancedToThreads=0, totalFreeToHeap=0, totalAllocFromHeap=64,
localFreeListMax=128)

Wed Aug 19 12:32:43 2015 AGENT (debug) Add entity:
Entity(type=org.apache.qpid.dispatch.allocator, heldByThreads=64,
typeSize=56, transferBatchSize=64, globalFreeListMax=0,
batchesRebalancedToGlobal=0, typeName=qd_timer_t,
batchesRebalancedToThreads=0, totalFreeToHeap=0, totalAllocFromHeap=64,
localFreeListMax=128)

Wed Aug 19 12:32:43 2015 AGENT (debug) Add entity:
Entity(type=org.apache.qpid.dispatch.allocator, heldByThreads=64,
typeSize=216, transferBatchSize=64, globalFreeListMax=0,
batchesRebalancedToGlobal=0, typeName=qd_address_t,
batchesRebalancedToThreads=0, totalFreeToHeap=0, totalAllocFromHeap=64,
localFreeListMax=128)

Wed Aug 19 12:32:43 2015 AGENT (debug) Add entity:
Entity(type=org.apache.qpid.dispatch.allocator, heldByThreads=64,
typeSize=16, transferBatchSize=64, globalFreeListMax=0,
batchesRebalancedToGlobal=0, typeName=qd_hash_handle_t,
batchesRebalancedToThreads=0, totalFreeToHeap=0, totalAllocFromHeap=64,
localFreeListMax=128)

Wed Aug 19 12:32:43 2015 AGENT (debug) Add entity:
Entity(type=org.apache.qpid.dispatch.router.address, subscriberCount=0,
deliveriesEgress=0, deliveriesIngress=0, remoteCount=0, inProcess=False,
deliveriesFromContainer=0, deliveriesTransit=0, key=Lqdrouter,
deliveriesToContainer=0)

Wed Aug 19 12:32:43 2015 AGENT (debug) Add entity:
Entity(type=org.apache.qpid.dispatch.router.address, subscriberCount=0,
deliveriesEgress=0, deliveriesIngress=0, remoteCount=0, inProcess=False,
deliveriesFromContainer=0, deliveriesTransit=0, key=Lqdrouter.ma,
deliveriesToContainer=0)

Wed Aug 19 12:32:43 2015 AGENT (debug) Add entity:
Entity(type=org.apache.qpid.dispatch.router.address, subscriberCount=0,
deliveriesEgress=0, deliveriesIngress=0, remoteCount=0, inProcess=False,
deliveriesFromContainer=0, deliveriesTransit=0, key=Lqdhello,
deliveriesToContainer=0)

Wed Aug 19 12:32:43 2015 AGENT (info) Activating management agent on
$management

Wed Aug 19 12:32:43 2015 ROUTER (info) In-Process Address Registered:
$management

Wed Aug 19 12:32:43 2015 ROUTER (info) In-Process Address Registered:
$management

Wed Aug 19 12:32:43 2015 ROUTER (info) In-Process Address Registered:
qdrouter

Wed Aug 19 12:32:43 2015 ROUTER (info) In-Process Address Registered:
qdrouter.ma

Wed Aug 19 12:32:43 2015 ROUTER (info) In-Process Address Registered:
qdhello

Wed Aug 19 12:32:43 2015 ROUTER (info) Router Engine Instantiated:
id=katello.server instance=1439983963 max_routers=1024

Wed Aug 19 12:32:43 2015 AGENT (debug) Add entity:
Entity(name=fixedAddress/0, identity=fixedAddress/0,
type=org.apache.qpid.dispatch.fixedAddress, fanout=single, prefix=/closest,
bias=closest)

Wed Aug 19 12:32:43 2015 ROUTER (info) Configured Address: prefix=/closest
phase=0 fanout=QD_SCHEMA_FIXEDADDRESS_FANOUT_SINGLE
bias=QD_SCHEMA_FIXEDADDRESS_BIAS_CLOSEST

Wed Aug 19 12:32:43 2015 AGENT (debug) Add entity:
Entity(name=fixedAddress/1, identity=fixedAddress/1,
type=org.apache.qpid.dispatch.fixedAddress, fanout=single, prefix=/unicast,
bias=closest)

Wed Aug 19 12:32:43 2015 ROUTER (info) Configured Address: prefix=/unicast
phase=0 fanout=QD_SCHEMA_FIXEDADDRESS_FANOUT_SINGLE
bias=QD_SCHEMA_FIXEDADDRESS_BIAS_CLOSEST

Wed Aug 19 12:32:43 2015 AGENT (debug) Add entity:
Entity(name=fixedAddress/2, identity=fixedAddress/2,
type=org.apache.qpid.dispatch.fixedAddress, fanout=single,
prefix=/exclusive, bias=closest)

Wed Aug 19 12:32:43 2015 ROUTER (info) Configured Address:
prefix=/exclusive phase=0 fanout=QD_SCHEMA_FIXEDADDRESS_FANOUT_SINGLE
bias=QD_SCHEMA_FIXEDADDRESS_BIAS_CLOSEST

Wed Aug 19 12:32:43 2015 AGENT (debug) Add entity:
Entity(name=fixedAddress/3, identity=fixedAddress/3,
type=org.apache.qpid.dispatch.fixedAddress, fanout=multiple,
prefix=/multicast, bias=closest)

Wed Aug 19 12:32:43 2015 ROUTER (info) Configured Address:
prefix=/multicast phase=0 fanout=QD_SCHEMA_FIXEDADDRESS_FANOUT_MULTIPLE

Wed Aug 19 12:32:43 2015 AGENT (debug) Add entity:
Entity(name=fixedAddress/4, identity=fixedAddress/4,
type=org.apache.qpid.dispatch.fixedAddress, fanout=multiple,
prefix=/broadcast, bias=closest)

Wed Aug 19 12:32:43 2015 ROUTER (info) Configured Address:
prefix=/broadcast phase=0 fanout=QD_SCHEMA_FIXEDADDRESS_FANOUT_MULTIPLE

Wed Aug 19 12:32:43 2015 AGENT (debug) Add entity:
Entity(name=fixedAddress/5, identity=fixedAddress/5,
type=org.apache.qpid.dispatch.fixedAddress, fanout=multiple, prefix=/,
bias=closest)

Wed Aug 19 12:32:43 2015 ROUTER (info) Configured Address: prefix=/
phase=0 fanout=QD_SCHEMA_FIXEDADDRESS_FANOUT_MULTIPLE

Wed Aug 19 12:32:43 2015 AGENT (debug) Add entity: Entity(name=listener/
0.0.0.0:5647, identity=listener/0.0.0.0:5647,
type=org.apache.qpid.dispatch.listener, requirePeerAuth=True,
allowNoSasl=False, addr=0.0.0.0, saslMechanisms=ANONYMOUS,
maxFrameSize=65536, role=normal,
certDb=/etc/pki/katello/certs/katello-default-ca.crt, allowUnsecured=False,
certFile=/etc/pki/katello/qpid_router_server.crt,
keyFile=/etc/pki/katello/qpid_router_server.key, port=5647)

Wed Aug 19 12:32:43 2015 CONN_MGR (info) Configured Listener: 0.0.0.0:5647
role=normal

Wed Aug 19 12:32:43 2015 AGENT (debug) Add entity: Entity(name=listener/
0.0.0.0:5646, identity=listener/0.0.0.0:5646,
type=org.apache.qpid.dispatch.listener,
certFile=/etc/pki/katello/qpid_router_server.crt, addr=0.0.0.0,
saslMechanisms=ANONYMOUS, maxFrameSize=65536, requirePeerAuth=True,
certDb=/etc/pki/katello/certs/katello-default-ca.crt, allowUnsecured=False,
allowNoSasl=False, role=inter-router,
keyFile=/etc/pki/katello/qpid_route

Examining this cert shows it to be issued by our internal CA.

On Wednesday, 19 August 2015 17:43:42 UTC+1, stephen wrote:

On Wed, Aug 19, 2015 at 06:33:59AM -0700, JC wrote:

Correction, the issuer is katello.server (with some RH text to fill in
the
cert), and it is for my client!

Certificate:

•    Issuer: C=US, ST=North Carolina, L=Raleigh, O=Katello,
  

OU=SomeOrgUnit, CN=katello.server*

    Validity

        Not Before: Aug 18 14:25:23 2015 GMT

        Not After : Aug 18 14:25:23 2031 GMT

            Exponent: 65257 (0x10001)

    X509v3 extensions:

        Netscape Cert Type:

            SSL Client, S/MIME

        X509v3 Key Usage:

            Digital Signature, Key Encipherment, Data Encipherment

        X509v3 Authority Key Identifier:

            keyid:EA:37:47:…..2E:71:EC:91

•            DirName:/C=US/ST=North
  

Carolina/L=Raleigh/O=Katello/OU=SomeOrgUnit/CN=katello.server*

            serial:A7:A2:3C:……….:65:B1

        X509v3 Subject Key Identifier:

            FB:A7:9C:E6:7……………………………..0E:78:B8:C8

        X509v3 Extended Key Usage:

            TLS Web Client Authentication

•        X509v3 Subject Alternative Name:*
  

•            URI:CN=katello.client*
  

  Signature Algorithm: sha1WithRSAEncryption

     7d:80:dd:6f:d5:b……………….2d:a8:a2:86:07:
  
     <snip>
  

Now, from the client:

# openssl s_client -connect katello.server:5647 -showcerts ## same for
port 5446
CONNECTED(00000003)
depth=1 C = US, ST = North Carolina, L = Raleigh, O = Katello, OU =
SomeOrgUnit, CN = katello.server
verify error:num=19:self signed certificate in certificate chain
verify return:0
140220054890312:error:14094410:SSL routines:SSL3_READ_BYTES:sslv3 alert
handshake failure:s3_pkt.c:1259:SSL alert number 40
140220054890312:error:140790E5:SSL routines:SSL23_WRITE:ssl handshake
failure:s23_lib.c:184:

That’s expected, we don’t use the UI cert for qpid.

You have the latest katello-ca-consumer-latest from the Katello server
installed on the client? (it’s in /pub on the web server)

On Wednesday, 19 August 2015 13:49:54 UTC+1, JC wrote:

Sorry for all the postings, but perhaps I’m getting somewhere…

# grep “cert=” /etc/gofer/plugins/katelloplugin.conf
cacert=/etc/rhsm/ca/candlepin-local.pem
clientcert=/etc/pki/consumer/bundle.pem
# file /etc/rhsm/ca/candlepin-local.pem
/etc/rhsm/ca/candlepin-local.pem: cannot open
`/etc/rhsm/ca/candlepin-local.pem’ (No such file or directory)
# file /etc/pki/consumer/bundle.pem
/etc/pki/consumer/bundle.pem: ASCII text

$ openssl x509 -in /etc/pki/consumer/bundle.pem -noout -text

shows a cert for katello.server signed by RH, rather than my CA.

Is that relevant? Can you tell that I don’t really understand how the
certs are used?

On Wednesday, 19 August 2015 13:35:52 UTC+1, JC wrote:

Ahhh, right, on the client (/var/log/messages) I see:

Aug 19 13:18:02 ptnoc61 goferd: [ERROR][Thread-1]
gofer.messaging.adapter.proton.connection:106 -
amqps://katello.server:5647

Aug 19 13:18:02 ptnoc61 goferd: [ERROR][Thread-1]
gofer.messaging.adapter.proton.connection:106 - Traceback (most recent
call

last):

Aug 19 13:18:02 ptnoc61 goferd: [ERROR][Thread-1]
gofer.messaging.adapter.proton.connection:106 - File

“/usr/lib/python2.6/site-packages/gofer/messaging/adapter/proton/connection.py”,

line 101, in open

Aug 19 13:18:02 ptnoc61 goferd: [ERROR][Thread-1]
gofer.messaging.adapter.proton.connection:106 - domain =
self.ssl_domain(connector)

Aug 19 13:18:02 ptnoc61 goferd: [ERROR][Thread-1]
gofer.messaging.adapter.proton.connection:106 - File

“/usr/lib/python2.6/site-packages/gofer/messaging/adapter/proton/connection.py”,

line 57, in ssl_domain

Aug 19 13:18:02 ptnoc61 goferd: [ERROR][Thread-1]
gofer.messaging.adapter.proton.connection:106 -
domain.set_trusted_ca_db(connector.ssl.ca_certificate)

Aug 19 13:18:02 ptnoc61 goferd: [ERROR][Thread-1]
gofer.messaging.adapter.proton.connection:106 - File
"/usr/lib64/python2.6/site-packages/proton/init.py", line 3386, in
set_trusted_ca_db

Aug 19 13:18:02 ptnoc61 goferd: [ERROR][Thread-1]
gofer.messaging.adapter.proton.connection:106 - certificate_db) )

Aug 19 13:18:02 ptnoc61 goferd: [ERROR][Thread-1]
gofer.messaging.adapter.proton.connection:106 - File
"/usr/lib64/python2.6/site-packages/proton/init.py", line 3376, in
_check

Aug 19 13:18:02 ptnoc61 goferd: [ERROR][Thread-1]
gofer.messaging.adapter.proton.connection:106 - raise exc(“SSL
failure.”)

Aug 19 13:18:02 ptnoc61 goferd: [ERROR][Thread-1]
gofer.messaging.adapter.proton.connection:106 - SSLException: SSL
failure.

Aug 19 13:18:02 ptnoc61 goferd: [INFO][Thread-1]
gofer.messaging.adapter.proton.connection:108 - retry in 106 seconds

Aug 19 13:19:49 ptnoc61 goferd: [INFO][Thread-1]
gofer.messaging.adapter.proton.connection:100 - connecting: URL:
amqps://katello.server:5647|SSL: ca:
/etc/rhsm/ca/katello-server-ca.pem|key: None|certificate:
/etc/pki/consumer/bundle.pem|host-validation: None

And on the server I see (ignore the times, grabbed from later in
/var/log/qdrouterd.log):

Wed Aug 19 13:32:23 2015 SERVER (debug) Accepting incoming connection
from

katello.client:44791 to 0.0.0.0:5647

I’ve previously updated the Foreman UI cert using:

$ katello-installer --certs-server-cert “katello.cer”
–certs-server-cert-req “katello.csr” --certs-server-key “katello.key”
–certs-server-ca-cert “RootAll.cer” --certs-update-server
–certs-update-server-ca

Did I miss something then? The UI looks happy…

OK, anyone know the solution?

On Wednesday, 19 August 2015 12:57:20 UTC+1, JC wrote:

OK, strace showed a problem writing to the log file. Perms changed
and

now we have some output…

cat /var/log/qdrouterd.log

Wed Aug 19 12:32:43 2015 AGENT (debug) Add entity:
Entity(name=log/ROUTER_LS, identity=log/ROUTER_LS,
type=org.apache.qpid.dispatch.log, enable=default, module=ROUTER_LS)

Wed Aug 19 12:32:43 2015 AGENT (debug) Add entity:
Entity(name=log/ROUTER_MA, identity=log/ROUTER_MA,
type=org.apache.qpid.dispatch.log, enable=default, module=ROUTER_MA)

Wed Aug 19 12:32:43 2015 AGENT (debug) Add entity:
Entity(name=log/DISPATCH, identity=log/DISPATCH,
type=org.apache.qpid.dispatch.log, enable=default, module=DISPATCH)

Wed Aug 19 12:32:43 2015 AGENT (debug) Add entity:
Entity(name=log/ROUTER_HELLO, identity=log/ROUTER_HELLO,
type=org.apache.qpid.dispatch.log, enable=default,
module=ROUTER_HELLO)

Wed Aug 19 12:32:43 2015 AGENT (debug) Add entity:
Entity(name=log/SERVER,

identity=log/SERVER, type=org.apache.qpid.dispatch.log,
enable=default,

module=SERVER)

Wed Aug 19 12:32:43 2015 AGENT (debug) Add entity:
Entity(name=log/CONTAINER, identity=log/CONTAINER,
type=org.apache.qpid.dispatch.log, enable=default, module=CONTAINER)

Wed Aug 19 12:32:43 2015 AGENT (debug) Add entity:
Entity(name=log/AGENT,

identity=log/AGENT, type=org.apache.qpid.dispatch.log, enable=default,
module=AGENT)

Wed Aug 19 12:32:43 2015 AGENT (debug) Add entity:
Entity(name=log/ERROR,

identity=log/ERROR, type=org.apache.qpid.dispatch.log, enable=default,
module=ERROR)

Wed Aug 19 12:32:43 2015 AGENT (debug) Add entity:
Entity(name=log/ROUTER,

identity=log/ROUTER, type=org.apache.qpid.dispatch.log,
enable=default,

module=ROUTER)

Wed Aug 19 12:32:43 2015 AGENT (debug) Add entity:
Entity(name=log/MESSAGE, identity=log/MESSAGE,
type=org.apache.qpid.dispatch.log, enable=default, module=MESSAGE)

Wed Aug 19 12:32:43 2015 AGENT (debug) Add entity:
Entity(name=log/CONFIG,

identity=log/CONFIG, type=org.apache.qpid.dispatch.log,
enable=default,

module=CONFIG)

Wed Aug 19 12:32:43 2015 AGENT (debug) Add entity:
Entity(name=container/katello.server,
identity=container/katello.server,

type=org.apache.qpid.dispatch.container, containerName=katello.server,
workerThreads=2)

Wed Aug 19 12:32:43 2015 AGENT (debug) Add entity:
Entity(type=org.apache.qpid.dispatch.router, raIntervalFlux=4,
helloInterval=1, area=0, helloMaxAge=3, remoteLsMaxAge=60,
routerId=katello.server, raInterval=30, mode=interior,
mobileAddrMaxAge=60)

Wed Aug 19 12:32:43 2015 SERVER (info) Container Name: katello.server

Wed Aug 19 12:32:43 2015 ROUTER (info) Router started in Interior
mode,

area=0 id=katello.server

Wed Aug 19 12:32:43 2015 AGENT (debug) Add entity:
Entity(type=org.apache.qpid.dispatch.allocator, heldByThreads=16,
typeSize=2104, transferBatchSize=16, globalFreeListMax=0,
batchesRebalancedToGlobal=0, typeName=qd_log_entry_t,
batchesRebalancedToThreads=0, totalFreeToHeap=0,
totalAllocFromHeap=16,

localFreeListMax=32)

Wed Aug 19 12:32:43 2015 AGENT (debug) Add entity:
Entity(type=org.apache.qpid.dispatch.allocator, heldByThreads=64,
typeSize=88, transferBatchSize=64, globalFreeListMax=0,
batchesRebalancedToGlobal=0, typeName=qd_field_iterator_t,
batchesRebalancedToThreads=0, totalFreeToHeap=0,
totalAllocFromHeap=64,

localFreeListMax=128)

Wed Aug 19 12:32:43 2015 AGENT (debug) Add entity:
Entity(type=org.apache.qpid.dispatch.allocator, heldByThreads=64,
typeSize=32, transferBatchSize=64, globalFreeListMax=0,
batchesRebalancedToGlobal=0, typeName=qd_hash_item_t,
batchesRebalancedToThreads=0, totalFreeToHeap=0,
totalAllocFromHeap=64,

localFreeListMax=128)

Wed Aug 19 12:32:43 2015 AGENT (debug) Add entity:
Entity(type=org.apache.qpid.dispatch.allocator, heldByThreads=64,
typeSize=56, transferBatchSize=64, globalFreeListMax=0,
batchesRebalancedToGlobal=0, typeName=qd_node_t,
batchesRebalancedToThreads=0, totalFreeToHeap=0,
totalAllocFromHeap=64,

localFreeListMax=128)

Wed Aug 19 12:32:43 2015 AGENT (debug) Add entity:
Entity(type=org.apache.qpid.dispatch.allocator, heldByThreads=64,
typeSize=136, transferBatchSize=64, globalFreeListMax=0,
batchesRebalancedToGlobal=0, typeName=qd_bitmask_t,
batchesRebalancedToThreads=0, totalFreeToHeap=0,
totalAllocFromHeap=64,

localFreeListMax=128)

Wed Aug 19 12:32:43 2015 AGENT (debug) Add entity:
Entity(type=org.apache.qpid.dispatch.allocator, heldByThreads=64,
typeSize=56, transferBatchSize=64, globalFreeListMax=0,
batchesRebalancedToGlobal=0, typeName=qd_timer_t,
batchesRebalancedToThreads=0, totalFreeToHeap=0,
totalAllocFromHeap=64,

localFreeListMax=128)

Wed Aug 19 12:32:43 2015 AGENT (debug) Add entity:
Entity(type=org.apache.qpid.dispatch.allocator, heldByThreads=64,
typeSize=216, transferBatchSize=64, globalFreeListMax=0,
batchesRebalancedToGlobal=0, typeName=qd_address_t,
batchesRebalancedToThreads=0, totalFreeToHeap=0,
totalAllocFromHeap=64,

localFreeListMax=128)

Wed Aug 19 12:32:43 2015 AGENT (debug) Add entity:
Entity(type=org.apache.qpid.dispatch.allocator, heldByThreads=64,
typeSize=16, transferBatchSize=64, globalFreeListMax=0,
batchesRebalancedToGlobal=0, typeName=qd_hash_handle_t,
batchesRebalancedToThreads=0, totalFreeToHeap=0,
totalAllocFromHeap=64,

localFreeListMax=128)

Wed Aug 19 12:32:43 2015 AGENT (debug) Add entity:
Entity(type=org.apache.qpid.dispatch.router.address,
subscriberCount=0,

deliveriesEgress=0, deliveriesIngress=0, remoteCount=0,
inProcess=False,

deliveriesFromContainer=0, deliveriesTransit=0, key=Lqdrouter,
deliveriesToContainer=0)

Wed Aug 19 12:32:43 2015 AGENT (debug) Add entity:
Entity(type=org.apache.qpid.dispatch.router.address,
subscriberCount=0,

deliveriesEgress=0, deliveriesIngress=0, remoteCount=0,
inProcess=False,

deliveriesFromContainer=0, deliveriesTransit=0, key=Lqdrouter.ma,
deliveriesToContainer=0)

Wed Aug 19 12:32:43 2015 AGENT (debug) Add entity:
Entity(type=org.apache.qpid.dispatch.router.address,
subscriberCount=0,

deliveriesEgress=0, deliveriesIngress=0, remoteCount=0,
inProcess=False,

deliveriesFromContainer=0, deliveriesTransit=0, key=Lqdhello,
deliveriesToContainer=0)

Wed Aug 19 12:32:43 2015 AGENT (info) Activating management agent on
$management

Wed Aug 19 12:32:43 2015 ROUTER (info) In-Process Address Registered:
$management

Wed Aug 19 12:32:43 2015 ROUTER (info) In-Process Address Registered:
$management

Wed Aug 19 12:32:43 2015 ROUTER (info) In-Process Address Registered:
qdrouter

Wed Aug 19 12:32:43 2015 ROUTER (info) In-Process Address Registered:
qdrouter.ma

Wed Aug 19 12:32:43 2015 ROUTER (info) In-Process Address Registered:
qdhello

Wed Aug 19 12:32:43 2015 ROUTER (info) Router Engine Instantiated:
id=katello.server instance=1439983963 max_routers=1024

Wed Aug 19 12:32:43 2015 AGENT (debug) Add entity:
Entity(name=fixedAddress/0, identity=fixedAddress/0,
type=org.apache.qpid.dispatch.fixedAddress, fanout=single,
prefix=/closest,

bias=closest)

Wed Aug 19 12:32:43 2015 ROUTER (info) Configured Address:
prefix=/closest

phase=0 fanout=QD_SCHEMA_FIXEDADDRESS_FANOUT_SINGLE
bias=QD_SCHEMA_FIXEDADDRESS_BIAS_CLOSEST

Wed Aug 19 12:32:43 2015 AGENT (debug) Add entity:
Entity(name=fixedAddress/1, identity=fixedAddress/1,
type=org.apache.qpid.dispatch.fixedAddress, fanout=single,
prefix=/unicast,

bias=closest)

Wed Aug 19 12:32:43 2015 ROUTER (info) Configured Address:
prefix=/unicast

phase=0 fanout=QD_SCHEMA_FIXEDADDRESS_FANOUT_SINGLE
bias=QD_SCHEMA_FIXEDADDRESS_BIAS_CLOSEST

Wed Aug 19 12:32:43 2015 AGENT (debug) Add entity:
Entity(name=fixedAddress/2, identity=fixedAddress/2,
type=org.apache.qpid.dispatch.fixedAddress, fanout=single,
prefix=/exclusive, bias=closest)

Wed Aug 19 12:32:43 2015 ROUTER (info) Configured Address:
prefix=/exclusive phase=0 fanout=

On Thu, Aug 20, 2015 at 12:36:37AM -0700, JC wrote:

Morning Stephen,

Yes, they match. I have checked the date/time stamps on

https://katello.server/pub/katello-ca-consumer-katello.server-1.0-2.noarch.rpm

with that on the client (using rpm to review the build date).

Installed on the client, it provides:

/etc/rhsm/ca/katello-server-ca.pem

It doesn’t provide katello-default-ca.pem?

That is the one from the self-signed cert and the one that katello-agent
needs to use to connect to qpid.

Examining this cert shows it to be issued by our internal CA.

On Wednesday, 19 August 2015 17:43:42 UTC+1, stephen wrote:

On Wed, Aug 19, 2015 at 06:33:59AM -0700, JC wrote:

Correction, the issuer is katello.server (with some RH text to fill
in

the

cert), and it is for my client!

Certificate:

•    Issuer: C=US, ST=North Carolina, L=Raleigh, O=Katello,
  

OU=SomeOrgUnit, CN=katello.server*

    Validity

        Not Before: Aug 18 14:25:23 2015 GMT

        Not After : Aug 18 14:25:23 2031 GMT

            Exponent: 65257 (0x10001)

    X509v3 extensions:

        Netscape Cert Type:

            SSL Client, S/MIME

        X509v3 Key Usage:

            Digital Signature, Key Encipherment, Data

Encipherment

        X509v3 Authority Key Identifier:

            keyid:EA:37:47:…..2E:71:EC:91

•            DirName:/C=US/ST=North
  

Carolina/L=Raleigh/O=Katello/OU=SomeOrgUnit/CN=katello.server*

            serial:A7:A2:3C:……….:65:B1

        X509v3 Subject Key Identifier:

            FB:A7:9C:E6:7……………………………..0E:78:B8:C8

        X509v3 Extended Key Usage:

            TLS Web Client Authentication

•        X509v3 Subject Alternative Name:*
  

•            URI:CN=katello.client*
  

  Signature Algorithm: sha1WithRSAEncryption

     7d:80:dd:6f:d5:b……………….2d:a8:a2:86:07:
  
     <snip>
  

Now, from the client:

*# openssl s_client -connect katello.server:5647 -showcerts ## same
for

port 5446*
CONNECTED(00000003)
depth=1 C = US, ST = North Carolina, L = Raleigh, O = Katello, OU =
SomeOrgUnit, CN = katello.server
verify error:num=19:self signed certificate in certificate chain
verify return:0
140220054890312:error:14094410:SSL routines:SSL3_READ_BYTES:sslv3
alert

handshake failure:s3_pkt.c:1259:SSL alert number 40
140220054890312:error:140790E5:SSL routines:SSL23_WRITE:ssl handshake
failure:s23_lib.c:184:

That’s expected, we don’t use the UI cert for qpid.

You have the latest katello-ca-consumer-latest from the Katello server
installed on the client? (it’s in /pub on the web server)

On Wednesday, 19 August 2015 13:49:54 UTC+1, JC wrote:

Sorry for all the postings, but perhaps I’m getting somewhere…

# grep “cert=” /etc/gofer/plugins/katelloplugin.conf
cacert=/etc/rhsm/ca/candlepin-local.pem
clientcert=/etc/pki/consumer/bundle.pem
# file /etc/rhsm/ca/candlepin-local.pem
/etc/rhsm/ca/candlepin-local.pem: cannot open
`/etc/rhsm/ca/candlepin-local.pem’ (No such file or directory)
# file /etc/pki/consumer/bundle.pem
/etc/pki/consumer/bundle.pem: ASCII text

$ openssl x509 -in /etc/pki/consumer/bundle.pem -noout -text

shows a cert for katello.server signed by RH, rather than my CA.

Is that relevant? Can you tell that I don’t really understand how
the

certs are used?

On Wednesday, 19 August 2015 13:35:52 UTC+1, JC wrote:

Ahhh, right, on the client (/var/log/messages) I see:

Aug 19 13:18:02 ptnoc61 goferd: [ERROR][Thread-1]
gofer.messaging.adapter.proton.connection:106 -
amqps://katello.server:5647

Aug 19 13:18:02 ptnoc61 goferd: [ERROR][Thread-1]
gofer.messaging.adapter.proton.connection:106 - Traceback (most
recent

call

last):

Aug 19 13:18:02 ptnoc61 goferd: [ERROR][Thread-1]
gofer.messaging.adapter.proton.connection:106 - File

“/usr/lib/python2.6/site-packages/gofer/messaging/adapter/proton/connection.py”,

line 101, in open

Aug 19 13:18:02 ptnoc61 goferd: [ERROR][Thread-1]
gofer.messaging.adapter.proton.connection:106 - domain =
self.ssl_domain(connector)

Aug 19 13:18:02 ptnoc61 goferd: [ERROR][Thread-1]
gofer.messaging.adapter.proton.connection:106 - File

“/usr/lib/python2.6/site-packages/gofer/messaging/adapter/proton/connection.py”,

line 57, in ssl_domain

Aug 19 13:18:02 ptnoc61 goferd: [ERROR][Thread-1]
gofer.messaging.adapter.proton.connection:106 -
domain.set_trusted_ca_db(connector.ssl.ca_certificate)

Aug 19 13:18:02 ptnoc61 goferd: [ERROR][Thread-1]
gofer.messaging.adapter.proton.connection:106 - File
"/usr/lib64/python2.6/site-packages/proton/init.py", line
3386, in

set_trusted_ca_db

Aug 19 13:18:02 ptnoc61 goferd: [ERROR][Thread-1]
gofer.messaging.adapter.proton.connection:106 -
certificate_db) )

Aug 19 13:18:02 ptnoc61 goferd: [ERROR][Thread-1]
gofer.messaging.adapter.proton.connection:106 - File
"/usr/lib64/python2.6/site-packages/proton/init.py", line
3376, in

_check

Aug 19 13:18:02 ptnoc61 goferd: [ERROR][Thread-1]
gofer.messaging.adapter.proton.connection:106 - raise exc(“SSL
failure.”)

Aug 19 13:18:02 ptnoc61 goferd: [ERROR][Thread-1]
gofer.messaging.adapter.proton.connection:106 - SSLException: SSL
failure.

Aug 19 13:18:02 ptnoc61 goferd: [INFO][Thread-1]
gofer.messaging.adapter.proton.connection:108 - retry in 106
seconds

Aug 19 13:19:49 ptnoc61 goferd: [INFO][Thread-1]
gofer.messaging.adapter.proton.connection:100 - connecting: URL:
amqps://katello.server:5647|SSL: ca:
/etc/rhsm/ca/katello-server-ca.pem|key: None|certificate:
/etc/pki/consumer/bundle.pem|host-validation: None

And on the server I see (ignore the times, grabbed from later in
/var/log/qdrouterd.log):

Wed Aug 19 13:32:23 2015 SERVER (debug) Accepting incoming
connection

from

katello.client:44791 to 0.0.0.0:5647

I’ve previously updated the Foreman UI cert using:

$ katello-installer --certs-server-cert “katello.cer”
–certs-server-cert-req “katello.csr” --certs-server-key
"katello.key"

–certs-server-ca-cert “RootAll.cer” --certs-update-server
–certs-update-server-ca

Did I miss something then? The UI looks happy…

OK, anyone know the solution?

On Wednesday, 19 August 2015 12:57:20 UTC+1, JC wrote:

OK, strace showed a problem writing to the log file. Perms changed
and

now we have some output…

cat /var/log/qdrouterd.log

Wed Aug 19 12:32:43 2015 AGENT (debug) Add entity:
Entity(name=log/ROUTER_LS, identity=log/ROUTER_LS,
type=org.apache.qpid.dispatch.log, enable=default,
module=ROUTER_LS)

Wed Aug 19 12:32:43 2015 AGENT (debug) Add entity:
Entity(name=log/ROUTER_MA, identity=log/ROUTER_MA,
type=org.apache.qpid.dispatch.log, enable=default,
module=ROUTER_MA)

Wed Aug 19 12:32:43 2015 AGENT (debug) Add entity:
Entity(name=log/DISPATCH, identity=log/DISPATCH,
type=org.apache.qpid.dispatch.log, enable=default, module=DISPATCH)

Wed Aug 19 12:32:43 2015 AGENT (debug) Add entity:
Entity(name=log/ROUTER_HELLO, identity=log/ROUTER_HELLO,
type=org.apache.qpid.dispatch.log, enable=default,
module=ROUTER_HELLO)

Wed Aug 19 12:32:43 2015 AGENT (debug) Add entity:
Entity(name=log/SERVER,

identity=log/SERVER, type=org.apache.qpid.dispatch.log,
enable=default,

module=SERVER)

Wed Aug 19 12:32:43 2015 AGENT (debug) Add entity:
Entity(name=log/CONTAINER, identity=log/CONTAINER,
type=org.apache.qpid.dispatch.log, enable=default,
module=CONTAINER)

Wed Aug 19 12:32:43 2015 AGENT (debug) Add entity:
Entity(name=log/AGENT,

identity=log/AGENT, type=org.apache.qpid.dispatch.log,
enable=default,

module=AGENT)

Wed Aug 19 12:32:43 2015 AGENT (debug) Add entity:
Entity(name=log/ERROR,

identity=log/ERROR, type=org.apache.qpid.dispatch.log,
enable=default,

module=ERROR)

Wed Aug 19 12:32:43 2015 AGENT (debug) Add entity:
Entity(name=log/ROUTER,

identity=log/ROUTER, type=org.apache.qpid.dispatch.log,
enable=default,

module=ROUTER)

Wed Aug 19 12:32:43 2015 AGENT (debug) Add entity:
Entity(name=log/MESSAGE, identity=log/MESSAGE,
type=org.apache.qpid.dispatch.log, enable=default, module=MESSAGE)

Wed Aug 19 12:32:43 2015 AGENT (debug) Add entity:
Entity(name=log/CONFIG,

identity=log/CONFIG, type=org.apache.qpid.dispatch.log,
enable=default,

module=CONFIG)

Wed Aug 19 12:32:43 2015 AGENT (debug) Add entity:
Entity(name=container/katello.server,
identity=container/katello.server,

type=org.apache.qpid.dispatch.container,
containerName=katello.server,

workerThreads=2)

Wed Aug 19 12:32:43 2015 AGENT (debug) Add entity:
Entity(type=org.apache.qpid.dispatch.router, raIntervalFlux=4,
helloInterval=1, area=0, helloMaxAge=3, remoteLsMaxAge=60,
routerId=katello.server, raInterval=30, mode=interior,
mobileAddrMaxAge=60)

Wed Aug 19 12:32:43 2015 SERVER (info) Container Name:
katello.server

Wed Aug 19 12:32:43 2015 ROUTER (info) Router started in Interior
mode,

area=0 id=katello.server

Wed Aug 19 12:32:43 2015 AGENT (debug) Add entity:
Entity(type=org.apache.qpid.dispatch.allocator, heldByThreads=16,
typeSize=2104, transferBatchSize=16, globalFreeListMax=0,
batchesRebalancedToGlobal=0, typeName=qd_log_entry_t,
batchesRebalancedToThreads=0, totalFreeToHeap=0,
totalAllocFromHeap=16,

localFreeListMax=32)

Wed Aug 19 12:32:43 2015 AGENT (debug) Add entity:
Entity(type=org.apache.qpid.dispatch.allocator, heldByThreads=64,
typeSize=88, transferBatchSize=64, globalFreeListMax=0,
batchesRebalancedToGlobal=0, typeName=qd_field_iterator_t,
batchesRebalancedToThreads=0, totalFreeToHeap=0,
totalAllocFromHeap=64,

localFreeListMax=128)

Wed Aug 19 12:32:43 2015 AGENT (debug) Add entity:
Entity(type=org.apache.qpid.dispatch.allocator, heldByThreads=64,
typeSize=32, transferBatchSize=64, globalFreeListMax=0,
batchesRebalancedToGlobal=0, typeName=qd_hash_item_t,
batchesRebalancedToThreads=0, totalFreeToHeap=0,
totalAllocFromHeap=64,

localFreeListMax=128)

Wed Aug 19 12:32:43 2015 AGENT (debug) Add entity:
Entity(type=org.apache.qpid.dispatch.allocator, heldByThreads=64,
typeSize=56, transferBatchSize=64, globalFreeListMax=0,
batchesRebalancedToGlobal=0, typeName=qd_node_t,
batchesRebalancedToThreads=0, totalFreeToHeap=0,
totalAllocFromHeap=64,

localFreeListMax=128)

Wed Aug 19 12:32:43 2015 AGENT (debug) Add entity:
Entity(type=org.apache.qpid.dispatch.allocator, heldByThreads=64,
typeSize=136, transferBatchSize=64, globalFreeListMax=0,
batchesRebalancedToGlobal=0, typeName=qd_bitmask_t,
batchesRebalancedToThreads=0, totalFreeToHeap=0,
totalAllocFromHeap=64,

localFreeListMax=128)

Wed Aug 19 12:32:43 2015 AGENT (debug) Add entity:
Entity(type=org.apache.qpid.dispatch.allocator, heldByThreads=64,
typeSize=56, transferBatchSize=64, globalFreeListMax=0,
batchesRebalancedToGlobal=0, typeName=qd_timer_t,
batchesRebalancedToThreads=0, totalFreeToHeap=0,
totalAllocFromHeap=64,

localFreeListMax=128)

Wed Aug 19 12:32:43 2015 AGENT (debug) Add entity:
Entity(type=org.apache.qpid.dispatch.allocator, heldByThreads=64,
typeSize=216, transferBatchSize=64, globalFreeListMax=0,
batchesRebalancedToGlobal=0, typeName=qd_address_t,
batchesRebalancedToThreads=0, totalFreeToHeap=0,
totalAllocFromHeap=64,

localFreeListMax=128)

Wed Aug 19 12:32:43 2015 AGENT (debug) Add entity:
Entity(type=org.apache.qpid.dispatch.allocator, heldByThreads=64,
typeSize=16, transferBatchSize=64, globalFreeListMax=0,
batchesRebalancedToGlobal=0, typeName=qd_hash_handle_t,
batchesRebalancedToThreads=0, totalFreeToHeap=0,
totalAllocFromHeap=64,

localFreeListMax=128)

Wed Aug 19 12:32:43 2015 AGENT (debug) Add entity:
Entity(type=org.apache.qpid.dispatch.router.address,
subscriberCount=0,

deliveriesEgress=0, deliveriesIngress=0, remoteCount=0,
inProcess=False,

deliveriesFromContainer=0, deliveriesTransit=0, key=Lqdrouter,
deliveriesToContainer=0)

Wed Aug 19 12:32:43 2015 AGENT (debug) Add entity:
Entity(type=org.apache.qpid.dispatch.router.address,
subscriberCount=0,

deliveriesEgress=0, deliveriesIngress=0, remoteCount=0,
inProcess=False,

deliveriesFromContainer=0, deliveriesTransit=0, key=Lqdrouter.ma,
deliveriesToContainer=0)

Wed Aug 19 12:32:43 2015 AGENT (debug) Add entity:
Entity(type=org.apache.qpid.dispatch.router.address,
subscriberCount=0,

deliveriesEgress=0, deliveriesIngress=0, remoteCount=0,
inProcess=False,

deliveriesFromContainer=0, deliveriesTransit=0, key=Lqdhello,
deli

JC,

Trying to read back, I think I understand that you are using custom
certificates and hitting a katello-agent issue. A user on IRC, tamarin,
made me realize in discussion today that I never backported to 2.2 a fix
for custom certificates and katello-agent whereby we aren’t laying down the
katello-default-ca.crt (this is fixed in 2.3). You can see here –
https://github.com/Katello/puppet-certs/blob/master/manifests/katello.pp#L42
this exact comment which sounds like your issue. If you need this fixed in
2.2 vs just upgrading to 2.3 (and all the excellent work and bugs fixes
that went into it) please let me know.

Eric

On Thu, Aug 20, 2015 at 8:25 AM, Stephen Benjamin stephen@redhat.com > wrote:

On Thu, Aug 20, 2015 at 12:36:37AM -0700, JC wrote:

Morning Stephen,

Yes, they match. I have checked the date/time stamps on

https://katello.server/pub/katello-ca-consumer-katello.server-1.0-2.noarch.rpm

with that on the client (using rpm to review the build date).

Installed on the client, it provides:

/etc/rhsm/ca/katello-server-ca.pem

It doesn’t provide katello-default-ca.pem?

That is the one from the self-signed cert and the one that katello-agent
needs to use to connect to qpid.

Examining this cert shows it to be issued by our internal CA.

On Wednesday, 19 August 2015 17:43:42 UTC+1, stephen wrote:

On Wed, Aug 19, 2015 at 06:33:59AM -0700, JC wrote:

Correction, the issuer is katello.server (with some RH text to fill
in

the

cert), and it is for my client!

Certificate:

•    Issuer: C=US, ST=North Carolina, L=Raleigh, O=Katello,
  

OU=SomeOrgUnit, CN=katello.server*

    Validity

        Not Before: Aug 18 14:25:23 2015 GMT

        Not After : Aug 18 14:25:23 2031 GMT

            Exponent: 65257 (0x10001)

    X509v3 extensions:

        Netscape Cert Type:

            SSL Client, S/MIME

        X509v3 Key Usage:

            Digital Signature, Key Encipherment, Data

Encipherment

        X509v3 Authority Key Identifier:

            keyid:EA:37:47:…..2E:71:EC:91

•            DirName:/C=US/ST=North
  

Carolina/L=Raleigh/O=Katello/OU=SomeOrgUnit/CN=katello.server*

            serial:A7:A2:3C:……….:65:B1

        X509v3 Subject Key Identifier:

            FB:A7:9C:E6:7……………………………..0E:78:B8:C8

        X509v3 Extended Key Usage:

            TLS Web Client Authentication

•        X509v3 Subject Alternative Name:*
  

•            URI:CN=katello.client*
  

  Signature Algorithm: sha1WithRSAEncryption

     7d:80:dd:6f:d5:b……………….2d:a8:a2:86:07:
  
     <snip>
  

Now, from the client:

*# openssl s_client -connect katello.server:5647 -showcerts ##
same for

port 5446*
CONNECTED(00000003)
depth=1 C = US, ST = North Carolina, L = Raleigh, O = Katello, OU =
SomeOrgUnit, CN = katello.server
verify error:num=19:self signed certificate in certificate chain
verify return:0
140220054890312:error:14094410:SSL routines:SSL3_READ_BYTES:sslv3
alert

handshake failure:s3_pkt.c:1259:SSL alert number 40
140220054890312:error:140790E5:SSL routines:SSL23_WRITE:ssl
handshake

failure:s23_lib.c:184:

That’s expected, we don’t use the UI cert for qpid.

You have the latest katello-ca-consumer-latest from the Katello server
installed on the client? (it’s in /pub on the web server)

On Wednesday, 19 August 2015 13:49:54 UTC+1, JC wrote:

Sorry for all the postings, but perhaps I’m getting somewhere…

# grep “cert=” /etc/gofer/plugins/katelloplugin.conf
cacert=/etc/rhsm/ca/candlepin-local.pem
clientcert=/etc/pki/consumer/bundle.pem
# file /etc/rhsm/ca/candlepin-local.pem
/etc/rhsm/ca/candlepin-local.pem: cannot open
`/etc/rhsm/ca/candlepin-local.pem’ (No such file or directory)
# file /etc/pki/consumer/bundle.pem
/etc/pki/consumer/bundle.pem: ASCII text

$ openssl x509 -in /etc/pki/consumer/bundle.pem -noout -text

shows a cert for katello.server signed by RH, rather than my CA.

Is that relevant? Can you tell that I don’t really understand
how the

certs are used?

On Wednesday, 19 August 2015 13:35:52 UTC+1, JC wrote:

Ahhh, right, on the client (/var/log/messages) I see:

Aug 19 13:18:02 ptnoc61 goferd: [ERROR][Thread-1]
gofer.messaging.adapter.proton.connection:106 -
amqps://katello.server:5647

Aug 19 13:18:02 ptnoc61 goferd: [ERROR][Thread-1]
gofer.messaging.adapter.proton.connection:106 - Traceback (most
recent

call

last):

Aug 19 13:18:02 ptnoc61 goferd: [ERROR][Thread-1]
gofer.messaging.adapter.proton.connection:106 - File

“/usr/lib/python2.6/site-packages/gofer/messaging/adapter/proton/connection.py”,

line 101, in open

Aug 19 13:18:02 ptnoc61 goferd: [ERROR][Thread-1]
gofer.messaging.adapter.proton.connection:106 - domain =
self.ssl_domain(connector)

Aug 19 13:18:02 ptnoc61 goferd: [ERROR][Thread-1]
gofer.messaging.adapter.proton.connection:106 - File

“/usr/lib/python2.6/site-packages/gofer/messaging/adapter/proton/connection.py”,

line 57, in ssl_domain

Aug 19 13:18:02 ptnoc61 goferd: [ERROR][Thread-1]
gofer.messaging.adapter.proton.connection:106 -
domain.set_trusted_ca_db(connector.ssl.ca_certificate)

Aug 19 13:18:02 ptnoc61 goferd: [ERROR][Thread-1]
gofer.messaging.adapter.proton.connection:106 - File
"/usr/lib64/python2.6/site-packages/proton/init.py", line
3386, in

set_trusted_ca_db

Aug 19 13:18:02 ptnoc61 goferd: [ERROR][Thread-1]
gofer.messaging.adapter.proton.connection:106 -
certificate_db) )

Aug 19 13:18:02 ptnoc61 goferd: [ERROR][Thread-1]
gofer.messaging.adapter.proton.connection:106 - File
"/usr/lib64/python2.6/site-packages/proton/init.py", line
3376, in

_check

Aug 19 13:18:02 ptnoc61 goferd: [ERROR][Thread-1]
gofer.messaging.adapter.proton.connection:106 - raise exc(“SSL
failure.”)

Aug 19 13:18:02 ptnoc61 goferd: [ERROR][Thread-1]
gofer.messaging.adapter.proton.connection:106 - SSLException: SSL
failure.

Aug 19 13:18:02 ptnoc61 goferd: [INFO][Thread-1]
gofer.messaging.adapter.proton.connection:108 - retry in 106
seconds

Aug 19 13:19:49 ptnoc61 goferd: [INFO][Thread-1]
gofer.messaging.adapter.proton.connection:100 - connecting: URL:
amqps://katello.server:5647|SSL: ca:
/etc/rhsm/ca/katello-server-ca.pem|key: None|certificate:
/etc/pki/consumer/bundle.pem|host-validation: None

And on the server I see (ignore the times, grabbed from later in
/var/log/qdrouterd.log):

Wed Aug 19 13:32:23 2015 SERVER (debug) Accepting incoming
connection

from

katello.client:44791 to 0.0.0.0:5647

I’ve previously updated the Foreman UI cert using:

$ katello-installer --certs-server-cert “katello.cer”
–certs-server-cert-req “katello.csr” --certs-server-key
"katello.key"

–certs-server-ca-cert “RootAll.cer” --certs-update-server
–certs-update-server-ca

Did I miss something then? The UI looks happy…

OK, anyone know the solution?

On Wednesday, 19 August 2015 12:57:20 UTC+1, JC wrote:

OK, strace showed a problem writing to the log file. Perms
changed

and

now we have some output…

cat /var/log/qdrouterd.log

Wed Aug 19 12:32:43 2015 AGENT (debug) Add entity:
Entity(name=log/ROUTER_LS, identity=log/ROUTER_LS,
type=org.apache.qpid.dispatch.log, enable=default,
module=ROUTER_LS)

Wed Aug 19 12:32:43 2015 AGENT (debug) Add entity:
Entity(name=log/ROUTER_MA, identity=log/ROUTER_MA,
type=org.apache.qpid.dispatch.log, enable=default,
module=ROUTER_MA)

Wed Aug 19 12:32:43 2015 AGENT (debug) Add entity:
Entity(name=log/DISPATCH, identity=log/DISPATCH,
type=org.apache.qpid.dispatch.log, enable=default,
module=DISPATCH)

Wed Aug 19 12:32:43 2015 AGENT (debug) Add entity:
Entity(name=log/ROUTER_HELLO, identity=log/ROUTER_HELLO,
type=org.apache.qpid.dispatch.log, enable=default,
module=ROUTER_HELLO)

Wed Aug 19 12:32:43 2015 AGENT (debug) Add entity:
Entity(name=log/SERVER,

identity=log/SERVER, type=org.apache.qpid.dispatch.log,
enable=default,

module=SERVER)

Wed Aug 19 12:32:43 2015 AGENT (debug) Add entity:
Entity(name=log/CONTAINER, identity=log/CONTAINER,
type=org.apache.qpid.dispatch.log, enable=default,
module=CONTAINER)

Wed Aug 19 12:32:43 2015 AGENT (debug) Add entity:
Entity(name=log/AGENT,

identity=log/AGENT, type=org.apache.qpid.dispatch.log,
enable=default,

module=AGENT)

Wed Aug 19 12:32:43 2015 AGENT (debug) Add entity:
Entity(name=log/ERROR,

identity=log/ERROR, type=org.apache.qpid.dispatch.log,
enable=default,

module=ERROR)

Wed Aug 19 12:32:43 2015 AGENT (debug) Add entity:
Entity(name=log/ROUTER,

identity=log/ROUTER, type=org.apache.qpid.dispatch.log,
enable=default,

module=ROUTER)

Wed Aug 19 12:32:43 2015 AGENT (debug) Add entity:
Entity(name=log/MESSAGE, identity=log/MESSAGE,
type=org.apache.qpid.dispatch.log, enable=default, module=MESSAGE)

Wed Aug 19 12:32:43 2015 AGENT (debug) Add entity:
Entity(name=log/CONFIG,

identity=log/CONFIG, type=org.apache.qpid.dispatch.log,
enable=default,

module=CONFIG)

Wed Aug 19 12:32:43 2015 AGENT (debug) Add entity:
Entity(name=container/katello.server,
identity=container/katello.server,

type=org.apache.qpid.dispatch.container,
containerName=katello.server,

workerThreads=2)

Wed Aug 19 12:32:43 2015 AGENT (debug) Add entity:
Entity(type=org.apache.qpid.dispatch.router, raIntervalFlux=4,
helloInterval=1, area=0, helloMaxAge=3, remoteLsMaxAge=60,
routerId=katello.server, raInterval=30, mode=interior,
mobileAddrMaxAge=60)

Wed Aug 19 12:32:43 2015 SERVER (info) Container Name:
katello.server

Wed Aug 19 12:32:43 2015 ROUTER (info) Router started in Interior
mode,

area=0 id=katello.server

Wed Aug 19 12:32:43 2015 AGENT (debug) Add entity:
Entity(type=org.apache.qpid.dispatch.allocator, heldByThreads=16,
typeSize=2104, transferBatchSize=16, globalFreeListMax=0,
batchesRebalancedToGlobal=0, typeName=qd_log_entry_t,
batchesRebalancedToThreads=0, totalFreeToHeap=0,
totalAllocFromHeap=16,

localFreeListMax=32)

Wed Aug 19 12:32:43 2015 AGENT (debug) Add entity:
Entity(type=org.apache.qpid.dispatch.allocator, heldByThreads=64,
typeSize=88, transferBatchSize=64, globalFreeListMax=0,
batchesRebalancedToGlobal=0, typeName=qd_field_iterator_t,
batchesRebalancedToThreads=0, totalFreeToHeap=0,
totalAllocFromHeap=64,

localFreeListMax=128)

Wed Aug 19 12:32:43 2015 AGENT (debug) Add entity:
Entity(type=org.apache.qpid.dispatch.allocator, heldByThreads=64,
typeSize=32, transferBatchSize=64, globalFreeListMax=0,
batchesRebalancedToGlobal=0, typeName=qd_hash_item_t,
batchesRebalancedToThreads=0, totalFreeToHeap=0,
totalAllocFromHeap=64,

localFreeListMax=128)

Wed Aug 19 12:32:43 2015 AGENT (debug) Add entity:
Entity(type=org.apache.qpid.dispatch.allocator, heldByThreads=64,
typeSize=56, transferBatchSize=64, globalFreeListMax=0,
batchesRebalancedToGlobal=0, typeName=qd_node_t,
batchesRebalancedToThreads=0, totalFreeToHeap=0,
totalAllocFromHeap=64,

localFreeListMax=128)

Wed Aug 19 12:32:43 2015 AGENT (debug) Add entity:
Entity(type=org.apache.qpid.dispatch.allocator, heldByThreads=64,
typeSize=136, transferBatchSize=64, globalFreeListMax=0,
batchesRebalancedToGlobal=0, typeName=qd_bitmask_t,
batchesRebalancedToThreads=0, totalFreeToHeap=0,
totalAllocFromHeap=64,

localFreeListMax=128)

Wed Aug 19 12:32:43 2015 AGENT (debug) Add entity:
Entity(type=org.apache.qpid.dispatch.allocator, heldByThreads=64,
typeSize=56, transferBatchSize=64, globalFreeListMax=0,
batchesRebalancedToGlobal=0, typeName=qd_timer_t,
batchesRebalancedToThreads=0, totalFreeToHeap=0,
totalAllocFromHeap=64,

localFreeListMax=128)

Wed Aug 19 12:32:43 2015 AGENT (debug) Add entity:
Entity(type=org.apache.qpid.dispatch.allocator, heldByThreads=64,
typeSize=216, transferBatchSize=64, globalFreeListMax=0,
batchesRebalancedToGlobal=0, typeName=qd_address_t,
batchesRebalancedToThreads=0, totalFreeToHeap=0,
totalAllocFromHeap=64,

localFreeListMax=128)

Wed Aug 19 12:32:43 2015 AGENT (debug) Add entity:
Entity(type=org.apache.qpid.dispatch.allocator, heldByThreads=64,
typeSize=16, transferBatchSize=64, globalFreeListMax=0,
batchesRebalancedToGlobal=0, typeName=qd_hash_handle_t,
batchesRebalancedToThreads=0, totalFreeToHeap=0,