Katello-certs-check broken after updating from 3.11.2 to 3.11.4

Problem:
The Katello certs check is failing on checking CA bundle against the certificate file.
It seems that there is an unknown openssl verify option set in the latest foreman-installer-katello version: “-no-CAstore”.
I am using custom certificates.

3.11.4:
 
function check-ca-bundle () {
    printf "Checking CA bundle against the certificate file: "
    ERROR_PATTERN="error [0-9]+ at"
    CHECK=$(openssl verify -no-CApath -no-CAstore -CAfile $CA_BUNDLE_FILE -purpose sslserver -verbose $CERT_FILE 2>&1)
 
 
3.11.2:
 
function check-ca-bundle () {
    printf "Checking CA bundle against the certificate file: "
    ERROR_PATTERN="error [0-9]+ at"
    CHECK=$(openssl verify -CAfile $CA_BUNDLE_FILE -purpose sslserver -verbose $CERT_FILE 2>&1)

Expected outcome:
success
Foreman and Proxy versions:
Last working version foreman-installer-katello-3.11.2-1.el8.noarch
Non working version foreman-installer-katello-3.11.4-1.el8.noarch

OS RHEL 8.10

Foreman and Proxy plugin versions:

Distribution and version:

Other relevant data:
openssl version is up to date

root@foreman01 /etc/httpd/ssl (git)-[master] # yum list installed | grep openssl
apr-util-openssl.x86_64 1.6.1-9.el8 @rhel-8-for-x86_64-appstream-rpms
openssl.x86_64 1:1.1.1k-14.el8_6 @rhel-8-for-x86_64-baseos-rpms
openssl-libs.x86_64 1:1.1.1k-14.el8_6 @rhel-8-for-x86_64-baseos-rpms
openssl-pkcs11.x86_64 0.4.10-3.el8 @rhel-8-for-x86_64-baseos-rpms
rubygem-openssl.x86_64 2.1.4-139.module+el8.8.0+18745+f1bef313 @rhel-8-for-x86_64-appstream-rpms
xmlsec1-openssl.x86_64 1.2.25-8.el8_10 @rhel-8-for-x86_64-appstream-rpms
root@foreman01 /etc/httpd/ssl (git)-[master] # which openssl
/bin/openssl
root@foreman01 /etc/httpd/ssl (git)-[master] # rpm -qf /bin/openssl
openssl-1.1.1k-14.el8_6.x86_64

It’s a problem on EL8 which has been deprecated anyway:

Being that 3.11 is the first release of Foreman that officially supports EL9, it makes sense to upgrade to 3.11 first and then plan your upgrade to EL9. This is what I am doing. This requires that the 3.11 release of Foreman continue to fully support EL8.

Throwing many changes at once into the mix can lead to unforeseen consequences IMO.

Due to improvements in our server build process, I have chosen to build new EL9 servers for both the Foreman services and the backend database. This clean build approach guarantees that feature creep in the EL8 server doesn’t come back to bite me with surprises made by undocumented changes and other hazards.

The immediate goal for me with the upgrade to 3.11 was the retirement of PostgreSQL 12, which reaches end of life with the PostgreSQL project at the end of November. Now I can focus on the OS replacement knowing my Foreman environment is solid, and I can plan my migration to EL9.

Official deprecation of EL8 is scheduled for 3.13 per posts in here.

Read the other thread. Your problem is a known bug. It has been solved and the fix will be available soon. You can always make the necessary change yourself to proceed. There is literally nothing else to say which isn’t in the other thread.

Thanks for sharing. I need to improve my search skills :smiley:, I was not able to find the other thread.

The link to that thread was in [gvde]'s post “Applied 3.11.4 update to existing 3.11.2 install, now foreman-installer is erroring out”.

Anyways, I managed to get around this issue with
sudo vi /usr/sbin/katello-certs-check
#edit line 160
#from
CHECK=$(openssl verify -no-CApath -no-CAstore -CAfile $CA_BUNDLE_FILE -purpose sslserver -verbose $CERT_FILE 2>&1)
to
CHECK=$(openssl verify -no-CApath -CAfile $CA_BUNDLE_FILE -purpose sslserver -verbose $CERT_FILE 2>&1)

and then running …
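As an added example (not from this thread and not part of the katello-certs-check script), a small shell probe that picks the `openssl verify` options the installed OpenSSL actually accepts: `-no-CApath` exists since OpenSSL 1.1.0, but `-no-CAstore` only since OpenSSL 3.0, which is why EL8's 1.1.1k rejects it. The function names are mine; the check itself mirrors the thread's `check-ca-bundle` call.

```shell
#!/bin/sh
# Added example: choose openssl verify options that the installed OpenSSL accepts.
# -no-CApath exists since OpenSSL 1.1.0; -no-CAstore only since OpenSSL 3.0.

# Pure decision logic on a version string such as "OpenSSL 1.1.1k  FIPS 25 Mar 2021".
# Prints the options that suppress the default trust store(s) for that major version.
verify_flags_for_version() {
    major=$(printf '%s\n' "$1" | sed -n 's/^OpenSSL \([0-9][0-9]*\)\..*/\1/p')
    case "$major" in
        '' | 0 | 1) printf '%s\n' "-no-CApath" ;;              # 1.1.x: no -no-CAstore
        *)          printf '%s\n' "-no-CApath -no-CAstore" ;;  # 3.x and later
    esac
}

# Probe the real binary's help text rather than trusting only the version string,
# so a build that does know -no-CAstore still gets the stricter option set.
detect_verify_flags() {
    if openssl verify -help 2>&1 | grep -q -- '-no-CAstore'; then
        printf '%s\n' "-no-CApath -no-CAstore"
    else
        verify_flags_for_version "$(openssl version 2>/dev/null)"
    fi
}

# Same check as the thread's check-ca-bundle, but with the detected options.
# Returns 0 when cert_file chains to ca_bundle_file for the sslserver purpose, 1 otherwise.
check_ca_bundle() {
    ca_bundle_file=$1
    cert_file=$2
    flags=$(detect_verify_flags)
    # shellcheck disable=SC2086  # $flags is intentionally word-split into options
    if out=$(openssl verify $flags -CAfile "$ca_bundle_file" -purpose sslserver -verbose "$cert_file" 2>&1); then
        printf 'OK: %s\n' "$out"
        return 0
    fi
    printf 'FAILED: %s\n' "$out" >&2
    return 1
}
```

Run it as `check_ca_bundle /path/to/ca-bundle.pem /path/to/server.pem`; the detection keeps the stricter `-no-CAstore` where it is available and silently drops it on OpenSSL 1.1.1.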

@frostygresh should the line be changed back to -no-CAstore? I guess not until the bug is fixed?