Problem:
The Katello certs check is failing on checking CA bundle against the certificate file.
It seems that there is an unknown openssl verify option set in the latest foreman-installer-katello version: "-no-CAstore"
I am using custom certificates.
3.11.4:
    function check-ca-bundle () {
    printf "Checking CA bundle against the certificate file: "
    ERROR_PATTERN="error [0-9]+ at"
    # 3.11.4 adds -no-CApath -no-CAstore to the verify call
    CHECK=$(openssl verify -no-CApath -no-CAstore -CAfile $CA_BUNDLE_FILE -purpose sslserver -verbose $CERT_FILE 2>&1)
3.11.2:
    function check-ca-bundle () {
    printf "Checking CA bundle against the certificate file: "
    ERROR_PATTERN="error [0-9]+ at"
    # 3.11.2 passes only -CAfile
    CHECK=$(openssl verify -CAfile $CA_BUNDLE_FILE -purpose sslserver -verbose $CERT_FILE 2>&1)
Expected outcome:
success

Foreman and Proxy versions:
Last working version: foreman-installer-katello-3.11.2-1.el8.noarch
Non-working version: foreman-installer-katello-3.11.4-1.el8.noarch
OS: RHEL 8.10
Foreman and Proxy plugin versions:
Distribution and version:
Other relevant data:
openssl version is up to date
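The two excerpts above differ only in the `-no-CApath -no-CAstore` flags. `-no-CAstore` was introduced in OpenSSL 3.x together with `-CAstore`; the OpenSSL 1.1.1 that RHEL 8 ships does not know it and `openssl verify` rejects the whole command, which is why the check fails regardless of the certificates. The script below is an added example written for this thread, not foreman-installer code: it probes `openssl verify -help` for each flag and only passes the ones the local binary lists, so the same function works on EL8 and EL9. The two `SAMPLE_HELP_*` strings are constructed, abbreviated stand-ins for the help output of 1.1.1 and 3.x, and `check_ca_bundle` is a hypothetical replacement for the installer's `check-ca-bundle`.

```shell
#!/usr/bin/env bash
# Added example, not foreman-installer code: choose the `openssl verify`
# flags at run time based on what the installed openssl actually accepts.
# -no-CAstore exists only in OpenSSL 3.x; RHEL 8's 1.1.1 rejects it.

# Constructed, abbreviated help excerpts (not captured output) standing in
# for OpenSSL 1.1.1 (RHEL 8) and OpenSSL 3.x (RHEL 9).
SAMPLE_HELP_OPENSSL_111='Usage: verify [options] cert.pem...
 -CAfile infile       A file of trusted certificates.
 -no-CAfile           Do not load the default certificates file
 -no-CApath           Do not load certificates from the default certificates directory'

SAMPLE_HELP_OPENSSL_3='Usage: verify [options] [cert...]
 -CAfile infile        A file of trusted certificates
 -no-CAfile            Do not load the default certificates file
 -no-CApath            Do not load certificates from the default certificates directory
 -CAstore uri          URI to store of trusted certificates
 -no-CAstore           Do not load certificates from the default certificates store'

# Return 0 if the given `openssl verify -help` text lists the option.
# The option must start a line and be followed by whitespace or end of
# line, so "-no-CApath" is not counted as a hit for "-no-CAstore".
openssl_help_has_option() {
  local help_text option
  help_text=$1
  option=$2
  printf '%s\n' "$help_text" | grep -Eq -- "^[[:space:]]*${option}([[:space:]]|\$)"
}

# Print the subset of "-no-CApath -no-CAstore" that this openssl supports.
build_verify_opts() {
  local help_text opts candidate
  help_text=$1
  opts=""
  for candidate in -no-CApath -no-CAstore; do
    if openssl_help_has_option "$help_text" "$candidate"; then
      opts="${opts:+$opts }$candidate"
    fi
  done
  printf '%s' "$opts"
}

# Hypothetical replacement for the installer's check-ca-bundle: same
# -CAfile/-purpose/-verbose call, with the extra flags probed first.
check_ca_bundle() {
  local ca_bundle_file cert_file help_text opts check status
  ca_bundle_file=$1
  cert_file=$2
  help_text=$(openssl verify -help 2>&1)
  opts=$(build_verify_opts "$help_text")
  printf 'Checking CA bundle against the certificate file: '
  status=0
  # $opts is intentionally unquoted so it splits into separate flags.
  check=$(openssl verify $opts -CAfile "$ca_bundle_file" \
            -purpose sslserver -verbose "$cert_file" 2>&1) || status=$?
  if [ "$status" -ne 0 ] || printf '%s\n' "$check" | grep -Eq 'error [0-9]+ at'; then
    printf 'FAIL\n%s\n' "$check"
    return 1
  fi
  printf 'OK\n'
}

# Usage: ./check-ca-bundle.sh "$CA_BUNDLE_FILE" "$CERT_FILE"
if [ $# -eq 2 ]; then
  check_ca_bundle "$1" "$2"
fi
```

On a box with OpenSSL 1.1.1, `build_verify_opts` yields just `-no-CApath`, so the verify call degrades to what 3.11.2 ran plus the one flag 1.1.1 does understand; on OpenSSL 3.x it yields both flags and matches the 3.11.4 behaviour. Probing the help text is deliberately preferred over parsing `openssl version`, because distributions backport options and the version string alone does not tell you which flags the binary accepts.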
Being that 3.11 is the first release of Foreman that officially supports EL9, it makes sense to upgrade to 3.11 first and then plan your upgrade to EL9. This is what I am doing. This requires that the 3.11 release of Foreman continue to fully support EL8.
Throwing many changes at once into the mix can lead to unforeseen consequences IMO.
Due to improvements in our server build process, I have chosen to build new EL9 servers for both the Foreman services and the backend database. This clean build approach guarantees that feature creep in the EL8 server doesn't come back to bite me with surprises from undocumented changes and other hazards.
The immediate goal for me with the upgrade to 3.11 was the retirement of PostgreSQL 12, which reaches end of life with the PostgreSQL project at the end of November. Now I can focus on the OS replacement knowing my Foreman environment is solid, and I can plan my migration to EL9.
Official deprecation of EL8 is scheduled for 3.13 per posts in here.
Read the other thread. Your problem is a known bug. It has been solved and the fix will be available soon. You can always make the necessary change yourself to proceed. There is literally nothing else to say which isn’t in the other thread.