Katello Client Installation Fails with Certificate Errors

Problem:
We’re attempting to install Foreman 1.20 with Katello 3.10 with custom certificates following the guide here: https://gist.github.com/ericlake/7d01a2377d5cc7de7f0746e297224de4

The server seems to have installed correctly, and the SSL certificate is recognized by the browser. However, when I attempt to install a bare metal node, I receive this error when installing the katello-consumer-ca package:

p11-kit: certificate with distrust in location for anchors: katello-server-ca.pem
p11-kit: certificate with distrust in location for anchors: katello-server-ca.pem
p11-kit: certificate with distrust in location for anchors: katello-server-ca.pem
.....

I also receive this message when running yum check-update:

Peer's Certificate issuer is not recognized

Does anyone have any thoughts?

Expected outcome:
Katello consumer key installs without error.

Foreman and Proxy versions:
Foreman 1.20

Foreman and Proxy plugin versions:
Foreman 1.20 with Katello 3.10

Other relevant data:

The CA’s keys were added to the /etc/pki/ca-trust/source/anchors/ directory, and update-ca-trust enable and update-ca-trust extract were run.

Hello @nealepetrillo,

This documentation might be helpful: Foreman :: Plugin Manuals

I can confirm the exact same issue on a fresh install - however I did not add the keys to the /etc/pki/ca-trust/source/anchors directory, I just passed them as arguments to the installer. This was after having installed the server, not as part of the initial install.

I not only get the p11-kit warning on the content hosts, I also get it on the Katello server when trying to run update-ca-trust extract. It looks like the chain certificates I have supplied have been blacklisted, and I can’t find any way of removing them from the blacklist.

Happily, this is a testing install and I haven’t got massively far - I am going to try a fresh install and pass the certificates as part of the initial install.

Please let me know if you need any more specific details.