[Katello] Using an external CA to generate SSL Certificates

Hi Everyone

I'm trying to install Katello with custom certificates. To generate the SSL
certificate I have tried using FreeIPA 4.2 and also tried generating the
certificate using this guide to create a CA and a server certificate:
https://jamielinux.com/docs/openssl-certificate-authority/. Both methods
end with the same result. I'm not sure where I am going wrong or even how
to troubleshoot this one.

Then, following these instructions
https://github.com/Katello/katello-installer#certificates on a clean CentOS
7.3 install, I get the following error:

[root@katello ssl-freeipa]# foreman-installer --scenario katello \
> --certs-server-cert "/root/ssl-freeipa/katello.example.com.crt" \
> --certs-server-cert-req "/root/ssl-freeipa/katello.example.com.csr" \
> --certs-server-key "/root/ssl-freeipa/katello.example.com.key" \
> --certs-server-ca-cert "/root/ssl-freeipa/ca.crt"
/Stage[main]/Foreman::Database/Foreman::Rake[db:seed]/Exec[foreman-rake-db:seed]: Failed to call refresh: /usr/sbin/foreman-rake db:seed returned 1 instead of one of [0]
/Stage[main]/Foreman::Database/Foreman::Rake[db:seed]/Exec[foreman-rake-db:seed]: /usr/sbin/foreman-rake db:seed returned 1 instead of one of [0]
Proxy katello.example.com cannot be registered: unknown error (response 500)
/Stage[main]/Foreman_proxy::Register/Foreman_smartproxy[katello.example.com]/ensure: change from absent to present failed: Proxy katello.example.com cannot be registered: unknown error (response 500)
Installing Done [100%] […]
Something went wrong! Check the log for ERROR-level output
The full log is at /var/log/foreman-installer/katello.log

The certificate verification works:

[root@katello ssl-freeipa]# katello-certs-check -c /root/ssl-freeipa/katello.example.com.crt \
> -k /root/ssl-freeipa/katello.example.com.key \
> -b /root/ssl-freeipa/ca.crt \
> -r katello.example.com.csr
Validating the certificate subject= /O=EXAMPLE.COM/CN=katello.example.com
Check private key matches the certificate: [OK]
Check ca bundle verifies the cert file: [OK]

Validation succeeded.

To install the Katello main server with the custom certificates, run:

    foreman-installer --scenario katello\
                      --certs-server-cert "/root/ssl-freeipa/katello.example.com.crt"\
                      --certs-server-cert-req "/root/ssl-freeipa/katello.example.com.csr"\
                      --certs-server-key "/root/ssl-freeipa/katello.example.com.key"\
                      --certs-server-ca-cert "/root/ssl-freeipa/ca.crt"

To update the certificates on a currently running Katello installation, run:

    foreman-installer --scenario katello\
                      --certs-server-cert "/root/ssl-freeipa/katello.example.com.crt"\
                      --certs-server-cert-req "/root/ssl-freeipa/katello.example.com.csr"\
                      --certs-server-key "/root/ssl-freeipa/katello.example.com.key"\
                      --certs-server-ca-cert "/root/ssl-freeipa/ca.crt"\
                      --certs-update-server --certs-update-server-ca

To use them inside a $CAPSULE, run this command INSTEAD:

    capsule-certs-generate --capsule-fqdn ""\
                           --certs-tar  "~/-certs.tar"\
                           --server-cert "/root/ssl-freeipa/katello.example.com.crt"\
                           --server-cert-req "/root/ssl-freeipa/katello.example.com.csr"\
                           --server-key "/root/ssl-freeipa/katello.example.com.key"\
                           --server-ca-cert "/root/ssl-freeipa/ca.crt"\
                           --certs-update-server

Certificates were generated using the following process:

mkdir ~/ssl-freeipa
semanage fcontext -a -t cert_t "/root/ssl-freeipa(/.*)?"
restorecon -FvvR /root/ssl-freeipa

openssl genrsa -out katello.example.com.key 2048
openssl req -new -sha256 -key katello.example.com.key -out katello.example.com.csr

On the IPA server:

ipa service-add-host HTTP/katello.example.com --host katello.example.com
ipa cert-request --principal=HTTP/katello.example.com katello.example.com.csr
ipa cert-show 22 --out=katello.example.com.crt

Copy ca.crt and katello.example.com.crt back to katello.example.com. Then
run the certificate check and installer.

Looking through /var/log/foreman-installer/katello.log the first sign of
trouble I see is:

[ WARN 2016-11-17 23:06:48 main] /Stage[main]/Foreman::Database/Foreman::Rake[db:seed]/Exec[foreman-rake-db:seed]/returns: rake aborted!
[ WARN 2016-11-17 23:06:48 main] /Stage[main]/Foreman::Database/Foreman::Rake[db:seed]/Exec[foreman-rake-db:seed]/returns: There was an issue with the backend service candlepin: SSL_connect returned=1 errno=0 state=SSLv3 read server certificate B: certificate verify failed

Thanks for any help. I'm happy to attach the logs if they would be useful.

Tim

External certs don't work correctly. It's an outstanding issue. Somewhere on
Foreman's issue tracker is a ticket talking about this. I outlined a few
things I did, but found out that at least one step breaks another further
downstream.

Basically it comes down to the fact that Katello needs to build two top-level
CAs and use them accordingly: one for the "custom" certs and one for the
"default" based certs. Until that happens I don't see all the cert issues
being resolved correctly.

For example, I have a working instance after some cert shuffling and root
CA updates. But the moment I installed the components for docker image
repositories, the $capsule:5000 vhost has the wrong cert chain.

Thanks, Danny

Looking at the issue tracker I see some SSL bugs have been squished in the last three days by Eric Helms, eg Bug #17379: Specifying ca_cert_file for Candlepin fails with SSL verify error - Katello - Foreman. I'll try and give the master branch a test to see if it solves my issue.

>
> External certs don't work correctly. Its an outstanding issue. Somewhere
> on foreman's issue tracker is a ticket talking about this. I outlined a few
> things I did, but found out that at least one step breaks another further
> downstream.
>
> Basically comes down to the fact that Katello needs to build two top-level
> CAs and use them accordingly one for the "custom" certs and one for the
> "default" based certs. Until that happens I don't see all the cert issues
> being resolved correctly.
>
>
We're running Satellite 6.2 with custom certs and everything works (well,
see the note below!):

> For example, I have a working instance after some cert shuffling and root
> CA updates. But the moment I installed the components for docker image
> repositories, the $capsule:5000 vhost has the wrong cert chain.
>

I suspect we are hitting this - do you know a BZ or tracker ID?

On Sunday, November 20, 2016 at 12:54:51 PM UTC-5, Danny Kimsey wrote:

I don't, I only discovered it recently and mentally flagged it under the
existing issue.

It's easy to diagnose: do an openssl s_client and look at the cert chain it
provides. It's the custom cert with the default's chain.

On Sun, Nov 20, 2016 at 8:59 PM Andrew Schofield wrote:



Danny.

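The two checks this thread leans on, the katello-certs-check output in the first post ("private key matches the certificate", "ca bundle verifies the cert file") and Danny's openssl s_client diagnosis of a leaf served with the wrong CA chain, can be reproduced offline with Go's crypto/x509. The program below is an added example and is not code from Katello, Foreman or anyone in the thread. It constructs two throw-away CAs in memory, a "custom" one and a "default" one standing in for the installer's own CA, issues a leaf for katello.example.com under the custom CA, and then diagnoses the misconfiguration Danny describes: the server presents the custom leaf with the default CA appended as its chain. The CA names, the function names DiagnoseChain and KeyMatchesCert and the ChainReport type are all assumptions made for this example.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// ChainReport is what a defender wants out of "openssl s_client -showcerts":
// who issued the leaf, whether the extra certs the server sent are actually
// its issuers, and whether the leaf verifies against the CA the client trusts.
type ChainReport struct {
	LeafSubject   string
	LeafIssuer    string
	IssuerPresent bool     // one of the presented extra certs really signed the leaf
	StrayChain    []string // presented CA certs that did NOT sign the leaf
	VerifyErr     error    // nil when the leaf chains to trustedCA for dnsName
}

// DiagnoseChain inspects a presented chain (leaf first, then whatever the
// server appended) against the single CA the client is configured to trust.
func DiagnoseChain(trustedCA *x509.Certificate, dnsName string, presented ...*x509.Certificate) ChainReport {
	if len(presented) == 0 {
		return ChainReport{VerifyErr: fmt.Errorf("server presented no certificate")}
	}
	leaf := presented[0]
	r := ChainReport{LeafSubject: leaf.Subject.CommonName, LeafIssuer: leaf.Issuer.CommonName}
	inter := x509.NewCertPool()
	for _, c := range presented[1:] {
		inter.AddCert(c)
		// A chain cert that did not sign the leaf is the "custom cert with the
		// default's chain" symptom; flag it even if verification still passes.
		if leaf.CheckSignatureFrom(c) == nil {
			r.IssuerPresent = true
		} else {
			r.StrayChain = append(r.StrayChain, c.Subject.CommonName)
		}
	}
	roots := x509.NewCertPool()
	roots.AddCert(trustedCA)
	_, r.VerifyErr = leaf.Verify(x509.VerifyOptions{DNSName: dnsName, Roots: roots, Intermediates: inter})
	return r
}

// KeyMatchesCert is the "private key matches the certificate" check: the
// certificate must carry the public half of the key about to be deployed.
func KeyMatchesCert(cert *x509.Certificate, key *ecdsa.PrivateKey) bool {
	pub, ok := cert.PublicKey.(*ecdsa.PublicKey)
	return ok && pub.Equal(&key.PublicKey)
}

// MakeCA builds a self-signed CA for the demonstration (constructed, in memory only).
func MakeCA(name string) (*x509.Certificate, *ecdsa.PrivateKey) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		panic(err)
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: name},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour),
		IsCA: true, BasicConstraintsValid: true,
		KeyUsage: x509.KeyUsageCertSign | x509.KeyUsageDigitalSignature,
	}
	return sign(tmpl, tmpl, &key.PublicKey, key), key
}

// MakeLeaf issues a server certificate for dnsName under the given CA.
func MakeLeaf(dnsName string, ca *x509.Certificate, caKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		panic(err)
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(2), Subject: pkix.Name{CommonName: dnsName}, DNSNames: []string{dnsName},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour),
		KeyUsage: x509.KeyUsageDigitalSignature, ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	}
	return sign(tmpl, ca, &key.PublicKey, caKey), key
}

func sign(tmpl, parent *x509.Certificate, pub *ecdsa.PublicKey, priv *ecdsa.PrivateKey) *x509.Certificate {
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, pub, priv)
	if err != nil {
		panic(err)
	}
	cert, err := x509.ParseCertificate(der)
	if err != nil {
		panic(err)
	}
	return cert
}

func main() {
	customCA, customKey := MakeCA("EXAMPLE.COM custom CA")
	defaultCA, _ := MakeCA("Katello default CA")
	leaf, leafKey := MakeLeaf("katello.example.com", customCA, customKey)
	fmt.Println("private key matches certificate:", KeyMatchesCert(leaf, leafKey))

	// The misconfiguration from the thread: the vhost serves the custom leaf
	// but appends the default CA instead of the custom CA as its chain. A
	// client trusting the custom CA still verifies (and sees the stray cert);
	// a component still trusting the default CA fails, as candlepin did.
	for _, trust := range []*x509.Certificate{customCA, defaultCA} {
		r := DiagnoseChain(trust, "katello.example.com", leaf, defaultCA)
		fmt.Printf("trusting %q: leaf issuer=%q stray chain=%v verify error=%v\n",
			trust.Subject.CommonName, r.LeafIssuer, r.StrayChain, r.VerifyErr)
	}
}
```

Against a live host the presented slice would be filled from the certificates that `openssl s_client -showcerts -connect host:443` prints; the point of the report is that a stray chain cert is visible even when the client's own trust store happens to make verification pass, which is exactly the state where one component works and another (trusting the other CA) returns "certificate verify failed".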