Problem:
Apple changed the requirements in Catalina that restrict long-term self-signed certificates from being used. This causes Safari and Chrome-based browsers to be unable to browse to the web interface of Foreman. To do so, new certificates must be generated and installed manually.
Usually, just shortening the expiration dates to <825 days will solve most self-signed issues, but the other requirement for the DNS name as a SAN is important too.
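Added example, not from this thread and not the Foreman project's own tooling: a POSIX shell script that generates a self-signed certificate meeting the rules described in the problem above and checks any PEM certificate against them. Besides the two rules the post names (validity length and the DNS name in the SAN), it checks the other two items on Apple's published list for macOS 10.15: a SHA-256 signature and a serverAuth extendedKeyUsage; Apple's limit is a validity period of 825 days or fewer. The hostname foreman.example.com, the output directories and the function names gen_cert/check_cert/to_epoch are placeholders of mine, and the script assumes OpenSSL 1.1.1 or newer (for -addext) and either GNU or BSD date.

```shell
#!/bin/sh
# Added example, not the thread author's script: build a self-signed TLS cert that
# macOS 10.15 (Catalina) accepts, and check any PEM cert against the same rules.
# Assumes OpenSSL >= 1.1.1 (for -addext) and either GNU or BSD `date`.
set -e

# gen_cert HOST DAYS OUTDIR [legacy]
# Writes OUTDIR/HOST.key and OUTDIR/HOST.crt. The default form follows the
# Catalina rules; "legacy" reproduces the old CN-only style for comparison.
gen_cert() {
  host=$1; days=$2; out=$3; mode=${4:-catalina}
  mkdir -p "$out"
  if [ "$mode" = legacy ]; then
    # Pre-Catalina style: no SAN, no EKU, lifetime whatever the caller asks for.
    openssl req -x509 -newkey rsa:2048 -nodes -sha256 \
      -keyout "$out/$host.key" -out "$out/$host.crt" \
      -days "$days" -subj "/CN=$host" >/dev/null 2>&1
  else
    # RSA 2048 + SHA-256, DNS name in the SAN (the CN alone is ignored),
    # serverAuth EKU, and a validity the caller keeps at or under 825 days.
    openssl req -x509 -newkey rsa:2048 -nodes -sha256 \
      -keyout "$out/$host.key" -out "$out/$host.crt" \
      -days "$days" -subj "/CN=$host" \
      -addext "subjectAltName=DNS:$host" \
      -addext "extendedKeyUsage=serverAuth" \
      -addext "keyUsage=digitalSignature,keyEncipherment" >/dev/null 2>&1
  fi
}

# to_epoch "Jan 10 12:34:56 2025 GMT" -> seconds since the epoch (GNU or BSD date).
to_epoch() {
  if date --version >/dev/null 2>&1; then
    date -u -d "$1" +%s
  else
    date -j -u -f '%b %e %H:%M:%S %Y %Z' "$1" +%s
  fi
}

# check_cert CERT HOST
# Returns 0 if CERT meets all four rules, 1 otherwise, printing each rule it misses.
check_cert() {
  crt=$1; host=$2; rc=0
  text=$(openssl x509 -in "$crt" -noout -text)
  # 1. SHA-256 signature (SHA-1 signed certificates are refused)
  printf '%s\n' "$text" | grep -q 'Signature Algorithm: sha256WithRSAEncryption' ||
    { echo "FAIL: signature algorithm is not sha256WithRSAEncryption"; rc=1; }
  # 2. The hostname must appear as a DNS entry in subjectAltName
  printf '%s\n' "$text" | grep -q "DNS:$host" ||
    { echo "FAIL: no subjectAltName DNS:$host"; rc=1; }
  # 3. extendedKeyUsage must include serverAuth
  printf '%s\n' "$text" | grep -q 'TLS Web Server Authentication' ||
    { echo "FAIL: extendedKeyUsage lacks serverAuth"; rc=1; }
  # 4. notAfter minus notBefore must be 825 days or fewer
  nb=$(to_epoch "$(openssl x509 -in "$crt" -noout -startdate | cut -d= -f2)")
  na=$(to_epoch "$(openssl x509 -in "$crt" -noout -enddate | cut -d= -f2)")
  span=$(( (na - nb) / 86400 ))
  [ "$span" -le 825 ] ||
    { echo "FAIL: validity is $span days, limit is 825"; rc=1; }
  return $rc
}

# demo: generate both styles into a temp dir and show the verdicts.
demo() {
  dir=$(mktemp -d)
  gen_cert foreman.example.com 825 "$dir/new"
  gen_cert foreman.example.com 1095 "$dir/old" legacy
  echo "new style:"; check_cert "$dir/new/foreman.example.com.crt" foreman.example.com && echo "OK"
  echo "old style:"; check_cert "$dir/old/foreman.example.com.crt" foreman.example.com || echo "rejected"
}

if [ "${1:-}" = demo ]; then demo; fi
```

Run it as `sh catalina-cert.sh demo` to see a compliant certificate pass and a three-year CN-only one fail on the SAN, EKU and validity checks; `check_cert` can also be pointed at an existing Foreman certificate before re-running the installer with the certificate switches, which is a quicker way to find out which rule a browser is tripping over than reading the browser's error page.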
Thanks for the heads-up @x86txt. Most browsers have been moving towards this for CA-signed but left out self-signed certificates. Until now, it appears.
Hi @ekohl - I’ve installed it both ways with the same result. Simply generating a new certificate with the new requirements and re-running the foreman-installer with the correct switches to update the certs works perfectly. Both for a Katello or straight Foreman install.
If it was an older installation it could also have been SHA1 signatures instead of SHA256. We changed a while ago but didn’t enforce new certificates.
Hi @ekohl - these were brand-new installs. I deployed 4 of them in the past month but didn’t notice until I switched from Firefox to Brave (Chromium-based). I even re-built it in my homelab last weekend (was playing around with Katello) to check. It’s the certificate validity length, I believe; it has to be less than 825 days. That’s the only thing I change with my internal CA when I regenerate certs.
Here is the openssl command my script uses to generate valid certs for Catalina: