macOS Catalina + SSL Certs Incompatible

Problem:
Apple changed the requirements in Catalina that restrict long-term self-signed certificates from being used. This causes Safari and Chrome-based browsers to be unable to browse to the web interface of Foreman. To do so, new certificates must be generated and installed manually.

Usually, just shortening the expiration dates to <825 days will solve most self-signed issues, but the other requirement for the DNS name as a SAN is important too.

Expected outcome:

Foreman and Proxy versions:
1.23, 1.24

Other relevant data:


Thanks for reaching out to us, most of us don’t use evil browsers… :wink:

This should be just a parameter somewhere @ekohl? Probably worth including in 1.24 I think @tbrisker?

Thanks for the heads up @x86txt. Most browsers have been moving towards this for CA signed but left out self signed certificates. Until now it appears.

@x86txt did you install with Katello or Foreman?

Hi @ekohl - I’ve installed it both ways with the same result. Simply generating a new certificate with the new requirements and re-running the foreman-installer with the correct switches to update the certs works perfectly. Both for a Katello or straight Foreman install.

If it was an older installation it could also have been SHA1 signatures instead of SHA256. We changed a while ago but didn’t enforce new certificates.

Hi @ekohl - these were brand new installs. I deployed 4 of them in the past month but didn’t notice until I switched from Firefox to Brave (Chromium-based). I even re-built it in my homelab last weekend (was playing around with Katello) to check. It’s the certificate validity length I believe, it has to be less than 825 days. That’s the only thing I change with my internal CA when I regenerate certs.

Here is the openssl command my script uses to generate valid certs for Catalina:

/usr/bin/openssl x509 -req -SHA256 -extfile $hostname.ext -days 824 -in $hostname.csr -CA ./ca/ca.crt -CAkey ./ca/ca.key -CAcreateserial -out $hostname.crt

Nothing special with that except the expiration length I believe?

Then I re-run this to point to the new certs, and all is well:

foreman-installer --foreman-server-ssl-cert /etc/puppetlabs/puppet/ssl/certs/puppet.crt \
--foreman-server-ssl-key /etc/puppetlabs/puppet/ssl/certs/puppet.key \
--puppet-server-foreman-ssl-ca /etc/puppetlabs/puppet/ssl/certs/ca.crt \
--foreman-proxy-foreman-ssl-ca /etc/puppetlabs/puppet/ssl/certs/ca.crt
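The three requirements the thread settles on (validity under 825 days, the host name as a DNS SAN, a SHA-256 signature) put together as an added example that is not part of the thread or of Foreman: one function mints a certificate from a throwaway CA the way the openssl command above does, and a second checks an existing certificate against those rules before you hand it to foreman-installer. It assumes openssl and GNU date are installed; the CA name, host name and paths are constructed placeholders.

```shell
#!/bin/sh
# Added example, not from the thread. Assumes openssl and GNU date.
set -eu

# make_cert DIR HOST DAYS: throwaway CA plus a server cert for HOST valid DAYS days.
make_cert() {
  dir=$1; host=$2; days=$3
  mkdir -p "$dir"
  # Constructed internal CA. Apple's limit applies to the TLS server cert,
  # not to the CA, so a long CA lifetime is fine here.
  openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 3650 \
    -subj "/CN=Constructed Internal CA" \
    -keyout "$dir/ca.key" -out "$dir/ca.crt" 2>/dev/null
  openssl req -new -newkey rsa:2048 -nodes -sha256 -subj "/CN=$host" \
    -keyout "$dir/$host.key" -out "$dir/$host.csr" 2>/dev/null
  # The extension file is what puts the DNS name into the SAN; a CN alone
  # is not enough. The validity length comes from -days.
  printf 'subjectAltName=DNS:%s\nextendedKeyUsage=serverAuth\n' "$host" \
    > "$dir/$host.ext"
  openssl x509 -req -sha256 -days "$days" -in "$dir/$host.csr" \
    -CA "$dir/ca.crt" -CAkey "$dir/ca.key" -CAcreateserial \
    -extfile "$dir/$host.ext" -out "$dir/$host.crt" 2>/dev/null
}

# check_cert CERT HOST: return 0 only if all three rules hold; report failures.
check_cert() {
  cert=$1; host=$2; rc=0
  text=$(openssl x509 -noout -text -in "$cert")
  # Validity span in days between notBefore and notAfter (GNU date parses
  # the "Mon DD HH:MM:SS YYYY GMT" form openssl prints).
  nb=$(openssl x509 -noout -startdate -in "$cert" | cut -d= -f2)
  na=$(openssl x509 -noout -enddate -in "$cert" | cut -d= -f2)
  span=$(( ($(date -u -d "$na" +%s) - $(date -u -d "$nb" +%s)) / 86400 ))
  if [ "$span" -gt 825 ]; then
    echo "FAIL validity: $span days (max 825)"; rc=1
  fi
  # The host must appear as a DNS entry in the subjectAltName extension.
  if ! printf '%s\n' "$text" | grep -A1 'Subject Alternative Name' \
       | grep -q "DNS:$host"; then
    echo "FAIL SAN: no DNS:$host entry"; rc=1
  fi
  # SHA-1 signatures are rejected; require a SHA-256 signature.
  if ! printf '%s\n' "$text" | grep -q 'Signature Algorithm: sha256'; then
    echo "FAIL signature: not SHA-256"; rc=1
  fi
  return $rc
}
```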