Not able to install foreman-installer-katello

I am trying to install Foreman 2.5 server with the Katello 4.1 plugin on CentOS 7 Linux using the below document.

Going through the steps below I was getting this response:

[root@xxxxx]# yum localinstall https://yum.theforeman.org/releases/2.5/el7/x86_64/foreman-release.rpm
Loaded plugins: fastestmirror, langpacks
Cannot open: https://yum.theforeman.org/releases/2.5/el7/x86_64/foreman-release.rpm. Skipping.
Nothing to do
[root@xxxxx]# yum localinstall https://yum.theforeman.org/katello/4.1/katello/el7/x86_64/katello-repos-latest.rpm
Loaded plugins: fastestmirror, langpacks
Cannot open: https://yum.theforeman.org/katello/4.1/katello/el7/x86_64/katello-repos-latest.rpm. Skipping.
Nothing to do

I decided to use the wget command with the
--no-check-certificate option.
See the commands below.

CentOS 7

wget https://yum.theforeman.org/releases/2.5/el7/x86_64/foreman-release.rpm --no-check-certificate
wget https://yum.puppet.com/puppet6-release-el-7.noarch.rpm --no-check-certificate
wget https://yum.theforeman.org/katello/4.1/katello/el7/x86_64/katello-repos-latest.rpm --no-check-certificate
After that I was able to yum localinstall the foreman-release.rpm, katello-repos-latest.rpm and puppet6-release-el-7.noarch.rpm packages and I can see the repositories.

-rw-r--r--. 1 root root 259 Feb 5 06:50 puppet6.repo
-rw-r--r--. 1 root root 1469 Jun 22 03:46 katello.repo
-rw-r--r--. 1 root root 354 Jun 24 00:51 foreman.repo
-rw-r--r--. 1 root root 384 Jun 24 00:51 foreman-plugins.repo

I have since been able to yum update, although I had to disable the foreman repo to do so.
But when I try to enable the foreman, katello and puppet6 repos I am not able to find foreman-installer-katello.

I am getting the below error message.
Any suggestions please!!!

[root@aidris yum.repos.d]# yum install foreman-installer-katello
Loaded plugins: fastestmirror, langpacks
Loading mirror speeds from cached hostfile

One of the configured repositories failed (Foreman 2.5),
and yum doesn’t have enough cached data to continue. At this point the only
safe thing yum can do is fail. There are a few ways to work “fix” this:

 1. Contact the upstream for the repository and get them to fix the problem.

 2. Reconfigure the baseurl/etc. for the repository, to point to a working
    upstream. This is most often useful if you are using a newer
    distribution release than is supported by the repository (and the
    packages for the previous distribution release still work).

 3. Run the command with the repository temporarily disabled
        yum --disablerepo=foreman ...

 4. Disable the repository permanently, so yum won't use it by default. Yum
    will then just ignore the repository until you permanently enable it
    again or use --enablerepo for temporary usage:

        yum-config-manager --disable foreman
    or
        subscription-manager repos --disable=foreman

 5. Configure the failing repository to be skipped, if it is unavailable.
    Note that yum will try to contact the repo. when it runs most commands,
    so will have to try and fail each time (and thus. yum will be be much
    slower). If it is a very temporary problem though, this is often a nice
    compromise:

        yum-config-manager --save --setopt=foreman.skip_if_unavailable=true

failure: repodata/repomd.xml from foreman: [Errno 256] No more mirrors to try.
https://yum.theforeman.org/releases/2.5/el7/x86_64/repodata/repomd.xml: [Errno 14] curl#60 - “Peer’s certificate issuer has been marked as not trusted by the user.”

Could this be related to the install earlier with --no-check-certificate

It seems the certificate check fails. I have just verified on my end and everything just verified fine.

What happens if you do a

$ curl -v 'https://yum.theforeman.org/releases/2.5/el7/x86_64/'

and

$ openssl s_client -connect yum.theforeman.org:443

on that server? Generally, main suspects for this issue would be a firewall which intercepts TLS connections, broken root ca bundle in the system or your local clock is completely off.

Check the bundle:

$ rpm -V ca-certificates

Thanks gvde
I am getting the below response.

[root@aidris yum.repos.d]# curl -v 'https://yum.theforeman.org/releases/2.5/el7/x86_64/'
* About to connect() to yum.theforeman.org port 443 (#0)
*   Trying 151.101.30.49...
* Connected to yum.theforeman.org (151.101.30.49) port 443 (#0)
* Initializing NSS with certpath: sql:/etc/pki/nssdb
*   CAfile: /etc/pki/tls/certs/ca-bundle.crt
  CApath: none
* Server certificate:
* 	subject: CN=yum.theforeman.org
* 	start date: Jul 01 02:32:33 2021 GMT
* 	expire date: Jul 01 02:32:33 2022 GMT
* 	common name: yum.theforeman.org
* 	issuer: E=level3OnCall@harris.com,CN=MWG,OU=EISO,O=L3Harris,L=Melbourne,ST=Florida,C=US
* NSS error -8172 (SEC_ERROR_UNTRUSTED_ISSUER)
* Peer's certificate issuer has been marked as not trusted by the user.
* Closing connection 0
curl: (60) Peer's certificate issuer has been marked as not trusted by the user.
More details here: curl - SSL CA Certificates

curl performs SSL certificate verification by default, using a “bundle”
of Certificate Authority (CA) public keys (CA certs). If the default
bundle file isn’t adequate, you can specify an alternate file
using the --cacert option.
If this HTTPS server uses a certificate signed by a CA represented in
the bundle, the certificate verification probably failed due to a
problem with the certificate (it might be expired, or the name might
not match the domain name in the URL).
If you’d like to turn off curl’s verification of the certificate, use
the -k (or --insecure) option.

openssl s_client -connect yum.theforeman.org:443
CONNECTED(00000003)
depth=3 O = Harris Corporation, CN = Harris Corporation Root CA
verify error:num=19:self signed certificate in certificate chain

Certificate chain
0 s:/CN=151.101.30.49
i:/C=US/ST=Florida/L=Melbourne/O=L3Harris/OU=EISO/CN=MWG/emailAddress=level3OnCall@harris.com
1 s:/C=US/ST=Florida/L=Melbourne/O=L3Harris/OU=EISO/CN=MWG/emailAddress=level3OnCall@harris.com
i:/DC=net/DC=myharris/CN=Harris Corporation SubCA 1
2 s:/DC=net/DC=myharris/CN=Harris Corporation SubCA 1
i:/O=Harris Corporation/CN=Harris Corporation Root CA
3 s:/O=Harris Corporation/CN=Harris Corporation Root CA
i:/O=Harris Corporation/CN=Harris Corporation Root CA

Server certificate
subject=/CN=151.101.30.49
issuer=/C=US/ST=Florida/L=Melbourne/O=L3Harris/OU=EISO/CN=MWG/emailAddress=level3OnCall@harris.com

No client certificate CA names sent
Peer signing digest: SHA256
Server Temp Key: ECDH, P-256, 256 bits

SSL handshake has read 7605 bytes and written 415 bytes

New, TLSv1/SSLv3, Cipher is ECDHE-RSA-AES256-GCM-SHA384
Server public key is 2048 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
SSL-Session:
Protocol : TLSv1.2
Cipher : ECDHE-RSA-AES256-GCM-SHA384
Session-ID: EDA5C6FC7122080F573EF316C4C3999188C98C502B2F7CFFE086A47BF997DB1B
Session-ID-ctx:
Master-Key: A3F3DC7001CA91AA7DD25253E3655EFD0851D217854ECD93A62E4E28AE2CECA591F631012DCEB90A7A873FFD38ACD12E
Key-Arg : None
Krb5 Principal: None
PSK identity: None
PSK identity hint: None
TLS session ticket lifetime hint: 300 (seconds)
TLS session ticket:

Start Time: 1625159037
Timeout   : 300 (sec)
Verify return code: 19 (self signed certificate in certificate chain)

read:errno=0

I can confirm.

firewall-cmd --list-all
public (active)
target: default
icmp-block-inversion: no
interfaces: ens33
sources:
services: dhcpv6-client ssh
ports: 80/tcp 443/tcp 5647/tcp 8000/tcp 8140/tcp 9090/tcp 53/udp 53/tcp 67/udp 69/udp 5000/tcp
protocols:
masquerade: no
forward-ports:
source-ports:
icmp-blocks:
rich rules:

After the above confirmation of the firewall ports I ran the install again, see below.

yum install foreman-installer-katello
Loaded plugins: fastestmirror, langpacks
Loading mirror speeds from cached hostfile
epel/x86_64/metalink | 7.4 kB 00:00:00

One of the configured repositories failed (Foreman 2.5),
and yum doesn’t have enough cached data to continue. At this point the only
safe thing yum can do is fail. There are a few ways to work “fix” this:

 1. Contact the upstream for the repository and get them to fix the problem.

 2. Reconfigure the baseurl/etc. for the repository, to point to a working
    upstream. This is most often useful if you are using a newer
    distribution release than is supported by the repository (and the
    packages for the previous distribution release still work).

 3. Run the command with the repository temporarily disabled
        yum --disablerepo=foreman ...

 4. Disable the repository permanently, so yum won't use it by default. Yum
    will then just ignore the repository until you permanently enable it
    again or use --enablerepo for temporary usage:

        yum-config-manager --disable foreman
    or
        subscription-manager repos --disable=foreman

 5. Configure the failing repository to be skipped, if it is unavailable.
    Note that yum will try to contact the repo. when it runs most commands,
    so will have to try and fail each time (and thus. yum will be be much
    slower). If it is a very temporary problem though, this is often a nice
    compromise:

        yum-config-manager --save --setopt=foreman.skip_if_unavailable=true

failure: repodata/repomd.xml from foreman: [Errno 256] No more mirrors to try.
https://yum.theforeman.org/releases/2.5/el7/x86_64/repodata/repomd.xml: [Errno 14] curl#60 - “Peer’s certificate issuer has been marked as not trusted by the user.”

I have noticed the below.
date
Fri Jul 2 03:18:56 AEST 2021

Whereas it should be Thursday July 1 17:19 AEST at the time of typing this

There is your problem. That is not the certificate of the foreman server. If you had a correct connection you would see:

* Server certificate:
* 	subject: CN=*.theforeman.org
* 	start date: Mar 23 15:55:38 2021 GMT
* 	expire date: Apr 24 15:55:37 2022 GMT
* 	common name: *.theforeman.org
* 	issuer: CN=GlobalSign Atlas R3 DV TLS CA 2020,O=GlobalSign nv-sa,C=BE

Something is intercepting your TLS connection and uses a certificate issued by ‘level3OnCall@harris.com’ which is eventually signed by an untrusted root CA ‘Harris Corporation Root CA’.

So either you have a firewall intercepting or maybe a local http proxy configured?

You should fix the time as well. Incorrect time isn’t good. But it’s not so far off as it would mean certificates are considered not valid.

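The check gvde walks through above (does the leaf certificate actually name the host, and does the chain verify) can be scripted against saved `openssl s_client` output. This is an added example, not code from the thread or from the Foreman project; the two sample outputs are constructed from the chain details quoted in this thread, and the function names are my own.

```shell
#!/bin/sh
# Added example: classify saved `openssl s_client -connect HOST:443` output as OK,
# INTERCEPTED (leaf cert does not name the host) or UNTRUSTED (name ok, chain fails).
# Constructed sample modelled on the intercepted chain posted in the thread (not a real capture).
SAMPLE_INTERCEPTED='Certificate chain
 0 s:/CN=151.101.30.49
   i:/C=US/ST=Florida/L=Melbourne/O=L3Harris/OU=EISO/CN=MWG/emailAddress=level3OnCall@harris.com
 1 s:/C=US/ST=Florida/L=Melbourne/O=L3Harris/OU=EISO/CN=MWG/emailAddress=level3OnCall@harris.com
   i:/DC=net/DC=myharris/CN=Harris Corporation SubCA 1
---
    Verify return code: 19 (self signed certificate in certificate chain)'
# Constructed sample of a direct connection, using the certificate details gvde quoted.
SAMPLE_OK='Certificate chain
 0 s:/CN=*.theforeman.org
   i:/C=BE/O=GlobalSign nv-sa/CN=GlobalSign Atlas R3 DV TLS CA 2020
---
    Verify return code: 0 (ok)'
# chain_field N s|i OUTPUT: print the subject (s) or issuer (i) of chain element N
chain_field() {
  printf '%s\n' "$3" | awk -v n="$1" -v f="$2" '
    /^ *[0-9]+ s:/ { cur = $1; sub(/^ *[0-9]+ /, "") }
    cur == n && $0 ~ ("^ *" f ":") { sub("^ *" f ":", ""); print; exit }'
}
# verify_code OUTPUT: the numeric "Verify return code" (0 means the chain verified)
verify_code() { printf '%s\n' "$1" | sed -n 's/^ *Verify return code: \([0-9][0-9]*\).*/\1/p'; }
# name_matches CN HOST: exact match, or a single-label wildcard such as *.theforeman.org
name_matches() {
  case "$1" in
    "$2") return 0 ;;
    \*.*) [ "${2#*.}" = "${1#\*.}" ] && return 0 ;;
  esac
  return 1
}
# tls_verdict HOST OUTPUT: one-line verdict with the evidence behind it
tls_verdict() {
  code=$(verify_code "$2")
  cn=$(chain_field 0 s "$2" | sed -n 's|.*/CN=\([^/,]*\).*|\1|p')
  issuer=$(chain_field 0 i "$2")
  if [ "$code" = 0 ] && name_matches "$cn" "$1"; then
    echo "OK: leaf CN=$cn for $1, issuer $issuer"
  elif ! name_matches "$cn" "$1"; then
    echo "INTERCEPTED: leaf CN=$cn does not name $1; issuer $issuer (verify code $code)"
  else
    echo "UNTRUSTED: name matches $1 but chain fails verification (code $code), issuer $issuer"
  fi
}
# verdict_class HOST OUTPUT: just the OK / INTERCEPTED / UNTRUSTED keyword
verdict_class() { tls_verdict "$1" "$2" | sed 's/:.*//'; }
```

On a live box, feed it `openssl s_client -connect yum.theforeman.org:443 </dev/null 2>/dev/null` captured to a file; a verdict of INTERCEPTED points at a proxy or firewall in the path rather than at the repository.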

Thanks for your prompt response Gvde