"Not secure" connection with https://boldforeman.micron.com, documentation required

Problem: the Foreman URL is shown as "Not secure"

Expected outcome: I want to access Foreman via https://boldforeman.micron.com

**Foreman and Proxy versions:** 3.3

**Foreman and Proxy plugin versions:** 3.3

**Distribution and version:** 3.3

Other relevant data:

  1. Upgrade. 3.3 is outdated.
  2. What is the exact reason why it’s not trusted?
  3. If you did not set custom SSL certificates but only generated self-signed certificates, you have to trust the certificate in your browser.
  4. If you want to use custom SSL certificates, follow the docs: Installing Foreman 3.3 Server with Katello 4.5 Plugin on RHEL/CentOS
  1. What is the exact reason why it’s not trusted?
    The Foreman installation completed successfully and we are trying to authenticate our micron certificate with the URL, so I have followed our internal conf file and generated a CSR file to get the certificate.
    The below steps were followed but it is not working, so I am requesting information: once we get our internal certificate, what do we need to do?

openssl req -new -out hostname-micron.csr -newkey rsa:2048 -nodes -sha256 -keyout hostname-micron.key -config hostname-micron.cnf

openssl pkcs7 -print_certs -in hostname-micron.p7b -out hostname-micron.cer

cp -r /opt/ssl-certificate/hostname-micron.cer /etc/pki/ca-trust/source/anchors/

cp -r /opt/ssl-certificate/hostname-micron.key /etc/pki/tls/private

update-ca-trust

[root@boldforeman foreman_cert]# openssl genrsa -out /root/foreman_cert/foreman_cert_key.pem 4096
Generating RSA private key, 4096 bit long modulus
…++
…++
e is 65537 (0x10001)
[root@boldforeman foreman_cert]# ls -ltr
total 8
-rw-r--r-- 1 root root 440 Mar 12 22:18 boldforeman-micron.cnf
-rw-r--r-- 1 root root 3243 Mar 13 02:14 foreman_cert_key.pem
[root@boldforeman foreman_cert]# mv boldforeman-micron.cnf openssl.cnf
[root@boldforeman foreman_cert]# openssl req -new -key /root/foreman_cert/foreman_cert_key.pem -config /root/foreman_cert/openssl.cnf -out /root/foreman_cert/foreman_cert_csr.pem
[root@boldforeman foreman_cert]# ls -ltr
total 12
-rw-r--r-- 1 root root 440 Mar 12 22:18 openssl.cnf
-rw-r--r-- 1 root root 3243 Mar 13 02:14 foreman_cert_key.pem
-rw-r--r-- 1 root root 1821 Mar 13 02:15 foreman_cert_csr.pem
[root@boldforeman foreman_cert]# katello-certs-check -c /root/satellite_cert/satellite_cert.pem -k /root/satellite_cert/satellite_cert_key.pem -b /root/satellite_cert/ca_cert_bundle.pem
One of the required parameters is missing.
Verifies, that custom SSL certificate files are usable
as part of the Katello installation. When passing filenames use absolute paths.

usage: /usr/sbin/katello-certs-check -t [foreman|foreman-proxy] -c CERT_FILE -k KEY_FILE -b CA_BUNDLE_FILE
[root@boldforeman foreman_cert]#

Please advise me.

The directory is named foreman_cert.

Here you use a different path.

Sorry, but then you’ll have to tell us how exactly you have configured those certificates using foreman-installer.

If that micron certificate is not from a public CA which is part of the trusted roots, i.e. if that certificate is a root CA certificate that is not generally trusted, only then may you have to add it to the trusted roots.

However, you don’t have to add it on the server but on the client. If it’s an untrusted root CA you’ll have to add it to your browser to accept and trust it. Otherwise, the browser will always consider it not secure because the certificate has not been issued by a PKI signed by a trusted root CA…

Thank you for your suggestion, but I still have an issue while validating:
[root@boldforeman foreman_cert]# ls -ltr
total 48
-rw-r--r-- 1 root root 440 Mar 12 22:18 openssl.cnf
-rw-r--r-- 1 root root 3243 Mar 13 02:14 foreman_cert_key.pem
-rw-r--r-- 1 root root 1821 Mar 13 02:15 foreman_cert_csr.pem
-rwxr-xr-x 1 srikanthm srikanthm 3304 Mar 13 02:27 certnew.cer
-rwxr-xr-x 1 srikanthm srikanthm 10886 Mar 13 02:28 certnew.p7b
-rw-r--r-- 1 root root 20480 Mar 13 02:32 fssl.tar
[root@boldforeman foreman_cert]# katello-certs-check -c /root/foreman_cert/certnew.cer -k /root/foreman_cert/foreman_cert_key.pem -b /root/foreman_cert/certnew.p7b
Checking server certificate encoding:
[OK]

unable to load certificate
140684617414544:error:0D0680A8:asn1 encoding routines:ASN1_CHECK_TLEN:wrong tag:tasn_dec.c:1239:
140684617414544:error:0D07803A:asn1 encoding routines:ASN1_ITEM_EX_D2I:nested asn1 error:tasn_dec.c:405:Type=X509_CINF
140684617414544:error:0D08303A:asn1 encoding routines:ASN1_TEMPLATE_NOEXP_D2I:nested asn1 error:tasn_dec.c:739:Field=cert_info, Type=X509
140684617414544:error:0906700D:PEM routines:PEM_ASN1_read_bio:ASN1 lib:pem_oth.c:83:
date: invalid date '+%Y%m%d%H%M%S'
Checking expiration of certificate:
[OK]

Checking expiration of CA bundle:
[FAIL]

The CA bundle "/root/foreman_cert/certnew.p7b" has already expired on:
Checking if server certificate has CA:TRUE flag
[OK]

Checking for private key passphrase:
[OK]

Checking to see if the private key matches the certificate:
[OK]

Checking CA bundle against the certificate file:
[FAIL]

The /root/foreman_cert/certnew.p7b does not verify the /root/foreman_cert/certnew.cer
Error loading file /root/foreman_cert/certnew.p7b
139984124909456:error:0D0680A8:asn1 encoding routines:ASN1_CHECK_TLEN:wrong tag:tasn_dec.c:1239:
139984124909456:error:0D07803A:asn1 encoding routines:ASN1_ITEM_EX_D2I:nested asn1 error:tasn_dec.c:405:Type=X509_CINF
139984124909456:error:0D08303A:asn1 encoding routines:ASN1_TEMPLATE_NOEXP_D2I:nested asn1 error:tasn_dec.c:739:Field=cert_info, Type=X509
139984124909456:error:0907400D:PEM routines:PEM_X509_INFO_read_bio:ASN1 lib:pem_info.c:249:
139984124909456:error:0B084009:x509 certificate routines:X509_load_cert_crl_file:PEM lib:by_file.c:264:

Checking CA bundle size: 1
[OK]

Checking Subject Alt Name on certificate
[OK]

Checking if any Subject Alt Name on certificate matches the Subject CN
[OK]

Checking Key Usage extension on certificate for Key Encipherment
[OK]

Checking for use of shortname as CN
[OK]

[root@boldforeman foreman_cert]#

You have to use PEM encoded X.509 certificate files, not PKCS#7.
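The reply above and the `asn1 encoding routines:ASN1_CHECK_TLEN:wrong tag ... Type=X509_CINF` lines in the katello-certs-check output describe the same problem from two sides: a `.p7b` file is a PKCS#7 ContentInfo, and openssl's X.509 decoder refuses it because the second element of the outer SEQUENCE is an OID rather than the tbsCertificate SEQUENCE it expects. The following script is an added illustration, not code from the thread or from the Foreman/Katello project. It classifies a certificate file the way that decoder does and unpacks a PKCS#7 SignedData bundle into the plain PEM `CERTIFICATE` blocks that the `-b` option needs, which is what `openssl pkcs7 -print_certs -in certnew.p7b -out certnew-chain.pem` does on the command line. The sample bundle at the bottom is constructed from placeholder structures (they have certificate shape but carry no real key or subject); to use it on a real file, pass `open("certnew.p7b", "rb").read()` to `unpack_bundle`.

```python
# Added example (not from the thread or the Foreman project): classify certificate
# files the way katello-certs-check's openssl calls see them, and unpack a PKCS#7
# bundle into the PEM CERTIFICATE blocks that the -b option expects.
import base64
import re

# DER encodings of 1.2.840.113549.1.7.2 (signedData) and 1.2.840.113549.1.7.1 (data)
OID_SIGNED_DATA = bytes.fromhex("2a864886f70d010702")
OID_DATA = bytes.fromhex("2a864886f70d010701")


def tlv(tag, content):
    """DER-encode one tag/length/value triple (used here to build the sample input)."""
    n = len(content)
    if n < 0x80:
        return bytes([tag, n]) + content
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + content


def der_tlv(data, pos=0):
    """Decode one DER TLV at pos; returns (tag, value, raw_tlv, next_pos)."""
    start, tag, length, pos = pos, data[pos], data[pos + 1], pos + 2
    if length & 0x80:  # long-form length: next (length & 0x7F) bytes hold the length
        n = length & 0x7F
        length, pos = int.from_bytes(data[pos:pos + n], "big"), pos + n
    end = pos + length
    return tag, data[pos:end], data[start:end], end


def der_children(value):
    """List the (tag, value, raw_tlv) children of a constructed DER value."""
    out, pos = [], 0
    while pos < len(value):
        tag, val, raw, pos = der_tlv(value, pos)
        out.append((tag, val, raw))
    return out


def pem_blocks(text):
    """Return (label, der_bytes) for every PEM block in text, whatever the label."""
    pat = re.compile(r"-----BEGIN ([^-]+)-----(.*?)-----END \1-----", re.S)
    return [(m.group(1), base64.b64decode(m.group(2))) for m in pat.finditer(text)]


def to_pem(der):
    """Wrap a DER certificate as a PEM CERTIFICATE block (64-column body)."""
    b64 = base64.b64encode(der).decode("ascii")
    body = "\n".join(b64[i:i + 64] for i in range(0, len(b64), 64))
    return f"-----BEGIN CERTIFICATE-----\n{body}\n-----END CERTIFICATE-----\n"


def classify_der(der):
    """Tell an X.509 Certificate from a PKCS#7 ContentInfo by their outer shape:
    Certificate ::= SEQUENCE { tbsCertificate SEQUENCE, ... }
    ContentInfo ::= SEQUENCE { contentType OBJECT IDENTIFIER, ... }
    Feeding a ContentInfo to the X509 decoder is the 'wrong tag ... Type=X509_CINF'
    error: it expects a SEQUENCE for tbsCertificate and finds an OID."""
    try:
        tag, value, _, _ = der_tlv(der)
        kids = der_children(value) if tag == 0x30 else []
    except IndexError:
        return "not-asn1-sequence"
    if tag != 0x30 or not kids:
        return "not-asn1-sequence"
    return {0x30: "x509-certificate", 0x06: "pkcs7-contentinfo"}.get(kids[0][0], "unknown")


def pkcs7_certificates(der):
    """Extract the DER certificates carried in a PKCS#7 SignedData ContentInfo."""
    _, content_info, _, _ = der_tlv(der)
    kids = der_children(content_info)
    if kids[0][0] != 0x06 or kids[0][1] != OID_SIGNED_DATA:
        raise ValueError("not a PKCS#7 signedData structure")
    _, signed_data, _ = der_children(kids[1][1])[0]  # content [0] EXPLICIT SignedData
    # SignedData: version, digestAlgorithms, encapContentInfo,
    #             certificates [0] IMPLICIT OPTIONAL, crls [1] OPTIONAL, signerInfos
    for tag, val, _ in der_children(signed_data):
        if tag == 0xA0:
            return [raw for _, _, raw in der_children(val)]
    return []


def load_der_objects(raw):
    """PEM blocks if the file has them (any label), otherwise the raw bytes as DER."""
    try:
        blocks = pem_blocks(raw.decode("ascii"))
    except UnicodeDecodeError:
        blocks = []
    return blocks or [("DER", raw)]


def unpack_bundle(raw):
    """Rewrite a bundle file (PEM or DER, X.509 or PKCS#7) as PEM CERTIFICATE blocks."""
    certs = []
    for label, der in load_der_objects(raw):
        kind = classify_der(der)
        if kind == "pkcs7-contentinfo":
            certs.extend(pkcs7_certificates(der))
        elif kind == "x509-certificate":
            certs.append(der)
        else:
            raise ValueError(f"{label}: unrecognised object ({kind})")
    return "".join(to_pem(c) for c in certs)


# --- constructed sample input: placeholder structures, not real certificates ---
def _placeholder_cert(serial):
    # SEQUENCE { SEQUENCE { INTEGER serial }, SEQUENCE {}, BIT STRING }: certificate
    # shape only, no key or subject; enough for the classifier and the unpacker.
    return tlv(0x30, tlv(0x30, tlv(0x02, bytes([serial]))) + tlv(0x30, b"") + tlv(0x03, b"\x00"))


PLACEHOLDER_CERTS = [_placeholder_cert(1), _placeholder_cert(2)]
_signed = (tlv(0x02, b"\x01") + tlv(0x31, b"") + tlv(0x30, tlv(0x06, OID_DATA))
           + tlv(0xA0, b"".join(PLACEHOLDER_CERTS)) + tlv(0x31, b""))
SAMPLE_P7B_DER = tlv(0x30, tlv(0x06, OID_SIGNED_DATA) + tlv(0xA0, tlv(0x30, _signed)))
SAMPLE_P7B_PEM = ("-----BEGIN PKCS7-----\n" + base64.b64encode(SAMPLE_P7B_DER).decode()
                  + "\n-----END PKCS7-----\n")

if __name__ == "__main__":
    print("bundle as seen by the X509 decoder:", classify_der(SAMPLE_P7B_DER))
    print(unpack_bundle(SAMPLE_P7B_PEM.encode()), end="")
```

The output of `unpack_bundle` is what `-b` should point at; the same check (`classify_der` returning `x509-certificate`) is worth running on the `-c` file as well, since a Windows CA can hand back the server certificate in either format. Anything it reports as `pkcs7-contentinfo` or `not-asn1-sequence` would make katello-certs-check print the ASN.1 errors shown above.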

I still have the issue; I will work on it and update this thread.

Thank you for your suggestion.