Problem with external certmonger SSL certificates

Hi,

We have FreeIPA attached to Katello/Foreman and now I want to use the
certmonger SSL certificates for Katello/Foreman/Puppet.

After reading several manuals, blog posts and other info (most of it is a
bit outdated), I found a solution that appears to work. The webserver
has a new certificate, but it still fails on Candlepin.

  qpid-config --ssl-certificate /etc/pki/katello/certs/java-client.crt --ssl-key /etc/pki/katello/private/java-client.key -b 'amqps://<servername>:5671' add exchange topic event --durable returned 1 instead of one of [0]
  /Stage[main]/Certs::Candlepin/Exec[create candlepin qpid exchange]/returns: change from notrun to 0 failed: qpid-config --ssl-certificate /etc/pki/katello/certs/java-client.crt --ssl-key /etc/pki/katello/private/java-client.key -b 'amqps://deployen.netbulae.mgmt:5671' add exchange topic event --durable returned 1 instead of one of [0]

Failed: ConnectError: [SSL: TLSV1_ALERT_UNKNOWN_CA] tlsv1 alert unknown ca (_ssl.c:765)

What I did so far:

mkdir -p /etc/ipa/private
cd /etc/ipa/private

kinit admin

# key passphrase, kept in a file so openssl can read it via -passout/-passin
cat << EOF > /etc/ipa/private/passout.txt
****************Password************
EOF

HOSTNAME=$(hostname)
# encrypted key, decrypted copy, CSR, then the HTTP service principal the cert is requested for
openssl genrsa -aes256 -out $HOSTNAME.pem -passout file:/etc/ipa/private/passout.txt 2048
openssl rsa -in $HOSTNAME.pem -out $HOSTNAME.password.key -passin file:/etc/ipa/private/passout.txt
openssl req -new -key $HOSTNAME.password.key -out $HOSTNAME.csr \
    -subj "/C=NL/ST=Enschede/L=Overijssel/O=Netbulae/CN=<servername>"
ipa service-add HTTP/$HOSTNAME

ipa cert-request $HOSTNAME.csr --principal HTTP/$HOSTNAME
# use the serial number output above to provide the SERIALNUMBER below.
ipa cert-show <SERIALNUMBER> --out=$HOSTNAME.crt

# unencrypted copy of the key for the installer
openssl rsa -in $HOSTNAME.password.key -out $HOSTNAME.passwordless.key -passin file:/etc/ipa/private/passout.txt
cp $HOSTNAME.passwordless.key $HOSTNAME.key

# this checks to make sure the certs will work with the installer; it
# will provide commands to install the certs
katello-certs-check -c $HOSTNAME.crt -k $HOSTNAME.key -r $HOSTNAME.csr -b /etc/ipa/ca.crt

foreman-installer --scenario katello \
    --certs-server-cert "/etc/ipa/private/deployen.netbulae.mgmt.crt" \
    --certs-server-cert-req "/etc/ipa/private/deployen.netbulae.mgmt.csr" \
    --certs-server-key "/etc/ipa/private/deployen.netbulae.mgmt.key" \
    --certs-server-ca-cert "/etc/ipa/ca.crt" \
    --certs-update-server --certs-update-server-ca

Met vriendelijke groet, With kind regards,

Jorick Astrego

Netbulae Virtualization Experts

----------------
Tel: 053 20 30 270 	info@netbulae.eu 	Staalsteden 4-3A 	KvK 08198180
Fax: 053 20 30 271 	www.netbulae.eu 	7547 TA Enschede 	BTW NL821234584B01

Found Bug #15700: "When default-ca is updated, it doesn't update the nssdb" (Katello - Foreman), which is supposed to
be fixed in 3.2.

Will test it now.

Met vriendelijke groet, With kind regards,

Jorick Astrego

Netbulae Virtualization Experts

··· On 10/11/2016 01:11 PM, Jorick Astrego wrote: > > Hi, > > We have freeipa attached to Katello/foreman and now I want to use the > certmonger ssl certificates for Katello/foreman/puppet. > > After reading several manuals, blogposts and other info (most of it is > a bit outdated); I found a solution that appears to work. The > webserver has a new certificate, but still it fails on candlepin. > > > qpid-config --ssl-certificate > /etc/pki/katello/certs/java-client.crt --ssl-key > /etc/pki/katello/private/java-client.key -b > 'amqps://:5671' add exchange topic event --durable > returned 1 instead of one of [0] > /Stage[main]/Certs::Candlepin/Exec[create candlepin qpid > exchange]/returns: change from notrun to 0 failed: qpid-config > --ssl-certificate /etc/pki/katello/certs/java-client.crt --ssl-key > /etc/pki/katello/private/java-client.key -b > 'amqps://deployen.netbulae.mgmt:5671' add exchange topic event > --durable returned 1 instead of one of [0] > > > Failed: ConnectError: [SSL: TLSV1_ALERT_UNKNOWN_CA] tlsv1 alert > unknown ca (_ssl.c:765) >
Tel: 053 20 30 270 	info@netbulae.eu 	Staalsteden 4-3A 	KvK 08198180
Fax: 053 20 30 271 	www.netbulae.eu 	7547 TA Enschede 	BTW NL821234584B01