Problem with uploads via smart proxy

Problem:
Uploading openscap scan results failed with a certificate error:

DEBUG: running: oscap xccdf eval    --results-arf /tmp/d20210708-2775727-1wqxt0d/results.xml /var/lib/openscap/content/b7772a4001f865517e30762c406dee80fdab2100ecc010f4408519a979665f6e.xml
WARNING: Datastream component 'scap_org.open-scap_cref_security-data-oval-com.redhat.rhsa-RHEL8.xml' points out to the remote 'https://www.redhat.com/security/data/oval/com.redhat.rhsa-RHEL8.xml'. Use '--fetch-remote-resources' option to download it.
WARNING: Skipping 'https://www.redhat.com/security/data/oval/com.redhat.rhsa-RHEL8.xml' file which is referenced from datastream
WARNING: Skipping ./security-data-oval-com.redhat.rhsa-RHEL8.xml file which is referenced from XCCDF content
DEBUG: running: /usr/bin/env bzip2 /tmp/d20210708-2775727-1wqxt0d/results.xml
Uploading results to https://<proxyname>:9090/compliance/arf/3
Upload failed: SSL_connect returned=1 errno=0 state=error: certificate verify failed (self signed certificate in certificate chain)
Exit status: 4

Expected outcome:
Result should be successfully uploaded.

Foreman and Proxy versions:

Foreman and Proxy plugin versions:
Foreman 2.5.1 with Katello 4.1 / Proxy 2.5.1

Distribution and version:
RHEL 8.4

Other relevant data:
Upload of openscap results is working fine for another registered host with Katello certificates.
Upload fails if the host is not registered and is configured to use its Puppet certificates.

Is it possible to create a separate Katello client certificate for the failing host?
I could not register the failing host because it is registered directly to Red Hat.

Interesting. I’m afraid there’s no good solution. The client certificate that foreman_scap_client uses needs to be trusted by the CA that Foreman uses; in case of Foreman + Katello, it’s the Candlepin CA. You’d need to obtain a certificate from that CA for this client somehow. Perhaps that’s possible with katello-ssl-tool --gen-client run on the Katello host. It may generate an rpm that you can simply install on the client. Perhaps @ehelms would know exactly.

Ok, I will have a look at katello-ssl-tool.
Of course another solution could be to register the host, but I don’t have the possibility to get a subscription manifest, and also I would not sync the RHEL repos locally but use the repos directly from Red Hat. As far as I understand, such a “mixed” use is not possible, right?

Hi Marek,

it works with katello-ssl-tool --gen-client !
Thank you for helping.

Kind regards

Martin

Glad to hear that. FTR, I think you can’t really mix RH CDN repos and locally synced repos, because in each case the certificate that subscription-manager uses is generated by a different CA.