Problem with uploads via smart proxy

Uploading openscap scan results failed with certificate error:

DEBUG: running: oscap xccdf eval    --results-arf /tmp/d20210708-2775727-1wqxt0d/results.xml /var/lib/openscap/content/b7772a4001f865517e30762c406dee80fdab2100ecc010f4408519a979665f6e.xml
WARNING: Datastream component '' points out to the remote ''. Use '--fetch-remote-resources' option to download it.
WARNING: Skipping '' file which is referenced from datastream
WARNING: Skipping ./security-data-oval-com.redhat.rhsa-RHEL8.xml file which is referenced from XCCDF content
DEBUG: running: /usr/bin/env bzip2 /tmp/d20210708-2775727-1wqxt0d/results.xml
Uploading results to https://<proxyname>:9090/compliance/arf/3
Upload failed: SSL_connect returned=1 errno=0 state=error: certificate verify failed (self signed certificate in certificate chain)
Exit status: 4

Expected outcome:
Result should be successfully uploaded.

Foreman and Proxy versions:

Foreman and Proxy plugin versions:
Foreman 2.5.1 with Katello 4.1 / Proxy 2.5.1

Distribution and version:
RHEL 8.4

Other relevant data:
Upload of openscap results are working fine for another registered host with katello certificates.
Upload failed if the host is not registered and is configured to use his puppert certificates.

Is it possible to create a separate katello client certificate for the failing host ?
I could not register the failing hosts because it is register directly to Redhat.

Interesting. I’m afraid there’s no good solution. The client certificate that foreman_scap_client uses needs to be trusted by the CA that Foreman uses, in case of Foreman + Katello, it’s the Candlepin CA. You’d need to obtain a certificate from the CA for this client somehow. Perhaps that’s possible with katello-ssl-tool --gen-client ran on the Katello host. It may generate the rpm that you can simply install on the client. Perhaps @ehelms would know exactly.

Ok, I will have a look at katello-ssl-tool.
Of course another solution could be to register the host, but I don’t have the possibility to get a subscription manifest and also I would not sync the RHEL repos locally but use the repos directly from Red Hat. As far as I understand such a “mixed” use is not possible, right ?

Hi Marek,

it works with katello-ssl-tool --gen-client !
Thank you for helping.

Kind regards


Glad to hear that. FTR, I think you can’t really mix RH CDN repos and locally synced repos, because each time the certificate the subscription-manager use is generated by different CA.