Problems publishing a new content view version since changing SSL certificates

Problem:
Hello,
I’ve replaced the self-signed certificates in the Apache web server for Foreman with my domain’s certificates. I followed this tutorial: https://theforeman.org/2015/11/foreman-ssl.html
However, I fear that I made a mistake. The web page displays correctly in Firefox, but now when I try to publish a new content view version I get the following error when clicking on Save: There was an issue with the backend service pulp: SSL_connect returned=1 errno=0 state=error: certificate verify failed (unable to get local issuer certificate)

One difference from the above-mentioned tutorial is that changing the SSL settings in 05-foreman-ssl.conf did not have any effect. I had to change them in a file called 03-crane.conf.

I’ve changed the settings in 03-crane.conf as follows:

```apache
  SSLCertificateFile      "/etc/pki/katello/certs/STAR_md80_ch.crt"
  SSLCertificateKeyFile   "/etc/pki/katello/certs/star_md80_ch.key"
  SSLCertificateChainFile "/etc/pki/katello/certs/SSL_COM_RSA_SSL_SUBCA.crt"
```

Error shown on the About page:
#### Backend System Status

|Component|Status|Message|
| --- | --- | --- |
|candlepin|OK||
|candlepin_auth|OK||
|foreman_tasks|OK||
|pulp|FAIL|SSL_connect returned=1 errno=0 state=error: certificate verify failed (unable to get local issuer certificate)|
|pulp_auth|FAIL|Skipped pulp_auth check after failed pulp check|

I’ve seen this warning in the documentation above:

> It is important that you do not change SSLCACertificateFile or SSLCARevocationFile, as these are used for client authentication

That is probably where I made a mistake. I tried to revert the setting to:

```apache
SSLCertificateChainFile "/etc/pki/katello/certs/katello-default-ca.crt"
```

and restarted httpd, but there was no change in behaviour.

Foreman and Proxy versions:
Foreman 1.20.1
Katello 3.10.0

Foreman and Proxy plugin versions:

Other relevant data:

Logs: in /var/log/httpd/foreman-ssl_error_ssl.log I only see:

```
[Fri Feb 22 09:45:34.690914 2019] [ssl:error] [pid 10103] [client 192.168.178.22:57598] AH02039: Certificate Verification: Error (19): self signed certificate in certificate chain
```

Additionally, I now also have a problem when I try to provision a system: I see the following error when calling the kickstart URL:

```
Failed to retrieve provision template for {"token?"=>"975447c8-5b99-4884-b939-d3894933b551", "splat"=>[], "captures"=>["provision"], "kind"=>"provision"}: SSL_connect returned=1 errno=0 state=error: certificate verify failed
```

Also, the system reports that it can’t load the kickstart file.

Is there any way to stop Foreman from using HTTPS to connect to the proxy?
In the file /etc/foreman-proxy/settings.yml I see:

```yaml
# https is enabled if certificate, CA certificate, and private key are present in locations specifed by
# ssl_certificate, ssl_ca_file, and ssl_private_key correspondingly
```

So I commented out

```yaml
#:ssl_ca_file: /etc/foreman-proxy/ssl_ca.pem
#:ssl_certificate: /etc/foreman-proxy/ssl_cert.pem
#:ssl_private_key: /etc/foreman-proxy/ssl_key.pem
```

and

```yaml
#:foreman_ssl_ca: /etc/foreman-proxy/foreman_ssl_ca.pem
#:foreman_ssl_cert: /etc/foreman-proxy/foreman_ssl_cert.pem
#:foreman_ssl_key: /etc/foreman-proxy/foreman_ssl_key.pem
```

and restarted foreman, foreman-proxy and httpd.

But when clicking the Build button I get the following errors:

**Templates**

```
Failure parsing Kickstart default PXELinux: Failed to open TCP connection to katello.md80.ch:9090 (Connection refused - connect(2) for "katello.md80.ch" port 9090).
```
...

So it’s still trying to use the HTTPS port 9090 instead of the HTTP port 8000. How can this be changed?

Currently, when I try to provision a system I get: curl: (22) the requested url returned 500 internal server error.
proxy.log gives me:

```
2019-02-22T13:31:18 c0a00559 [I] Finished GET /provision with 500 (10.87 ms)
2019-02-22T13:31:22 4684689f [I] Started GET /provision token=bcdb30ff-ea76-4b68-9724-7618e81ea9fb
2019-02-22T13:31:22 4684689f [E] Failed to retrieve provision template for {"token"=>"bcdb30ff-ea76-4b68-9724-7618e81ea9fb", "splat"=>[], "captures"=>["provision"], "kind"=>"provision"}: SSL_connect returned=1 errno=0 state=error: certificate verify failed
2019-02-22T13:31:22 4684689f [I] Finished GET /provision with 500 (39.88 ms)
```

I’ve got no clue why. No matter how I try to set the SSL certificates, something is always not working. I even tried to set everything back to the original… I still get the above error.
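As an added example (not part of the thread above and not Foreman or Katello code): the "unable to get local issuer certificate" text in the pulp status message is OpenSSL's X509 verify error 20, and it can come from either side of the connection. The script below builds a throwaway root CA, intermediate CA and server certificate with openssl, plus an unrelated self-signed CA standing in for the installer-generated katello-default-ca.crt, and then runs `openssl verify` the way a TLS client would for three configurations: the server omitting the intermediate, the server sending it, and the client still trusting the old self-signed CA. It assumes only that `openssl` (1.1.1 or later) is on the PATH; every name, file and directory is constructed here and does not refer to the poster's real certificates.

```sh
#!/bin/sh
# Added example: reproduce "unable to get local issuer certificate" with a
# constructed root -> intermediate -> server-cert hierarchy. Nothing here is
# from the Foreman/Katello projects; all names and files are made up.
set -eu

# Build the demo PKI in directory $1. Produces:
#   root.crt/key      the real hierarchy's root (stands in for the commercial root)
#   inter.crt/key     its intermediate (stands in for SSL_COM_RSA_SSL_SUBCA.crt)
#   leaf.crt/key      the server certificate (stands in for STAR_md80_ch.crt)
#   unrelated-ca.crt  a self-signed CA the server cert does NOT chain to
#                     (stands in for katello-default-ca.crt)
build_demo_pki() {
  d=$1
  cat > "$d/ca.ext" <<'EOF'
basicConstraints=critical,CA:TRUE
keyUsage=critical,keyCertSign,cRLSign
EOF
  cat > "$d/leaf.ext" <<'EOF'
basicConstraints=CA:FALSE
keyUsage=digitalSignature,keyEncipherment
extendedKeyUsage=serverAuth
subjectAltName=DNS:katello.example.test
EOF
  # Root CA: self-signed, CA:TRUE
  openssl req -new -newkey rsa:2048 -nodes -keyout "$d/root.key" -out "$d/root.csr" \
    -subj "/CN=Demo Root CA" 2>/dev/null
  openssl x509 -req -in "$d/root.csr" -signkey "$d/root.key" -out "$d/root.crt" \
    -days 3650 -extfile "$d/ca.ext" 2>/dev/null
  # Intermediate CA, signed by the root
  openssl req -new -newkey rsa:2048 -nodes -keyout "$d/inter.key" -out "$d/inter.csr" \
    -subj "/CN=Demo Sub CA" 2>/dev/null
  openssl x509 -req -in "$d/inter.csr" -CA "$d/root.crt" -CAkey "$d/root.key" \
    -CAcreateserial -out "$d/inter.crt" -days 1825 -extfile "$d/ca.ext" 2>/dev/null
  # Server certificate, signed by the intermediate
  openssl req -new -newkey rsa:2048 -nodes -keyout "$d/leaf.key" -out "$d/leaf.csr" \
    -subj "/CN=katello.example.test" 2>/dev/null
  openssl x509 -req -in "$d/leaf.csr" -CA "$d/inter.crt" -CAkey "$d/inter.key" \
    -CAcreateserial -out "$d/leaf.crt" -days 365 -extfile "$d/leaf.ext" 2>/dev/null
  # Unrelated self-signed CA, like the one the installer generates
  openssl req -new -newkey rsa:2048 -nodes -keyout "$d/unrelated-ca.key" \
    -out "$d/unrelated-ca.csr" -subj "/CN=Demo Unrelated CA" 2>/dev/null
  openssl x509 -req -in "$d/unrelated-ca.csr" -signkey "$d/unrelated-ca.key" \
    -out "$d/unrelated-ca.crt" -days 3650 -extfile "$d/ca.ext" 2>/dev/null
}

# verify_as_client TRUSTED_CA CHAIN_FILE SERVER_CERT
# Emulates the verifying side of SSL_connect: TRUSTED_CA is the client's
# trust store (-CAfile); CHAIN_FILE is what the server sends next to its own
# certificate (Apache's SSLCertificateChainFile; pass "" for none).
# Prints "OK" or the verify error text; always returns 0 so callers can compare.
verify_as_client() {
  ca=$1; chain=$2; cert=$3
  if [ -n "$chain" ]; then
    out=$(openssl verify -CAfile "$ca" -untrusted "$chain" "$cert" 2>&1) && { echo OK; return 0; }
  else
    out=$(openssl verify -CAfile "$ca" "$cert" 2>&1) && { echo OK; return 0; }
  fi
  # Keep only the human-readable reason, e.g. "unable to get local issuer certificate"
  printf '%s\n' "$out" | sed -n 's/.*depth lookup: *//p' | head -n 1
  return 0
}

demo() {
  d=$(mktemp -d)
  build_demo_pki "$d"
  echo "1. client trusts the real root, server sends no intermediate:"
  echo "   $(verify_as_client "$d/root.crt" "" "$d/leaf.crt")"
  echo "2. client trusts the real root, server sends the intermediate:"
  echo "   $(verify_as_client "$d/root.crt" "$d/inter.crt" "$d/leaf.crt")"
  echo "3. client still trusts the old self-signed CA, server sends the intermediate:"
  echo "   $(verify_as_client "$d/unrelated-ca.crt" "$d/inter.crt" "$d/leaf.crt")"
  rm -rf "$d"
}

demo
```

Cases 1 and 3 both fail verification: the server has to send the intermediate, and the client has to trust the root that intermediate leads to; fixing only one of the two still produces a verify failure. Against a live server, `openssl s_client -connect host:443 -showcerts` shows exactly which certificates Apache is sending, and adding `-CAfile` with the CA bundle the connecting client actually trusts reproduces that client's verification result.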

Hello @crashdog,

Sorry you’re having trouble. Since you’re using Katello I recommend taking a look here: Foreman :: Plugin Manuals

The writeup you mentioned is before my time on the project, but the documentation I’ve linked should be more helpful in that it provides steps to invoke the foreman-installer in order to distribute new certificates. The katello-certs-check command mentioned there might be of particular help. Let me know if that gets you anywhere and we can dig in further if necessary.

Thank you for your response. I’ve now read the documentation you mentioned. However, I chose to flatten my installation and start again fresh. For now I did what the Katello install suggests and added the Katello CA intermediate certificate to the browser’s trusted certificates.

Ok! Let us know if you run into any more issues