Provisioning fails for CentOS 7.5 with curl certificate error

During PXE provisioning curl fails to download https://foreman/installmedia/centos75/LiveOS/squashfs.img because it cannot find the Foreman CA in the local /etc/pki/tls/ca-bundle.pem.

Allowing the provisioned server to go to dracut rescue mode and manually appending the Foreman CA cert to /etc/pki/tls/ca-bundle.pem and manually running “curl https://foreman/installmedia/centos75/LiveOS/squashfs.img” will download the file, but we can’t do that during provisioning. Nor can we run “curl -k”.

Fix is to edit the kickstart_default_pxelinux template to add “inst.noverifyssl” to the Anaconda options.

  # Tell Anaconda what to pass off to kickstart server
  #  both current and legacy syntax provided
  options.push("kssendmac", "ks.sendmac", "inst.ks.sendmac", "inst.noverifyssl")

Known thing, go ahead and file a PR in https://github.com/theforeman/community-templates for all PXE kickstart templates (including Grub ones).

In general, it is not a good idea to ship such a weak security default, but Anaconda IIRC does not actually allow you to set a CA certificate via the kernel command line, and there is no other option.
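
As an added example (not part of the thread and not Foreman's own code): because the template change disables certificate verification for every host rendered from it, a small Ruby audit can list which rendered PXELinux entries carry the flag and which HTTPS URLs they will then fetch unverified. The `audit_pxe_config` helper, the sample config and the `foreman.example.test` hostname are constructed for illustration.

```ruby
# Added example: audit rendered PXELinux entries for disabled TLS verification.
# Helper name and sample data are constructed, not taken from Foreman.
NOVERIFY_FLAGS = %w[inst.noverifyssl noverifyssl].freeze   # current and legacy spelling
URL_OPTIONS    = %w[inst.ks ks inst.repo inst.stage2].freeze

# Returns one hash per LABEL entry whose APPEND line disables certificate
# verification, with the HTTPS URLs that will be fetched without validation.
def audit_pxe_config(text)
  findings = []
  label = nil
  text.each_line do |line|
    line = line.strip
    if line =~ /\ALABEL\s+(.+)\z/i
      label = Regexp.last_match(1)
    elsif line =~ /\AAPPEND\s+(.+)\z/i
      args  = Regexp.last_match(1).split
      flags = args & NOVERIFY_FLAGS
      next if flags.empty?
      urls = args.map do |arg|
        key, value = arg.split('=', 2)
        next unless value && URL_OPTIONS.include?(key)
        value if value.start_with?('https://')
      end.compact
      findings << { label: label, flags: flags, https_urls: urls }
    end
  end
  findings
end

# Constructed sample: one entry with the workaround, one without it.
SAMPLE_PXE = <<~CFG
  DEFAULT linux
  LABEL linux
    KERNEL boot/centos-vmlinuz
    APPEND initrd=boot/centos-initrd.img inst.ks=https://foreman.example.test/unattended/provision inst.repo=https://foreman.example.test/installmedia/centos75 inst.ks.sendmac inst.noverifyssl
  LABEL verified
    KERNEL boot/centos-vmlinuz
    APPEND initrd=boot/centos-initrd.img inst.ks=https://foreman.example.test/unattended/provision inst.ks.sendmac
CFG

if __FILE__ == $PROGRAM_NAME
  audit_pxe_config(SAMPLE_PXE).each do |f|
    puts "#{f[:label]}: #{f[:flags].join(',')} -> #{f[:https_urls].join(' ')}"
  end
end
```

Entries it reports are the ones where the kickstart and install media are exposed to tampering on the provisioning network, which is the trade-off the reply describes.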