Provisioning fails for CentOS 7.5 with curl certificate error

During PXE provisioning curl fails to download https://foreman/installmedia/centos75/LiveOS/squashfs.img because it cannot find the Foreman CA in the local /etc/pki/tls/ca-bundle.pem.

Allowing the provisioned server to go to dracut rescue mode, manually appending the Foreman CA cert to /etc/pki/tls/ca-bundle.pem and manually running “curl https://foreman/installmedia/centos75/LiveOS/squashfs.img” will download the file, but we can’t do that during provisioning. Nor can we run “curl -k”.

The fix is to edit the kickstart_default_pxelinux template to add “inst.noverifyssl” to the Anaconda options.

    # Tell Anaconda what to pass off to kickstart server
    #  both current and legacy syntax provided
    options.push("kssendmac", "ks.sendmac", "inst.ks.sendmac", "inst.noverifyssl")

Known thing, go ahead and file a PR into all PXE kickstart templates (including Grub ones).

In general, it is not a good idea to ship such a weak security default, but Anaconda IIRC does not actually allow you to set a CA certificate via the kernel command line and there is no other option.
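
The trade-off discussed in this thread, as an added example that is not code from either poster or from the Foreman templates: a Ruby sketch that adds inst.noverifyssl only for HTTPS media on hosts that explicitly opt in, plus an audit that lists which labels in a rendered pxelinux config install without certificate checks. The function names, the allow_noverifyssl flag, the foreman.example host and the sample config are assumptions made for illustration.

```ruby
require "uri"

# Added example; every name here is hypothetical, not a Foreman template helper.
BASE_OPTIONS = ["kssendmac", "ks.sendmac", "inst.ks.sendmac"].freeze

# Build the Anaconda kernel options for one host. Certificate checking is only
# switched off when the media is served over HTTPS AND the host was explicitly
# opted in, so the weak setting never becomes a global default.
def anaconda_options(media_url, allow_noverifyssl: false)
  options = BASE_OPTIONS.dup
  https = URI.parse(media_url).scheme == "https"
  options.push("inst.noverifyssl") if https && allow_noverifyssl
  options
end

# Audit a rendered pxelinux config: return the labels whose APPEND line carries
# inst.noverifyssl, so installs that skip TLS verification stay visible.
def labels_without_tls_verification(pxe_config)
  flagged = []
  label = nil
  pxe_config.each_line do |line|
    tokens = line.split
    next if tokens.empty?
    case tokens.first.upcase
    when "LABEL"
      label = tokens.drop(1).join(" ")
    when "APPEND"
      flagged << (label || "(no label)") if tokens.include?("inst.noverifyssl")
    end
  end
  flagged
end

# Constructed sample of a rendered pxelinux config (not taken from the thread).
SAMPLE_PXE = <<~CFG
  DEFAULT linux
  LABEL linux
    KERNEL boot/centos-vmlinuz
    APPEND initrd=boot/centos-initrd.img ks=https://foreman.example/unattended/provision inst.ks.sendmac inst.noverifyssl
  LABEL rescue
    KERNEL boot/centos-vmlinuz
    APPEND initrd=boot/centos-initrd.img rescue
CFG
```

Running labels_without_tls_verification over the files the TFTP server actually serves shows which hosts depend on the workaround.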