Proxy cannot be registered: Unable to communicate with the proxy: ERF12-2530

Problem:
Trying to add a smartproxy fails with certificate errors.

Expected outcome:

Foreman and Proxy versions:
Foreman: 2.3.3
Katello: 3.18.2

Foreman and Proxy plugin versions:

Distribution and version:
CentOS Linux release 7.9.2009 (Core) (on both servers)

Other relevant data:

The machines do not have direct access to each other, but we’re NATing the traffic and they can reach each other’s ports: 5646, 5647, 8443 and 9090.

The domain updates.example.com is an A record; updates-smartproxy.example.com is an entry in /etc/hosts.

We’re using our own certificates that were updated using:

[root@updates ~]# foreman-installer --scenario katello \
    --certs-server-cert "/etc/pki/tls/certs/asterisk.example.com.crt" \
    --certs-server-key "/etc/pki/tls/private/asterisk.example.com.key" \
    --certs-server-ca-cert "/etc/pki/tls/certs/my-bundle-sha1.crt" 

The certificates for the smartproxy were generated on the main server using:

[root@updates ~]# foreman-proxy-certs-generate \
    --foreman-proxy-fqdn  updates-smartproxy.example.com \
    --certs-tar /root/updates-smartproxy.example.com-certs.tar

Smartproxy install:

[root@updates-smartproxy ~]# foreman-installer \
    --scenario foreman-proxy-content \
    --certs-tar-file                      "/root/updates-smartproxy.example.com-certs.tar" \
    --foreman-proxy-content-parent-fqdn   "updates.example.com" \
    --foreman-proxy-register-in-foreman   "true" \
    --foreman-proxy-foreman-base-url      "https://updates.example.com" \
    --foreman-proxy-trusted-hosts         "updates.example.com" \
    --foreman-proxy-trusted-hosts         "updates-smartproxy.example.com" \
    --foreman-proxy-oauth-consumer-key    "<my key>" \
    --foreman-proxy-oauth-consumer-secret "<my secret>" \
    --puppet-server-foreman-url           "https://updates.example.com" \
    --verbose-log-level "debug"

Error logs:

2021-05-01 11:55:06 [ERROR ] [configure] Proxy updates-smartproxy.example.com cannot be registered: Unable to communicate with the proxy: ERF12-2530 [ProxyAPI::ProxyException]: Unable to detect features ([RestClient::SSLCertificateNotVerified]: SSL_connect returned=1 errno=0 state=error: certificate verify failed (self signed certificate in certificate chain)) for proxy https://updates-smartproxy.example.com:9090/v2/features Please check the proxy is configured and running on the host.
2021-05-01 11:55:06 [ERROR ] [configure] /Stage[main]/Foreman_proxy::Register/Foreman_smartproxy[updates-smartproxy.example.com]/ensure: change from 'absent' to 'present' failed: Proxy updates-smartproxy.example.com cannot be registered: Unable to communicate with the proxy: ERF12-2530 [ProxyAPI::ProxyException]: Unable to detect features ([RestClient::SSLCertificateNotVerified]: SSL_connect returned=1 errno=0 state=error: certificate verify failed (self signed certificate in certificate chain)) for proxy https://updates-smartproxy.example.com:9090/v2/features Please check the proxy is configured and running on the host.

Those are the only errors we’re getting on the installation and the smartproxy appears to have been properly configured.
We can log in to https://updates-smartproxy.example.com:8443 and we can see our Organizations and Products there, and when, for example, a repo syncs we can see it there too.
So the servers are clearly communicating.

The error above also appears when we try to add the smartproxy directly on katello’s interface.

I think the problem is that you are using your own certificates for the main foreman server but not for the proxy, i.e. the proxy cannot verify the main server certificate because it’s from a different CA. I am not even sure what CA it will use for the proxy in your case.

We use a custom certificate for our proxy as well like this:

foreman-proxy-certs-generate --foreman-proxy-fqdn "foreman-proxy.example.de" \
       --certs-tar  "~/foreman-proxy.example.de-certs.tar" \
       --server-cert "/root/foreman-proxy.crt" \
       --server-key "/root/foreman-proxy.key" \
       --server-ca-cert "/etc/pki/tls/certs/example-bundle-g2.crt" \
       --certs-update-server

Otherwise, you’ll probably have to go through the configuration options of foreman-proxy-certs-generate or foreman-installer to find out how to pass the CA chain to the proxy (i.e. the my-bundle-sha1.crt file) for verification of the connection to the foreman server without interfering with the setup of the proxy itself…
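The diagnosis above can be checked before re-running the installer: the certificate the proxy serves on port 9090 has to chain to a CA that the Foreman server already trusts, which is what the `RestClient::SSLCertificateNotVerified` message in the log is complaining about. The script below is an added example, not from this thread or from the Foreman project. It assumes only the `openssl` command line; the CA names, hostnames and file names are constructed, and it reproduces both the passing and the failing case offline with a throwaway PKI. The `live_check` function applies the same test to a running proxy and takes the CA bundle path as a parameter, since the thread does not state where Foreman keeps its trust store.

```shell
#!/bin/sh
# Added example, not from the thread: reproduce the "certificate verify failed"
# condition offline and show the check to run before registering a proxy.
# Assumes the openssl CLI is available; CA names and file names are constructed.
set -u

# Build a throwaway PKI under $1: "Demo CA A" issues the proxy certificate,
# "Demo CA B" is an unrelated CA standing in for the bundle Foreman trusts.
make_demo_pki() {
  dir=$1
  mkdir -p "$dir"
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=Demo CA A" \
    -keyout "$dir/ca-a.key" -out "$dir/ca-a.crt" >/dev/null 2>&1
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=Demo CA B" \
    -keyout "$dir/ca-b.key" -out "$dir/ca-b.crt" >/dev/null 2>&1
  # Leaf certificate for the proxy (constructed hostname), signed by CA A.
  openssl req -newkey rsa:2048 -nodes -subj "/CN=updates-smartproxy.example.com" \
    -keyout "$dir/proxy.key" -out "$dir/proxy.csr" >/dev/null 2>&1
  openssl x509 -req -days 1 -in "$dir/proxy.csr" \
    -CA "$dir/ca-a.crt" -CAkey "$dir/ca-a.key" -CAcreateserial \
    -out "$dir/proxy.crt" >/dev/null 2>&1
}

# verify_chain LEAF_CERT CA_BUNDLE
# Returns 0 when the leaf chains to a CA in the bundle, 1 otherwise.
# The verdict is taken from the "<file>: OK" line rather than the exit status,
# which older openssl releases did not set reliably on verification failure.
verify_chain() {
  result=$(openssl verify -CAfile "$2" "$1" 2>&1 || true)
  printf '%s\n' "$result"
  case $result in
    *": OK") return 0 ;;
    *)       return 1 ;;
  esac
}

# live_check HOST PORT CA_BUNDLE
# Same test against a running proxy: fetch the chain it presents on PORT and
# verify it against CA_BUNDLE. Needs network access, so the offline demo below
# does not call it. A "Verify return code: 0 (ok)" line means Foreman, using
# that bundle, would accept the proxy certificate.
live_check() {
  openssl s_client -connect "$1:$2" -servername "$1" -showcerts \
    -CAfile "$3" </dev/null 2>/dev/null | grep 'Verify return code'
}

# Offline demonstration: the proxy cert verifies against its own issuer and
# fails against the unrelated CA, which is the situation in the thread.
demo() {
  work=$(mktemp -d)
  make_demo_pki "$work"
  verify_chain "$work/proxy.crt" "$work/ca-a.crt"
  verify_chain "$work/proxy.crt" "$work/ca-b.crt" \
    || echo "Foreman trusting only CA B would reject this proxy"
  rm -rf "$work"
}

demo
```

On the servers from the thread the equivalent live check is `live_check updates-smartproxy.example.com 9090 <bundle Foreman trusts>` run from the Foreman host; if the proxy certificate was generated by `foreman-proxy-certs-generate` without the `--server-ca-cert` option shown above, the chain it presents will not terminate in the custom bundle and the check fails the same way the installer did.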

Hello gvde,
Thank you for your help, that solved it.

  Success!
  * Foreman Proxy is running at https://updates-smartproxy.example.com:9090

Best regards,
Armindo Silva.