Problem:
Trying to add a smartproxy fails with certificate errors.
Expected outcome:
Foreman and Proxy versions:
Foreman: 2.3.3
Katello: 3.18.2
Foreman and Proxy plugin versions:
Distribution and version:
CentOS Linux release 7.9.2009 (Core) (on both servers)
Other relevant data:
The machines do not have direct access to each other, but we’re NATing the traffic and they can reach each other’s ports - 5646, 5647, 8443, 9090.
The domain updates.example.com is an A record, updates-smartproxy.example.com is an entry in /etc/hosts.
We’re using our own certificates that were updated using:
[root@updates ~]# foreman-installer --scenario katello \
--certs-server-cert "/etc/pki/tls/certs/asterisk.example.com.crt" \
--certs-server-key "/etc/pki/tls/private/asterisk.example.com.key" \
--certs-server-ca-cert "/etc/pki/tls/certs/my-bundle-sha1.crt"
The certificates for the smartproxy were generated on the main server using:
[root@updates ~]# foreman-proxy-certs-generate \
--foreman-proxy-fqdn updates-smartproxy.example.com \
--certs-tar /root/updates-smartproxy.example.com-certs.tar
Smartproxy install:
[root@updates-smartproxy ~]# foreman-installer \
--scenario foreman-proxy-content \
--certs-tar-file "/root/updates-smartproxy.example.com-certs.tar" \
--foreman-proxy-content-parent-fqdn "updates.example.com" \
--foreman-proxy-register-in-foreman "true" \
--foreman-proxy-foreman-base-url "https://updates.example.com" \
--foreman-proxy-trusted-hosts "updates.example.com" \
--foreman-proxy-trusted-hosts "updates-smartproxy.example.com" \
--foreman-proxy-oauth-consumer-key "<my key>" \
--foreman-proxy-oauth-consumer-secret "<my secret>" \
--puppet-server-foreman-url "https://updates.example.com" \
--verbose-log-level "debug"
Error logs:
2021-05-01 11:55:06 [ERROR ] [configure] Proxy updates-smartproxy.example.com cannot be registered: Unable to communicate with the proxy: ERF12-2530 [ProxyAPI::ProxyException]: Unable to detect features ([RestClient::SSLCertificateNotVerified]: SSL_connect returned=1 errno=0 state=error: certificate verify failed (self signed certificate in certificate chain)) for proxy https://updates-smartproxy.example.com:9090/v2/features Please check the proxy is configured and running on the host.
2021-05-01 11:55:06 [ERROR ] [configure] /Stage[main]/Foreman_proxy::Register/Foreman_smartproxy[updates-smartproxy.example.com]/ensure: change from 'absent' to 'present' failed: Proxy updates-smartproxy.example.com cannot be registered: Unable to communicate with the proxy: ERF12-2530 [ProxyAPI::ProxyException]: Unable to detect features ([RestClient::SSLCertificateNotVerified]: SSL_connect returned=1 errno=0 state=error: certificate verify failed (self signed certificate in certificate chain)) for proxy https://updates-smartproxy.example.com:9090/v2/features Please check the proxy is configured and running on the host.
Those are the only errors we’re getting on the installation and the smartproxy appears to have been properly configured.
We can log in to https://updates-smartproxy.example.com:8443 and we can see our Organizations and Products there. And when, for example, a repo syncs we can see it there too.
So the servers are clearly communicating.
The error above also appears when we try to add the smartproxy directly in Katello’s interface.