Proxy: certificate verify failed (unsupported certificate purpose)

Background: we are trying to use our self-sign CA and server certificate and plan to let proxy and foreman communicate via an encrypted channel, however, it failed; If I switched to non-encrypted method, proxy can correctly registered without issue.

Log from proxy:
[E] OpenSSL::SSL::SSLError SSL_accept returned=1 errno=0 state=error: certificate verify failed (unsupported certificate purpose)
/usr/lib/ruby/2.7.0/webrick/server.rb:299:in accept' /usr/lib/ruby/2.7.0/webrick/server.rb:299:in block (2 levels) in start_thread’
/usr/lib/ruby/2.7.0/webrick/utils.rb:263:in timeout' /usr/lib/ruby/2.7.0/webrick/server.rb:297:in block in start_thread’
/usr/lib/ruby/vendor_ruby/logging/diagnostic_context.rb:474:in `block in create_with_logging_context’

Foreman web UI error message:
Unable to communicate with the proxy: ERF12-2530 [ProxyAPI::ProxyException]: Unable to detect features ([OpenSSL::SSL::SSLError]: SSL_read: sslv3 alert unsupported certificate) for proxy https://host1.intranet:8443/v2/features and Please check the proxy is configured and running on the host.

Foreman and Foreman-proxy version: 3.5.0-develop
Environment: both Foreman and proxy is running on the same host

Foreman-proxy SSL config:
:ssl_ca_file: /etc/pki/CA/cacert.pem
:ssl_certificate: /etc/pki/cert/host1.intranet_cert.pem
:ssl_private_key: /etc/pki/private/host1.intranet_key.pem
:foreman_ssl_ca: /etc/pki/CA/cacert.pem
:foreman_ssl_cert: /etc/pki/cert/host1.intranet_cert.pem
:foreman_ssl_key: /etc/pki/private/host1.intranet_key.pem

Foreman SSL config:
:websockets_ssl_key: /etc/pki/private/host1.intranet_key.pem
:websockets_ssl_cert: /etc/pki/cert/host1.intranet_cert.pem
:ssl_certificate: /etc/pki/cert/host1.intranet_cert.pem
:ssl_ca_file: /etc/pki/CA/cacert.pem
:ssl_priv_key: /etc/pki/private/host1.intranet_key.pem
:ssl_client_dn_env: HTTP_SSL_CLIENT_S_DN
:ssl_client_verify_env: HTTP_SSL_CLIENT_VERIFY
:ssl_client_cert_env: HTTP_SSL_CLIENT_CERT

I found the root cause, because the certificate require “tls_www_client”, example can be found here: TLSCreateClientCerts - Libvirt Wiki

Why do you want to replace the client certificates for the internal backend connections? Replacing the certificate for the frontend can be done with foreman-installer. For the client connections foreman usually uses self-signed certs. I don’t see why you want to replace those with your own certs…

1 Like

Can you elaborate on that?
How we can replace certs for frontend with foreman-installer?

It’s in the docs

It seems this solution works only with katello
Unfortunately, my foreman installation doesn’t use katello…

Is there any other way?
Or I should install foreman with katello?