Background: we are trying to use our self-signed CA and server certificate and plan to let the proxy and Foreman communicate via an encrypted channel; however, it failed. If I switch to the non-encrypted method, the proxy registers correctly without issue.
Log from proxy:
[E] OpenSSL::SSL::SSLError SSL_accept returned=1 errno=0 state=error: certificate verify failed (unsupported certificate purpose)
/usr/lib/ruby/2.7.0/webrick/server.rb:299:in `accept'
/usr/lib/ruby/2.7.0/webrick/server.rb:299:in `block (2 levels) in start_thread'
/usr/lib/ruby/2.7.0/webrick/utils.rb:263:in `timeout'
/usr/lib/ruby/2.7.0/webrick/server.rb:297:in `block in start_thread'
/usr/lib/ruby/vendor_ruby/logging/diagnostic_context.rb:474:in `block in create_with_logging_context'
Foreman web UI error message:
Unable to communicate with the proxy: ERF12-2530 [ProxyAPI::ProxyException]: Unable to detect features ([OpenSSL::SSL::SSLError]: SSL_read: sslv3 alert unsupported certificate) for proxy https://host1.intranet:8443/v2/features and Please check the proxy is configured and running on the host.
Foreman and Foreman-proxy version: 3.5.0-develop
Environment: both Foreman and the proxy are running on the same host
Foreman-proxy SSL config:
:ssl_ca_file: /etc/pki/CA/cacert.pem
:ssl_certificate: /etc/pki/cert/host1.intranet_cert.pem
:ssl_private_key: /etc/pki/private/host1.intranet_key.pem
:foreman_ssl_ca: /etc/pki/CA/cacert.pem
:foreman_ssl_cert: /etc/pki/cert/host1.intranet_cert.pem
:foreman_ssl_key: /etc/pki/private/host1.intranet_key.pem
Foreman SSL config:
:websockets_ssl_key: /etc/pki/private/host1.intranet_key.pem
:websockets_ssl_cert: /etc/pki/cert/host1.intranet_cert.pem
:ssl_certificate: /etc/pki/cert/host1.intranet_cert.pem
:ssl_ca_file: /etc/pki/CA/cacert.pem
:ssl_priv_key: /etc/pki/private/host1.intranet_key.pem
:ssl_client_dn_env: HTTP_SSL_CLIENT_S_DN
:ssl_client_verify_env: HTTP_SSL_CLIENT_VERIFY
:ssl_client_cert_env: HTTP_SSL_CLIENT_CERT