Proxy signed certificates

Problem:

I have deployed signed certificates into a Foreman/Katello Master which appears to work OK.
The browser connection shows a valid certificate.

Trying to add a smart proxy after generating the certs using foreman-proxy-certs.

foreman-proxy-certs-generate --foreman-proxy-fqdn "PROXY_HOST" \
  --certs-tar "~/PROXY_HOST.tar" \
  --server-cert "/etc/pki/tls/MASTER_HOSTr.cer" \
  --server-key "/etc/pki/tls/private/MASTER_HOST.key" \
  --server-ca-cert "/etc/pki/tls/certs/CA_cert_bundle.cer"

The proxy install fails with the following errors:

2022-07-27 12:19:07 [ERROR ] [configure] Error making POST request to Foreman at https://MASTER_HOST/api/v2/smart_proxies: Unable to communicate with the proxy: ERF12-2530 [ProxyAPI::ProxyException]: Unable to detect features ([RestClient::SSLCertificateNotVerified]: SSL_connect returned=1 errno=0 state=error: certificate verify failed (unspecified certificate verification error)) for proxy https://PROXY_HOST:9090/v2/features Please check the proxy is configured and running on the host.
2022-07-27 12:19:07 [ERROR ] [configure] /Stage[main]/Foreman_proxy::Register/Foreman_smartproxy[PROXY_HOST]/ensure: change from ‘absent’ to ‘present’ failed: Error making POST request to Foreman at https://MASTER_HOST/api/v2/smart_proxies: Unable to communicate with the proxy: ERF12-2530 [ProxyAPI::ProxyException]: Unable to detect features ([RestClient::SSLCertificateNotVerified]: SSL_connect returned=1 errno=0 state=error: certificate verify failed (unspecified certificate verification error)) for proxy https://PROXY_HOST:9090/v2/features Please check the proxy is configured and running on the host.
2022-07-27 12:19:09 [NOTICE] [configure] System configuration has finished.

katello-check-certs passes all tests against the cert, key and CA-bundle used.
The certs include an intermediary and root CA which are both contained in the CA_cert_bundle.cer, the host certificate includes the whole chain.

Checking the cert using openssl on the proxy does not appear to contain any errors.

openssl s_client -connect $(hostname -f):8443 | openssl x509 -text

Similarly on the master looks OK.

openssl s_client -connect MASTER_HOST:9090 | openssl x509 -text

Any ideas as to how to troubleshoot this?

Foreman and Proxy versions:

foreman-3.1.3-1

Foreman and Proxy plugin versions:

katello-4.3.1-1

You need to pass the certificate and key for the proxy, not the master.
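
The check behind the answer above, as an added example that is not part of the original thread or of Foreman's own tooling: a pre-flight test, using only standard openssl commands, that the certificate and key handed to foreman-proxy-certs-generate are issued for the proxy, belong together, and chain to the CA bundle. The function name check_proxy_cert is hypothetical.

```shell
#!/bin/sh
# Added example; check_proxy_cert is a hypothetical helper, not a Foreman tool.
# Usage: check_proxy_cert PROXY_FQDN SERVER_CERT SERVER_KEY CA_BUNDLE
check_proxy_cert() {
    fqdn=$1; cert=$2; key=$3; ca=$4; rc=0

    # 1. The certificate must be issued for the proxy's FQDN (SAN, or CN
    #    when no SAN is present). The master's certificate fails here.
    if openssl x509 -in "$cert" -noout -checkhost "$fqdn" 2>/dev/null \
            | grep -q "does match certificate"; then
        echo "OK   hostname: certificate covers $fqdn"
    else
        echo "FAIL hostname: certificate is not valid for $fqdn"
        rc=1
    fi

    # 2. The private key must belong to that certificate: compare the
    #    public key embedded in the cert with the one derived from the key.
    cert_pub=$(openssl x509 -in "$cert" -noout -pubkey 2>/dev/null)
    key_pub=$(openssl pkey -in "$key" -pubout 2>/dev/null)
    if [ -n "$cert_pub" ] && [ "$cert_pub" = "$key_pub" ]; then
        echo "OK   key: private key matches certificate"
    else
        echo "FAIL key: private key does not match certificate"
        rc=1
    fi

    # 3. The certificate must chain to the CA bundle that will be
    #    passed as --server-ca-cert.
    if openssl verify -CAfile "$ca" "$cert" >/dev/null 2>&1; then
        echo "OK   chain: certificate verifies against $ca"
    else
        echo "FAIL chain: certificate does not verify against $ca"
        rc=1
    fi

    return "$rc"
}

# Run the check when the script is called with the four arguments.
if [ "$#" -eq 4 ]; then
    check_proxy_cert "$@"
fi
```

Run it on the host where the certs are generated, with the same cert, key and CA bundle paths that will be given to --server-cert, --server-key and --server-ca-cert.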

DOH!

Thanks gvde, I will test that using proxy host certs.

That did the trick, thanks again for your help.

Success!

  • Foreman Proxy is running at https://