Problem:
Puppet (server) log shows an error when trying to update foreman after an agent run. Foreman is not updated
Expected outcome:
Foreman is updated successfully
Foreman and Proxy versions:
Foreman 3.8.0-1
Proxy 3.8.0-1
Both on the same host
Distribution and version:
Rocky 8.9
Other relevant data:
Not using Katello
This was all installed on a clean system, and all dependent packages were installed by foreman-installer (puppetserver7, java-1.8.0-openjdk-headless.x86_64)
https port 433 works as expected, no ssl or cert issues
However when the report processor runs, it throws this error
The certificate is sha256withrsa (2048 bits) and is happily accepted by chrome/edge/safari
I tried tweaking the java.security file to make it more permissive (no change)
I tried turning on as many debugging options as I can find (also no extra info)
How can I get some more meaningful info to debug the issue?
Has anyone seen this before?
Check the system-wide crypto policies, and re-enable the default Red Hat policy if needed via update-crypto-policies --set DEFAULT.
I know in the little playbook we have for regular Foreman updates, we have to re-enable the default crypto policy, because we have a more restrictive set of cryptos we allow for Tomcat/Apache on Foreman, and then re-enable our custom policy and configs after foreman-installer runs.
Just wanted to add a note here. Having moved from a working instance of Foreman on Linux 8, I saw the same certs failing on Linux 9. I had the same issues with Puppet sending reports back to Foreman and getting the same error above.
It turns out the bundled/chain of certs that was sent to me from the SSL/TLS provider was including some older certs using sha1WithRSAEncryption. I had to break down each cert in /etc/puppetlabs/puppet/ssl/ca/ca_crt.pem and scan them individually with openssl x509 -text -in test.pem to work out which cert was causing the issues. Having removed the older sha1 certs, reports started working again.
The policy seemed to be a bit more forgiving in Linux System 8. Linux 9 seemed to be a little stricter with how Java connects with httpd/Apache. Rather strangely, Apache didn’t have a problem working with the certs.
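The check described in the reply above (split the CA bundle into individual certificates and inspect each one's signature algorithm) can be scripted so the SHA-1 member of a chain is found in one pass. The following is an added example, not code from the thread or from the Foreman project; it reads the outer signatureAlgorithm of each DER certificate with a minimal DER walker, so it needs only the standard library. The three certificates in SAMPLE_BUNDLE are constructed placeholders whose only meaningful field is the signature algorithm, so that the script runs offline; on a real host you would read /etc/puppetlabs/puppet/ssl/ca/ca_crt.pem instead.

```python
"""Split a PEM bundle and report each certificate's signature algorithm."""
import base64
import re

# OID (dotted) -> name for the signature algorithms relevant to this thread.
SIG_ALG_NAMES = {
    "1.2.840.113549.1.1.5": "sha1WithRSAEncryption",
    "1.2.840.113549.1.1.11": "sha256WithRSAEncryption",
    "1.2.840.113549.1.1.12": "sha384WithRSAEncryption",
    "1.2.840.113549.1.1.13": "sha512WithRSAEncryption",
    "1.2.840.10045.4.3.2": "ecdsa-with-SHA256",
    "1.2.840.10045.4.3.3": "ecdsa-with-SHA384",
}
# Algorithms a strict system-wide crypto policy will refuse.
WEAK_SIG_ALGS = {"sha1WithRSAEncryption"}

PEM_RE = re.compile(
    r"-----BEGIN CERTIFICATE-----\s*(.*?)\s*-----END CERTIFICATE-----", re.S)


def split_pem_bundle(text):
    """Return the DER bytes of every CERTIFICATE block in a PEM bundle."""
    return [base64.b64decode("".join(m.split())) for m in PEM_RE.findall(text)]


def read_tlv(buf, pos):
    """Decode one DER tag-length-value at pos; return (tag, value, next_pos)."""
    tag = buf[pos]
    length = buf[pos + 1]
    pos += 2
    if length & 0x80:                      # long form: next N bytes hold the length
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, buf[pos:pos + length], pos + length


def decode_oid(raw):
    """Turn the content bytes of an OBJECT IDENTIFIER into dotted notation."""
    arcs = [raw[0] // 40, raw[0] % 40]
    value = 0
    for b in raw[1:]:
        value = (value << 7) | (b & 0x7F)
        if not b & 0x80:                   # high bit clear ends the arc
            arcs.append(value)
            value = 0
    return ".".join(str(a) for a in arcs)


def signature_algorithm(der):
    """Extract the outer signatureAlgorithm of a DER-encoded X.509 certificate.

    Certificate ::= SEQUENCE { tbsCertificate, signatureAlgorithm, signatureValue }
    """
    tag, cert, _ = read_tlv(der, 0)
    assert tag == 0x30, "certificate must be a SEQUENCE"
    _, _tbs, pos = read_tlv(cert, 0)           # tbsCertificate, skipped
    tag, alg_id, _ = read_tlv(cert, pos)       # AlgorithmIdentifier
    assert tag == 0x30, "signatureAlgorithm must be a SEQUENCE"
    tag, oid, _ = read_tlv(alg_id, 0)
    assert tag == 0x06, "AlgorithmIdentifier must start with an OID"
    dotted = decode_oid(oid)
    return SIG_ALG_NAMES.get(dotted, dotted)


def weak_certs(bundle_text):
    """Return (index, algorithm) for every bundle member signed with a weak algorithm."""
    found = []
    for i, der in enumerate(split_pem_bundle(bundle_text)):
        alg = signature_algorithm(der)
        if alg in WEAK_SIG_ALGS:
            found.append((i, alg))
    return found


# --- constructed sample input (not real certificates) -----------------------
def _der(tag, content):
    """Encode one short-form DER TLV; enough for the placeholder certs below."""
    assert len(content) < 128
    return bytes([tag, len(content)]) + content


def _fake_cert_pem(sig_oid):
    """Placeholder certificate: tbsCertificate and signature are dummies,
    only the signatureAlgorithm OID is meaningful."""
    tbs = _der(0x30, _der(0x02, b"\x02"))
    alg = _der(0x30, _der(0x06, sig_oid) + _der(0x05, b""))
    sig = _der(0x03, b"\x00\x00")
    b64 = base64.b64encode(_der(0x30, tbs + alg + sig)).decode()
    return f"-----BEGIN CERTIFICATE-----\n{b64}\n-----END CERTIFICATE-----\n"


OID_SHA1_RSA = bytes.fromhex("2a864886f70d010105")    # 1.2.840.113549.1.1.5
OID_SHA256_RSA = bytes.fromhex("2a864886f70d01010b")  # 1.2.840.113549.1.1.11
SAMPLE_BUNDLE = (_fake_cert_pem(OID_SHA256_RSA) + _fake_cert_pem(OID_SHA1_RSA)
                 + _fake_cert_pem(OID_SHA256_RSA))

if __name__ == "__main__":
    for i, der in enumerate(split_pem_bundle(SAMPLE_BUNDLE)):
        print(f"cert {i}: {signature_algorithm(der)}")
    print("weak:", weak_certs(SAMPLE_BUNDLE))
```

Point weak_certs at the contents of the real bundle and it names the position of each SHA-1-signed certificate, which is the one to drop from the chain. Note that the walker only reads the algorithm field; it does not validate the chain, so confirm the repaired bundle with openssl verify before restarting Puppet.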