RestClient::SSLCertificateNotVerified after custom cert setup

I am getting the following errors just after logging into katello after
installing certificates signed by our internal authority.

Oops, we're sorry but something went wrong

Katello::Resources::Candlepin::OwnerInfo: SSL_connect returned=1 errno=0
state=SSLv3 read server certificate B: certificate verify failed (GET
/candlepin/owners/Default_Organization/info)

RestClient::SSLCertificateNotVerified

Katello::Resources::Candlepin::OwnerInfo: SSL_connect returned=1 errno=0
state=SSLv3 read server certificate B: certificate verify failed (GET
/candlepin/owners/Default_Organization/info)

I used the instructions provided here:
https://github.com/Katello/katello-installer#certificates

I've also tried the workaround mentioned in
https://bugzilla.redhat.com/show_bug.cgi?id=1218251#c0

katello-certs-check reported everything was fine and I used the installer
commands it provided. It appears to have configured apache correctly to use
the new certs but some other piece apparently did not. I'm completely lost
as to which one given the error message. This is on a CentOS 7.2.1511
system. Is there a way to determine which service (and its cert) katello
is attempting to connect to?

When dealing with custom certs, the candlepin communication should not
really be affected.

I would recommend checking what's running on port 8443:

netstat -tulpan | grep 8443

check which cert it is using:

openssl s_client -connect $(hostname -f):8443 | openssl x509 -text -noout | less

Also,

could you write what commands exactly have you run, for further investigation?

– Ivan

··· On Mon, Aug 15, 2016 at 10:00 PM, Ciarán Taog wrote:

> I used the instructions provided here:
> https://github.com/Katello/katello-installer#certificates
> [...]
> --
> You received this message because you are subscribed to the Google Groups
> "Foreman users" group.
> To unsubscribe from this group and stop receiving emails from it, send an
> email to foreman-users+unsubscribe@googlegroups.com.
> To post to this group, send email to foreman-users@googlegroups.com.
> Visit this group at https://groups.google.com/group/foreman-users.
> For more options, visit https://groups.google.com/d/optout.

I was finally able to resolve this issue by performing the following.

The default katello certificate remains in the ssl-build directory created
by the initial install. I added it to the CA trust bundle on CentOS with:

cp /root/ssl-build/katello-default-ca.crt /etc/pki/ca-trust/source/anchors/
update-ca-trust enable
update-ca-trust

There is probably a better and more restrictive way to accomplish this but
this seems to have resolved the issue for me. Thank you for pointing me in
the right direction with the port 8443 tip.

[root@henson ~]# lsof -Pni | grep 8443
java 1371 tomcat 47u IPv6 24336 0t0 TCP *:8443 (LISTEN)
[root@henson ~]# ps aux | grep 1371
tomcat 1371 1.1 15.3 3644872 617928 ? Ssl 15:05 0:31 java
-classpath /usr/share/tomcat/bin/
bootstrap.jar:/usr/share/tomcat/bin/tomcat-juli.jar:/usr/share/java/commons-daemon.jar
-Dcatalina.base=/usr/share/tomcat -Dcatalina.home=/usr/share/tomcat
-Djava.endorsed.dirs= -Djava.io.tmpdir=/var/cache/tomcat/temp
-Djava.util.logging.config.file=/usr/share/tomcat/conf/logging.properties
-Djava.util.logging.manager=org.apache.juli.ClassLoaderLogManager
org.apache.catalina.startup.Bootstrap start

openssl output shows what looks to be the self signed cert that was not
changed as you mention.

    Issuer: C=US, ST=North Carolina, L=Raleigh, O=Katello, OU=SomeOrgUnit, CN=henson.in.example.com
    Validity
        Not Before: Aug 11 19:08:40 2016 GMT
        Not After : Jan 17 19:08:40 2038 GMT
    Subject: C=US, ST=North Carolina, L=Raleigh, O=Katello, OU=SomeOrgUnit, CN=henson.in.example.com

As for commands, I have a snapshot where everything is "working" with self
signed certs in place having used './setup.rb --version 1.12 --scenario
katello'. I quote working because CentOS 7.2 defaults to HSTS so neither
Chrome nor Firefox will allow you to add the certificate as an exception.
However, using IE, I am able to log in with the default admin and all seems
well.

I then perform the following:

katello-certs-check -c henson.in.example.com.crt -k henson.in.example.com.key -r henson.in.example.com.csr -b exampleroot.pem

This reports Validation succeeded and outputs the next steps. I then used
the section for existing installations of katello:

foreman-installer --scenario katello\
                  --certs-server-cert "henson.in.example.com.crt"\
                  --certs-server-cert-req "henson.in.example.com.csr"\
                  --certs-server-key "henson.in.example.com.key"\
                  --certs-server-ca-cert "exampleroot.pem"\
                  --certs-update-server --certs-update-server-ca

The installer completes and outputs this:

Marking certificate /root/ssl-build/henson.in.example.com/henson.in.example.com-apache for update
Marking certificate /root/ssl-build/henson.in.example.com/henson.in.example.com-foreman-proxy for update
Marking certificate /root/ssl-build/katello-server-ca for update
Installing Done [100%]
[…]
Success!

  • Katello is running at https://henson.in.example.com

  • To install additional capsule on separate machine continue by running:

    capsule-certs-generate --capsule-fqdn "$CAPSULE" --certs-tar "~/$CAPSULE-certs.tar"

The full log is at /var/log/foreman-installer/katello.log

It is at this point I begin to get the certificate error. I get the login
prompt, enter the admin credentials, and then am taken to the error message
originally posted.

I'm guessing at this point I may need to tell katello to trust the self
signed cert tomcat is using somewhere since I've told it to trust our
internal root CA with the configure script with --server-ca-cert. However,
I'm having trouble sorting out the large number of cert related flags in
the installer as well as any relevant config files.

post scriptum:
No, I'm not really using example.com. I replaced the domain to comply with
company policy.

Thank you for your help with this. It is greatly appreciated.


On Tuesday, August 16, 2016 at 1:58:28 AM UTC-5, Ivan Necas wrote:

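An added diagnostic (my own, not code from the thread or from the Foreman/Katello project) that mechanizes the check Ivan suggests and the output Ciarán pasted: it parses `openssl x509 -text -noout` output, flags a self-signed, mismatched or expired certificate, and reports which of the CA files named in the thread has a subject equal to the served cert's issuer. The two sample certificates and the CA subject DNs are constructed from the thread's excerpts, not read from real files.

```python
"""Decide which trust anchor a Katello TLS listener's certificate needs."""
import re
import subprocess
from datetime import datetime, timezone

# Constructed sample: the 8443 (tomcat/candlepin) certificate excerpt quoted
# in the thread, laid out the way `openssl x509 -text -noout` prints it.
SAMPLE_8443 = """\
        Issuer: C=US, ST=North Carolina, L=Raleigh, O=Katello, OU=SomeOrgUnit, CN=henson.in.example.com
        Validity
            Not Before: Aug 11 19:08:40 2016 GMT
            Not After : Jan 17 19:08:40 2038 GMT
        Subject: C=US, ST=North Carolina, L=Raleigh, O=Katello, OU=SomeOrgUnit, CN=henson.in.example.com
"""

# Constructed sample: the Apache cert on 443 after the installer run in the
# thread, issued by the internal root (DN invented for illustration).
SAMPLE_443 = """\
        Issuer: C=US, O=Example Corp, CN=Example Internal Root CA
        Validity
            Not Before: Aug 15 12:00:00 2016 GMT
            Not After : Aug 15 12:00:00 2018 GMT
        Subject: C=US, O=Example Corp, CN=henson.in.example.com
"""

# Assumed subject DNs of the two CA files the thread mentions (illustrative).
ANCHORS = {
    "/root/ssl-build/katello-default-ca.crt":
        "C=US, ST=North Carolina, L=Raleigh, O=Katello, OU=SomeOrgUnit, CN=henson.in.example.com",
    "exampleroot.pem": "C=US, O=Example Corp, CN=Example Internal Root CA",
}

OPENSSL_TIME = "%b %d %H:%M:%S %Y %Z"  # e.g. "Aug 11 19:08:40 2016 GMT"


def parse_dn(dn):
    """'C=US, O=Katello, CN=x' -> (('C','US'), ('O','Katello'), ('CN','x')).
    Accepts the 'C = US' spacing newer openssl prints; commas inside values are not handled."""
    return tuple(tuple(p.strip() for p in part.split("=", 1))
                 for part in dn.split(",") if "=" in part)


def parse_x509_text(text):
    """Pull issuer, subject and validity out of `openssl x509 -text -noout` output."""
    patterns = {"issuer": r"^\s*Issuer:\s*(.+)$", "subject": r"^\s*Subject:\s*(.+)$",
                "not_before": r"^\s*Not Before:\s*(.+)$",
                "not_after": r"^\s*Not After\s*:\s*(.+)$"}
    fields = {}
    for key, pattern in patterns.items():
        m = re.search(pattern, text, re.M)
        if not m:
            raise ValueError("no %s line in openssl output" % key)
        fields[key] = m.group(1).strip()
    for key in ("not_before", "not_after"):
        fields[key] = datetime.strptime(fields[key], OPENSSL_TIME).replace(tzinfo=timezone.utc)
    fields["issuer"], fields["subject"] = parse_dn(fields["issuer"]), parse_dn(fields["subject"])
    return fields


def diagnose(text, expected_host, anchors=ANCHORS, now_iso=None):
    """Explain why a served cert fails verification and which CA file could fix it.
    An issuer/subject DN match is a strong hint, not proof of signature: confirm
    with `openssl verify -CAfile <anchor> <cert>` before adding any trust."""
    cert = parse_x509_text(text)
    now = (datetime.fromisoformat(now_iso).replace(tzinfo=timezone.utc)
           if now_iso else datetime.now(timezone.utc))
    subject_cn = dict(cert["subject"]).get("CN")
    return {
        "subject_cn": subject_cn,
        "hostname_matches": subject_cn == expected_host,
        "self_signed": cert["issuer"] == cert["subject"],
        "expired": not (cert["not_before"] <= now <= cert["not_after"]),
        "issuer_cn": dict(cert["issuer"]).get("CN"),
        # CA files whose subject equals this cert's issuer: candidates for
        # /etc/pki/ca-trust/source/anchors/ (or /etc/foreman/proxy_ca.pem).
        "trusted_by": [n for n, dn in anchors.items() if parse_dn(dn) == cert["issuer"]],
    }


def fetch_x509_text(host, port):
    """Ivan's openssl pipeline from the thread; needs the openssl CLI and network."""
    client = subprocess.run(["openssl", "s_client", "-connect", "%s:%d" % (host, port),
                             "-servername", host], input=b"", capture_output=True)
    x509 = subprocess.run(["openssl", "x509", "-text", "-noout"],
                          input=client.stdout, capture_output=True, check=True)
    return x509.stdout.decode()
```

Run `diagnose(fetch_x509_text(host, 8443), host)` against each of 443, 8443 and 9090 to see per listener whether the system store, the default CA or the internal root is the one that validates it.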

This issue still exists for Katello 3.1. Without the workaround mentioned
by Ciarán, it's not possible to use custom SSL certificates for katello.

··· On Wed, Aug 17, 2016 at 10:40 AM, Ciarán Taog wrote:


This issue still exists for Katello 3.1. Without the workaround mentioned
by Ciarán, it's not possible to use custom SSL certificates for katello.

I too have run into this issue. Copying the default-ca into the system
trust seems to address the issue.

Unfortunately I believe the smart proxy installer is similarly broken. It
is unable to complete install using a custom cert for capsule.acme.com.

[ INFO 2016-09-19 11:33:26 verbose] Class[Foreman_proxy::Register]: Scheduling refresh of Foreman_smartproxy[capsule.acme.com]
[ERROR 2016-09-19 11:33:26 verbose] Proxy capsule.acme.com cannot be registered: Unable to communicate with the proxy: ERF12-2530 [ProxyAPI::ProxyException]: Unable to detect features ([RestClient::SSLCertificateNotVerified]: SSL_connect returned=1 errno=0 state=SSLv3 read server certificate B: certificate verif…) for proxy https://capsule.acme.com:9090/features Please check the proxy is configured and running on the host.
[ INFO 2016-09-19 11:33:26 verbose] /usr/share/foreman-installer/modules/foreman/lib/puppet/provider/foreman_smartproxy/rest_v3.rb:23:in `create'

Adding the katello-default-ca to the system store does not address the
problem. The capsule's proxy log shows a client CA issue:

E, [2016-09-19T11:33:26.811258 #9849] ERROR -- : OpenSSL::SSL::SSLError: SSL_accept returned=1 errno=0 state=SSLv3 read client certificate A: tlsv1 alert unknown ca
/usr/share/ruby/openssl/ssl.rb:226:in `accept'

··· On Monday, September 19, 2016 at 6:25:04 AM UTC-5, prasu...@gmail.com wrote:

Yes, I can confirm that foreman-proxy doesn't start with the same errors.

··· On Mon, Sep 19, 2016 at 1:25 PM, Danny Kimsey wrote:


Prasun Gera, I was working with jsherril on IRC earlier and might have a
potential work-around.

On the foreman master, the /etc/foreman/proxy_ca.pem file likely has the
custom certificate chain, try swapping it out for your default-ca (the
internal self-signed). This appears to have addressed my issue. I restarted
foreman-proxy on the master, you will likely need to as well.

Note: I am at home, so I might not have the exact path.

··· On Mon, Sep 19, 2016 at 7:07 PM Prasun Gera wrote:



Danny.

Beware! The mind of the believer stagnates. It fails to grow outward into
an unlimited, infinite universe.

Frank Herbert, Heretics of Dune

Hi Danny,
Thanks! That worked. Here's what I did:

cd /etc/foreman
cp proxy_ca.pem proxy_ca_bkp.pem
cp /root/ssl-build/katello-default-ca.crt ./proxy_ca.pem

Regards,
Prasun

··· On Mon, Sep 19, 2016 at 8:57 PM, Danny Kimsey wrote:


Great, confirmation is a wonderful thing!

I've written a ticket regarding these issues which I've submitted. Let me
know if I missed anything.

http://projects.theforeman.org/issues/16620

··· On Monday, September 19, 2016 at 8:13:18 PM UTC-5, prasu...@gmail.com wrote:

That's a great summary, and it also highlights the other problem of
renewals, at least with Let's Encrypt certs. Since katello expects the root
to be included, it adds one more step to the process during cert renewals
because LE doesn't include the root in the cert. It only goes up to DST X3,
and you need to manually download DST X3's cert and concatenate it.
Incidentally, I remember facing some similar issues with FreeIPA too for
installing 3rd party http certs.

··· On Tue, Sep 20, 2016 at 11:31 AM, Danny Kimsey wrote:

Great, confirmation is a wonderful thing!

I’ve written a ticket regarding these issues which I’ve submitted. Let me
know if I missed anything.

Bug #16620: custom certificates do not work out-of-the box on katello 3.1 - Katello - Foreman


In my production deployment I've noticed that katello can't talk to its own
smart proxy, but can communicate with the capsules. I'm still trying to
debug it, but I haven't had any success.

I think the root of the problem (and I mention it in the ticket) is the
software is designed to assume two different CAs (katello-default-ca and
katello-custom-ca)*, but the default install is with the one CA,
katello-default-ca. So logical errors like flipping the certs or their
chains are not visible.

Unfortunately the issue is back-logged for the time being. I would
recommend anyone trying to do this in production to not bother at this time.

  • Maybe renaming to katello-internal-ca and katello-external-ca might be
    more meaningful? Or updating the katello connection diagram to state which
    certs should be where.