[root@henson ~]# lsof -Pni | grep 8443
java 1371 tomcat 47u IPv6 24336 0t0 TCP *:8443 (LISTEN)
[root@henson ~]# ps aux | grep 1371
tomcat 1371 1.1 15.3 3644872 617928 ? Ssl 15:05 0:31 java -classpath /usr/share/tomcat/bin/bootstrap.jar:/usr/share/tomcat/bin/tomcat-juli.jar:/usr/share/java/commons-daemon.jar -Dcatalina.base=/usr/share/tomcat -Dcatalina.home=/usr/share/tomcat -Djava.endorsed.dirs= -Djava.io.tmpdir=/var/cache/tomcat/temp -Djava.util.logging.config.file=/usr/share/tomcat/conf/logging.properties -Djava.util.logging.manager=org.apache.juli.ClassLoaderLogManager org.apache.catalina.startup.Bootstrap start
The openssl output shows what looks to be the self-signed cert that was not changed, as you mention.
Issuer: C=US, ST=North Carolina, L=Raleigh, O=Katello, OU=SomeOrgUnit, CN=henson.in.example.com
Validity
Not Before: Aug 11 19:08:40 2016 GMT
Not After : Jan 17 19:08:40 2038 GMT
Subject: C=US, ST=North Carolina, L=Raleigh, O=Katello, OU=SomeOrgUnit, CN=henson.in.example.com
As for commands, I have a snapshot where everything is "working" with self-signed certs in place, having used './setup.rb --version 1.12 --scenario katello'. I quote "working" because CentOS 7.2 defaults to HSTS, so neither Chrome nor Firefox will allow you to add the certificate as an exception. However, using IE, I am able to log in with the default admin and all seems well.
I then perform the following:
katello-certs-check -c henson.in.example.com.crt -k henson.in.example.com.key -r henson.in.example.com.csr -b exampleroot.pem
This reports Validation succeeded and outputs the next steps. I then used
the section for existing installations of katello:
foreman-installer --scenario katello \
  --certs-server-cert "henson.in.example.com.crt" \
  --certs-server-cert-req "henson.in.example.com.csr" \
  --certs-server-key "henson.in.example.com.key" \
  --certs-server-ca-cert "exampleroot.pem" \
  --certs-update-server --certs-update-server-ca
The installer completes and outputs this:
Marking certificate /root/ssl-build/henson.in.example.com/henson.in.example.com-apache for update
Marking certificate /root/ssl-build/henson.in.example.com/henson.in.example.com-foreman-proxy for update
Marking certificate /root/ssl-build/katello-server-ca for update
Installing             Done                                               [100%]
[…]
Success!
- Katello is running at https://henson.in.example.com
- To install additional capsule on separate machine continue by running:
  capsule-certs-generate --capsule-fqdn "$CAPSULE" --certs-tar "~/$CAPSULE-certs.tar"
The full log is at /var/log/foreman-installer/katello.log
It is at this point I begin to get the certificate error. I get the login prompt, enter the admin credentials, and then am taken to the error message originally posted.
I'm guessing at this point I may need to tell Katello to trust the self-signed cert Tomcat is using somewhere, since I've told it to trust our internal root CA with the configure script with --server-ca-cert. However, I'm having trouble sorting out the large number of cert-related flags in the installer as well as any relevant config files.
Post scriptum:
No, I'm not really using example.com. I replaced the domain to comply with company policy.
Thank you for your help with this. It is greatly appreciated.
On Tuesday, August 16, 2016 at 1:58:28 AM UTC-5, Ivan Necas wrote:
When dealing with custom certs, the Candlepin communication should not really be affected.
I would recommend checking what's running on port 8443:
netstat -tulpan | grep 8443
and checking which cert it is using:
openssl s_client -connect $(hostname -f):8443 </dev/null | openssl x509 -text -noout | less
Also,
could you write what commands exactly have you run, for further
investigation?
– Ivan
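The checks Ivan suggests, and the situation the original poster describes, boil down to one question per TLS port: does the certificate the port actually presents match the file you installed, and does it chain to the CA you told the installer to trust? The script below is an added example, not part of Katello, foreman-installer or anyone's post in this thread. It is plain POSIX sh over the openssl command line; the host name, ports and file paths passed on its command line are assumptions taken from the thread, and the script name certcheck.sh is hypothetical.

```shell
#!/bin/sh
# Added diagnostic, not part of Katello, foreman-installer or this thread's
# posts: for each TLS port on the server, fetch the certificate it actually
# presents, compare it with the certificate file you installed, and check
# whether it chains to the CA you told the installer to trust. Host name,
# ports and file paths given on the command line are assumptions.
set -eu

# SHA-256 fingerprint of a PEM certificate file (hex part only).
cert_fingerprint() {
    openssl x509 -in "$1" -noout -fingerprint -sha256 | cut -d= -f2
}

# Subject and issuer of a PEM certificate file, one per line.
cert_names() {
    openssl x509 -in "$1" -noout -subject -issuer
}

# Succeeds if the certificate in $1 chains to the CA bundle in $2.
chains_to_ca() {
    openssl verify -CAfile "$2" "$1" >/dev/null 2>&1
}

# Succeeds if the private key in $2 belongs to the certificate in $1
# (compares the public keys, so it works for RSA and EC keys alike).
key_matches_cert() {
    cert_pub=$(openssl x509 -in "$1" -noout -pubkey)
    key_pub=$(openssl pkey -in "$2" -pubout)
    [ "$cert_pub" = "$key_pub" ]
}

# Write the leaf certificate presented on $1:$2 to the file $3.
# </dev/null stops s_client from waiting for input on stdin.
served_cert() {
    openssl s_client -connect "$1:$2" -servername "$1" </dev/null 2>/dev/null \
        | openssl x509 -outform PEM >"$3"
}

# Report what one port serves against the installed cert and trusted CA.
# Usage: check_port FQDN PORT EXPECTED_CERT CA_FILE
check_port() {
    fqdn=$1 port=$2 expected=$3 ca=$4
    tmp=$(mktemp)
    served_cert "$fqdn" "$port" "$tmp"
    echo "== $fqdn:$port"
    cert_names "$tmp"
    if [ "$(cert_fingerprint "$tmp")" = "$(cert_fingerprint "$expected")" ]; then
        echo "served certificate is $expected"
    else
        echo "MISMATCH: served certificate is not $expected"
    fi
    if chains_to_ca "$tmp" "$ca"; then
        echo "chains to $ca"
    else
        echo "DOES NOT chain to $ca: a client trusting only that CA will reject this port"
    fi
    rm -f "$tmp"
}

# Usage: sh certcheck.sh FQDN EXPECTED_CERT KEY CA_FILE PORT [PORT...]
main() {
    fqdn=$1 expected=$2 key=$3 ca=$4
    shift 4
    # Sanity-check the files themselves before looking at the network.
    key_matches_cert "$expected" "$key" || echo "WARNING: $key does not belong to $expected"
    chains_to_ca "$expected" "$ca" || echo "WARNING: $expected does not chain to $ca"
    for port in "$@"; do
        check_port "$fqdn" "$port" "$expected" "$ca"
    done
}

if [ $# -gt 0 ]; then
    main "$@"
fi
```

With the file names from the thread it would be run as `sh certcheck.sh henson.in.example.com henson.in.example.com.crt henson.in.example.com.key exampleroot.pem 443 8443`. A clean report on 443 together with a MISMATCH and "DOES NOT chain" on 8443 would confirm the picture the openssl output above already suggests: Tomcat is still presenting a certificate issued by the original Katello CA while the web stack has been switched to the internal root CA.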