RHSM registration through SSL inspection

Problem: Unable to register hosts with Foreman when going through a firewall with SSL inspection (SSL mismatches)

Expected outcome: Successful registration

Foreman and Proxy versions: Foreman 3.13 / Katello 4.15 / subscription-manager 1.29

Foreman and Proxy plugin versions:

Distribution and version:

Other relevant data:
We’ve had Foreman / Katello running for a while now for machines on the same network. Recently we resolved the cross network firewalling so that we can register machines on different networks, but we do have SSL inspection (no movement on that).

The issue that I’m having is that the CA certificate that we use for the OS isn’t making a difference when copying to /etc/rhsm/ca and configuring in rhsm.conf - it’s still failing.

I’ve confirmed that if we set rhsm to be insecure then we are registering with no issues, but we don’t want to do this moving forward. I’ve also seen on a previous post that it’s not supported, but surely that’s the point of the certificate config?

I’ve been banging my head against the wall on this, so any help would be appreciated!

Apologies - this is all on Rocky Linux 9.5 (both server and host).

This article suggests not doing SSL inspection on the domain that your Foreman is running on.

I had seen that somewhere else from a few years ago (I don’t have access to RH access articles), but was thinking that because there is the option in rhsm.conf, it had possibly been resolved.

I’ll take it to the network guys - cheers.
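
A diagnostic for the situation discussed in this thread, as an added example that is not from any of the posters: it checks whether the certificate a host actually receives chains to the CA file placed in /etc/rhsm/ca, and names the issuer when it does not. The CA names, the hostname `foreman.example.test` and all files are constructed fixtures, and the function names are hypothetical.

```shell
#!/bin/sh
# Added example. Every certificate here is a constructed fixture.
# On a real host, capture what the firewall presents with:
#   openssl s_client -connect <foreman-host>:443 </dev/null | openssl x509 > presented.pem

# Print the issuer DN of a PEM certificate.
cert_issuer() { openssl x509 -in "$1" -noout -issuer; }

# Succeed only if certificate $1 chains to the CA file $2.
chains_to() { openssl verify -CAfile "$2" "$1" >/dev/null 2>&1; }

# Report whether the presented certificate is covered by the configured CA.
diagnose() {
    if chains_to "$1" "$2"; then
        echo "OK: $1 chains to $2"
    else
        echo "MISMATCH: $1 has $(cert_issuer "$1"), not signed by $2"
        return 1
    fi
}

# Constructed fixtures: a "katello" CA, an "inspection" CA, and a server
# certificate signed by the inspection CA (what the host receives).
make_fixtures() {
    d=$1
    printf '[req]\ndistinguished_name=dn\nx509_extensions=v3\n[dn]\n[v3]\nbasicConstraints=critical,CA:TRUE\n' > "$d/ca.cnf"
    for ca in katello inspection; do
        openssl req -x509 -config "$d/ca.cnf" -newkey rsa:2048 -nodes -days 1 \
            -subj "/CN=constructed-$ca-ca" \
            -keyout "$d/$ca-ca.key" -out "$d/$ca-ca.pem" 2>/dev/null
    done
    openssl req -new -config "$d/ca.cnf" -newkey rsa:2048 -nodes \
        -subj "/CN=foreman.example.test" \
        -keyout "$d/server.key" -out "$d/server.csr" 2>/dev/null
    openssl x509 -req -in "$d/server.csr" -days 1 -CAcreateserial \
        -CA "$d/inspection-ca.pem" -CAkey "$d/inspection-ca.key" \
        -out "$d/presented.pem" 2>/dev/null
}

tmp=$(mktemp -d)
make_fixtures "$tmp"
diagnose "$tmp/presented.pem" "$tmp/katello-ca.pem" || true     # MISMATCH
diagnose "$tmp/presented.pem" "$tmp/inspection-ca.pem" || true  # OK
rm -rf "$tmp"
```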