Could not send facts to Foreman: SSL_connect returned=1 errno=0 state=SSLv3
read server certificate B: certificate verify failed
I have searched through the topics here and googled but nothing seems to
work…
I have also set up a new foreman installation with the installer ssl
parameters but the results are the same.
I did not investigate your problem yet, please read it and confirm.
LZ
On Tue, Sep 23, 2014 at 11:38:57PM -0700, Sandro Roth wrote:
> Hi
>
> We're trying to change the webserver ssl certificate to an internal signed
> one.
> I changed the following settings to replace the certificate.
>
> /etc/puppet/foreman.yaml
> ---
> #:url: "https://hostname.fqdn.local"
> #:ssl_ca: "/var/lib/puppet/ssl/certs/ca.pem"
> #:ssl_cert: "/var/lib/puppet/ssl/certs/hostname.fqdn.local.pem"
> #:ssl_key: "/var/lib/puppet/ssl/private_keys/hostname.fqdn.local.pem"
> :url: "https://foreman-test.fqdn.local"
> :ssl_ca: "/var/lib/puppet/ssl/certs/fqdn-root-int-ca1.pem"
> :ssl_cert: "/var/lib/puppet/ssl/certs/foreman-test.fqdn.local.crt"
> :ssl_key: "/var/lib/puppet/ssl/private_keys/foreman-test.fqdn.local.key"
>
> /etc/httpd/conf.d/05-foreman-ssl.conf
>
>
> ServerName foreman-test.fqdn.local
> ...
> ## SSL directives
> SSLEngine on
> # SSLCertificateFile "/var/lib/puppet/ssl/certs/hostname.fqdn.local.pem"
> # SSLCertificateKeyFile "/var/lib/puppet/ssl/private_keys/hostname.fqdn.local.pem"
> # SSLCertificateChainFile "/var/lib/puppet/ssl/certs/ca.pem"
> SSLCertificateFile "/var/lib/puppet/ssl/certs/foreman-test.fqdn.local.pem"
> SSLCertificateKeyFile "/var/lib/puppet/ssl/private_keys/foreman-test.fqdn.local.key"
> SSLCertificateChainFile "/var/lib/puppet/ssl/certs/fqdn-root-int-ca1.pem"
>
>
> Restarted apache and now it works fine in the web browser. But puppet
> clients are not able to send reports any more.
> I think the problem is this..
>
> # sudo -u puppet /etc/puppet/node.rb hostname.fqdn.local
> Could not send facts to Foreman: SSL_connect returned=1 errno=0 state=SSLv3
> read server certificate B: certificate verify failed
>
> I have searched through the topics here and googled but nothing seems to
> work..
> I have also set up a new foreman installation with the installer ssl
> parameters but the results are the same.
>
> foreman-installer -v \
> --foreman-foreman-url=foreman-test.fqdn.local \
> --foreman-server-ssl-cert=/etc/pki/tls/certs/foreman-test.fqdn.local.pem \
> --foreman-server-ssl-key=/etc/pki/tls/private/foreman-test.fqdn.local.key
>
> Any ideas would be appreciated!
>
>
> Thanks
> Sandro
>
Not sure if this really applies to my issue…
We're not trying to rename the foreman server or something like that.
I don't think it's necessary to replace the proxy's certificate?
But I did replace the paths to the new certificate and key file in the ENC
node script, report script and in foreman settings.
Still the same issue.
On Thursday, September 25, 2014 6:18:21 PM UTC+2, Lukas Zapletal wrote:
>
> Have you seen this?
>
>
> http://projects.theforeman.org/projects/foreman/wiki/Troubleshooting#How-do-I-change-the-FQDN-of-the-Foreman-host
>
> I did not investigate your problem yet, please read it and confirm.
>
> LZ
>
> --
> Later,
> Lukas #lzap Zapletal
>
Sandro, I am running into the same issue, and I think there may be
something missing in your proposed fix. Can you elaborate on the changes
that got a replacement SSL to work?
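
Added example, not part of any post in this thread: a self-contained Ruby check of when a client that trusts only the file named in `:ssl_ca` accepts the certificate Apache presents. It goes beyond the thread by assuming the internal CA has an intermediate; all certificates and CA names are constructed in memory, and only the chain of trust is checked, not the host name.

```ruby
require "openssl"

# Build a throwaway certificate (constructed test data, not the thread's files).
def make_cert(cn, issuer: nil, ca: false)
  key  = OpenSSL::PKey::RSA.new(2048)
  cert = OpenSSL::X509::Certificate.new
  cert.version    = 2                      # X.509 v3, needed for extensions
  cert.serial     = rand(1..2**32)
  cert.subject    = OpenSSL::X509::Name.parse("/CN=#{cn}")
  cert.issuer     = issuer ? issuer[:cert].subject : cert.subject
  cert.public_key = key.public_key
  cert.not_before = Time.now - 60
  cert.not_after  = Time.now + 3600
  ext = OpenSSL::X509::ExtensionFactory.new
  cert.add_extension(ext.create_extension("basicConstraints", ca ? "CA:TRUE" : "CA:FALSE", true))
  cert.sign(issuer ? issuer[:key] : key, OpenSSL::Digest.new("SHA256"))
  { cert: cert, key: key }
end

# Same decision the client makes: trust only what is in the CA file (:ssl_ca),
# then validate the server certificate plus whatever chain the server sends
# (the role of SSLCertificateChainFile on the Apache side).
def verify_server_cert(ca_pem, server_cert, sent_chain = [])
  store = OpenSSL::X509::Store.new
  store.add_cert(OpenSSL::X509::Certificate.new(ca_pem))
  [store.verify(server_cert, sent_chain), store.error_string]
end

# Three constructed situations; the CA names are hypothetical stand-ins.
def run_cases
  puppet_ca = make_cert("Constructed Puppet CA", ca: true)
  root      = make_cert("Constructed internal root CA", ca: true)
  inter     = make_cert("Constructed internal issuing CA", issuer: root, ca: true)
  server    = make_cert("foreman-test.fqdn.local", issuer: inter)
  {
    # Client still trusts the Puppet CA, server presents the internal cert.
    old_puppet_ca_trusted: verify_server_cert(puppet_ca[:cert].to_pem, server[:cert]),
    # Client trusts the internal root, server sends no intermediate.
    root_only_no_chain:    verify_server_cert(root[:cert].to_pem, server[:cert]),
    # Client trusts the internal root, server sends the intermediate.
    root_plus_sent_chain:  verify_server_cert(root[:cert].to_pem, server[:cert], [inter[:cert]]),
  }
end

RESULTS = run_cases
RESULTS.each { |name, (ok, err)| puts format("%-22s verified=%-5s %s", name, ok, err) }
```

Against a live server, the equivalent check is `openssl s_client -connect foreman-test.fqdn.local:443 -CAfile <the :ssl_ca file>`, reading the "Verify return code" line.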