Trust CA cert on brand new CentOS 7 install

Per the Katello/Foreman 3.16 instructions:

When I do so after a successful install, I get this:

Is this correct?

Hello, yes.

Awesome! Just making sure.

I installed on a fresh CentOS7 and it was already trusted when I went to the link hence why I asked. Not sure if that info is helpful.

Did you use your custom certificate during installation, or did you let katello generate its own CA? If it’s a new katello CA then your browser doesn’t know the root CA and doesn’t trust it. You should not get that message in your browser if you have never before used that browser to open any web page on your new katello installation with the new katello CA.

I also wonder why your browser seems to import that certificate. With my Firefox 80 and macOS and Windows it only suggests to save the certificate file and not to open it. So I find it curious that your Firefox seems to handle that differently…

“Did you use your custom certificate during installation, or did you let katello generate its own CA?”

I did not use custom options on install. I followed the steps outlined on this website to install Katello/Foreman on a brand new CentOS 7 installation.

“You should not get that message in your browser if you have never before used that browser to open any web page on your new katello installation with the new katello CA.”

Hence why I made this thread. I reverted my server to a snapshot before katello installation. This time I:

  • Never opened Firefox
  • Installed Katello/Foreman
  • Opened Firefox
  • Went to the .crt link

This is the result:

Still get the same message.

Script I use:

O.K. You did not say that you are running Firefox locally on the server.

As a start verify if the message is correct: check the subject and issuer name of the certificate with openssl

openssl x509 -in /var/www/html/pub/katello-server-ca.crt -noout -subject -issuer -startdate -enddate

then open the Certificate Manager in Firefox and check the list of authorities and servers if that subject & issuer is really already installed.
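A scripted version of the same check, added here and not part of the thread: it computes the SHA-256 fingerprint of the CA in the .crt file (the fingerprint Firefox shows in Certificate Manager) and reports whether a certificate with that fingerprint is in the system trust bundle. The Katello CA path is the one from the thread; the bundle path is the assumed CentOS 7 location that update-ca-trust writes for p11-kit consumers such as Firefox.

```python
"""Is the Katello CA already in the system trust bundle? (added example)"""
import base64
import hashlib
import re
import sys

# Assumed paths: the CA file checked in the thread, and the bundle that
# update-ca-trust extracts on CentOS 7 for p11-kit consumers (Firefox).
KATELLO_CA = "/var/www/html/pub/katello-server-ca.crt"
SYSTEM_BUNDLE = "/etc/pki/ca-trust/extracted/pem/tls-ca-bundle.pem"

PEM_BLOCK = re.compile(
    r"-----BEGIN CERTIFICATE-----\s*(.*?)\s*-----END CERTIFICATE-----", re.S
)


def split_pem_bundle(text: str) -> list:
    """Return the DER bytes of every certificate found in a PEM string."""
    return [base64.b64decode("".join(m.split())) for m in PEM_BLOCK.findall(text)]


def sha256_fingerprint(der: bytes) -> str:
    """Colon-separated uppercase SHA-256 fingerprint, as Firefox and openssl show it."""
    digest = hashlib.sha256(der).hexdigest().upper()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))


def ca_in_bundle(ca_pem: str, bundle_pem: str) -> bool:
    """True if the single CA certificate in ca_pem is present in bundle_pem."""
    cas = split_pem_bundle(ca_pem)
    if len(cas) != 1:
        raise ValueError("expected exactly one certificate in the CA file")
    wanted = sha256_fingerprint(cas[0])
    return any(sha256_fingerprint(d) == wanted for d in split_pem_bundle(bundle_pem))


def main(argv):
    ca_path = argv[1] if len(argv) > 1 else KATELLO_CA
    bundle_path = argv[2] if len(argv) > 2 else SYSTEM_BUNDLE
    with open(ca_path) as f:
        ca_pem = f.read()
    with open(bundle_path) as f:
        bundle_pem = f.read()
    print("CA fingerprint:", sha256_fingerprint(split_pem_bundle(ca_pem)[0]))
    print("present in system bundle:", ca_in_bundle(ca_pem, bundle_pem))


if __name__ == "__main__":
    main(sys.argv)
```

If the fingerprint matches one in the bundle, the “System Trust” entry Firefox shows on the server is this CA; a desktop browser that has never seen it will still need the import or an exception.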

“O.K. You did not say that you are running Firefox locally on the server”

I’m sorry. If there is another browser on a brand new CentOS 7 install then I’m not aware.

Results from your request (There was nothing Foreman/Katello related in the “Servers” tab):

Well, I usually use my browser on my desktop and we never install client tools/browsers on servers as they are servers and not browsing stations…

Either way, foreman/katello installs the certificate in the system directories. If you run Firefox on the server itself Firefox picks them up there, thus recognizing them as “System Trust” and there is no need to import them.

However, if you use your browser on your desktop and connect to the server using that it will refuse the connection as it does not know the CA certificate. To prevent that you can import the certificate first or you can go the usual path and set up an exception for the server…

It’s my understanding that this is the reason why the notice is in the katello installation documentation. I personally find it unusual to run the browser on the server itself. And considering the number of essential services foreman provides, I wouldn’t want to run anything unnecessary on the server itself…

“Either way, foreman/katello installs the certificate in the system directories. If you run Firefox on the server itself Firefox picks them up there, thus recognizing them as “System Trust” and there is no need to import them.”

Confirmed. I tried accessing my foreman server from an external node and got the message asking if it wants to trust the CA.

As for the other comments, when I try to learn new things I like to “KISS” as much as possible. If I can’t get something working on a single node before expanding its services to the network then I don’t have a real grasp. While the Foreman team has very detailed documentation (and an actual responsive community!), there is always a level of “assuming” in documentation and this just happens to be one of those nuances.

Thanks again to everyone for your swift help!

Well, I think the documentation should not mention that at all. It’s not an assumption but a requirement that you know certificates, how they work, how you use them. Certificate 101. Then you would immediately understand the meaning. If you don’t know the basics you’ll quickly run into problems or later run into serious security issues…