Unable to register hosts after uploading custom certificate

ericville · May 17, 2023, 7:09pm

Problem:
Unable to register hosts after uploading custom certificate
Expected outcome:
successfully register to Foreman/Katello
Foreman and Proxy versions:
3.6.1
Foreman and Proxy plugin versions:
3.6.1 / katello 4.8
Distribution and version:
RHEL 8
Other relevant data:
Getting following error when running registration curl script on hosts after uploading with custom certificate:

Running registration

Loaded plugins: fastestmirror, product-id, search-disabled-repos, subscription-
: manager
Error loading certificate: [Errno 2] No such file or directory: ‘/etc/pki/consumer/cert.pem’
Loading mirror speeds from cached hostfile

base: coresite.mm.fcix.net
extras: mirror.team-cymru.com
updates: mirror.wdc2.us.leaseweb.net
No packages marked for update
Unable to verify server’s identity: [SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed (_ssl.c:618)

cintrix84 · May 18, 2023, 6:20pm

Hi @ericville

On the client there should be this CA /etc/rhsm/ca/katello-server-ca.pem can you run openssl x509 -in /etc/rhsm/ca/katello-server-ca.pem -noout -text and confirm if that matches the new custom cert and ca you have updated the Foreman instance with?

atarallo · May 18, 2023, 8:30pm

@ericville Could you tell us more about what you did? I’m experiencing a similar problem.

Today I’ve updated the Apache web server certificate (on the foreman server). After oing that I’ve noticed that some VM registered to Foreman server are unable to register or do a yum repolist

ericville · May 19, 2023, 12:11pm

I ran the command and it does not look like the certificates match, however I did enable “Insecure” when generating the curl script for registration, so I would think that shouldn’t matter.
I’m also getting the following error as well -

Error loading certificate: [Errno 2] No such file or directory: ‘/etc/pki/consumer/cert.pem’

If I remove the certificates and use the self signed, then I’m able to register successfully.

Thanks,

ericville · May 19, 2023, 12:51pm

@atarallo
I followed the documentation on deploying a custom certificate to foreman server, and am now unable to register any hosts, where I was able to when using the self signed cert.
Not sure if there is another step I’m missing…

ericville · May 19, 2023, 12:55pm

Also when following the steps in the documentation to deploy the custom certificate to hosts, and running the ““yum install http://foreman.example.com/pub/katello-ca-consumer-latest.noarch.rpm”” command, I get the following error:
Error loading certificate: [Errno 2] No such file or directory: ‘/etc/pki/consumer/cert.pem’

cintrix84 · May 19, 2023, 2:57pm

@ericville

On the client can you email me the /var/log/rhsm.log file and output of ls /etc/pki/consumer/ to chrobert@redhat.com so I can look at the rhsm client log?

ericville · May 19, 2023, 3:48pm

just emailed the log to you, and the ls command showed the /etc/pki/consumer/ directory as empty.

Thanks,

ericville · May 24, 2023, 6:49pm

Finally got this working. Was a bad custom certificate.

Thanks,

cintrix84 · May 24, 2023, 7:07pm

Hey @ericville

Sorry for the delay, I have been out sick this week. I just got back this morning and was testing it. Glad you got it figured out. I will stop my investigation and again sorry for the delay.