Using leapp to upgrade from Rocky 8.10 to Rocky 9

No, you were right after all. The CA certs (/etc/pki/katello/certs/katello-server-ca.crt and /etc/pki/katello/puppet/puppet_client_ca.crt – two copies of the same file) have multiple certs in them. When you split them out and check them all, there’s one that is RSA1. Once I removed the RSA1 cert and rebooted, the reports started coming in again.

I have noticed the same error. /etc/pki/katello/certs/katello-server-ca.crt and /etc/pki/katello/puppet/puppet_client_ca.crt both contain the full chain of our custom certificate. This includes the root CA certificate, which in our case is

/C=GB/ST=Greater Manchester/L=Salford/O=Comodo CA Limited/CN=AAA Certificate Services

which has

    Signature Algorithm: sha1WithRSAEncryption

But as far as I understand, sha1 for a root CA is acceptable because the signature is not really relevant.

So, now I could either remove the root CA from our CA chain which I pass to foreman-installer in --certs-server-ca-cert or enable SHA1 for the time being. But if I am not mistaken, the root CA should be passed in certs-server-ca-cert for pinning. So far, it seems to me as if only puppetserver complains about the sha1 root CA.
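The check both posts describe (split the CA bundle into its certificates and look at each one's signature algorithm), as an added example that is not from either poster or from the Foreman/Katello project. It reads the outer signatureAlgorithm OID of every PEM block using only the Python standard library and maps it to the name `openssl x509 -text` prints; the function names are hypothetical and `SAMPLE_BUNDLE` is built from constructed DER skeletons, not real certificates.

```python
import base64
import re

SIG_ALGS = {
    "1.2.840.113549.1.1.5": "sha1WithRSAEncryption",
    "1.2.840.113549.1.1.11": "sha256WithRSAEncryption",
    "1.2.840.10045.4.1": "ecdsa-with-SHA1",
}
PEM_RE = re.compile(r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", re.S)

def read_tlv(buf, pos):
    """Return (value_start, value_end) of the DER element that starts at pos."""
    length, pos = buf[pos + 1], pos + 2
    if length & 0x80:  # long form: the low 7 bits give the number of length bytes
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return pos, pos + length

def decode_oid(raw):
    """Decode DER OBJECT IDENTIFIER content bytes into dotted notation."""
    arcs, value = [], 0
    for byte in raw:
        value = (value << 7) | (byte & 0x7F)
        if not byte & 0x80:  # high bit clear marks the last byte of an arc
            arcs.append(value)
            value = 0
    head = [arcs[0] // 40, arcs[0] % 40] if arcs[0] < 80 else [2, arcs[0] - 80]
    return ".".join(map(str, head + arcs[1:]))

def signature_algorithm(der):
    """Certificate ::= SEQUENCE { tbsCertificate, signatureAlgorithm, signatureValue }"""
    start, _ = read_tlv(der, 0)             # step into the outer SEQUENCE
    _, tbs_end = read_tlv(der, start)       # skip over tbsCertificate
    alg_start, _ = read_tlv(der, tbs_end)   # step into AlgorithmIdentifier
    oid = decode_oid(der[slice(*read_tlv(der, alg_start))])
    return SIG_ALGS.get(oid, oid)           # unknown OIDs are returned in dotted form

def audit_bundle(pem_text):
    """Return (position, algorithm, uses_sha1) for each certificate in a PEM bundle."""
    ders = (base64.b64decode(m.group(1)) for m in PEM_RE.finditer(pem_text))
    return [(i, alg, "sha1" in alg.lower()) for i, alg in enumerate(map(signature_algorithm, ders), 1)]

def constructed_cert(oid_bytes):
    """Constructed DER skeleton (not a real certificate): empty TBS, algorithm, empty signature."""
    alg = b"\x06" + bytes([len(oid_bytes)]) + oid_bytes + b"\x05\x00"
    body = b"\x30\x00\x30" + bytes([len(alg)]) + alg + b"\x03\x01\x00"
    der = b"\x30" + bytes([len(body)]) + body
    return "-----BEGIN CERTIFICATE-----\n%s\n-----END CERTIFICATE-----\n" % base64.b64encode(der).decode()

SAMPLE_BUNDLE = "".join(constructed_cert(bytes.fromhex("2a864886f70d0101" + x)) for x in ("0b", "05"))
```

To check a real bundle, pass the text of a file such as /etc/pki/katello/certs/katello-server-ca.crt to `audit_bundle`; the position in each tuple is the certificate's order within the file.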