Bug #10672

closed

Registering a content host fails (certificate verify failed)

Added by Justin Garrison over 9 years ago. Updated about 6 years ago.

Status: Rejected
Priority: High
Assignee: -
Category: -
Target version:
Difficulty:
Triaged:
Fixed in Releases:
Found in Releases:

Description

When registering a new content host to katello 2.2.0-5.el7 the command fails with the error

Unable to verify server's identity: certificate verify failed

I am using an activation key for registration and the katello server has custom certificates for the foreman web interface (internal ca signed). But after installing the katello-ca-consumer-latest.noarch.rpm the register command fails.

Actions #1

Updated by Eric Helms over 9 years ago

  • Translation missing: en.field_release set to 55
  • Triaged changed from No to Yes

Actions #2

Updated by Eric Helms over 9 years ago

  • Status changed from New to Need more information

In your scenario, did you add the custom certs post-install or during the initial installation?

Actions #3

Updated by Justin Garrison over 9 years ago

Custom certs were added post-install. The first install was done with the default certs.

Actions #4

Updated by Eric Helms about 9 years ago

  • Translation missing: en.field_release changed from 55 to 61

My attempts to replicate this have not been successful to date. Not sure what I might be missing with respect to how the custom certificates are generated. I used https://github.com/iNecas/ownca to generate and test.

Actions #5

Updated by Eric Helms about 9 years ago

  • Translation missing: en.field_release changed from 61 to 31

Actions #6

Updated by Justin Garrison about 9 years ago

I can't look at this for a while while I set up a different satellite instance. I will try again with the link you provided in a couple of weeks.

Actions #7

Updated by Stephen Benjamin about 9 years ago

  • Translation missing: en.field_release changed from 31 to 70

Actions #8

Updated by Justin Garrison almost 9 years ago

openssl s_client -connect katello:443 -CAfile /etc/rhsm/ca/katello-server-ca.pem

I get "Verify return code: 2 (unable to get issuer certificate)"

Looking at the katello-server-ca.pem I can see the cert was signed by our internal sub ca but the cert chain and ca don't appear to be trusted by rhsm.

Actions #9

Updated by Justin Garrison almost 9 years ago

Copying in our ca and chain files into /etc/rhsm/ca allowed my system to register.

Shouldn't katello-ca-consumer-latest rpm add those?
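The return code quoted in comment #8 can be reproduced offline. The following is an added example, not part of the original thread and not Katello code; the CA names, the host name and all file names in it are constructed. It builds a throwaway root CA, sub CA and server certificate, then shows that `openssl verify` reports code 2 when the trust bundle holds the sub CA but not the root that issued it, code 20 when the sub CA itself is missing, and code 0 once the bundle holds both.

```bash
#!/usr/bin/env bash
# Constructed demo: throwaway root CA -> sub CA -> server certificate,
# checked against different trust bundles with `openssl verify`.

new_csr() {  # $1 = file prefix, $2 = common name (constructed values)
  openssl req -new -newkey rsa:2048 -nodes -subj "/CN=$2" \
    -keyout "$1.key" -out "$1.csr" 2>/dev/null
}

# Writes root.pem (self-signed), sub.pem (issued by root) and
# srv.pem (issued by sub) into directory $1.
make_chain() {
  local d=$1
  echo 'basicConstraints=critical,CA:TRUE' > "$d/ca.ext"
  new_csr "$d/root" 'Demo Root CA' &&
  new_csr "$d/sub" 'Demo Sub CA' &&
  new_csr "$d/srv" 'katello.example.test' &&
  openssl x509 -req -in "$d/root.csr" -signkey "$d/root.key" -days 2 \
    -extfile "$d/ca.ext" -out "$d/root.pem" 2>/dev/null &&
  openssl x509 -req -in "$d/sub.csr" -CA "$d/root.pem" -CAkey "$d/root.key" \
    -CAcreateserial -days 2 -extfile "$d/ca.ext" -out "$d/sub.pem" 2>/dev/null &&
  openssl x509 -req -in "$d/srv.csr" -CA "$d/sub.pem" -CAkey "$d/sub.key" \
    -CAcreateserial -days 2 -out "$d/srv.pem" 2>/dev/null
}

# Prints 0 if certificate $2 verifies against bundle $1,
# otherwise the first X.509 verify error number openssl reports.
verify_code() {
  local out
  out=$(openssl verify -CAfile "$1" "$2" 2>&1) && { echo 0; return; }
  printf '%s\n' "$out" | sed -n 's/^error \([0-9][0-9]*\) at .*/\1/p' | head -n1
}

demo() {
  local d
  d=$(mktemp -d) || return 1
  make_chain "$d" || { rm -rf "$d"; return 1; }
  cat "$d/sub.pem" "$d/root.pem" > "$d/full.pem"
  echo "bundle: sub CA only   -> verify code $(verify_code "$d/sub.pem" "$d/srv.pem")"
  echo "bundle: root only     -> verify code $(verify_code "$d/root.pem" "$d/srv.pem")"
  echo "bundle: sub CA + root -> verify code $(verify_code "$d/full.pem" "$d/srv.pem")"
  rm -rf "$d"
}

demo
```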

Actions #10

Updated by Justin Sherrill almost 9 years ago

  • Translation missing: en.field_release changed from 70 to 86

Actions #11

Updated by Eric Helms over 8 years ago

  • Translation missing: en.field_release changed from 86 to 144

Actions #12

Updated by Justin Garrison over 8 years ago

What other information is needed? I think it'd be a good idea if the consumer cert rpm included the ca cert in /etc/rhsm/ca.
I haven't used this for a while so maybe it's fixed now.

Actions #13

Updated by Eric Helms about 8 years ago

  • Translation missing: en.field_release deleted (144)

Actions #14

Updated by Justin Sherrill about 8 years ago

"Copying in our ca and chain files into /etc/rhsm/ca allowed my system to register.

Shouldn't katello-ca-consumer-latest rpm add those?"

Yes, this should include the right certs. Can you upload the bootstrap rpm that does not?

Actions #15

Updated by Justin Garrison about 8 years ago

Sorry this ticket is really old. I don't have the rpm anymore nor do I have the installation of katello. If no one else is able to reproduce the bug we should probably close this ticket.

Actions #16

Updated by Justin Sherrill about 8 years ago

  • Status changed from Need more information to Rejected

Closing, please reopen if you still see the issue.

Actions #17

Updated by Justin Sherrill about 8 years ago

  • Translation missing: en.field_release set to 166