Bug #10672
closed
Registering a content host fails (certificate verify failed)
Description
When registering a new content host to katello 2.2.0-5.el7 the command fails with the error
Unable to verify server's identity: certificate verify failed
I am using an activation key for registration and the katello server has custom certificates for the foreman web interface (internal ca signed). But after installing the katello-ca-consumer-latest.noarch.rpm the register command fails.
Updated by Eric Helms over 9 years ago
- Triaged changed from No to Yes
Updated by Eric Helms over 9 years ago
- Status changed from New to Need more information
In your scenario, did you add the custom certs post-install or during the initial installation?
Updated by Justin Garrison over 9 years ago
Custom certs were added post-install. The first install was done with the default certs.
Updated by Eric Helms about 9 years ago
My attempts to replicate this have not been successful to date. Not sure what I might be missing with respect to how the custom certificates are generated. I used https://github.com/iNecas/ownca to generate and test.
Updated by Justin Garrison about 9 years ago
I can't look at this for a while while I set up a different satellite instance. I will try again with the link you provided in a couple of weeks.
Updated by Justin Garrison almost 9 years ago
openssl s_client -connect katello:443 -CAfile /etc/rhsm/ca/katello-server-ca.pem
I get "Verify return code: 2 (unable to get issuer certificate)"
Looking at the katello-server-ca.pem I can see the cert was signed by our internal sub ca but the cert chain and ca don't appear to be trusted by rhsm.
Updated by Justin Garrison almost 9 years ago
Copying in our ca and chain files into /etc/rhsm/ca allowed my system to register.
Shouldn't katello-ca-consumer-latest rpm add those?
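The symptom in the two comments above (verify return code 2, resolved by copying the CA and chain files into /etc/rhsm/ca) is what an incomplete CA bundle looks like. As an added example, not part of the ticket or of Katello, this shell check lists the certificates in a PEM bundle whose issuer is absent from it; the function names and the demo chain are constructed for illustration.

```shell
#!/bin/sh
# split_bundle BUNDLE OUTDIR: write each certificate to OUTDIR/cert-N.pem
split_bundle() {
    awk -v dir="$2" '
        /-----BEGIN CERTIFICATE-----/ { n++; out = dir "/cert-" n ".pem" }
        out { print > out }
        /-----END CERTIFICATE-----/ { close(out); out = "" }
    ' "$1"
}

# missing_issuers BUNDLE: print the subject of every certificate whose issuer
# name hash matches no subject name hash in the bundle. Prints nothing when
# every chain ends in a self-signed root. Matching is by name only; it does
# not check signatures.
missing_issuers() {
    tmp=$(mktemp -d) || return 1
    split_bundle "$1" "$tmp"
    subjects=$(for c in "$tmp"/cert-*.pem; do
        [ -e "$c" ] && openssl x509 -in "$c" -noout -subject_hash
    done)
    for c in "$tmp"/cert-*.pem; do
        [ -e "$c" ] || continue
        ih=$(openssl x509 -in "$c" -noout -issuer_hash)
        echo "$subjects" | grep -qx "$ih" || openssl x509 -in "$c" -noout -subject
    done
    rm -rf "$tmp"
}

# make_demo_chain DIR: constructed sample input, a throwaway root and a
# sub CA signed by it (no CA extensions; enough for name matching only).
make_demo_chain() {
    d=$1
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=Demo Root CA" \
        -keyout "$d/root.key" -out "$d/root.pem" 2>/dev/null
    openssl req -newkey rsa:2048 -nodes -subj "/CN=Demo Sub CA" \
        -keyout "$d/sub.key" -out "$d/sub.csr" 2>/dev/null
    openssl x509 -req -in "$d/sub.csr" -CA "$d/root.pem" -CAkey "$d/root.key" \
        -CAcreateserial -days 1 -out "$d/sub.pem" 2>/dev/null
}

# Usage: sh check.sh /etc/rhsm/ca/katello-server-ca.pem
if [ $# -gt 0 ]; then
    missing_issuers "$1"
fi
```

Any subject it prints names a certificate whose issuer still has to be added to the bundle before verification against that file alone can succeed.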
Updated by Justin Garrison over 8 years ago
What other information is needed? I think it'd be a good idea if the consumer cert rpm included the ca cert in /etc/rhsm/ca
I haven't used this for a while so maybe it's fixed now.
Updated by Justin Sherrill about 8 years ago
"Copying in our ca and chain files into /etc/rhsm/ca allowed my system to register.
Shouldn't katello-ca-consumer-latest rpm add those?"
Yes, this should include the right certs. Can you upload the bootstrap rpm that does not?
Updated by Justin Garrison about 8 years ago
Sorry this ticket is really old. I don't have the rpm anymore nor do I have the installation of katello. If no one else is able to reproduce the bug we should probably close this ticket.
Updated by Justin Sherrill about 8 years ago
- Status changed from Need more information to Rejected
Closing, please reopen if you still see the issue.