Bug #10672
closed
Registering a content host fails (certificate verify failed)
Added by Justin Garrison over 9 years ago.
Updated about 6 years ago.
Description
When registering a new content host to katello 2.2.0-5.el7 the command fails with the error
Unable to verify server's identity: certificate verify failed
I am using an activation key for registration and the katello server has custom certificates for the foreman web interface (internal ca signed). But after installing the katello-ca-consumer-latest.noarch.rpm the register command fails.
- Translation missing: en.field_release set to 55
- Triaged changed from No to Yes
- Status changed from New to Need more information
In your scenario, did you add the custom certs post-install or during the initial installation?
custom certs were added post-install. The first install was done with the default certs.
- Translation missing: en.field_release changed from 55 to 61
My attempts to replicate this have not been successful to date. Not sure what I might be missing with respect to how the custom certificates are generated. I used https://github.com/iNecas/ownca to generate and test.
- Translation missing: en.field_release changed from 61 to 31
I can't look at this for a while while I set up a different satellite instance. I will try again with the link you provided in a couple of weeks.
- Translation missing: en.field_release changed from 31 to 70
openssl s_client -connect katello:443 -CAfile /etc/rhsm/ca/katello-server-ca.pem
I get "Verify return code: 2 (unable to get issuer certificate)"
Looking at the katello-server-ca.pem I can see the cert was signed by our internal sub ca but the cert chain and ca don't appear to be trusted by rhsm.
Copying in our ca and chain files into /etc/rhsm/ca allowed my system to register.
Shouldn't katello-ca-consumer-latest rpm add those?
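The failure described in the comment above can be reproduced offline. The script below is an added example, not part of the original ticket or of Katello: it builds a constructed root CA, sub CA and server certificate (all names and file paths are hypothetical) and shows that a CA file holding only the sub CA does not verify the server certificate, while one holding the sub CA together with its root does.

```sh
#!/bin/sh
# Constructed demo PKI (hypothetical names): demo-root -> demo-sub -> server.

# issue DIR NAME [x509 signing args...]: new key + CSR, then a cert signed as requested
issue() {
    d=$1; n=$2; shift 2
    openssl req -new -newkey rsa:2048 -nodes -subj "/CN=$n" \
        -keyout "$d/$n.key" -out "$d/$n.csr" 2>/dev/null &&
    openssl x509 -req -in "$d/$n.csr" -days 2 -out "$d/$n.pem" "$@" 2>/dev/null
}

# build_chain DIR: self-signed root, sub CA signed by the root, server cert signed by the sub CA
build_chain() {
    d=$1
    printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign\n' > "$d/ca.ext"
    issue "$d" demo-root -signkey "$d/demo-root.key" -extfile "$d/ca.ext" &&
    issue "$d" demo-sub -CA "$d/demo-root.pem" -CAkey "$d/demo-root.key" \
        -CAcreateserial -extfile "$d/ca.ext" &&
    issue "$d" server -CA "$d/demo-sub.pem" -CAkey "$d/demo-sub.key" -CAcreateserial
}

# bundle_verifies BUNDLE CERT: succeeds only if CERT chains to a self-signed root via BUNDLE
bundle_verifies() {
    openssl verify -CAfile "$1" "$2" >/dev/null 2>&1
}

# Demo run: try three candidate CA files against the same server certificate.
work=$(mktemp -d)
build_chain "$work" || { echo "openssl failed to build the demo chain" >&2; exit 1; }
cat "$work/demo-sub.pem" "$work/demo-root.pem" > "$work/full.pem"
for b in demo-sub.pem demo-root.pem full.pem; do
    if bundle_verifies "$work/$b" "$work/server.pem"; then r=OK; else r=FAIL; fi
    echo "CAfile=$b -> $r"
done
rm -rf "$work"
```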
- Translation missing: en.field_release changed from 70 to 86
- Translation missing: en.field_release changed from 86 to 144
What other information is needed? I think it'd be a good idea if the consumer cert rpm included the ca cert in /etc/rhsm/ca
I haven't used this for a while so maybe it's fixed now.
- Translation missing: en.field_release deleted (144)
"Copying in our ca and chain files into /etc/rhsm/ca allowed my system to register.
Shouldn't katello-ca-consumer-latest rpm add those?"
Yes this should include the right certs, can you upload the bootstrap rpm that does not?
Sorry this ticket is really old. I don't have the rpm anymore nor do I have the installation of katello. If no one else is able to reproduce the bug we should probably close this ticket.
- Status changed from Need more information to Rejected
Closing, please reopen if you still see the issue.
- Translation missing: en.field_release set to 166