Bug #18730

Upgrading to katello 3.3 from 3.2 breaks pulp certificate verification

Added by Edward Clay over 5 years ago. Updated almost 4 years ago.

Target version:
Bugzilla link:
Fixed in Releases:
Found in Releases:
Red Hat JIRA:


Hello, I've run into an issue where after upgrading to katello 3.3 from 3.2 I get the following error when attempting to publish a content view.

There was an issue with the backend service pulp: SSL_connect returned=1 errno=0 state=SSLv3 read server certificate B: certificate verify failed

I wasn't getting this error before the upgrade. I setup 3rd party signed ssl certs in 3.2 and all worked well. I used the following command to install the signed certs and to resolve the candlepin error that ensued.

foreman-installer --scenario katello --certs-server-cert /etc/pki/tls/certs/il-foreman1_slc_westdc_net.crt --certs-server-cert-req /etc/pki/tls/private/ --certs-server-key /etc/pki/tls/private/ --certs-server-ca-cert /etc/pki/tls/certs/comodo-ca-bundle.crt --certs-server-ca-name comodo-ca --certs-update-server --certs-update-server-ca

Copy /root/ssl-build/katello-default-ca.crt to /etc/pki/ca-trust/source/anchors/ and rebuild the openssl ca certs with update-ca-trust. Due to chicken-and-egg issue, this may prevent a clean install using custom certs. After performing these steps, re-run the installer. It should complete correctly the second time through.

I've attempted to perform these same steps once the upgrade completed and I found the error. Looking at the /etc/foreman/plugins/katello.yaml I see the following for pulp.

:oauth_key: katello
:oauth_secret: qXZyiEhe8WqoCeTtPJqhpUGCPV65GmeL
:ca_cert_file: /etc/pki/katello/certs/katello-server-ca.crt

Originally this ca_cert_file was pointed at katello-server-ca.crt. Someone in IRC recommended changing this file. I see the following in the 05-foreman-ssl.conf in relations to ssl certs.

  1. SSL directives
    SSLEngine on
    SSLCertificateFile "/etc/pki/katello/certs/katello-apache.crt"
    SSLCertificateKeyFile "/etc/pki/katello/private/katello-apache.key"
    SSLCertificateChainFile "/etc/pki/katello/certs/katello-server-ca.crt"
    SSLCACertificateFile "/etc/pki/katello/certs/katello-default-ca.crt"
    SSLVerifyClient optional
    SSLVerifyDepth 3
    SSLOptions +StdEnvVars +ExportCertData

I've tried changing SSLCACertificateFile to "/etc/pki/katello/certs/katello-server-ca.crt" and restarted httpd and foreman-task. I still get the same error. It seems that something broke in the upgrade process and I'm not sure what else to check.

Related issues

Has duplicate Katello - Bug #18872: Katello with custom certificate. Pulp restclient error.Duplicate2017-03-12


#1 Updated by Oliver Weinmann over 5 years ago


same issues here on a fresh install of Katello 3.3.

It's a show stopper when using custom certs.

#2 Updated by Eric Helms over 5 years ago

  • Status changed from New to Closed
  • Legacy Backlogs Release (now unused) changed from 188 to 219
  • Pull request added

#3 Updated by Edward Clay over 5 years ago

I see we've closed this issue. Does this mean that version 3.3.1 will fix this?

It's becoming very frustrating that adding signed ssl certs to katello/foreman seems to cause so many problem. Is there any way to fix this on the current version or is compiling the latest from source the only option? Because right now I'm in a broken state.

#4 Updated by Edward Clay over 5 years ago

Would reverting to using the default self signed certs resolve these issues? If so what is the best method of doing this? Ive found this non foreman/katello/redhat web page that states a possible method.

#5 Updated by Oliver Weinmann over 5 years ago


commenting out the ca_cert_file line in /etc/foreman/plugins/katello.yaml solved the problem for me:

    :oauth_key: katello
    :oauth_secret: qXZyiEhe8WqoCeTtPJqhpUGCPV65GmeL
    #:ca_cert_file: /etc/pki/katello/certs/katello-server-ca.crt

Thanks to ehelms for this hint. :)

#6 Updated by Justin Sherrill over 5 years ago

  • Has duplicate Bug #18872: Katello with custom certificate. Pulp restclient error. added

Also available in: Atom PDF