Bug #18730 (Closed)
Upgrading to katello 3.3 from 3.2 breaks pulp certificate verification
Description
Hello, I've run into an issue where, after upgrading to Katello 3.3 from 3.2, I get the following error when attempting to publish a content view.
There was an issue with the backend service pulp: SSL_connect returned=1 errno=0 state=SSLv3 read server certificate B: certificate verify failed
I wasn't getting this error before the upgrade. I set up third-party signed SSL certs in 3.2 and all worked well. I used the following command to install the signed certs and to resolve the Candlepin error that ensued.
foreman-installer --scenario katello --certs-server-cert /etc/pki/tls/certs/il-foreman1_slc_westdc_net.crt --certs-server-cert-req /etc/pki/tls/private/il-foreman1.slc.westdc.net.csr --certs-server-key /etc/pki/tls/private/il-foreman1.slc.westdc.net.key --certs-server-ca-cert /etc/pki/tls/certs/comodo-ca-bundle.crt --certs-server-ca-name comodo-ca --certs-update-server --certs-update-server-ca
http://projects.theforeman.org/issues/16620
Copy /root/ssl-build/katello-default-ca.crt to /etc/pki/ca-trust/source/anchors/ and rebuild the openssl ca certs with update-ca-trust. Due to chicken-and-egg issue, this may prevent a clean install using custom certs. After performing these steps, re-run the installer. It should complete correctly the second time through.
I've attempted to perform these same steps once the upgrade completed, and I found the error. Looking at /etc/foreman/plugins/katello.yaml, I see the following for pulp.
:pulp:
  :url: https://il-foreman1.slc.westdc.net/pulp/api/v2/
  :oauth_key: katello
  :oauth_secret: qXZyiEhe8WqoCeTtPJqhpUGCPV65GmeL
  :ca_cert_file: /etc/pki/katello/certs/katello-server-ca.crt
Originally this ca_cert_file was pointed at katello-server-ca.crt. Someone in IRC recommended changing this file. I see the following in 05-foreman-ssl.conf in relation to SSL certs.
# SSL directives
SSLEngine on
SSLCertificateFile "/etc/pki/katello/certs/katello-apache.crt"
SSLCertificateKeyFile "/etc/pki/katello/private/katello-apache.key"
SSLCertificateChainFile "/etc/pki/katello/certs/katello-server-ca.crt"
SSLCACertificateFile "/etc/pki/katello/certs/katello-default-ca.crt"
SSLVerifyClient optional
SSLVerifyDepth 3
SSLOptions +StdEnvVars +ExportCertData
I've tried changing SSLCACertificateFile to "/etc/pki/katello/certs/katello-server-ca.crt" and restarting httpd and foreman-task. I still get the same error. It seems that something broke in the upgrade process, and I'm not sure what else to check.
Updated by Oliver Weinmann almost 8 years ago
Hi,
Same issues here on a fresh install of Katello 3.3.
It's a show stopper when using custom certs.
Updated by Eric Helms almost 8 years ago
- Status changed from New to Closed
- Release changed from 188 to 219
- Pull request https://github.com/Katello/puppet-katello/pull/166 added
Updated by Edward Clay almost 8 years ago
I see we've closed this issue. Does this mean that version 3.3.1 will fix this?
It's becoming very frustrating that adding signed SSL certs to Katello/Foreman seems to cause so many problems. Is there any way to fix this on the current version, or is compiling the latest from source the only option? Because right now I'm in a broken state.
Updated by Edward Clay almost 8 years ago
Would reverting to using the default self-signed certs resolve these issues? If so, what is the best method of doing this? I've found this non-Foreman/Katello/Red Hat web page that states a possible method.
http://mariopang.blogspot.com/2015/05/reset-from-custom-certs-to-self-signed.html
Updated by Oliver Weinmann almost 8 years ago
Hi,
Commenting out the ca_cert_file line in /etc/foreman/plugins/katello.yaml solved the problem for me:
:pulp:
  :url: https://il-foreman1.slc.westdc.net/pulp/api/v2/
  :oauth_key: katello
  :oauth_secret: qXZyiEhe8WqoCeTtPJqhpUGCPV65GmeL
  #:ca_cert_file: /etc/pki/katello/certs/katello-server-ca.crt
Thanks to ehelms for this hint. :)
Updated by Justin Sherrill almost 8 years ago
- Has duplicate Bug #18872: Katello with custom certificate. Pulp restclient error. added