Upgrading to katello 3.3 from 3.2 breaks pulp certificate verification
Hello, I've run into an issue where after upgrading to katello 3.3 from 3.2 I get the following error when attempting to publish a content view.
There was an issue with the backend service pulp: SSL_connect returned=1 errno=0 state=SSLv3 read server certificate B: certificate verify failed
I wasn't getting this error before the upgrade. I set up 3rd party signed ssl certs in 3.2 and all worked well. I used the following command to install the signed certs and to resolve the candlepin error that ensued.
foreman-installer --scenario katello --certs-server-cert /etc/pki/tls/certs/il-foreman1_slc_westdc_net.crt --certs-server-cert-req /etc/pki/tls/private/il-foreman1.slc.westdc.net.csr --certs-server-key /etc/pki/tls/private/il-foreman1.slc.westdc.net.key --certs-server-ca-cert /etc/pki/tls/certs/comodo-ca-bundle.crt --certs-server-ca-name comodo-ca --certs-update-server --certs-update-server-ca
Copy /root/ssl-build/katello-default-ca.crt to /etc/pki/ca-trust/source/anchors/ and rebuild the openssl ca certs with update-ca-trust. Due to chicken-and-egg issue, this may prevent a clean install using custom certs. After performing these steps, re-run the installer. It should complete correctly the second time through.
I've attempted to perform these same steps once the upgrade completed and I found the error. Looking at the /etc/foreman/plugins/katello.yaml I see the following for pulp.
Originally this ca_cert_file was pointed at katello-server-ca.crt. Someone in IRC recommended changing this file. I see the following in the 05-foreman-ssl.conf in relation to ssl certs.
- SSL directives
SSLOptions +StdEnvVars +ExportCertData
I've tried changing SSLCACertificateFile to "/etc/pki/katello/certs/katello-server-ca.crt" and restarted httpd and foreman-task. I still get the same error. It seems that something broke in the upgrade process and I'm not sure what else to check.
#3 Updated by Edward Clay over 5 years ago
I see we've closed this issue. Does this mean that version 3.3.1 will fix this?
It's becoming very frustrating that adding signed ssl certs to katello/foreman seems to cause so many problems. Is there any way to fix this on the current version or is compiling the latest from source the only option? Because right now I'm in a broken state.
#4 Updated by Edward Clay over 5 years ago
Would reverting to using the default self-signed certs resolve these issues? If so, what is the best method of doing this? I've found this non-foreman/katello/redhat web page that states a possible method.
#5 Updated by Oliver Weinmann over 5 years ago
Commenting out the ca_cert_file line in /etc/foreman/plugins/katello.yaml solved the problem for me:

:pulp:
  :url: https://il-foreman1.slc.westdc.net/pulp/api/v2/
  :oauth_key: katello
  :oauth_secret: qXZyiEhe8WqoCeTtPJqhpUGCPV65GmeL
  #:ca_cert_file: /etc/pki/katello/certs/katello-server-ca.crt
Thanks to ehelms for this hint. :)
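Added example (not from this issue or from the Katello project): the error in the original report and the workaround in comment #5 both come down to whether the CA file named by :ca_cert_file: in katello.yaml actually validates the certificate httpd serves. The POSIX shell script below reads that setting from a katello.yaml-style file (printing nothing when the line is commented out) and runs `openssl verify -CAfile` against a certificate. To run offline it builds its own throw-away CA, a second unrelated CA and a leaf certificate with openssl; those certificates, the hostname and the yaml snippet are constructed test material, and the function names are this example's own.

```shell
#!/bin/sh
# Added diagnostic example for "certificate verify failed" against a
# configured :ca_cert_file:. Requires openssl on PATH. Nothing here touches a
# real Katello installation; all certs are generated in a temp directory.
set -eu

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# make_ca BASENAME CN: self-signed CA (constructed test material).
make_ca() {
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=$2" \
    -keyout "$WORK/$1.key" -out "$WORK/$1.crt" >/dev/null 2>&1
}

# make_leaf CABASENAME BASENAME CN: leaf certificate signed by that CA.
make_leaf() {
  openssl req -newkey rsa:2048 -nodes -subj "/CN=$3" \
    -keyout "$WORK/$2.key" -out "$WORK/$2.csr" >/dev/null 2>&1
  openssl x509 -req -days 1 -in "$WORK/$2.csr" -CA "$WORK/$1.crt" \
    -CAkey "$WORK/$1.key" -CAcreateserial -out "$WORK/$2.crt" >/dev/null 2>&1
}

# ca_validates CAFILE CERT: exit 0 when CAFILE verifies CERT, 1 otherwise.
# This is the same check a client does before "SSL_connect ... verify failed".
ca_validates() {
  if openssl verify -CAfile "$1" "$2" >/dev/null 2>&1; then
    echo "ok: $(basename "$1") verifies $(basename "$2")"
  else
    echo "verify failed: $(basename "$1") does not verify $(basename "$2")"
    return 1
  fi
}

# configured_ca_file KATELLO_YAML: print the :ca_cert_file: path, or nothing
# when the line is absent or commented out (the workaround in comment #5).
configured_ca_file() {
  grep -E '^[[:space:]]*:ca_cert_file:' "$1" | awk '{print $2}'
}

demo() {
  if ! command -v openssl >/dev/null 2>&1; then
    echo "openssl not found; skipping demo"
    return 0
  fi
  make_ca issuing "Constructed Issuing CA"        # the CA that really signed the leaf
  make_ca other "Constructed Unrelated CA"        # a CA that did not
  make_leaf issuing leaf "il-foreman1.example.test"

  # Constructed katello.yaml snippet pointing at the unrelated CA.
  printf ':pulp:\n  :url: https://il-foreman1.example.test/pulp/api/v2/\n' > "$WORK/katello.yaml"
  printf '  :ca_cert_file: %s\n' "$WORK/other.crt" >> "$WORK/katello.yaml"

  ca=$(configured_ca_file "$WORK/katello.yaml")
  echo "configured ca_cert_file: ${ca:-<none, falls back to default trust>}"
  ca_validates "$ca" "$WORK/leaf.crt" || true          # reproduces the failure
  ca_validates "$WORK/issuing.crt" "$WORK/leaf.crt"    # the CA file that should be configured
}

demo
```

On a real host the same two functions can be pointed at the path from /etc/foreman/plugins/katello.yaml and at the certificate chain that httpd presents (for example the file named by SSLCertificateFile in 05-foreman-ssl.conf); if the configured CA file fails while the installer-generated one or the system trust store succeeds, the yaml setting is what to correct.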