Bug #18730


Upgrading to katello 3.3 from 3.2 breaks pulp certificate verification

Added by Edward Clay about 7 years ago. Updated almost 6 years ago.

Target version:
Fixed in Releases:
Found in Releases:


Hello, I've run into an issue where after upgrading to katello 3.3 from 3.2 I get the following error when attempting to publish a content view.

There was an issue with the backend service pulp: SSL_connect returned=1 errno=0 state=SSLv3 read server certificate B: certificate verify failed

I wasn't getting this error before the upgrade. I setup 3rd party signed ssl certs in 3.2 and all worked well. I used the following command to install the signed certs and to resolve the candlepin error that ensued.

foreman-installer --scenario katello --certs-server-cert /etc/pki/tls/certs/il-foreman1_slc_westdc_net.crt --certs-server-cert-req /etc/pki/tls/private/ --certs-server-key /etc/pki/tls/private/ --certs-server-ca-cert /etc/pki/tls/certs/comodo-ca-bundle.crt --certs-server-ca-name comodo-ca --certs-update-server --certs-update-server-ca

Copy /root/ssl-build/katello-default-ca.crt to /etc/pki/ca-trust/source/anchors/ and rebuild the openssl ca certs with update-ca-trust. Due to chicken-and-egg issue, this may prevent a clean install using custom certs. After performing these steps, re-run the installer. It should complete correctly the second time through.

I've attempted to perform these same steps once the upgrade completed and I found the error. Looking at the /etc/foreman/plugins/katello.yaml I see the following for pulp.

:oauth_key: katello
:oauth_secret: qXZyiEhe8WqoCeTtPJqhpUGCPV65GmeL
:ca_cert_file: /etc/pki/katello/certs/katello-server-ca.crt

Originally this ca_cert_file was pointed at katello-server-ca.crt. Someone in IRC recommended changing this file. I see the following in the 05-foreman-ssl.conf in relations to ssl certs.

  1. SSL directives
    SSLEngine on
    SSLCertificateFile "/etc/pki/katello/certs/katello-apache.crt"
    SSLCertificateKeyFile "/etc/pki/katello/private/katello-apache.key"
    SSLCertificateChainFile "/etc/pki/katello/certs/katello-server-ca.crt"
    SSLCACertificateFile "/etc/pki/katello/certs/katello-default-ca.crt"
    SSLVerifyClient optional
    SSLVerifyDepth 3
    SSLOptions +StdEnvVars +ExportCertData

I've tried changing SSLCACertificateFile to "/etc/pki/katello/certs/katello-server-ca.crt" and restarted httpd and foreman-task. I still get the same error. It seems that something broke in the upgrade process and I'm not sure what else to check.

Related issues 1 (0 open1 closed)

Has duplicate Katello - Bug #18872: Katello with custom certificate. Pulp restclient error.Duplicate03/12/2017Actions
Actions #1

Updated by Oliver Weinmann about 7 years ago


same issues here on a fresh install of Katello 3.3.

It's a show stopper when using custom certs.

Actions #2

Updated by Eric Helms about 7 years ago

  • Status changed from New to Closed
  • translation missing: en.field_release changed from 188 to 219
  • Pull request added
Actions #3

Updated by Edward Clay about 7 years ago

I see we've closed this issue. Does this mean that version 3.3.1 will fix this?

It's becoming very frustrating that adding signed ssl certs to katello/foreman seems to cause so many problem. Is there any way to fix this on the current version or is compiling the latest from source the only option? Because right now I'm in a broken state.

Actions #4

Updated by Edward Clay about 7 years ago

Would reverting to using the default self signed certs resolve these issues? If so what is the best method of doing this? Ive found this non foreman/katello/redhat web page that states a possible method.

Actions #5

Updated by Oliver Weinmann about 7 years ago


commenting out the ca_cert_file line in /etc/foreman/plugins/katello.yaml solved the problem for me:

    :oauth_key: katello
    :oauth_secret: qXZyiEhe8WqoCeTtPJqhpUGCPV65GmeL
    #:ca_cert_file: /etc/pki/katello/certs/katello-server-ca.crt

Thanks to ehelms for this hint. :)

Actions #6

Updated by Justin Sherrill about 7 years ago

  • Has duplicate Bug #18872: Katello with custom certificate. Pulp restclient error. added

Also available in: Atom PDF