Bug #18730

closed

Upgrading to katello 3.3 from 3.2 breaks pulp certificate verification

Added by Edward Clay about 8 years ago. Updated almost 7 years ago.

Status: Closed
Priority: Normal
Assignee: -
Category: -
Target version:
Difficulty:
Triaged:
Fixed in Releases:
Found in Releases:

Description

Hello, I've run into an issue where after upgrading to katello 3.3 from 3.2 I get the following error when attempting to publish a content view.

There was an issue with the backend service pulp: SSL_connect returned=1 errno=0 state=SSLv3 read server certificate B: certificate verify failed

I wasn't getting this error before the upgrade. I set up 3rd party signed ssl certs in 3.2 and all worked well. I used the following command to install the signed certs and to resolve the candlepin error that ensued.

    foreman-installer --scenario katello \
      --certs-server-cert /etc/pki/tls/certs/il-foreman1_slc_westdc_net.crt \
      --certs-server-cert-req /etc/pki/tls/private/il-foreman1.slc.westdc.net.csr \
      --certs-server-key /etc/pki/tls/private/il-foreman1.slc.westdc.net.key \
      --certs-server-ca-cert /etc/pki/tls/certs/comodo-ca-bundle.crt \
      --certs-server-ca-name comodo-ca \
      --certs-update-server --certs-update-server-ca

http://projects.theforeman.org/issues/16620

Copy /root/ssl-build/katello-default-ca.crt to /etc/pki/ca-trust/source/anchors/ and rebuild the openssl ca certs with update-ca-trust. Due to chicken-and-egg issue, this may prevent a clean install using custom certs. After performing these steps, re-run the installer. It should complete correctly the second time through.

I've attempted to perform these same steps once the upgrade completed and I found the error. Looking at the /etc/foreman/plugins/katello.yaml I see the following for pulp.

    :pulp:
      :url: https://il-foreman1.slc.westdc.net/pulp/api/v2/
      :oauth_key: katello
      :oauth_secret: qXZyiEhe8WqoCeTtPJqhpUGCPV65GmeL
      :ca_cert_file: /etc/pki/katello/certs/katello-server-ca.crt

Originally this ca_cert_file was pointed at katello-server-ca.crt. Someone in IRC recommended changing this file. I see the following in the 05-foreman-ssl.conf in relation to SSL certs.

    # SSL directives
    SSLEngine on
    SSLCertificateFile "/etc/pki/katello/certs/katello-apache.crt"
    SSLCertificateKeyFile "/etc/pki/katello/private/katello-apache.key"
    SSLCertificateChainFile "/etc/pki/katello/certs/katello-server-ca.crt"
    SSLCACertificateFile "/etc/pki/katello/certs/katello-default-ca.crt"
    SSLVerifyClient optional
    SSLVerifyDepth 3
    SSLOptions +StdEnvVars +ExportCertData

I've tried changing SSLCACertificateFile to "/etc/pki/katello/certs/katello-server-ca.crt" and restarted httpd and foreman-task. I still get the same error. It seems that something broke in the upgrade process and I'm not sure what else to check.
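A check for the failure described in this report, as an added example that is not part of the original bug report or the Katello project: it tests whether a given CA file validates a server certificate. The function names and the lab files (two CAs and a server certificate) are constructed stand-ins, not files from the reporter's host.

```shell
#!/usr/bin/env bash
# Added example (not from the bug report): test which CA file validates a
# server certificate, the condition behind "certificate verify failed".

# verifies_against CA_FILE CERT -> exit 0 only if CERT chains to CA_FILE.
# -no-CApath: do not also consult the system CA directory.
verifies_against() {
    openssl verify -no-CApath -CAfile "$1" "$2" >/dev/null 2>&1
}

# issuer_of CERT -> prints the issuer DN, to compare with the CA's subject.
issuer_of() {
    openssl x509 -in "$1" -noout -issuer
}

# make_lab DIR -> constructed stand-ins: an installer-style default CA, a
# third-party CA, and a server certificate signed by the third-party CA.
make_lab() {
    local d=$1 ca
    for ca in default-ca third-party-ca; do
        openssl req -x509 -newkey rsa:2048 -nodes -days 2 \
            -subj "/CN=constructed-$ca" \
            -keyout "$d/$ca.key" -out "$d/$ca.crt" 2>/dev/null || return 1
    done
    openssl req -newkey rsa:2048 -nodes -subj "/CN=foreman.example.test" \
        -keyout "$d/server.key" -out "$d/server.csr" 2>/dev/null || return 1
    openssl x509 -req -in "$d/server.csr" -days 2 \
        -CA "$d/third-party-ca.crt" -CAkey "$d/third-party-ca.key" \
        -CAcreateserial -out "$d/server.crt" 2>/dev/null || return 1
}

# report CA_FILE CERT -> one-line verdict for a CA/certificate pair.
report() {
    if verifies_against "$1" "$2"; then
        echo "OK    $2 chains to $1"
    else
        echo "FAIL  $2 does not chain to $1 ($(issuer_of "$2"))"
    fi
}

# Demo on the constructed files; on a real host pass the configured paths.
lab=$(mktemp -d)
make_lab "$lab" || { echo "openssl failed to build the lab" >&2; exit 1; }
report "$lab/third-party-ca.crt" "$lab/server.crt"
report "$lab/default-ca.crt" "$lab/server.crt"
```

On a Katello host the same `report` call would take the `:ca_cert_file:` path from katello.yaml and the `SSLCertificateFile` path from 05-foreman-ssl.conf; treating those two files as the relevant pair is an assumption based on the configuration shown above.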


Related issues 1 (0 open, 1 closed)

Has duplicate: Katello - Bug #18872: Katello with custom certificate. Pulp restclient error. (Duplicate, 03/12/2017)