Bug #18807
Katello 3.3 smart-proxy fresh install with custom certs broken? (closed)
Description
Hi,
For three days I've been trying to deploy a fresh Katello 3.3 with a smart-proxy using custom certs.
The main Katello server is running fine with the custom certs. Thanks to ehelms for pointing out the workaround to comment out the line in /etc/foreman/plugins/katello.yaml:
    :pulp:
      :url: https://katello.a.space.corp/pulp/api/v2/
      :oauth_key: katello
      :oauth_secret: aoZbfkgXidvUGUF5t7woLXZoEPpNEzwf
      #:ca_cert_file: /etc/pki/katello/certs/katello-default-ca.crt
Now the problem is that I can't get the proxy working.
I followed the installation instructions carefully but I just can't get it working. I assume it is because of the custom certs.
This is the error on the proxy:
[ERROR 2017-03-06 16:02:34 main] Proxy gedadvl02.a.space.corp cannot be registered: Unable to communicate with the proxy: ERF12-2530 [ProxyAPI::ProxyException]: Unable to detect features ([Errno::ECONNREFUSED]: Connection refused - connect(2) for "gedadvl02.a.space.corp" port 9090) for proxy https://gedadvl02.a.space.corp:9090/features Please check the proxy is configured and running on the host.
I checked and the proxy is running fine:
    [root@gedadvl02 ~]# service foreman-proxy status
    Redirecting to /bin/systemctl status foreman-proxy.service
    ● foreman-proxy.service - Foreman Proxy
       Loaded: loaded (/usr/lib/systemd/system/foreman-proxy.service; enabled; vendor preset: disabled)
       Active: active (running) since Mon 2017-03-06 16:02:34 CET; 29min ago
     Main PID: 9064 (ruby)
       CGroup: /system.slice/foreman-proxy.service
               └─9064 ruby /usr/share/foreman-proxy/bin/smart-proxy
The strange thing is that running openssl against the proxy from the main Katello server works fine:
    openssl s_client -connect gedadvl02.a.space.corp:9090
    Verify return code: 0 (ok)
But from the proxy I get a validation error:
Verify return code: 19 (self signed certificate in certificate chain)
If I run the smart-proxy install command again, the error is different:
/Stage[main]/Foreman_proxy::Register/Foreman_smartproxy[gedadvl02.a.space.corp]/ensure: change from absent to present failed: Proxy gedadvl02.a.space.corp cannot be registered: Unable to communicate with the proxy: ERF12-2530 [ProxyAPI::ProxyException]: Unable to detect features ([RestClient::SSLCertificateNotVerified]: SSL_connect returned=1 errno=0 state=SSLv3 read server certificate B: certificate verif...) for proxy https://gedadvl02.a.space.corp:9090/features Please check the proxy is configured and running on the host.
Updated by Justin Sherrill almost 8 years ago
- Category set to Installer
- Release set to 226
Updated by Eric Helms almost 8 years ago
- Status changed from New to Need more information
Can you re-test with Katello 3.3.1?
Updated by Justin Sherrill almost 8 years ago
- Status changed from Need more information to Rejected
Going ahead and closing this, as we believe it was resolved in 3.3.1. Please reopen if you can reproduce on 3.3.1.
Updated by prem prakash over 6 years ago
- Release changed from 226 to 351
Same as the above issue with a self-signed certificate.
Katello 3.5
Proxy vio-openstack3.njrar.tus.ams1907.com cannot be registered: Unable to communicate with the proxy: ERF12-2530 [ProxyAPI::ProxyException]: Unable to detect features ([RestClient::SSLCertificateNotVerified]: SSL_connect returned=1 errno=0 state=error: certificate verify failed) for proxy https://vio-openstack3.xxx.xxx.xxx.com:9090/features Please check the proxy is configured and running on the host.
Even commenting out the pulp cert in /etc/foreman/plugins/katello.yaml is not working:
/Stage[main]/Foreman_proxy::Register/Foreman_smartproxy[vio-openstack3.xxx.xxx.xxx.com]/ensure: change from absent to present failed: Proxy vio-openstack3.xxx.xxx.xxx.com cannot be registered: Unable to communicate with the proxy: ERF12-2530 [ProxyAPI::ProxyException]: Unable to detect features ([RestClient::SSLCertificateNotVerified]: SSL_connect returned=1 errno=0 state=error: certificate verify failed) for proxy https://vio-openstack3.xxx.xxx.xxx.com:9090/features Please check the proxy is configured and running on the host.
Tried this on the Katello server:
[root@openstack9 ~]# wget https://vio-openstack3.xxx.xxx.xxx.com:9090/features
--2018-04-24 09:18:41-- https://vio-openstack3.xxx.xxx.xxx.com:9090/features
Resolving vio-openstack3.xxx.xxx.xxx.com (vio-openstack3.xxx.xxx.xxx.com)... 10.245.213.125
Connecting to vio-openstack3.xxx.xxx.xxx.com (vio-openstack3.xxx.xxx.xxx.com)|10.245.213.125|:9090... connected.
ERROR: cannot verify vio-openstack3.xxx.xxx.xxx.com's certificate, issued by ‘/C=US/ST=North Carolina/L=Raleigh/O=Default_Organization/OU=SomeOrgUnit/CN=openstack9.xxx.xxx.xxx.com’:
Self-signed certificate encountered.
To connect to vio-openstack3.xxx.xxx.xxx.com insecurely, use `--no-check-certificate'.
[root@openstack9 ~]# wget https://vio-openstack3.xxx.xxx.xxx.com:9090/features --no-check-certificate
--2018-04-24 09:49:25-- https://vio-openstack3.xxx.xxx.xxx.com:9090/features
Resolving vio-openstack3.xxx.xxx.xxx.com (vio-openstack3.xxx.xxx.xxx.com)... 10.245.213.125
Connecting to vio-openstack3.xxx.xxx.xxx.com (vio-openstack3.xxx.xxx.xxx.com)|10.245.213.125|:9090... connected.
WARNING: cannot verify vio-openstack3.xxx.xxx.xxx.com's certificate, issued by ‘/C=US/ST=North Carolina/L=Raleigh/O=Default_Organization/OU=SomeOrgUnit/CN=openstack9.njrar.tus.ams1907.com’:
Self-signed certificate encountered.
HTTP request sent, awaiting response... 200 OK
Length: 58 [application/json]
Saving to: ‘features’
100%[=======================================================================================>] 58 --.-K/s in 0.04s
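Both reports above end with Foreman unable to verify the proxy's certificate on port 9090 while a plain `openssl s_client` or `wget --no-check-certificate` still connects. The script below is an added diagnostic (not code from the Foreman/Katello project or from either reporter): it repeats the handshake from the shell against a chosen trust anchor and parses the `Verify return code` line the first reporter quotes, so the mismatch between the system store and the CA that actually signed the proxy certificate becomes visible. It assumes openssl(1) is installed; the custom-CA path in the usage comment is a placeholder.

```shell
#!/bin/sh
# Added diagnostic, not part of Foreman/Katello: reproduce from the shell the
# certificate check Foreman's RestClient performs when it fetches
# https://PROXY:9090/features, and summarise the outcome on one line.
# Assumes openssl(1) is installed; CA file paths below are examples only.

# Numeric "Verify return code" from openssl s_client output on stdin
# (0 = ok, 19 = self signed certificate in certificate chain, as in the report).
verify_code_of() {
    sed -n 's/^ *Verify return code: \([0-9][0-9]*\).*/\1/p' | head -n 1
}

# Human-readable reason given in parentheses on the same line.
verify_reason_of() {
    sed -n 's/^ *Verify return code: [0-9]* (\(.*\)).*/\1/p' | head -n 1
}

# Number of certificates the server sent (from -showcerts output on stdin);
# 1 for a CA-signed leaf means the intermediate CA is not being served.
chain_length_of() {
    grep -c -- '-----BEGIN CERTIFICATE-----' || true
}

# check_proxy_tls HOST [PORT] [CAFILE]: handshake with HOST:PORT trusting CAFILE
# (system trust store when omitted); prints a summary, exit 0 only if verified.
# An empty code means no TLS handshake happened (e.g. connection refused).
check_proxy_tls() {
    host=$1; port=${2:-9090}; cafile=$3
    if [ -n "$cafile" ]; then
        out=$(openssl s_client -connect "$host:$port" -servername "$host" \
                  -CAfile "$cafile" -showcerts </dev/null 2>/dev/null)
    else
        out=$(openssl s_client -connect "$host:$port" -servername "$host" \
                  -showcerts </dev/null 2>/dev/null)
    fi
    code=$(printf '%s\n' "$out" | verify_code_of)
    reason=$(printf '%s\n' "$out" | verify_reason_of)
    chain=$(printf '%s\n' "$out" | chain_length_of)
    printf '%s:%s verify=%s reason="%s" chain=%s trust=%s\n' \
        "$host" "$port" "${code:-none}" "$reason" "$chain" "${cafile:-system}"
    [ "$code" = "0" ]
}

# Usage on the Katello server: first the system store (what the reporter's
# plain openssl call used), then the CA that signed the proxy certificate.
# check_proxy_tls gedadvl02.a.space.corp 9090
# check_proxy_tls gedadvl02.a.space.corp 9090 /etc/pki/katello/certs/katello-default-ca.crt
# check_proxy_tls gedadvl02.a.space.corp 9090 /path/to/custom-ca.crt   # placeholder path
```

Run it from the Katello server and again from the proxy host against the Katello server's own port; a result that verifies with `-CAfile` but not with the system store points at a trust-store gap rather than a broken certificate.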