Bug #18807

Katello 3.3 smart-proxy-fresh install with custom certs broken?

Added by Oliver Weinmann over 5 years ago. Updated almost 4 years ago.

Status: Rejected
Priority: Normal
Assignee: -
Category: Installer

Description

Hi,

For three days I have been trying to deploy a fresh Katello 3.3 with a smart-proxy using custom certs.

The main Katello server is running fine with the custom certs. Thanks to ehelms for pointing out the workaround to comment out the line in /etc/foreman/plugins/katello.yaml:

:pulp:
    :url: https://katello.a.space.corp/pulp/api/v2/
    :oauth_key: katello
    :oauth_secret: aoZbfkgXidvUGUF5t7woLXZoEPpNEzwf
    #:ca_cert_file: /etc/pki/katello/certs/katello-default-ca.crt

Now the problem is that I can't get the proxy working.

I followed the installation instructions carefully but I just can't get it working. I assume it is because of the custom certs.

This is the error on the proxy:

[ERROR 2017-03-06 16:02:34 main]  Proxy gedadvl02.a.space.corp cannot be registered: Unable to communicate with the proxy: ERF12-2530 [ProxyAPI::ProxyException]: Unable to detect features ([Errno::ECONNREFUSED]: Connection refused - connect(2) for "gedadvl02.a.space.corp" port 9090) for proxy https://gedadvl02.a.space.corp:9090/features Please check the proxy is configured and running on the host.

I checked and the proxy is running fine:

[root@gedadvl02 ~]# service foreman-proxy status
Redirecting to /bin/systemctl status  foreman-proxy.service
● foreman-proxy.service - Foreman Proxy
   Loaded: loaded (/usr/lib/systemd/system/foreman-proxy.service; enabled; vendor preset: disabled)
   Active: active (running) since Mon 2017-03-06 16:02:34 CET; 29min ago
 Main PID: 9064 (ruby)
   CGroup: /system.slice/foreman-proxy.service
           └─9064 ruby /usr/share/foreman-proxy/bin/smart-proxy

The strange thing is running openssl against the proxy from the main katello server works fine:

openssl s_client -connect gedadvl02.a.space.corp:9090

Verify return code: 0 (ok)

But from the proxy I get a validation error:

Verify return code: 19 (self signed certificate in certificate chain)

If I run the smart-proxy install command again, the error is now different:

/Stage[main]/Foreman_proxy::Register/Foreman_smartproxy[gedadvl02.a.space.corp]/ensure: change from absent to present failed: Proxy gedadvl02.a.space.corp cannot be registered: Unable to communicate with the proxy: ERF12-2530 [ProxyAPI::ProxyException]: Unable to detect features ([RestClient::SSLCertificateNotVerified]: SSL_connect returned=1 errno=0 state=SSLv3 read server certificate B: certificate verif...) for proxy https://gedadvl02.a.space.corp:9090/features Please check the proxy is configured and running on the host.
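An added example, not part of the original report and not Foreman or Katello code: the two `Verify return code` values quoted above (0 and 19) depend on which CAs the verifying side trusts, not on the proxy certificate alone. This Ruby sketch builds two constructed CAs and a constructed proxy certificate in memory (all names are assumptions) and verifies the same certificate against different trust stores.

```ruby
require "openssl"

# Build a certificate; self-signed when no issuer is given. All names are constructed.
def make_cert(cn, key, serial, issuer_cert: nil, issuer_key: nil, ca: false)
  cert = OpenSSL::X509::Certificate.new
  cert.version = 2 # X.509 v3
  cert.serial = serial
  cert.subject = OpenSSL::X509::Name.parse("/CN=#{cn}")
  cert.issuer = issuer_cert ? issuer_cert.subject : cert.subject
  cert.public_key = key.public_key
  cert.not_before = Time.now - 60
  cert.not_after = Time.now + 3600
  ef = OpenSSL::X509::ExtensionFactory.new(issuer_cert || cert, cert)
  cert.add_extension(ef.create_extension("basicConstraints", ca ? "CA:TRUE" : "CA:FALSE", true))
  cert.sign(issuer_key || key, OpenSSL::Digest.new("SHA256"))
  cert
end

# Verify `leaf` the way a TLS client does: `trusted` is the client's CA store,
# `sent_chain` is whatever extra certificates the server presented.
def verify_code(leaf, trusted, sent_chain)
  store = OpenSSL::X509::Store.new
  trusted.each { |ca| store.add_cert(ca) }
  ctx = OpenSSL::X509::StoreContext.new(store, leaf, sent_chain)
  ctx.verify
  ctx.error # numeric code, the same number openssl s_client prints as "Verify return code"
end

def scenario
  custom_key, default_key, proxy_key = Array.new(3) { OpenSSL::PKey::RSA.new(2048) }
  custom_ca  = make_cert("Constructed Custom CA", custom_key, 1, ca: true)
  default_ca = make_cert("Constructed Default CA", default_key, 2, ca: true)
  proxy = make_cert("proxy.example.test", proxy_key, 3, issuer_cert: custom_ca, issuer_key: custom_key)
  {
    # Client store contains the CA that signed the proxy certificate.
    client_trusts_custom_ca: verify_code(proxy, [custom_ca], [custom_ca]),
    # Client store holds a different CA; the server sent its self-signed root.
    client_trusts_only_default_ca: verify_code(proxy, [default_ca], [custom_ca]),
    # Same client, but the server sent only the leaf certificate.
    same_client_leaf_only: verify_code(proxy, [default_ca], []),
  }
end

scenario.each { |name, code| puts "#{name}: verify code #{code}" }
```

Code 19 means the chain was built up to a self-signed root that is absent from the verifier's store, so the check to make on the failing host is which CA file its client actually loads.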

History

#1 Updated by Justin Sherrill over 5 years ago

  • Category set to Installer
  • Legacy Backlogs Release (now unused) set to 226

#2 Updated by Eric Helms over 5 years ago

  • Status changed from New to Need more information

Can you re-test with Katello 3.3.1?

#3 Updated by Justin Sherrill over 5 years ago

  • Status changed from Need more information to Rejected

Going ahead and closing this, as we believe it was resolved in 3.3.1. Please reopen if you can reproduce on 3.3.1.

#4 Updated by prem prakash about 4 years ago

  • Legacy Backlogs Release (now unused) changed from 226 to 351

Same issue as above with a self-signed certificate.

Katello 3.5

Proxy vio-openstack3.njrar.tus.ams1907.com cannot be registered: Unable to communicate with the proxy: ERF12-2530 [ProxyAPI::ProxyException]: Unable to detect features ([RestClient::SSLCertificateNotVerified]: SSL_connect returned=1 errno=0 state=error: certificate verify failed) for proxy https://vio-openstack3.xxx.xxx.xxx.com:9090/features Please check the proxy is configured and running on the host.

Even commenting out the pulp cert in this file, /etc/foreman/plugins/katello.yaml, is not working.

/Stage[main]/Foreman_proxy::Register/Foreman_smartproxy[vio-openstack3.xxx.xxx.xxx.com]/ensure: change from absent to present failed: Proxy vio-openstack3.xxx.xxx.xxx.com cannot be registered: Unable to communicate with the proxy: ERF12-2530 [ProxyAPI::ProxyException]: Unable to detect features ([RestClient::SSLCertificateNotVerified]: SSL_connect returned=1 errno=0 state=error: certificate verify failed) for proxy https://vio-openstack3.xxx.xxx.xxx.com:9090/features Please check the proxy is configured and running on the host.

Tried this on the Katello server:
[root@openstack9 ~]# wget https://vio-openstack3.xxx.xxx.xxx.com:9090/features
--2018-04-24 09:18:41-- https://vio-openstack3.xxx.xxx.xxx.com:9090/features
Resolving vio-openstack3.xxx.xxx.xxx.com (vio-openstack3.xxx.xxx.xxx.com)... 10.245.213.125
Connecting to vio-openstack3.xxx.xxx.xxx.com (vio-openstack3.xxx.xxx.xxx.com)|10.245.213.125|:9090... connected.
ERROR: cannot verify vio-openstack3.xxx.xxx.xxx.com's certificate, issued by ‘/C=US/ST=North Carolina/L=Raleigh/O=Default_Organization/OU=SomeOrgUnit/CN=openstack9.xxx.xxx.xxx.com’:
Self-signed certificate encountered.
To connect to vio-openstack3.xxx.xxx.xxx.com insecurely, use `--no-check-certificate'.

[root@openstack9 ~]# wget https://vio-openstack3.xxx.xxx.xxx.com:9090/features --no-check-certificate
--2018-04-24 09:49:25-- https://vio-openstack3.xxx.xxx.xxx.com:9090/features
Resolving vio-openstack3.xxx.xxx.xxx.com (vio-openstack3.xxx.xxx.xxx.com)... 10.245.213.125
Connecting to vio-openstack3.xxx.xxx.xxx.com (vio-openstack3.xxx.xxx.xxx.com)|10.245.213.125|:9090... connected.
WARNING: cannot verify vio-openstack3.xxx.xxx.xxx.com's certificate, issued by ‘/C=US/ST=North Carolina/L=Raleigh/O=Default_Organization/OU=SomeOrgUnit/CN=openstack9.njrar.tus.ams1907.com’:
Self-signed certificate encountered.
HTTP request sent, awaiting response... 200 OK
Length: 58 [application/json]
Saving to: ‘features’

100%[=======================================================================================>] 58 --.-K/s in 0.04s
