
Bug #23757

closed

Puppetmaster cannot push node facts to Katello master when custom SSL certificates are configured.

Added by Simon Thomson almost 6 years ago. Updated over 5 years ago.

Status:
Rejected
Priority:
Normal
Assignee:
-
Category:
Installer
Target version:
-
Difficulty:
Triaged:
Yes
Fixed in Releases:
Found in Releases:

Description

Configuration: Puppetmaster and Katello master are separate servers. Puppet is not installed at all on the Katello master. Puppet Smart Proxy is installed and running on the Puppetmaster. Custom SSL certificates have been configured via "foreman-installer" as per https://github.com/Katello/katello-installer#certificates.

Issue: After a fresh install and after each subsequent run of "foreman-installer --scenario katello" the Puppetmaster will fail to send node facts to Katello. This causes puppet runs to fail.
On the Puppetmaster:

  1. sudo -u puppet /etc/puppetlabs/puppet/node.rb node.domain.internal
    SSL_connect returned=1 errno=0 state=SSLv3 read server session ticket A: tlsv1 alert unknown ca

On the Katello host:

> /var/log/httpd/foreman-ssl_error_ssl.log <
[Wed May 30 11:48:46.211497 2018] [ssl:error] [pid 18501] [client 10.1.105.16:50868] AH02039: Certificate Verification: Error (19): self signed certificate in certificate chain.

Workaround:

The issue seems to be that Apache is attempting to use SSLCACertificateFile "/etc/pki/katello/certs/katello-default-ca.crt" to authenticate the API request from the puppetmaster.
Puppet uses puppet certs and katello-default-ca.crt did not sign the puppet certs. As the cert referenced by the SSLCACertificateFile directive does not need to contain a certificate chain we can add the katello-server-ca.crt to katello-default-ca.crt and the client authentication will work.

  1. cat katello-server-ca.crt >> katello-default-ca.crt
  2. systemctl reload httpd

Other issues:

1. katello-default-ca.crt is recreated at each run of foreman-installer so node reports break again.
2. The workaround above breaks Candlepin. This is because the katello-default-ca.crt stored in candlepin.truststore now differs from the katello-default-ca.crt in use.

Delete candlepin.truststore and re-run foreman-installer to create an updated one.

  1. mv /etc/candlepin/certs/amqp{,_backup-`date +%F`}
  2. foreman-installer --scenario katello

The workaround to the original issue will then need to be reapplied, candlepin will not be affected this time.
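The two procedures above (append the Puppet CA to the bundle Apache trusts for client certificates, then watch for the installer regenerating that bundle) can be checked without touching a live Katello host. The script below is an added example and is not part of this bug report or of the Katello project: it builds a throwaway PKI with two unrelated self-signed CAs (standing in for katello-default-ca.crt and the CA that signed the puppetmaster's certificate), emulates Apache's client-certificate check with `openssl verify`, and shows that the check fails until the issuing CA is appended to the bundle. It also computes a fingerprint of the bundle's first certificate, which is the cheap way to notice that `foreman-installer` replaced the file (the cause of both "other issues"). It assumes only that the `openssl` CLI is on PATH; every file name and subject in it is constructed for the demo.

```shell
#!/bin/sh
# Added example, not code from the bug report or from Katello. Reproduces the
# "unknown ca" / "self signed certificate in certificate chain" failure with a
# throwaway PKI, then shows that appending the issuing CA to the bundle used as
# SSLCACertificateFile makes the client certificate verify.
# Assumes the openssl CLI is on PATH. All file names and subjects are constructed.
set -eu

# Build a throwaway PKI under $1: two unrelated self-signed CAs (stand-ins for
# katello-default-ca.crt and the Puppet CA) and a client cert signed by the latter.
make_demo_pki() {
    dir="$1"
    mkdir -p "$dir"
    # CA that Apache trusts for client authentication (SSLCACertificateFile)
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
        -keyout "$dir/default-ca.key" -out "$dir/default-ca.crt" \
        -subj "/CN=demo-default-ca" >/dev/null 2>&1
    # CA that actually issued the client (puppetmaster) certificate
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
        -keyout "$dir/puppet-ca.key" -out "$dir/puppet-ca.crt" \
        -subj "/CN=demo-puppet-ca" >/dev/null 2>&1
    # Client certificate signed by the Puppet CA
    openssl req -newkey rsa:2048 -nodes -keyout "$dir/client.key" \
        -out "$dir/client.csr" -subj "/CN=puppetmaster.demo.internal" >/dev/null 2>&1
    openssl x509 -req -days 1 -in "$dir/client.csr" -CA "$dir/puppet-ca.crt" \
        -CAkey "$dir/puppet-ca.key" -CAcreateserial -out "$dir/client.crt" >/dev/null 2>&1
}

# Emulate Apache's client-cert check. $1 = trust anchors (the SSLCACertificateFile
# bundle), $2 = chain the client presents alongside its leaf, $3 = client leaf.
# -no-CApath keeps the system store out of the picture, as Apache's single-file
# trust set would. Prints "trusted" or "untrusted" and always exits 0, so callers
# running under set -e can branch on the result.
check_client_trust() {
    if openssl verify -no-CApath -CAfile "$1" -untrusted "$2" "$3" >/dev/null 2>&1; then
        echo trusted
    else
        echo untrusted
    fi
}

# SHA-256 fingerprint of the first certificate in a file. Record it after applying
# the workaround; a different value later means the installer regenerated the CA,
# which is when node reports break again and the Candlepin truststore drifts.
ca_fingerprint() {
    openssl x509 -in "$1" -noout -fingerprint -sha256 | sed 's/^.*=//'
}

# Number of certificates in a bundle; shows whether the appended CA is still there.
bundle_cert_count() {
    grep -c -- '-----BEGIN CERTIFICATE-----' "$1" || true
}

demo() {
    work="$(mktemp -d)"
    make_demo_pki "$work"
    echo "before append: $(check_client_trust "$work/default-ca.crt" "$work/puppet-ca.crt" "$work/client.crt")"
    echo "bundle fingerprint: $(ca_fingerprint "$work/default-ca.crt")"
    # The workaround from the report: append the issuing CA to the trusted bundle.
    cat "$work/puppet-ca.crt" >> "$work/default-ca.crt"
    echo "after append:  $(check_client_trust "$work/default-ca.crt" "$work/puppet-ca.crt" "$work/client.crt")"
    echo "certs in bundle: $(bundle_cert_count "$work/default-ca.crt")"
    rm -rf "$work"
}

demo
```

Two things the run makes visible: the leaf only verifies once its issuer is a trust anchor, which is exactly what appending to SSLCACertificateFile changes (and it widens the set of CAs whose client certificates the Foreman API will accept, so the bundle deserves the same care as any other trust store); and the fingerprint of the first certificate is unchanged by the append, so a later change in that value is a reliable sign that the installer replaced katello-default-ca.crt and the workaround needs reapplying.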

Actions #1

Updated by John Mitsch almost 6 years ago

  • Release set to 349
Actions #2

Updated by Greg Sutcliffe over 5 years ago

  • Triaged set to No
  • Found in Releases Katello 3.5.2 added
Actions #3

Updated by Jonathon Turel over 5 years ago

  • Status changed from New to Need more information
  • Target version deleted (Katello 3.8.0)
  • Triaged changed from Yes to No

Hey Simon,

We think that this issue should be resolved in newer versions - perhaps you can give Katello 3.7 a try and see if that fixes the problem for you.

Actions #4

Updated by Simon Thomson over 5 years ago

Hi Jonathon,

We are in the midst of implementing Foreman 1.16/Katello 3.5.2 in production. Once we have it in I will build a test environment with Foreman 1.18/Katello 3.7 and report back on the status of this issue.

Actions #5

Updated by Justin Sherrill over 5 years ago

  • Status changed from Need more information to Rejected
  • Triaged changed from No to Yes

Going ahead and closing this. Feel free to reopen or ask for it to be reopened if you still find that this is an issue.
