Bug #23757 (closed)
Puppetmaster cannot push node facts to Katello master when custom SSL certificates are configured.
Description
Configuration: Puppetmaster and Katello master are separate servers. Puppet is not installed at all on the Katello master. Puppet Smart Proxy is installed and running on the Puppetmaster. Custom SSL certificates have been configured via "foreman-installer" as per https://github.com/Katello/katello-installer#certificates.
Issue: After a fresh install and after each subsequent run of "foreman-installer --scenario katello" the Puppetmaster will fail to send node facts to Katello. This causes puppet runs to fail.
On the Puppetmaster:
- sudo -u puppet /etc/puppetlabs/puppet/node.rb node.domain.internal
SSL_connect returned=1 errno=0 state=SSLv3 read server session ticket A: tlsv1 alert unknown ca
On the Katello host:
- /var/log/httpd/foreman-ssl_error_ssl.log
[Wed May 30 11:48:46.211497 2018] [ssl:error] [pid 18501] [client 10.1.105.16:50868] AH02039: Certificate Verification: Error (19): self signed certificate in certificate chain.
Workaround:
The issue seems to be that Apache is attempting to use SSLCACertificateFile "/etc/pki/katello/certs/katello-default-ca.crt" to authenticate the API request from the Puppetmaster.
Puppet uses Puppet certs, and katello-default-ca.crt did not sign the Puppet certs. As the file referenced by the SSLCACertificateFile directive does not need to contain a certificate chain, we can add katello-server-ca.crt to katello-default-ca.crt and the client authentication will work.
- cat katello-server-ca.crt >> katello-default-ca.crt
- systemctl reload httpd
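To reproduce the client-certificate verification failure and the effect of the append workaround without a Katello install, here is an added shell example; it is not from the bug report or from the Katello project. It builds two throwaway CAs standing in for katello-default-ca.crt and katello-server-ca.crt, issues a client cert from the second one (as the Puppetmaster's cert is), and runs openssl verify against the SSLCACertificateFile bundle before and after the server CA is appended. All file and CN names are constructed, and the only requirement is the openssl command line.

```shell
#!/bin/sh
# Added demonstration of the SSLCACertificateFile bundle problem (constructed,
# not from the bug report). All certificates below are throwaway test material.
set -e

# make_ca DIR NAME : create a self-signed CA (constructed, 1-day validity)
make_ca() {
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
    -keyout "$1/$2.key" -out "$1/$2.crt" -subj "/CN=$2" >/dev/null 2>&1
}

# issue_leaf DIR CA NAME : create a client cert NAME signed by CA
issue_leaf() {
  openssl req -new -newkey rsa:2048 -nodes \
    -keyout "$1/$3.key" -out "$1/$3.csr" -subj "/CN=$3" >/dev/null 2>&1
  openssl x509 -req -days 1 -in "$1/$3.csr" \
    -CA "$1/$2.crt" -CAkey "$1/$2.key" -CAcreateserial \
    -out "$1/$3.crt" >/dev/null 2>&1
}

# verifies_against BUNDLE CERT : exit 0 only if CERT chains to a CA in BUNDLE.
# The "<file>: OK" line is checked instead of the exit code, which older
# openssl releases did not set reliably for verify failures.
verifies_against() {
  openssl verify -CAfile "$1" "$2" 2>&1 | grep -q ': OK$'
}

# demo_workaround : exit 0 when behaviour matches the report, i.e. the client
# cert fails against the default CA alone and passes once the server CA that
# actually signed it has been appended to the same bundle file.
demo_workaround() {
  d=$(mktemp -d)
  make_ca "$d" default-ca          # stand-in for katello-default-ca.crt
  make_ca "$d" server-ca           # stand-in for katello-server-ca.crt
  issue_leaf "$d" server-ca puppetmaster   # stand-in for the Puppet cert
  cp "$d/default-ca.crt" "$d/bundle.crt"   # what SSLCACertificateFile points at

  if verifies_against "$d/bundle.crt" "$d/puppetmaster.crt"; then
    echo "unexpected: client cert verified before the workaround" >&2
    rm -rf "$d"; return 1
  fi

  cat "$d/server-ca.crt" >> "$d/bundle.crt"   # the workaround from the report

  if ! verifies_against "$d/bundle.crt" "$d/puppetmaster.crt"; then
    echo "unexpected: client cert still fails after appending server CA" >&2
    rm -rf "$d"; return 1
  fi
  rm -rf "$d"
  return 0
}

demo_workaround && echo "verify fails against default CA alone, succeeds after append"
```

On a real installation the same verifies_against check, run with /etc/pki/katello/certs/katello-default-ca.crt and the Puppetmaster's own client certificate, tells you straight away whether foreman-installer has recreated the bundle and the append needs to be reapplied.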
Other issues:
1. katello-default-ca.crt is recreated at each run of foreman-installer so node reports break again.
2. The workaround above breaks Candlepin. This is because the katello-default-ca.crt stored in candlepin.truststore now differs from the katello-default-ca.crt in use.
Delete candlepin.truststore and re-run foreman-installer to create an updated one.
- mv /etc/candlepin/certs/amqp{,_backup-`date +%F`}
- foreman-installer --scenario katello
The workaround to the original issue will then need to be reapplied; Candlepin will not be affected this time.