Project

General

Profile

Bug #25221

Could not evaluate: Exception SSL_connect returned=1 errno=0 state=error: certificate verify failed in get request

Added by Sven Vogel 7 months ago. Updated 4 months ago.

Status:
Rejected
Priority:
High
Assignee:
-
Category:
Installer
Target version:
-
Difficulty:
Triaged:
No
Bugzilla link:
Pull request:
Team Backlog:
Fixed in Releases:
Found in Releases:

Description

Hi,

we use foreman 1.19 and katello 3.8
i have a problem to attach a capsule to the foreman server.

->important. we use own certificates.

i think the bug is near this old bug https://bugzilla.redhat.com/show_bug.cgi?id=1264208

error from smartproxy katello-proxy01.cs.ewerk.com

[DEBUG 2018-10-17T09:29:57 verbose]  Foreman_smartproxy[katello-proxy01.cs.ewerk.com](provider=rest_v3): Making get request to https://katello01.cs.ewerk.com/api/v2/smart_proxies?search=name=%22katello-proxy01.cs.ewerk.com%22
[ERROR 2018-10-17T09:29:57 verbose]  /Stage[main]/Foreman_proxy::Register/Foreman_smartproxy[katello-proxy01.cs.ewerk.com]: Could not evaluate: Exception SSL_connect returned=1 errno=0 state=error: certificate verify failed in get request to: https://katello01.cs.ewerk.com/api/v2/smart_proxies?search=name=%22katello-proxy01.cs.ewerk.com%22

katello/foreman file from katello01.cs.ewerk.com

/etc/httpd/conf.d/05-foreman-ssl.conf
  ## SSL directives
  SSLEngine on
  SSLCertificateFile      "/etc/pki/katello/certs/katello-apache.crt" 
  SSLCertificateKeyFile   "/etc/pki/katello/private/katello-apache.key" 
  SSLCertificateChainFile "/etc/pki/katello/certs/katello-default-ca.crt" 
  SSLVerifyClient         optional
  SSLCACertificateFile    "/etc/pki/katello/certs/katello-default-ca.crt" 
  SSLVerifyDepth          3
  SSLOptions +StdEnvVars +ExportCertData

important:

official cert and key -> okay
/etc/pki/katello/private/katello-apache.key
/etc/pki/katello/certs/katello-apache.crt

[root@katello01 s.vogel]# openssl x509 -text -in /etc/pki/katello/certs/katello-apache.crt
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number:
            04:1d:14:5c:ce:49:e3:ad:41:92:e0:e1:f2:34:e9:c3
    Signature Algorithm: sha256WithRSAEncryption
        Issuer: C=US, O=DigiCert Inc, OU=www.digicert.com, CN=RapidSSL TLS RSA CA G1
        Validity
            Not Before: Jul 31 00:00:00 2018 GMT
            Not After : Jul 30 12:00:00 2020 GMT
        Subject: CN=*.cs.ewerk.com

katello-default-ca.crt -> it is the katello ca not my ca bundle file ...

[root@katello01 s.vogel]# openssl x509 -text -in /etc/pki/katello/certs/katello-default-ca.crt
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number:
            d9:34:53:80:95:de:92:b2
    Signature Algorithm: sha256WithRSAEncryption
        Issuer: C=US, ST=North Carolina, L=Raleigh, O=Katello, OU=SomeOrgUnit, CN=katello01.cs.ewerk.com
        Validity
            Not Before: Aug  7 20:50:40 2018 GMT
            Not After : Jan 17 20:50:40 2038 GMT
        Subject: C=US, ST=North Carolina, L=Raleigh, O=Katello, OU=SomeOrgUnit, CN=katello01.cs.ewerk.com
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                Public-Key: (2048 bit)
                Modulus:

these are the official certs and they looks good -> okay

Module certs:
    --certs-cname                 The alternative names of the host the generated certificates
                                  should be for (current: [])
    --certs-node-fqdn             The fqdn of the host the generated certificates
                                  should be for (current: "katello01.cs.ewerk.com")
    --certs-server-ca-cert        Path to the CA that issued the ssl certificates for https
                                  if not specified, the default CA will be used (current: "/etc/ssl/cs.ewerk.com/ca_bundle.pem")
    --certs-server-cert           Path to the ssl certificate for https
                                  if not specified, the default CA will generate one (current: "/etc/ssl/cs.ewerk.com/cs.ewerk.com.crt")
    --certs-server-cert-req       Path to the ssl certificate request for https
                                  if not specified, the default CA will generate one (current: "/etc/ssl/cs.ewerk.com/cs.ewerk.com.csr")
    --certs-server-key            Path to the ssl key for https
                                  if not specified, the default CA will generate one (current: "/etc/ssl/cs.ewerk.com/cs.ewerk.com.key")

looks good i think puppet and server cert....okay
[root@katello01 s.vogel]# openssl x509 -text -in /etc/puppetlabs/puppet/ssl/certs/katello01.cs.ewerk.com.pem

[root@katello01 s.vogel]# openssl x509 -text -in /etc/puppetlabs/puppet/ssl/certs/katello01.cs.ewerk.com.pem
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number: 2 (0x2)
    Signature Algorithm: sha256WithRSAEncryption
        Issuer: CN=Puppet CA: katello01.cs.ewerk.com
        Validity
            Not Before: Aug  6 20:51:30 2018 GMT
            Not After : Aug  6 20:51:30 2023 GMT
        Subject: CN=katello01.cs.ewerk.com


    --foreman-plugin-puppetdb-ssl-ca-file  CA certificate file which will be used to connect to the PuppetDB API.
                                  Defaults to client_ssl_ca (current: "/etc/puppetlabs/puppet/ssl/certs/ca.pem")
    --foreman-plugin-puppetdb-ssl-certificate  Certificate file which will be used to connect to the PuppetDB API.
                                  Defaults to client_ssl_cert (current: "/etc/puppetlabs/puppet/ssl/certs/katello01.cs.ewerk.com.pem")
    --foreman-plugin-puppetdb-ssl-private-key  Private key file which will be used to connect to the PuppetDB API.
                                  Defaults to client_ssl_key (current: "/etc/puppetlabs/puppet/ssl/private_keys/katello01.cs.ewerk.com.pem")

ssl_ca.pem -> same here it is the katello ca not my ca bundle file ... ???
openssl x509 -text -in /etc/foreman-proxy/ssl_ca.pem


    --foreman-proxy-ssl-ca        SSL CA to validate the client certificates used to access the proxy (current: "/etc/foreman-proxy/ssl_ca.pem")
    --foreman-proxy-ssl-cert      SSL certificate to be used to run the foreman proxy via https. (current: "/etc/foreman-proxy/ssl_cert.pem")
    --foreman-proxy-ssl-disabled-ciphers  List of OpenSSL cipher suite names that will be disabled from the default (current: [])
    --foreman-proxy-ssl-key       Corresponding key to a ssl_cert certificate (current: "/etc/foreman-proxy/ssl_key.pem")

[root@katello01 s.vogel]# openssl x509 -text -in /etc/foreman-proxy/ssl_ca.pem
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number:
            d9:34:53:80:95:de:92:b2
    Signature Algorithm: sha256WithRSAEncryption
        Issuer: C=US, ST=North Carolina, L=Raleigh, O=Katello, OU=SomeOrgUnit, CN=katello01.cs.ewerk.com
        Validity

openssl x509 -text -in /etc/foreman-proxy/ssl_cert.pem

[root@katello01 s.vogel]# openssl x509 -text -in /etc/foreman-proxy/ssl_cert.pem
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number:
            04:1d:14:5c:ce:49:e3:ad:41:92:e0:e1:f2:34:e9:c3
    Signature Algorithm: sha256WithRSAEncryption
        Issuer: C=US, O=DigiCert Inc, OU=www.digicert.com, CN=RapidSSL TLS RSA CA G1
        Validity

there are different questions.

1. why is /etc/pki/katello/certs/katello-default-ca.crt no our official ca bundle?
2. foreman-proxy-certs-generate --foreman-proxy-fqdn "katello-proxy01.cs.ewerk.com" --certs-tar "/root/cs.ewerk.com-certs.tar"

  To finish the installation, follow these steps:

  If you do not have the smartproxy registered to the Katello instance, then please do the following:

  1. yum -y localinstall http://katello01.cs.ewerk.com/pub/katello-ca-consumer-latest.noarch.rpm
  2. subscription-manager register --org "Default_Organization" 

  Once this is completed run the steps below to start the smartproxy installation:

  1. Ensure that the foreman-installer-katello package is installed on the system.
  2. Copy the following file /root/cs.ewerk.com-certs.tar to the system katello-proxy01.cs.ewerk.com at the following location /root/cs.ewerk.com-certs.tar
  scp /root/cs.ewerk.com-certs.tar root@katello-proxy01.cs.ewerk.com:/root/cs.ewerk.com-certs.tar
  3. Run the following commands on the Foreman proxy (possibly with the customized
     parameters, see foreman-installer --scenario foreman-proxy-content --help and
     documentation for more info on setting up additional services):

  foreman-installer --scenario foreman-proxy-content\
                    --foreman-proxy-content-parent-fqdn           "katello01.cs.ewerk.com"\
                    --foreman-proxy-register-in-foreman           "true"\
                    --foreman-proxy-foreman-base-url              "https://katello01.cs.ewerk.com"\
                    --foreman-proxy-trusted-hosts                 "katello01.cs.ewerk.com"\
                    --foreman-proxy-trusted-hosts                 "katello-proxy01.cs.ewerk.com"\
                    --foreman-proxy-oauth-consumer-key            "XXX"\
                    --foreman-proxy-oauth-consumer-secret         "XXX"\
                    --foreman-proxy-content-certs-tar             "/root/cs.ewerk.com-certs.tar"\
                    --puppet-server-foreman-url                   "https://katello01.cs.ewerk.com" 
  The full log is at /var/log/foreman-installer/foreman-proxy-certs-generate.log

3. we run this foreman-installer like above and get the following error

error from smartproxy katello-proxy01.cs.ewerk.com

[DEBUG 2018-10-17T09:29:57 verbose]  Foreman_smartproxy[katello-proxy01.cs.ewerk.com](provider=rest_v3): Making get request to https://katello01.cs.ewerk.com/api/v2/smart_proxies?search=name=%22katello-proxy01.cs.ewerk.com%22
[ERROR 2018-10-17T09:29:57 verbose]  /Stage[main]/Foreman_proxy::Register/Foreman_smartproxy[katello-proxy01.cs.ewerk.com]: Could not evaluate: Exception SSL_connect returned=1 errno=0 state=error: certificate verify failed in get request to: https://katello01.cs.ewerk.com/api/v2/smart_proxies?search=name=%22katello-proxy01.cs.ewerk.com%22

couriously because...
vim /etc/httpd/conf.d/28-katello-reverse-proxy.conf
on the proxy we get

[root@katello-proxy01 s.vogel]# openssl x509 -text -in /etc/pki/katello/certs/katello-apache.crt
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number:
            d7:2d:3a:be:ec:37:be:17
    Signature Algorithm: sha256WithRSAEncryption
        Issuer: C=US, ST=North Carolina, L=Raleigh, O=Default_Organization, OU=SomeOrgUnit, CN=katello01.cs.ewerk.com
        Validity
            Not Before: Oct  9 13:46:28 2018 GMT
            Not After : Jan 18 13:46:29 2038 GMT
        Subject: C=US, ST=North Carolina, O=Default_Organization, OU=SomeOrgUnit, CN=katello-proxy01.cs.ewerk.com
        Subject Public Key Info:

why there is not the correct own certificate?!?!

History

#1 Updated by John Mitsch 7 months ago

  • Triaged changed from No to Yes
  • Target version set to Katello 3.10.0
  • Category changed from Security to Installer

#2 Updated by Sven Vogel 6 months ago

Hi John,

do you need additional informations?

thanks

Sven

#3 Updated by Christine Fouant 6 months ago

  • Target version changed from Katello 3.10.0 to Katello 3.11.0

#4 Updated by Jonathon Turel 4 months ago

  • Triaged changed from Yes to No
  • Target version deleted (Katello 3.11.0)

#5 Updated by Eric Helms 4 months ago

Howdy,

Some answers and notes:

1. why is /etc/pki/katello/certs/katello-default-ca.crt no our official ca bundle?

This certificate should always be the internally generated CA cert, even with custom certificates. When you supply custom certificates, the CA cert for the custom certificates is stored /etc/pki/katello/certs/katello-server-ca.crt . I would double check that you supplied it correctly, and that your answers file has "server_ca_cert: " pointed to your CA cert on disk.

#6 Updated by Andrew Kofink 4 months ago

  • Status changed from New to Need more information

#7 Updated by John Mitsch 4 months ago

  • Status changed from Need more information to Rejected

Since it's been two weeks with no activity, I'm going to close this for now, but feel free to reopen it and answer the question asked if you are still having this issue.

Also available in: Atom PDF