Bug #25221 (closed)
Could not evaluate: Exception SSL_connect returned=1 errno=0 state=error: certificate verify failed in get request
Description
Hi,
We use Foreman 1.19 and Katello 3.8.
I have a problem attaching a capsule to the Foreman server.
-> Important: we use our own certificates.
I think the bug is close to this old bug: https://bugzilla.redhat.com/show_bug.cgi?id=1264208
Error from smart proxy katello-proxy01.cs.ewerk.com:
[DEBUG 2018-10-17T09:29:57 verbose] Foreman_smartproxy[katello-proxy01.cs.ewerk.com](provider=rest_v3): Making get request to https://katello01.cs.ewerk.com/api/v2/smart_proxies?search=name=%22katello-proxy01.cs.ewerk.com%22
[ERROR 2018-10-17T09:29:57 verbose] /Stage[main]/Foreman_proxy::Register/Foreman_smartproxy[katello-proxy01.cs.ewerk.com]: Could not evaluate: Exception SSL_connect returned=1 errno=0 state=error: certificate verify failed in get request to: https://katello01.cs.ewerk.com/api/v2/smart_proxies?search=name=%22katello-proxy01.cs.ewerk.com%22
Katello/Foreman file from katello01.cs.ewerk.com:
/etc/httpd/conf.d/05-foreman-ssl.conf
  ## SSL directives
  SSLEngine on
  SSLCertificateFile "/etc/pki/katello/certs/katello-apache.crt"
  SSLCertificateKeyFile "/etc/pki/katello/private/katello-apache.key"
  SSLCertificateChainFile "/etc/pki/katello/certs/katello-default-ca.crt"
  SSLVerifyClient optional
  SSLCACertificateFile "/etc/pki/katello/certs/katello-default-ca.crt"
  SSLVerifyDepth 3
  SSLOptions +StdEnvVars +ExportCertData
Important:
Official cert and key -> okay:
/etc/pki/katello/private/katello-apache.key
/etc/pki/katello/certs/katello-apache.crt
[root@katello01 s.vogel]# openssl x509 -text -in /etc/pki/katello/certs/katello-apache.crt
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number:
            04:1d:14:5c:ce:49:e3:ad:41:92:e0:e1:f2:34:e9:c3
        Signature Algorithm: sha256WithRSAEncryption
        Issuer: C=US, O=DigiCert Inc, OU=www.digicert.com, CN=RapidSSL TLS RSA CA G1
        Validity
            Not Before: Jul 31 00:00:00 2018 GMT
            Not After : Jul 30 12:00:00 2020 GMT
        Subject: CN=*.cs.ewerk.com
katello-default-ca.crt -> it is the Katello CA, not my CA bundle file ...
[root@katello01 s.vogel]# openssl x509 -text -in /etc/pki/katello/certs/katello-default-ca.crt
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number:
            d9:34:53:80:95:de:92:b2
        Signature Algorithm: sha256WithRSAEncryption
        Issuer: C=US, ST=North Carolina, L=Raleigh, O=Katello, OU=SomeOrgUnit, CN=katello01.cs.ewerk.com
        Validity
            Not Before: Aug  7 20:50:40 2018 GMT
            Not After : Jan 17 20:50:40 2038 GMT
        Subject: C=US, ST=North Carolina, L=Raleigh, O=Katello, OU=SomeOrgUnit, CN=katello01.cs.ewerk.com
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                Public-Key: (2048 bit)
                Modulus:
These are the official certs and they look good -> okay.
Module certs:
  --certs-cname            The alternative names of the host the generated certificates should be for (current: [])
  --certs-node-fqdn        The fqdn of the host the generated certificates should be for (current: "katello01.cs.ewerk.com")
  --certs-server-ca-cert   Path to the CA that issued the ssl certificates for https if not specified, the default CA will be used (current: "/etc/ssl/cs.ewerk.com/ca_bundle.pem")
  --certs-server-cert      Path to the ssl certificate for https if not specified, the default CA will generate one (current: "/etc/ssl/cs.ewerk.com/cs.ewerk.com.crt")
  --certs-server-cert-req  Path to the ssl certificate request for https if not specified, the default CA will generate one (current: "/etc/ssl/cs.ewerk.com/cs.ewerk.com.csr")
  --certs-server-key       Path to the ssl key for https if not specified, the default CA will generate one (current: "/etc/ssl/cs.ewerk.com/cs.ewerk.com.key")
Looks good, I think; Puppet and server cert.... okay.
[root@katello01 s.vogel]# openssl x509 -text -in /etc/puppetlabs/puppet/ssl/certs/katello01.cs.ewerk.com.pem
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number: 2 (0x2)
        Signature Algorithm: sha256WithRSAEncryption
        Issuer: CN=Puppet CA: katello01.cs.ewerk.com
        Validity
            Not Before: Aug  6 20:51:30 2018 GMT
            Not After : Aug  6 20:51:30 2023 GMT
        Subject: CN=katello01.cs.ewerk.com
  --foreman-plugin-puppetdb-ssl-ca-file      CA certificate file which will be used to connect to the PuppetDB API. Defaults to client_ssl_ca (current: "/etc/puppetlabs/puppet/ssl/certs/ca.pem")
  --foreman-plugin-puppetdb-ssl-certificate  Certificate file which will be used to connect to the PuppetDB API. Defaults to client_ssl_cert (current: "/etc/puppetlabs/puppet/ssl/certs/katello01.cs.ewerk.com.pem")
  --foreman-plugin-puppetdb-ssl-private-key  Private key file which will be used to connect to the PuppetDB API. Defaults to client_ssl_key (current: "/etc/puppetlabs/puppet/ssl/private_keys/katello01.cs.ewerk.com.pem")
ssl_ca.pem -> same here, it is the Katello CA, not my CA bundle file ... ???
  --foreman-proxy-ssl-ca                SSL CA to validate the client certificates used to access the proxy (current: "/etc/foreman-proxy/ssl_ca.pem")
  --foreman-proxy-ssl-cert              SSL certificate to be used to run the foreman proxy via https. (current: "/etc/foreman-proxy/ssl_cert.pem")
  --foreman-proxy-ssl-disabled-ciphers  List of OpenSSL cipher suite names that will be disabled from the default (current: [])
  --foreman-proxy-ssl-key               Corresponding key to a ssl_cert certificate (current: "/etc/foreman-proxy/ssl_key.pem")
[root@katello01 s.vogel]# openssl x509 -text -in /etc/foreman-proxy/ssl_ca.pem
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number:
            d9:34:53:80:95:de:92:b2
        Signature Algorithm: sha256WithRSAEncryption
        Issuer: C=US, ST=North Carolina, L=Raleigh, O=Katello, OU=SomeOrgUnit, CN=katello01.cs.ewerk.com
        Validity
[root@katello01 s.vogel]# openssl x509 -text -in /etc/foreman-proxy/ssl_cert.pem
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number:
            04:1d:14:5c:ce:49:e3:ad:41:92:e0:e1:f2:34:e9:c3
        Signature Algorithm: sha256WithRSAEncryption
        Issuer: C=US, O=DigiCert Inc, OU=www.digicert.com, CN=RapidSSL TLS RSA CA G1
        Validity
There are several questions.
1. Why is /etc/pki/katello/certs/katello-default-ca.crt not our official CA bundle?
2. foreman-proxy-certs-generate --foreman-proxy-fqdn "katello-proxy01.cs.ewerk.com" --certs-tar "/root/cs.ewerk.com-certs.tar"
To finish the installation, follow these steps:
If you do not have the smartproxy registered to the Katello instance, then please do the following:
  1. yum -y localinstall http://katello01.cs.ewerk.com/pub/katello-ca-consumer-latest.noarch.rpm
  2. subscription-manager register --org "Default_Organization"
Once this is completed run the steps below to start the smartproxy installation:
  1. Ensure that the foreman-installer-katello package is installed on the system.
  2. Copy the following file /root/cs.ewerk.com-certs.tar to the system katello-proxy01.cs.ewerk.com at the following location /root/cs.ewerk.com-certs.tar
     scp /root/cs.ewerk.com-certs.tar root@katello-proxy01.cs.ewerk.com:/root/cs.ewerk.com-certs.tar
  3. Run the following commands on the Foreman proxy (possibly with the customized parameters, see foreman-installer --scenario foreman-proxy-content --help and documentation for more info on setting up additional services):
     foreman-installer --scenario foreman-proxy-content\
       --foreman-proxy-content-parent-fqdn "katello01.cs.ewerk.com"\
       --foreman-proxy-register-in-foreman "true"\
       --foreman-proxy-foreman-base-url "https://katello01.cs.ewerk.com"\
       --foreman-proxy-trusted-hosts "katello01.cs.ewerk.com"\
       --foreman-proxy-trusted-hosts "katello-proxy01.cs.ewerk.com"\
       --foreman-proxy-oauth-consumer-key "XXX"\
       --foreman-proxy-oauth-consumer-secret "XXX"\
       --foreman-proxy-content-certs-tar "/root/cs.ewerk.com-certs.tar"\
       --puppet-server-foreman-url "https://katello01.cs.ewerk.com"
The full log is at /var/log/foreman-installer/foreman-proxy-certs-generate.log
3. We run this foreman-installer as above and get the following error.
Error from smart proxy katello-proxy01.cs.ewerk.com:
[DEBUG 2018-10-17T09:29:57 verbose] Foreman_smartproxy[katello-proxy01.cs.ewerk.com](provider=rest_v3): Making get request to https://katello01.cs.ewerk.com/api/v2/smart_proxies?search=name=%22katello-proxy01.cs.ewerk.com%22
[ERROR 2018-10-17T09:29:57 verbose] /Stage[main]/Foreman_proxy::Register/Foreman_smartproxy[katello-proxy01.cs.ewerk.com]: Could not evaluate: Exception SSL_connect returned=1 errno=0 state=error: certificate verify failed in get request to: https://katello01.cs.ewerk.com/api/v2/smart_proxies?search=name=%22katello-proxy01.cs.ewerk.com%22
Curiously, because...
vim /etc/httpd/conf.d/28-katello-reverse-proxy.conf
On the proxy we get:
[root@katello-proxy01 s.vogel]# openssl x509 -text -in /etc/pki/katello/certs/katello-apache.crt
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number:
            d7:2d:3a:be:ec:37:be:17
        Signature Algorithm: sha256WithRSAEncryption
        Issuer: C=US, ST=North Carolina, L=Raleigh, O=Default_Organization, OU=SomeOrgUnit, CN=katello01.cs.ewerk.com
        Validity
            Not Before: Oct  9 13:46:28 2018 GMT
            Not After : Jan 18 13:46:29 2038 GMT
        Subject: C=US, ST=North Carolina, O=Default_Organization, OU=SomeOrgUnit, CN=katello-proxy01.cs.ewerk.com
        Subject Public Key Info:
Why is the correct own certificate not there?!?!
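The failure in the report comes down to a trust-store mismatch: the server presents a certificate issued by an external CA, while the client validates against the internally generated Katello CA. The script below is an added example, not from the bug report or the Katello project; it builds throw-away keys with openssl (all names are constructed placeholders) and shows the same verification outcome with each CA file, which is the check to run before opening a ticket.

```shell
#!/bin/sh
# Added example: reproduce "certificate verify failed" as a CA mismatch.
# "internal-ca" stands in for katello-default-ca.crt; "external-ca" stands in
# for the public issuer of the custom server certificate. Names are constructed.
set -e
WORK=$(mktemp -d)
cd "$WORK"

# mk_ca PREFIX CN: self-signed CA key pair, valid for two days
mk_ca() {
  openssl req -x509 -newkey rsa:2048 -nodes -keyout "$1.key" -out "$1.crt" \
    -days 2 -subj "/CN=$2" 2>/dev/null
}

mk_ca internal-ca "katello01.example.com internal CA"
mk_ca external-ca "Example External CA"

# Server key and CSR for the Katello host, signed by the EXTERNAL CA only
openssl req -newkey rsa:2048 -nodes -keyout server.key -out server.csr \
  -subj "/CN=katello01.example.com" 2>/dev/null
openssl x509 -req -in server.csr -CA external-ca.crt -CAkey external-ca.key \
  -CAcreateserial -out server.crt -days 2 2>/dev/null

# verify_with CAFILE CERT: prints "ok" or "fail" (never aborts under set -e)
verify_with() {
  if openssl verify -CAfile "$1" "$2" >/dev/null 2>&1; then
    echo ok
  else
    echo fail
  fi
}

# issuer_of CERT: the issuer DN, which must match the subject of the CA on disk
issuer_of() {
  openssl x509 -noout -issuer -in "$1"
}

# Same check the smart proxy performs: wrong CA -> fail, issuing CA -> ok
echo "server cert $(issuer_of server.crt)"
echo "against internal CA: $(verify_with internal-ca.crt server.crt)"
echo "against external CA: $(verify_with external-ca.crt server.crt)"
```

Run the same `openssl verify -CAfile <ca file> <server cert>` against the real files to confirm which CA actually issued the Apache certificate and whether the proxy's CA file covers it.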
Updated by John Mitsch over 5 years ago
- Category changed from Security to Installer
- Target version set to Katello 3.10.0
- Triaged changed from No to Yes
Updated by Sven Vogel over 5 years ago
Hi John,
do you need additional information?
Thanks,
Sven
Updated by Christine Fouant over 5 years ago
- Target version changed from Katello 3.10.0 to Katello 3.11.0
Updated by Jonathon Turel over 5 years ago
- Target version deleted (Katello 3.11.0)
- Triaged changed from Yes to No
Updated by Eric Helms over 5 years ago
Howdy,
Some answers and notes:
1. Why is /etc/pki/katello/certs/katello-default-ca.crt not our official CA bundle?
This certificate should always be the internally generated CA cert, even with custom certificates. When you supply custom certificates, the CA cert for the custom certificates is stored at /etc/pki/katello/certs/katello-server-ca.crt. I would double check that you supplied it correctly, and that your answers file has "server_ca_cert: " pointed to your CA cert on disk.
Updated by Andrew Kofink over 5 years ago
- Status changed from New to Need more information
Updated by John Mitsch about 5 years ago
- Status changed from Need more information to Rejected
Since it's been two weeks with no activity, I'm going to close this for now, but feel free to reopen it and answer the question asked if you are still having this issue.