Bug #26978
openError occurred: Neither PUB key nor PRIV key: nested asn1 error (openscap)
Description
Problem:
We try to use OpenSCAP with Foreman/Katello and the installation looks good, but we got the following error.
Maybe there is a problem with the certificates. The system is registered with subscription-manager without any problem.
I found this article https://access.redhat.com/solutions/2175231 but it's old and I think no longer relevant. You can see my config files below.
Maybe I need to change or reset something that happened with the certificates.
Any ideas or help?
Error occurred: Neither PUB key nor PRIV key: nested asn1 error
Expected outcome:
No Error :slight_smile:
Foreman and Proxy versions:
Foreman: 1.21.3
Katello: 3.11
OpenScap: 0.7.1
Foreman and Proxy plugin versions:
Proxy: 1.21.3
Other relevant data:
/etc/foreman_scap_client/config.yaml
# Client private key
# It could be Puppet agent private key (e.g., '/var/lib/puppet/ssl/private_keys/myhost.example.com.pem')
# Or (recommended for client reporting to Katello) consumer private key (e.g., '/etc/pki/consumer/key.pem')
:host_private_key: '/etc/pki/consumer/key.pem'
# policy (key is id as in Foreman)
3:
  :profile: 'xccdf_org.ssgproject.content_profile_stig-rhel7-disa'
  :content_path: '/var/lib/openscap/content/3e1654fd14a5352d65294db555710bfda5cad1a942209e2d787ea7940035616e.xml'
  # Download path
  # A path to download SCAP content from proxy
  :download_path: '/compliance/policies/3/content/3e1654fd14a5352d65294db555710bfda5cad1a942209e2d787ea7940035616e'
  :tailoring_path: ''
  :tailoring_download_path: ''
4:
  :profile: 'xccdf_org.ssgproject.content_profile_hipaa'
  :content_path: '/var/lib/openscap/content/3e1654fd14a5352d65294db555710bfda5cad1a942209e2d787ea7940035616e.xml'
  # Download path
  # A path to download SCAP content from proxy
  :download_path: '/compliance/policies/4/content/3e1654fd14a5352d65294db555710bfda5cad1a942209e2d787ea7940035616e'
  :tailoring_path: ''
  :tailoring_download_path: ''

---
:enabled: https
# Log file for the forwarding script.
:openscap_send_log_file: /var/log/foreman-proxy/openscap-send.log
# Directory where OpenSCAP audits are stored
# if they failed to post to Foreman. smart_proxy_openscap_send will
# try to re-send them.
:spooldir: /var/spool/foreman-proxy/openscap
# Directory where OpenSCAP content XML are stored
# So we will not request the XML from Foreman each time
:contentdir: /var/lib/foreman-proxy/openscap/content
# Directory where OpenSCAP report XML are stored
# So Foreman can request arf xml reports
:reportsdir: /var/lib/foreman-proxy/openscap/reports
# Directory where OpenSCAP report XML are stored
# In case sending to Foreman succeeded, yet failed to save to reportsdir
:failed_dir: /var/lib/foreman-proxy/openscap/failed
# Directory where corrupted OpenSCAP report XML are stored
# when proxy cannot parse the report sent by client
:corrupted_dir: /var/lib/foreman-proxy/openscap/corrupted
# Proxy name to send to Foreman with parsed report
# Foreman matches it against names of registered proxies to find the report source
:registered_proxy_name: katello01.example.com
# Proxy url to send to Foreman with parsed report
# Foreman matches it against urls of registered proxies to find the report source
:registered_proxy_url: https://katello01.example.com:9090
# Timeout to send ARF reports to Foreman, in seconds
:timeout: 60
s_client is working:
openssl s_client -connect katello01.example.com:9090 -CAfile /etc/rhsm/ca/katello-server-ca.pem -cert /etc/pki/consumer/cert.pem -key /etc/pki/consumer/key.pem
Updated by Sven Vogel over 5 years ago
I get the message from /var/log/foreman-proxy/proxy.log:
2019-06-06T16:23:16 3ba56e3e [I] Started GET /policies/3/content/3e1654fd14a5352d65294db555710bfda5cad1a942209e2d787ea7940035616e
2019-06-06T16:23:16 3ba56e3e [I] Creating directory to store SCAP file: /var/lib/foreman-proxy/openscap/content/3
2019-06-06T16:23:16 3ba56e3e [E] Error occurred: Neither PUB key nor PRIV key: nested asn1 error
2019-06-06T16:23:16 3ba56e3e [D] Error occurred: Neither PUB key nor PRIV key: nested asn1 error
2019-06-06T16:23:16 3ba56e3e [I] Finished GET /policies/3/content/3e1654fd14a5352d65294db555710bfda5cad1a942209e2d787ea7940035616e with 500 (2.33 ms)
Updated by Sven Vogel over 5 years ago
- Found in Releases foreman_openscap 0.7.10, puppet-foreman_scap_client 0.3.19 added
Updated by Sven Vogel over 5 years ago
- Triaged changed from No to Yes
After some investigation I found the solution. The error indicates that the problem seems to be something to do with the foreman/katello proxy private key.
We have different installations and it seems that after a new install or reset of the certificates the installer doesn't set them correctly.
If you use Katello with Foreman, the following should be set correctly in the file
/etc/foreman-proxy/settings.yml
# SSL Setup
# if enabled, all communication would be verified via SSL
# NOTE that both certificates need to be signed by the same CA in order for this to work
# see http://theforeman.org/projects/smart-proxy/wiki/SSL for more information
:ssl_ca_file: /etc/foreman-proxy/ssl_ca.pem
:ssl_certificate: /etc/foreman-proxy/ssl_cert.pem
:ssl_private_key: /etc/foreman-proxy/ssl_key.pem
# Use this option only if you need to disable certain cipher suites.
# Note: we use the OpenSSL suite name, such as "RC4-MD5".
# The complete list of cipher suite names can be found at:
# https://www.openssl.org/docs/manmaster/man1/ciphers.html#CIPHER-SUITE-NAMES
#:ssl_disabled_ciphers: [CIPHER-SUITE-1, CIPHER-SUITE-2]
# Use this option only if you need to strictly specify TLS versions to be
# disabled. SSLv3 and TLS v1.0 are always disabled and cannot be configured.
# Specify versions like: '1.1', or '1.2'
#:tls_disabled_versions: []
# the hosts which the proxy accepts connections from
# commenting the following lines would mean every verified SSL connection allowed
:trusted_hosts:
  - katello01.example.com
# Endpoint for reverse communication
:foreman_url: https://katello01.example.com
# SSL settings for client authentication against Foreman. If undefined, the values
# from general SSL options are used instead. Mainly useful when Foreman uses
# different certificates for its web UI and for smart-proxy requests.
:foreman_ssl_ca: /etc/foreman-proxy/foreman_ssl_ca.pem
:foreman_ssl_cert: /etc/foreman-proxy/foreman_ssl_cert.pem
:foreman_ssl_key: /etc/foreman-proxy/foreman_ssl_cert.pem
You will see the error here! Cert and key are the same file:
:foreman_ssl_cert: /etc/foreman-proxy/foreman_ssl_cert.pem
:foreman_ssl_key: /etc/foreman-proxy/foreman_ssl_cert.pem
It should be cert and key:
:foreman_ssl_cert: /etc/foreman-proxy/foreman_ssl_cert.pem
:foreman_ssl_key: /etc/foreman-proxy/foreman_ssl_key.pem
The strange thing is, and it's reproducible: if you check foreman-installer --full-help you will see it's a base problem. You can't reset it to the correct value; normally it should.
--foreman-proxy-foreman-ssl-key          Corresponding key to a foreman_ssl_cert certificate
                                         When not specified, the ssl_key is used instead. (current: "/etc/foreman-proxy/foreman_ssl_cert.pem")
--reset-foreman-proxy-foreman-ssl-key    Reset foreman_ssl_key to the default value (UNDEF)  <-------- it's undef???
foreman-installer --foreman-proxy-foreman-ssl-key="/etc/foreman-proxy/foreman_ssl_key.pem" -v
Maybe anybody can classify another category for this ticket and reproduce this.
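The misconfiguration above (:foreman_ssl_key pointing at the certificate file) is exactly what makes Ruby's OpenSSL binding raise "Neither PUB key nor PRIV key" when the smart-proxy tries to load its Foreman client key. The following pre-flight check is an added example written for this page, not code from the Foreman project or from anyone in this thread: it reads the two settings.yml keys, reports when they name the same file, classifies what the key file really holds, and confirms the private key matches the certificate. It assumes the key names from the settings.yml shown above (:foreman_ssl_cert, :foreman_ssl_key, with :ssl_certificate and :ssl_private_key as the documented fallbacks) and uses a constructed self-signed certificate and an in-memory path-to-content map instead of reading /etc/foreman-proxy, so it runs offline; a real check would read the paths from disk.

```ruby
require 'openssl'
require 'yaml'

# Build a throwaway self-signed certificate plus its key. This is constructed
# test material for the example, not the proxy's real /etc/foreman-proxy files.
def make_self_signed(common_name)
  key = OpenSSL::PKey::RSA.new(2048)
  cert = OpenSSL::X509::Certificate.new
  cert.version = 2
  cert.serial = 1
  cert.subject = OpenSSL::X509::Name.parse("/CN=#{common_name}")
  cert.issuer = cert.subject
  cert.public_key = key.public_key
  cert.not_before = Time.now
  cert.not_after = Time.now + 3600
  cert.sign(key, OpenSSL::Digest.new('SHA256'))
  [cert.to_pem, key.to_pem]
end

# Classify what a PEM file actually holds, by its armour header.
def pem_kind(pem)
  return :private_key if pem.include?('PRIVATE KEY-----')
  return :certificate if pem.include?('-----BEGIN CERTIFICATE-----')
  :unknown
end

# Hand file contents to OpenSSL as an RSA private key, as the proxy does with
# whatever :foreman_ssl_key points at. Returns the error raised, or nil.
# A certificate fed in here is what yields "Neither PUB key nor PRIV key".
def rsa_key_load_error(pem)
  OpenSSL::PKey::RSA.new(pem)
  nil
rescue OpenSSL::PKey::PKeyError => e
  e
end

# Pre-flight check of a certificate/key pair. Returns a list of problems;
# an empty list means the pair can be used for client authentication.
def check_pair(cert_pem, key_pem)
  case pem_kind(key_pem)
  when :certificate
    ['key file holds a certificate, not a private key']
  when :unknown
    ['key file holds neither a certificate nor a private key']
  else
    cert = OpenSSL::X509::Certificate.new(cert_pem)
    key = OpenSSL::PKey.read(key_pem)
    cert.check_private_key(key) ? [] : ['private key does not match the certificate public key']
  end
end

# Check the Foreman-facing client credentials named in settings.yml.
# `files` maps path => content so the check runs without touching /etc
# (hypothetical stand-in for File.read in a real check).
def check_settings(yaml_text, files)
  settings = YAML.safe_load(yaml_text, permitted_classes: [Symbol])
  cert_path = settings[:foreman_ssl_cert] || settings[:ssl_certificate]
  key_path  = settings[:foreman_ssl_key]  || settings[:ssl_private_key]
  problems = []
  problems << "foreman_ssl_cert and foreman_ssl_key both point at #{cert_path}" if cert_path == key_path
  problems + check_pair(files.fetch(cert_path), files.fetch(key_path))
end

if __FILE__ == $PROGRAM_NAME
  cert_pem, key_pem = make_self_signed('katello01.example.com')
  files = { '/etc/foreman-proxy/foreman_ssl_cert.pem' => cert_pem,
            '/etc/foreman-proxy/foreman_ssl_key.pem'  => key_pem }
  # The broken fragment from this ticket next to the corrected one.
  broken = ":foreman_ssl_cert: /etc/foreman-proxy/foreman_ssl_cert.pem\n" \
           ":foreman_ssl_key: /etc/foreman-proxy/foreman_ssl_cert.pem\n"
  fixed  = ":foreman_ssl_cert: /etc/foreman-proxy/foreman_ssl_cert.pem\n" \
           ":foreman_ssl_key: /etc/foreman-proxy/foreman_ssl_key.pem\n"
  puts "broken: #{check_settings(broken, files).inspect}"
  puts "fixed:  #{check_settings(fixed, files).inspect}"
  puts "OpenSSL says: #{rsa_key_load_error(cert_pem)&.message}"
end
```

Run it with ruby; the broken settings produce two findings (same file for both keys, and a certificate where a key is expected) while the fixed settings produce none. The header classification is deliberately done before calling OpenSSL so the report names the actual mistake instead of the opaque asn1 error the proxy log shows; the check_private_key step additionally catches the other common variant, a key file that is a real key but belongs to a different certificate.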
Updated by Ondřej Pražák over 5 years ago
- Project changed from OpenSCAP to Installer
- Triaged changed from Yes to No
- Found in Releases 1.21.3 added
- Found in Releases deleted (foreman_openscap 0.7.10, puppet-foreman_scap_client 0.3.19)
Thank you for a detailed bug report, moving to installer as it seems the default cert paths are not correctly set.
Updated by Zach Huntington-Meath over 4 years ago
- Triaged changed from No to Yes