
Bug #8787

GeoTrust/RapidSSL WildCard cert issue

Added by Brent Wells over 4 years ago. Updated 11 months ago.

Status: Need more information
Priority: Normal
Assignee: -
Category: Installer
Target version:
Difficulty:
Triaged: Yes
Bugzilla link:
Pull request:
Team Backlog:
Fixed in Releases:
Found in Releases:

Description

I am trying to run "subscription-manager refresh" from my client server, running CentOS 7, but I get the below error. My katello server is also CentOS 7, but I have tried CentOS 6.6 and had the same problem.

[root@myclient ~]# subscription-manager refresh
Unable to verify server's identity: tlsv1 alert unknown ca

This is the error I am seeing in the rhsm.log file:

2014-12-16 03:25:03,477 [ERROR] rhsmd @cache.py:219 - Consumer certificate is invalid
2014-12-16 07:11:23,629 [DEBUG] subscription-manager @plugins.py:533 - loaded plugin modules: []
2014-12-16 07:11:23,630 [DEBUG] subscription-manager @plugins.py:534 - loaded plugins: {}
2014-12-16 07:11:23,657 [DEBUG] subscription-manager @identity.py:130 - Loading consumer info from identity certificates.
2014-12-16 07:11:23,663 [DEBUG] subscription-manager @profile.py:97 - Loading current RPM profile.
2014-12-16 07:11:23,693 [INFO] subscription-manager @managercli.py:288 - Client Versions: {'python-rhsm': '1.10.12-2.el7', 'subscription-manager': '1.10.14-9.el7.centos'}
2014-12-16 07:11:23,694 [INFO] subscription-manager @connection.py:663 - Using certificate authentication: key = /etc/pki/consumer/key.pem, cert = /etc/pki/consumer/cert.pem, ca = /etc/rhsm/ca/, insecure = False
2014-12-16 07:11:23,694 [INFO] subscription-manager @connection.py:674 - Connection Built: host: katello.office.mydomain.net, port: 443, handler: /rhsm
2014-12-16 07:11:23,694 [INFO] subscription-manager @connection.py:670 - Using no auth
2014-12-16 07:11:23,695 [INFO] subscription-manager @connection.py:674 - Connection Built: host: katello.office.mydomain.net, port: 443, handler: /rhsm
2014-12-16 07:11:23,696 [DEBUG] subscription-manager @connection.py:418 - Loaded CA certificates from /etc/rhsm/ca/: candlepin-local.pem, katello-server-ca.pem
2014-12-16 07:11:23,696 [DEBUG] subscription-manager @connection.py:450 - Making request: GET /rhsm/
2014-12-16 07:11:24,110 [DEBUG] subscription-manager @connection.py:473 - Response: status=200
2014-12-16 07:11:24,111 [DEBUG] subscription-manager @connection.py:690 - Server supports the following resources:
2014-12-16 07:11:24,111 [DEBUG] subscription-manager @connection.py:691 - {'available_releases': '/katello/api/available_releases', 'distributors': '/katello/api/distributors/', 'content_overrides': '/katello/api/content_overrides', 'environments': '/katello/api/environments/', 'content_views': '/katello/api/content_views/', 'content_view_filters': '/katello/api/content_view_filters/', 'puppet_modules': '/katello/api/puppet_modules/', 'host_collections': '/katello/api/host_collections/', 'guestids': '/katello/api/guestids', 'systems': '/katello/api/systems/', 'gpg_keys': '/katello/api/gpg_keys/', 'status': '/katello/api/status/', 'capsules': '/katello/api/capsules/', 'users': '/katello/api/users/', 'sync_plans': '/katello/api/sync_plans/', 'subscriptions': '/katello/api/subscriptions/', 'content_view_versions': '/katello/api/content_view_versions/', 'packages': '/katello/api/packages/', 'organizations': '/katello/api/organizations/', 'package_groups': '/katello/api/package_groups/', 'repository_sets': '/katello/api/repository_sets/', 'repositories': '/katello/api/repositories/', 'products': '/katello/api/products/', 'activation_keys': '/katello/api/activation_keys/', 'errata': '/katello/api/errata/'}
2014-12-16 07:11:24,112 [DEBUG] subscription-manager @connection.py:418 - Loaded CA certificates from /etc/rhsm/ca/: candlepin-local.pem, katello-server-ca.pem
2014-12-16 07:11:24,112 [DEBUG] subscription-manager @connection.py:450 - Making request: GET /rhsm/status
2014-12-16 07:11:24,259 [DEBUG] subscription-manager @connection.py:473 - Response: status=200
2014-12-16 07:11:24,260 [INFO] subscription-manager @managercli.py:299 - Server Versions: {'candlepin': '2.0.0-0.el7-Katello', 'server-type': 'Red Hat Subscription Management'}
2014-12-16 07:11:24,262 [DEBUG] subscription-manager @connection.py:418 - Loaded CA certificates from /etc/rhsm/ca/: candlepin-local.pem, katello-server-ca.pem
2014-12-16 07:11:24,262 [DEBUG] subscription-manager @connection.py:450 - Making request: GET /rhsm/consumers/7b0dc4c1-3e73-40dc-be52-1cdf14c5ee0e/certificates/serials
2014-12-16 07:11:24,285 [ERROR] subscription-manager @managercli.py:156 - Unable to perform refresh due to the following exception: tlsv1 alert unknown ca
2014-12-16 07:11:24,285 [ERROR] subscription-manager @managercli.py:157 - tlsv1 alert unknown ca
Traceback (most recent call last):
File "/usr/share/rhsm/subscription_manager/managercli.py", line 541, in _do_command
self.certlib.update()
File "/usr/share/rhsm/subscription_manager/certlib.py", line 69, in update
return self._do_update()
File "/usr/share/rhsm/subscription_manager/certlib.py", line 92, in _do_update
return action.perform(lock=self.lock)
File "/usr/share/rhsm/subscription_manager/certlib.py", line 235, in perform
expected = self._get_expected_serials(report)
File "/usr/share/rhsm/subscription_manager/certlib.py", line 322, in _get_expected_serials
exp = self.get_certificate_serials_list()
File "/usr/share/rhsm/subscription_manager/certlib.py", line 315, in get_certificate_serials_list
reply = self.uep.getCertificateSerials(self._get_consumer_id())
File "/usr/lib64/python2.7/site-packages/rhsm/connection.py", line 916, in getCertificateSerials
return self.conn.request_get(method)
File "/usr/lib64/python2.7/site-packages/rhsm/connection.py", line 554, in request_get
return self._request("GET", method)
File "/usr/lib64/python2.7/site-packages/rhsm/connection.py", line 457, in _request
conn.request(request_type, handler, body=body, headers=headers)
File "/usr/lib64/python2.7/httplib.py", line 973, in request
self._send_request(method, url, body, headers)
File "/usr/lib64/python2.7/httplib.py", line 1007, in _send_request
self.endheaders(body)
File "/usr/lib64/python2.7/httplib.py", line 969, in endheaders
self._send_output(message_body)
File "/usr/lib64/python2.7/httplib.py", line 829, in _send_output
self.send(msg)
File "/usr/lib64/python2.7/httplib.py", line 791, in send
self.connect()
File "/usr/lib64/python2.7/site-packages/M2Crypto/httpslib.py", line 58, in connect
sock.connect((self.host, self.port))
File "/usr/lib64/python2.7/site-packages/M2Crypto/SSL/Connection.py", line 185, in connect
ret = self.connect_ssl()
File "/usr/lib64/python2.7/site-packages/M2Crypto/SSL/Connection.py", line 178, in connect_ssl
return m2.ssl_connect(self.ssl, self._timeout)
SSLError: tlsv1 alert unknown ca

If I run "subscription-manager list --available" I get:

2014-12-16 07:12:32,194 [ERROR] subscription-manager @managercli.py:156 - exception caught in subscription-manager
2014-12-16 07:12:32,195 [ERROR] subscription-manager @managercli.py:157 - Error updating system data on the server, see /var/log/rhsm/rhsm.log for more details.
Traceback (most recent call last):
File "/usr/sbin/subscription-manager", line 82, in <module>
sys.exit(abs(main() or 0))
File "/usr/sbin/subscription-manager", line 73, in main
return managercli.ManagerCLI().main()
File "/usr/share/rhsm/subscription_manager/managercli.py", line 2397, in main
return CLI.main(self)
File "/usr/share/rhsm/subscription_manager/cli.py", line 160, in main
return cmd.main()
File "/usr/share/rhsm/subscription_manager/managercli.py", line 424, in main
return_code = self._do_command()
File "/usr/share/rhsm/subscription_manager/managercli.py", line 2060, in do_command
uninstalled=self.options.match_installed)
File "/usr/share/rhsm/subscription_manager/managerlib.py", line 322, in get_available_entitlements
overlapping, uninstalled, text)
File "/usr/share/rhsm/subscription_manager/managerlib.py", line 526, in get_filtered_pools_list
self.identity.uuid, self.facts, active_on=active_on):
File "/usr/share/rhsm/subscription_manager/managerlib.py", line 291, in list_pools
facts.update_check(uep, consumer_uuid)
File "/usr/share/rhsm/subscription_manager/cache.py", line 183, in update_check
raise Exception(
("Error updating system data on the server, see /var/log/rhsm/rhsm.log "
Exception: Error updating system data on the server, see /var/log/rhsm/rhsm.log for more details.

I ran a cert test from the client to my katello server and it verified fine:

verify depth is 32
depth=2 C = US, O = GeoTrust Inc., CN = GeoTrust Global CA
verify return:1
depth=1 C = US, O = "GeoTrust, Inc.", CN = RapidSSL CA
verify return:1
depth=0 serialNumber = G7FkiJIImQR-ZrMucXArQ-1Lc5QBn9XP, OU = GT87906819, OU = See www.rapidssl.com/resources/cps (c)14, OU = Domain Control Validated - RapidSSL(R), CN = *.office.mydomain.net
verify return:1

CONNECTED
---
Certificate chain
0 s:/serialNumber=G7FkiJIImQR-ZrMucXArQ-1Lc5QBn9XP/OU=GT87906819/OU=See www.rapidssl.com/resources/cps (c)14/OU=Domain Control Validated - RapidSSL(R)/CN=*.office.mydomain.net
i:/C=US/O=GeoTrust, Inc./CN=RapidSSL CA
1 s:/C=US/O=Equifax/OU=Equifax Secure Certificate Authority
i:/C=US/O=Equifax/OU=Equifax Secure Certificate Authority
2 s:/C=US/O=GeoTrust Inc./CN=GeoTrust Global CA
i:/C=US/O=GeoTrust Inc./CN=GeoTrust Global CA
3 s:/C=US/O=GeoTrust, Inc./CN=RapidSSL CA
i:/C=US/O=GeoTrust Inc./CN=GeoTrust Global CA
4 s:/C=US/O=GeoTrust Inc./CN=GeoTrust Global CA
i:/C=US/O=Equifax/OU=Equifax Secure Certificate Authority
---
Server certificate
subject=/serialNumber=G7FkiJIImQR-ZrMucXArQ-1Lc5QBn9XP/OU=GT87906819/OU=See www.rapidssl.com/resources/cps (c)14/OU=Domain Control Validated - RapidSSL(R)/CN=*.office.mydomain.net
issuer=/C=US/O=GeoTrust, Inc./CN=RapidSSL CA
---
Acceptable client certificate CA names
Server Temp Key: ECDH, prime256v1, 256 bits
---
SSL handshake has read 24002 bytes and written 387 bytes
---
New, TLSv1/SSLv3, Cipher is ECDHE-RSA-AES256-GCM-SHA384
Server public key is 2048 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
SSL-Session:
Protocol : TLSv1.2
Cipher : ECDHE-RSA-AES256-GCM-SHA384
Session-ID: 8DAF1E415F409B8948B1D03310D4C316C1395391A87A6868EA257A97F21068CA
Session-ID-ctx:
Master-Key: E3DD943EEEBB69C053259BE459E9EC6B90D68ED2C997B50C6AB7044DEF9342104914779721CDDF0006B59348213D231A
Key-Arg : None
Krb5 Principal: None
PSK identity: None
PSK identity hint: None
TLS session ticket lifetime hint: 300 (seconds)
TLS session ticket:

Start Time: 1418677068
Timeout : 300 (sec)
Verify return code: 0 (ok)
---

I believe this is a problem with it being a wildcard certificate. I have tried multiple intermediate combinations and I continue to get the tlsv1 error. This error is basically keeping me from moving from Spacewalk, which works flawlessly. Thanks!

Brent
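An added triage helper for the failure described above, not part of this report or of subscription-manager: it parses the output of an `openssl s_client -showcerts` run and reports whether the client rejected the server chain (non-zero Verify return code) or whether the issuer of the consumer certificate is missing from the server's advertised client-CA list, which is the case in which the server, not the client, sends unknown_ca. The sample output is constructed and abridged from the report's own s_client runs, and the consumer issuer DN is a placeholder.

```python
"""Triage helper for "tlsv1 alert unknown ca" (added example, not part of this
report or of subscription-manager).  The unknown_ca alert is sent by the peer
that could not build a trust path for the certificate it was shown, so the
checks below tell the two cases apart.  Python 2.7 and 3 compatible."""
import re

# Split a slash-style DN only where an attribute name follows the "/", so a
# value like "See www.rapidssl.com/resources/cps" stays whole; newer openssl
# prints "C = US, O = ..." and that style is split on ", attr =".
_SLASH_SPLIT = re.compile(r"/(?=[A-Za-z][A-Za-z0-9.]*=)")
_COMMA_SPLIT = re.compile(r",\s*(?=[A-Za-z][A-Za-z0-9.]*\s*=)")


def normalize_dn(dn):
    """Return a DN as a tuple of (attr, value) pairs, whichever style it uses."""
    dn = dn.strip()
    parts = _SLASH_SPLIT.split(dn) if dn.startswith("/") else _COMMA_SPLIT.split(dn)
    pairs = []
    for part in parts:
        if "=" in part:
            attr, value = part.split("=", 1)
            pairs.append((attr.strip().lower(), value.strip()))
    return tuple(pairs)


def parse_s_client(output):
    """Extract the verify code, the server chain and the advertised client CAs."""
    result = {"verify_code": None, "chain": [], "client_cas": []}
    section, subject = None, None
    for line in output.splitlines():
        text = line.strip()
        if text == "---":
            section = None
        elif text == "Certificate chain":
            section = "chain"
        elif text == "Acceptable client certificate CA names":
            section = "cas"
        elif text.startswith("Verify return code:"):
            result["verify_code"] = int(re.search(r"\d+", text).group())
        elif section == "chain":
            m = re.match(r"\d+\s+s:(.*)", text)
            if m:
                subject = m.group(1)
            m = re.match(r"i:(.*)", text)
            if m and subject is not None:
                result["chain"].append((subject, m.group(1)))
                subject = None
        elif section == "cas":
            if text.startswith("/") or re.match(r"[A-Za-z]+\s*=", text):
                result["client_cas"].append(text)
            else:
                section = None  # "Server Temp Key: ..." ends the list
    return result


VERDICTS = {
    "NO_SUMMARY": "handshake aborted before the summary; read the alert line",
    "SERVER_CHAIN_REJECTED": "client rejected the server chain: -CAfile does not sign it",
    "CLIENT_CA_NOT_ADVERTISED": "server chain verifies, but the consumer cert issuer "
                                "is not an acceptable client CA, so the server rejects it",
    "OK": "trust anchors agree on both sides; check validity dates next",
}


def diagnose(parsed, consumer_issuer_dn):
    """Return (verdict code, explanation) for one parsed s_client run."""
    code = parsed["verify_code"]
    if code is None:
        verdict = "NO_SUMMARY"
    elif code != 0:
        verdict = "SERVER_CHAIN_REJECTED"
    elif normalize_dn(consumer_issuer_dn) not in set(
            normalize_dn(dn) for dn in parsed["client_cas"]):
        verdict = "CLIENT_CA_NOT_ADVERTISED"
    else:
        verdict = "OK"
    return verdict, VERDICTS[verdict]


# Constructed sample, abridged from the report's first s_client run: leaf plus
# one intermediate, and the advertised client-CA list cut to two entries.
SAMPLE_OK = """\
Certificate chain
 0 s:/serialNumber=G7FkiJIImQR-ZrMucXArQ-1Lc5QBn9XP/OU=GT87906819/OU=See www.rapidssl.com/resources/cps (c)14/OU=Domain Control Validated - RapidSSL(R)/CN=*.office.mydomain.net
   i:/C=US/O=GeoTrust, Inc./CN=RapidSSL CA
 1 s:/C=US/O=GeoTrust, Inc./CN=RapidSSL CA
   i:/C=US/O=GeoTrust Inc./CN=GeoTrust Global CA
---
Acceptable client certificate CA names
/C=US/O=GeoTrust, Inc./CN=RapidSSL CA
/C=US/O=GeoTrust Inc./CN=GeoTrust Global CA
Server Temp Key: ECDH, prime256v1, 256 bits
---
    Verify return code: 0 (ok)
---
"""
# Hypothetical issuer of /etc/pki/consumer/cert.pem; the real Katello CA DN differs.
CONSUMER_ISSUER = "/O=Example Katello CA (constructed)/CN=katello-ca.example"
```

Real input comes from `openssl s_client -connect katello.office.mydomain.net:443 -showcerts -CAfile /etc/rhsm/ca/candlepin-local.pem -cert /etc/pki/consumer/cert.pem -key /etc/pki/consumer/key.pem < /dev/null` (the same CA, cert and key paths rhsm.log shows subscription-manager using), with the issuer DN taken from `openssl x509 -noout -issuer -in /etc/pki/consumer/cert.pem`.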

History

#1 Updated by Eric Helms over 4 years ago

  • Category set to Installer
  • Target version set to 63
  • Legacy Backlogs Release (now unused) set to 14
  • Triaged changed from No to Yes

#2 Updated by Brent Wells over 4 years ago

After more testing, it looks like the problem is with the candlepin certificate. Here is the openssl test output using the candlepin certificate:

openssl s_client connect katello.office.mydomain.net:443 -showcerts -CAfile /etc/rhsm/ca/candlepin-local.pem
CONNECTED
depth=2 C = US, O = GeoTrust Inc., CN = GeoTrust Global CA
verify error:num=19:self signed certificate in certificate chain
verify return:0
--

Certificate chain
0 s:/serialNumber=G7FkiJIImQR-ZrMucXArQ-1Lc5QBn9XP/OU=GT87906819/OU=See www.rapidssl.com/resources/cps (c)14/OU=Domain Control Validated - RapidSSL(R)/CN=*.office.mydomain.net
i:/C=US/O=GeoTrust, Inc./CN=RapidSSL CA
1 s:/C=US/O=Equifax/OU=Equifax Secure Certificate Authority
i:/C=US/O=Equifax/OU=Equifax Secure Certificate Authority
2 s:/C=US/O=GeoTrust Inc./CN=GeoTrust Global CA
i:/C=US/O=GeoTrust Inc./CN=GeoTrust Global CA
3 s:/C=US/O=GeoTrust, Inc./CN=RapidSSL CA
i:/C=US/O=GeoTrust Inc./CN=GeoTrust Global CA
4 s:/C=US/O=GeoTrust Inc./CN=GeoTrust Global CA
i:/C=US/O=Equifax/OU=Equifax Secure Certificate Authority
---
Server certificate
subject=/serialNumber=G7FkiJIImQR-ZrMucXArQ-1Lc5QBn9XP/OU=GT87906819/OU=See www.rapidssl.com/resources/cps (c)14/OU=Domain Control Validated - RapidSSL(R)/CN=*.office.mydomain.net
issuer=/C=US/O=GeoTrust, Inc./CN=RapidSSL CA
---
Acceptable client certificate CA names
/C=US/O=DigiCert Inc/OU=www.digicert.com/CN=DigiCert High Assurance EV Root CA
/C=SE/O=AddTrust AB/OU=AddTrust External TTP Network/CN=AddTrust External CA Root
/C=DE/O=Deutsche Telekom AG/OU=T-TeleSec Trust Center/CN=Deutsche Telekom Root CA 2
/C=HU/L=Budapest/O=Microsec Ltd./OU=e-Szigno CA/CN=Microsec e-Szigno Root CA
/C=EE/O=AS Sertifitseerimiskeskus/CN=EE Certification Centre Root CA/emailAddress=pki@sk.ee
/C=TR/O=Elektronik Bilgi Guvenligi A.S./CN=e-Guven Kok Elektronik Sertifika Hizmet Saglayicisi
/C=US/O=GTE Corporation/OU=GTE CyberTrust Solutions, Inc./CN=GTE CyberTrust Global Root
/C=DE/O=TC TrustCenter GmbH/OU=TC TrustCenter Class 2 CA/CN=TC TrustCenter Class 2 CA II
/C=DE/O=TC TrustCenter GmbH/OU=TC TrustCenter Class 3 CA/CN=TC TrustCenter Class 3 CA II
/C=DE/O=TC TrustCenter GmbH/OU=TC TrustCenter Universal CA/CN=TC TrustCenter Universal CA I
/C=CO/O=Sociedad Cameral de Certificaci\xC3\xB3n Digital - Certic\xC3\xA1mara S.A./CN=AC Ra\xC3\xADz Certic\xC3\xA1mara S.A.
/C=GB/ST=Greater Manchester/L=Salford/O=Comodo CA Limited/CN=AAA Certificate Services
/C=EU/O=AC Camerfirma SA CIF A82743287/OU=http://www.chambersign.org/CN=Global Chambersign Root
/C=IL/O=StartCom Ltd./OU=Secure Digital Certificate Signing/CN=StartCom Certification Authority
/C=GB/ST=Greater Manchester/L=Salford/O=Comodo CA Limited/CN=Secure Certificate Services
/C=PL/O=Unizeto Technologies S.A./OU=Certum Certification Authority/CN=Certum Trusted Network CA
/C=BM/O=QuoVadis Limited/OU=Root Certification Authority/CN=QuoVadis Root Certification Authority
/C=EU/O=AC Camerfirma SA CIF A82743287/OU=http://www.chambersign.org/CN=Chambers of Commerce Root
/C=GB/ST=Greater Manchester/L=Salford/O=Comodo CA Limited/CN=Trusted Certificate Services
/CN=EBG Elektronik Sertifika Hizmet Sa\xC4\x9Flay\xC4\xB1c\xC4\xB1s\xC4\xB1/O=EBG Bili\xC5\x9Fim Teknolojileri ve Hizmetleri A.\xC5\x9E./C=TR
/C=GB/ST=Greater Manchester/L=Salford/O=COMODO CA Limited/CN=COMODO Certification Authority
/C=DE/O=T-Systems Enterprise Services GmbH/OU=T-Systems Trust Center/CN=T-TeleSec GlobalRoot Class 2
/C=DE/O=T-Systems Enterprise Services GmbH/OU=T-Systems Trust Center/CN=T-TeleSec GlobalRoot Class 3
/C=HU/L=Budapest/O=Microsec Ltd./CN=Microsec e-Szigno Root CA 2009/emailAddress=info@e-szigno.hu
/C=US/OU=www.xrampsecurity.com/O=XRamp Security Services Inc/CN=XRamp Global Certification Authority
/C=US/ST=Arizona/L=Scottsdale/O=GoDaddy.com, Inc./CN=Go Daddy Root Certificate Authority - G2
/C=US/O=thawte, Inc./OU=(c) 2007 thawte, Inc. - For authorized use only/CN=thawte Primary Root CA - G2
/C=FR/ST=France/L=Paris/O=PM/SGDN/OU=DCSSI/CN=IGC/A/emailAddress=igca@sgdn.pm.gouv.fr
/C=GB/ST=Greater Manchester/L=Salford/O=COMODO CA Limited/CN=COMODO ECC Certification Authority
/C=US/O=Wells Fargo WellsSecure/OU=Wells Fargo Bank NA/CN=WellsSecure Public Root Certificate Authority
/C=CH/O=WISeKey/OU=Copyright (c) 2005/OU=OISTE Foundation Endorsed/CN=OISTE WISeKey Global Root GA CA
/C=CN/O=China Internet Network Information Center/CN=China Internet Network Information Center EV Certificates Root
/C=AT/O=A-Trust Ges. f. Sicherheitssysteme im elektr. Datenverkehr GmbH/OU=A-Trust-nQual-03/CN=A-Trust-nQual-03
/C=US/ST=Arizona/L=Scottsdale/O=Starfield Technologies, Inc./CN=Starfield Root Certificate Authority - G2
/C=US/ST=UT/L=Salt Lake City/O=The USERTRUST Network/OU=http://www.usertrust.com/CN=UTN - DATACorp SGC
/C=GR/O=Hellenic Academic and Research Institutions Cert. Authority/CN=Hellenic Academic and Research Institutions RootCA 2011
/C=US/ST=UT/L=Salt Lake City/O=The USERTRUST Network/OU=http://www.usertrust.com/CN=UTN-USERFirst-Hardware
/C=US/ST=Arizona/L=Scottsdale/O=Starfield Technologies, Inc./CN=Starfield Services Root Certificate Authority - G2
/C=US/O=GeoTrust Inc./OU=(c) 2007 GeoTrust Inc. - For authorized use only/CN=GeoTrust Primary Certification Authority - G2
/C=US/O=GeoTrust Inc./OU=(c) 2008 GeoTrust Inc. - For authorized use only/CN=GeoTrust Primary Certification Authority - G3
/C=HU/L=Budapest/O=NetLock Halozatbiztonsagi Kft./OU=Tanusitvanykiadok/CN=NetLock Uzleti (Class B) Tanusitvanykiado
/C=HU/L=Budapest/O=NetLock Halozatbiztonsagi Kft./OU=Tanusitvanykiadok/CN=NetLock Expressz (Class C) Tanusitvanykiado
/C=HU/L=Budapest/O=NetLock Kft./OU=Tan\xC3\xBAs\xC3\xADtv\xC3\xA1nykiad\xC3\xB3k (Certification Services)/CN=NetLock Arany (Class Gold) F\xC5\x91tan\xC3\xBAs\xC3\xADtv\xC3\xA1ny
/C=US/O=thawte, Inc./OU=Certification Services Division/OU=(c) 2006 thawte, Inc. - For authorized use only/CN=thawte Primary Root CA
/C=EU/L=Madrid (see current address at www.camerfirma.com/address)/serialNumber=A82743287/O=AC Camerfirma S.A./CN=Global Chambersign Root - 2008
/C=EU/L=Madrid (see current address at www.camerfirma.com/address)/serialNumber=A82743287/O=AC Camerfirma S.A./CN=Chambers of Commerce Root - 2008
/C=US/O=thawte, Inc./OU=Certification Services Division/OU=(c) 2008 thawte, Inc. - For authorized use only/CN=thawte Primary Root CA - G3
/C=HU/ST=Hungary/L=Budapest/O=NetLock Halozatbiztonsagi Kft./OU=Tanusitvanykiadok/CN=NetLock Kozjegyzoi (Class A) Tanusitvanykiado
/C=US/O=Entrust, Inc./OU=www.entrust.net/CPS is incorporated by reference/OU=(c) 2006 Entrust, Inc./CN=Entrust Root Certification Authority
/C=TR/L=Ankara/O=E-Tu\xC4\x9Fra EBG Bili\xC5\x9Fim Teknolojileri ve Hizmetleri A.\xC5\x9E./OU=E-Tugra Sertifikasyon Merkezi/CN=E-Tugra Certification Authority
/O=Entrust.net/OU=www.entrust.net/CPS_2048 incorp. by ref. (limits liab.)/OU=(c) 1999 Entrust.net Limited/CN=Entrust.net Certification Authority (2048)
/CN=T\xC3\x9CRKTRUST Elektronik Sertifika Hizmet Sa\xC4\x9Flay\xC4\xB1c\xC4\xB1s\xC4\xB1/C=TR/L=ANKARA/O=(c) 2005 T\xC3\x9CRKTRUST Bilgi \xC4\xB0leti\xC5\x9Fim ve Bili\xC5\x9Fim G\xC3\xBCvenli\xC4\x9Fi Hizmetleri A.\xC5\x9E.
/L=ValiCert Validation Network/O=ValiCert, Inc./OU=ValiCert Class 1 Policy Validation Authority/CN=http://www.valicert.com//emailAddress=info@valicert.com
/L=ValiCert Validation Network/O=ValiCert, Inc./OU=ValiCert Class 2 Policy Validation Authority/CN=http://www.valicert.com//emailAddress=info@valicert.com
/L=ValiCert Validation Network/O=ValiCert, Inc./OU=ValiCert Class 3 Policy Validation Authority/CN=http://www.valicert.com//emailAddress=info@valicert.com
/C=US/O=VeriSign, Inc./OU=VeriSign Trust Network/OU=(c) 2008 VeriSign, Inc. - For authorized use only/CN=VeriSign Universal Root Certification Authority
/CN=T\xC3\x9CRKTRUST Elektronik Sertifika Hizmet Sa\xC4\x9Flay\xC4\xB1c\xC4\xB1s\xC4\xB1/C=TR/L=Ankara/O=T\xC3\x9CRKTRUST Bilgi \xC4\xB0leti\xC5\x9Fim ve Bili\xC5\x9Fim G\xC3\xBCvenli\xC4\x9Fi Hizmetleri A.\xC5\x9E. (c) Kas\xC4\xB1m 2005
/CN=T\xC3\x9CRKTRUST Elektronik Sertifika Hizmet Sa\xC4\x9Flay\xC4\xB1c\xC4\xB1s\xC4\xB1/C=TR/L=Ankara/O=T\xC3\x9CRKTRUST Bilgi \xC4\xB0leti\xC5\x9Fim ve Bili\xC5\x9Fim G\xC3\xBCvenli\xC4\x9Fi Hizmetleri A.\xC5\x9E. (c) Aral\xC4\xB1k 2007
/C=US/O=VeriSign, Inc./OU=Class 3 Public Primary Certification Authority - G2/OU=(c) 1998 VeriSign, Inc. - For authorized use only/OU=VeriSign Trust Network
/C=US/O=Entrust.net/OU=www.entrust.net/CPS incorp. by ref. (limits liab.)/OU=(c) 1999 Entrust.net Limited/CN=Entrust.net Secure Server Certification Authority
/C=ZA/ST=Western Cape/L=Cape Town/O=Thawte Consulting cc/OU=Certification Services Division/CN=Thawte Server CA/emailAddress=server-certs@thawte.com
/serialNumber=G7FkiJIImQR-ZrMucXArQ-1Lc5QBn9XP/OU=GT87906819/OU=See www.rapidssl.com/resources/cps (c)14/OU=Domain Control Validated - RapidSSL(R)/CN=*.office.mydomain.net
/C=--/ST=SomeState/L=SomeCity/O=SomeOrganization/OU=SomeOrganizationalUnit/CN=katello.office.mydomain.net/emailAddress=root@katello.office.mydomain.net
Server Temp Key: ECDH, prime256v1, 256 bits
---
SSL handshake has read 24002 bytes and written 387 bytes
---
New, TLSv1/SSLv3, Cipher is ECDHE-RSA-AES256-GCM-SHA384
Server public key is 2048 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
SSL-Session:
Protocol : TLSv1.2
Cipher : ECDHE-RSA-AES256-GCM-SHA384
Session-ID: FC6AF5131D838504527902AC0FFC5A028436B54044040A07D593636D30D9A349
Session-ID-ctx:
Master-Key: 26121F125FFE52473AA1061A94BDBC56F7B42FBCD49952D9F471A7EE08B24E9A794DDE575D32EA6D32BFDEF4A4613982
Key-Arg : None
Krb5 Principal: None
PSK identity: None
PSK identity hint: None
TLS session ticket lifetime hint: 300 (seconds)
TLS session ticket:

Start Time: 1420504213
Timeout : 300 (sec)
Verify return code: 19 (self signed certificate in certificate chain)

If I use the katello-server-ca.pem to test, the output says OK. Not sure what is missing on the candlepin portion.

#3 Updated by Eric Helms over 4 years ago

  • Target version changed from 63 to 66

#4 Updated by Brent Wells over 4 years ago

After looking at this further, the problem looks like rapidssl is not being trusted even when I use the CA provided by rapidssl. If I use the ca-bundle.crt provided by the OS, passenger will not function properly, but httpd will start and then you can use the candlepin certificate.

#5 Updated by Brent Wells over 4 years ago

If I set --certs-server-ca-cert and --foreman-server-ssl-ca to this file, https://knowledge.rapidssl.com/library/VERISIGN/ALL_OTHER/RapidSSL%20Intermediate/RapidSSL_CA_bundle.pem, I get this error while:

Could not set 'present' on ensure: 422 Unprocessable Entity at 12:/usr/share/katello-installer/modules/foreman_proxy/manifests/register.pp
Could not set 'present' on ensure: 422 Unprocessable Entity at 12:/usr/share/katello-installer/modules/foreman_proxy/manifests/register.pp
/Stage[main]/Foreman_proxy::Register/Foreman_smartproxy[katello.office.mydomain.net]/ensure: change from absent to present failed: Could not set 'present' on ensure: 422 Unprocessable Entity at 12:/usr/share/katello-installer/modules/foreman_proxy/manifests/register.pp
/Stage[main]/Foreman_proxy::Register/Foreman_smartproxy[katello.office.mydomain.net]: Failed to call refresh: missing param 'id' in parameters
/Stage[main]/Foreman_proxy::Register/Foreman_smartproxy[katello.office.mydomain.net]: missing param 'id' in parameters

And if I test from my remote server using openssl,
openssl s_client -connect katello.office.mydomain.net:443 -verify 4 -showcerts -CAfile /etc/rhsm/ca/candlepin-local.pem
Verify return code: 27 (certificate not trusted)

But if I use the remote server's ca-bundle.crt to test,
openssl s_client -connect katello.office.mydomain.net:443 -verify 4 -showcerts -CAfile /etc/pki/tls/certs/ca-bundle.crt
Verify return code: 0 (ok)

Also, when I set the repo_ca to the ca-bundle.crt, subscription-manager totally ignores the settings and continues to look in the /etc/rhsm/ca directory

#6 Updated by Eric Helms over 4 years ago

  • Legacy Backlogs Release (now unused) changed from 14 to 33

#7 Updated by Eric Helms over 4 years ago

  • Legacy Backlogs Release (now unused) changed from 33 to 23

#8 Updated by Eric Helms over 4 years ago

  • Status changed from New to Need more information

Could you try bumping the SSL verify depth in rhsm.conf and seeing if that fixes the issue? If so we can deploy the bootstrap RPM to make that value higher.

#9 Updated by Adrian Likins over 4 years ago

Brent Wells wrote:

After more testing, looks like the problem is with the candlepin certificate. Here is the openssl test output using the candlepin certificate:

openssl s_client -connect katello.office.mydomain.net:443 -showcerts -CAfile /etc/rhsm/ca/candlepin-local.pem
CONNECTED
depth=2 C = US, O = GeoTrust Inc., CN = GeoTrust Global CA
verify error:num=19:self signed certificate in certificate chain
verify return:0

Acceptable client certificate CA names
/C=CN/O=CNNIC/CN=CNNIC ROOT

< cut lots of CA dn's >

/serialNumber=G7FkiJIImQR-ZrMucXArQ-1Lc5QBn9XP/OU=GT87906819/OU=See www.rapidssl.com/resources/cps (c)14/OU=Domain Control Validated - RapidSSL(R)/CN=*.office.mydomain.net
/C=--/ST=SomeState/L=SomeCity/O=SomeOrganization/OU=SomeOrganizationalUnit/CN=katello.office.mydomain.net/emailAddress=
/C=US/O=VeriSign, Inc./OU=VeriSign Trust Network/OU=(c) 1999 VeriSign, Inc. - For authorized use only/CN=VeriSign Class 3 Public Primary Certification Authority - G3

Normally I'd expect the acceptable CA list to include the candlepin/katello ca certs here.

The katello server cert will be signed by rapidssl, and subscription-manager will be ok if the ca cert for that issuer is in /etc/rhsm/ca/*.pem and if the client can find the issuing CA cert within 3 levels of a cert in /etc/rhsm/ca/*.pem. So at least the rapidssl immediate issuer CA cert needs to be in a bundle in /etc/rhsm/ca/*.pem. [/C=--/ST=SomeState/L=SomeCity/O=SomeOrganization/OU=SomeOrganizationalUnit/CN=katello.office.mydomain.net/emailAddress= if I'm reading the info provided correctly].

But also, the server that is verifying the subscription-manager consumer client cert (/etc/pki/consumer/cert.pem on the system running subscription-manager) needs to have the CA that issued that client certificate in the CA bundle it's checking client certs against (and ideally, only that CA bundle). The s_client output looks like the server's ca bundle for checking client certificates includes the system's ca bundle (with verisign/digicert/rapidssl etc).

[I'm unsure if the wildcard certs could be an issue. Afaik, they should be ok for the katello server cert, but I can't rule that out...]

Start Time: 1420504213
Timeout : 300 (sec)
Verify return code: 19 (self signed certificate in certificate chain)


If I use the katello-server-ca.pem to test, the output says OK. Not sure what is missing on the candlepin portion.

#10 Updated by Eric Helms over 4 years ago

  • Target version changed from 66 to 67

#11 Updated by Eric Helms over 4 years ago

  • Target version changed from 67 to 68

#12 Updated by Eric Helms about 4 years ago

I wonder if you could try this with 2.2 as we now provide a utility for checking that a custom certificate will work prior to using it.

#13 Updated by Eric Helms about 4 years ago

  • Target version deleted (68)

#14 Updated by Brent Wells about 4 years ago

Eric, below is the output from the install. Looks like the check works, my problem is that I am probably going to have to get a new certificate. RapidSSL looks like it is not going to work. If you have any ideas, let me know. Thanks!

/Stage[main]/Foreman::Database/Foreman::Rake[db:migrate]/Exec[foreman-rake-db:migrate]: Failed to call refresh: /usr/sbin/foreman-rake db:migrate returned 1 instead of one of [0]
/Stage[main]/Foreman::Database/Foreman::Rake[db:migrate]/Exec[foreman-rake-db:migrate]: /usr/sbin/foreman-rake db:migrate returned 1 instead of one of [0]
/Stage[main]/Foreman::Database/Foreman::Rake[db:seed]/Exec[foreman-rake-db:seed]: Failed to call refresh: /usr/sbin/foreman-rake db:seed returned 1 instead of one of [0]
/Stage[main]/Foreman::Database/Foreman::Rake[db:seed]/Exec[foreman-rake-db:seed]: /usr/sbin/foreman-rake db:seed returned 1 instead of one of [0]
/Stage[main]/Foreman::Database/Foreman::Rake[apipie:cache]/Exec[foreman-rake-apipie:cache]: Failed to call refresh: /usr/sbin/foreman-rake apipie:cache returned 1 instead of one of [0]
/Stage[main]/Foreman::Database/Foreman::Rake[apipie:cache]/Exec[foreman-rake-apipie:cache]: /usr/sbin/foreman-rake apipie:cache returned 1 instead of one of [0]
Could not start Service[foreman-tasks]: Execution of '/usr/share/katello-installer/modules/service_wait/bin/service-wait start foreman-tasks' returned 1: Redirecting to /bin/systemctl start foreman-tasks.service
/Stage[main]/Foreman::Plugin::Tasks/Service[foreman-tasks]/ensure: change from stopped to running failed: Could not start Service[foreman-tasks]: Execution of '/usr/share/katello-installer/modules/service_wait/bin/service-wait start foreman-tasks' returned 1: Redirecting to /bin/systemctl start foreman-tasks.service
/usr/share/foreman/script/foreman-rake config -- k ssl_ca_file -v '/etc/foreman/proxy_ca.pem' -k ssl_certificate -v '/etc/foreman/client_cert.pem' -k ssl_priv_key -v '/etc/foreman/client_key.pem' returned 1 instead of one of [0]
/Stage[main]/Certs::Foreman/Exec[foreman_certs_config]/returns: change from notrun to 0 failed: /usr/share/foreman/script/foreman-rake config -
-k ssl_ca_file -v '/etc/foreman/proxy_ca.pem' -k ssl_certificate -v '/etc/foreman/client_cert.pem' -k ssl_priv_key -v '/etc/foreman/client_key.pem' returned 1 instead of one of [0]
/Stage[main]/Foreman_proxy::Register/Foreman_smartproxy[katello.office.mydomain.net]: Could not evaluate: Could not load data from https://katello.office.mydomain.net
/Stage[main]/Foreman_proxy::Register/Foreman_smartproxy[katello.office.mydomain.net]: Failed to call refresh: Could not load data from https://katello.office.mydomain.net
/Stage[main]/Foreman_proxy::Register/Foreman_smartproxy[katello.office.mydomain.net]: Could not load data from https://katello.office.mydomain.net

#15 Updated by Eric Helms about 4 years ago

Been trying to produce a reproducer by generating certificates with openssl to mimic this situation with no luck so far. Anything special with respect to the wildcard cert or just like any other but with a wild card common name?

#16 Updated by Eric Helms about 4 years ago

  • Legacy Backlogs Release (now unused) changed from 23 to 51

#17 Updated by Brent Wells about 4 years ago

Eric,
I have changed to a startssl certificate and did not get any errors during the installation process. That seems to be fine. The issue I am getting now is this error on the client:

tlsv1 alert unknown ca

The certificate is a SHA256 cert, which I had to move to due to a Google Chrome issue. I did use the openssl command and verified that the ca that I got from startssl works. It comes back with

Start Time: 1429537830
Timeout : 300 (sec)
Verify return code: 0 (ok)

Here is the traceback from the rhsm.log file:

Traceback (most recent call last):
File "/usr/share/rhsm/subscription_manager/cache.py", line 142, in update_check
self._sync_with_server(uep, consumer_uuid)
File "/usr/share/rhsm/subscription_manager/facts.py", line 154, in _sync_with_server
uep.updateConsumer(consumer_uuid, facts=self.get_facts())
File "/usr/lib64/python2.7/site-packages/rhsm/connection.py", line 824, in updateConsumer
ret = self.conn.request_put(method, params)
File "/usr/lib64/python2.7/site-packages/rhsm/connection.py", line 582, in request_put
return self._request("PUT", method, params)
File "/usr/lib64/python2.7/site-packages/rhsm/connection.py", line 476, in _request
conn.request(request_type, handler, body=body, headers=headers)
File "/usr/lib64/python2.7/httplib.py", line 973, in request
self._send_request(method, url, body, headers)
File "/usr/lib64/python2.7/httplib.py", line 1007, in _send_request
self.endheaders(body)
File "/usr/lib64/python2.7/httplib.py", line 969, in endheaders
self._send_output(message_body)
File "/usr/lib64/python2.7/httplib.py", line 829, in _send_output
self.send(msg)
File "/usr/lib64/python2.7/httplib.py", line 791, in send
self.connect()
File "/usr/lib64/python2.7/site-packages/M2Crypto/httpslib.py", line 58, in connect
sock.connect((self.host, self.port))
File "/usr/lib64/python2.7/site-packages/M2Crypto/SSL/Connection.py", line 185, in connect
ret = self.connect_ssl()
File "/usr/lib64/python2.7/site-packages/M2Crypto/SSL/Connection.py", line 178, in connect_ssl
return m2.ssl_connect(self.ssl, self._timeout)
SSLError: tlsv1 alert unknown ca

Thanks!

#18 Updated by Eric Helms about 4 years ago

What OS is the client? Do you get this error on registration or another command post registration? The bootstrap RPM installed without issue?

#19 Updated by Brent Wells about 4 years ago

CentOS 7.1. Yes, I did get the "SSLError: tlsv1 alert unknown ca" when I registered. Yes, I installed the rpm that is provided by my Katello install.

#20 Updated by Brent Wells about 4 years ago

As a test, I disabled certificate validation and it still fails.

It appears that it ignores that option in the /etc/rhsm/rhsm.conf file. Is this set somewhere else?

Traceback (most recent call last):
File "/usr/share/rhsm/subscription_manager/cache.py", line 142, in update_check
self._sync_with_server(uep, consumer_uuid)
File "/usr/share/rhsm/subscription_manager/facts.py", line 154, in sync_with_server
uep.updateConsumer(consumer_uuid, facts=self.get_facts())
File "/usr/lib64/python2.7/site-packages/rhsm/connection.py", line 824, in updateConsumer
ret = self.conn.request_put(method, params)
File "/usr/lib64/python2.7/site-packages/rhsm/connection.py", line 582, in request_put
return self._request("PUT", method, params)
File "/usr/lib64/python2.7/site-packages/rhsm/connection.py", line 476, in _request
conn.request(request_type, handler, body=body, headers=headers)
File "/usr/lib64/python2.7/httplib.py", line 973, in request
self._send_request(method, url, body, headers)
File "/usr/lib64/python2.7/httplib.py", line 1007, in _send_request
self.endheaders(body)
File "/usr/lib64/python2.7/httplib.py", line 969, in endheaders
self._send_output(message_body)
File "/usr/lib64/python2.7/httplib.py", line 829, in _send_output
self.send(msg)
File "/usr/lib64/python2.7/httplib.py", line 791, in send
self.connect()
File "/usr/lib64/python2.7/site-packages/M2Crypto/httpslib.py", line 58, in connect
sock.connect((self.host, self.port))
File "/usr/lib64/python2.7/site-packages/M2Crypto/SSL/Connection.py", line 185, in connect
ret = self.connect_ssl()
File "/usr/lib64/python2.7/site-packages/M2Crypto/SSL/Connection.py", line 178, in connect_ssl
return m2.ssl_connect(self.ssl, self._timeout)
SSLError: tlsv1 alert unknown ca
2015-04-20 11:24:11,520 [ERROR] subscription-manager @managercli.py:160 - exception caught in subscription-manager
2015-04-20 11:24:11,521 [ERROR] subscription-manager @managercli.py:161 - Error updating system data on the server, see /var/log/rhsm/rhsm.log for more details.
Traceback (most recent call last):
File "/usr/sbin/subscription-manager", line 82, in <module>
sys.exit(abs(main() or 0))
File "/usr/sbin/subscription-manager", line 73, in main
return managercli.ManagerCLI().main()
File "/usr/share/rhsm/subscription_manager/managercli.py", line 2603, in main
return CLI.main(self)
File "/usr/share/rhsm/subscription_manager/cli.py", line 160, in main
return cmd.main()
File "/usr/share/rhsm/subscription_manager/managercli.py", line 484, in main
return_code = self._do_command()
File "/usr/share/rhsm/subscription_manager/managercli.py", line 2203, in _do_command
filter_string=self.options.filter_string)
File "/usr/share/rhsm/subscription_manager/managerlib.py", line 312, in get_available_entitlements
overlapping, uninstalled, text, filter_string)
File "/usr/share/rhsm/subscription_manager/managerlib.py", line 517, in get_filtered_pools_list
self.identity.uuid, self.facts, active_on=active_on, filter_string=filter_string):
File "/usr/share/rhsm/subscription_manager/managerlib.py", line 267, in list_pools
facts.update_check(uep, consumer_uuid)
File "/usr/share/rhsm/subscription_manager/cache.py", line 152, in update_check
raise Exception(
("Error updating system data on the server, see /var/log/rhsm/rhsm.log "
Exception: Error updating system data on the server, see /var/log/rhsm/rhsm.log for more details.

#21 Updated by Brent Wells about 4 years ago

Eric,
Now I believe there is more to this problem. I got a dedicated certificate, no wildcard, for my katello install. I used that when I installed my server. I had no errors during install. I then created my environment in Katello; created products, gpg keys, activation keys, content views, and lifecycle environments. I then attempted to subscribe my server to my katello instance. I received this error:

The system has been registered with ID: c551ef26-0d70-4183-b729-9eec774782a6
Unable to verify server's identity: tlsv1 alert unknown ca

I then ran this:
subscription-manager list --available
Error updating system data on the server, see /var/log/rhsm/rhsm.log for more details.

In the foreman httpd logs I am getting this:
Certificate Verification: Error (20): unable to get local issuer certificate

But if I use this, /etc/rhsm/ca/katello-server-ca.pem, from the test server I get an OK from openssl.

The only time I have been able to get katello to work is using the certs that katello creates by default instead of using my own. I am required by my company to use a certificate that is trusted, so I cannot use a self signed cert.

Thanks for all your help.

#22 Updated by Eric Helms about 4 years ago

Brent,

Good info to have -- this may be a scenario in testing custom certificates that we overlooked. I'll spend some time over the next few days generating my own custom certificates and importing them to test this scenario.

#23 Updated by Brent Wells about 4 years ago

Eric,
In order to get around this, I had to change the SSLVerifyClient entry in the 05-foreman-ssl.conf file to:
SSLVerifyClient optional_no_ca

This worked, but I am not sure how secure it is.

Thanks!
Brent

#24 Updated by Ivan Necas about 4 years ago

Could you describe more about what procedure you are using to configure Katello to use your certificates? Also, what does your 05-foreman-ssl.conf look like?

#25 Updated by Brent Wells about 4 years ago

Ivan,
This is all I am doing to configure katello, I run the below:
katello-installer --certs-server-ca-cert /etc/pki/mydomain/startssl-ca.pem --certs-server-cert /etc/pki/mydomain/katello.office.mydomain.net.crt --certs-server-cert-req /etc/pki/mydomain/katello.office.mydomain.net.csr --certs-server-key /etc/pki/mydomain/katello.office.mydomain.net.key --foreman-server-ssl-ca /etc/pki/mydomain/startssl-ca.pem --foreman-server-ssl-cert /etc/pki/mydomain/katello.office.mydomain.net.crt --foreman-server-ssl-chain /etc/pki/mydomain/startssl-ca.pem --foreman-server-ssl-key /etc/pki/mydomain/katello.office.mydomain.net.key

I then go in and set up all my products, gpg keys, content views, lifecycles, and repos.

Below is my 05-foreman-ssl.conf file. All I changed was the SSLVerifyClient to optional_no_ca:

# ************************************
# Vhost template in module puppetlabs-apache
# Managed by Puppet
# ************************************

<VirtualHost *:443>
  ServerName katello.office.mydomain.net

  ## Vhost docroot
  DocumentRoot "/usr/share/foreman/public" 

  ## Directories, there should at least be a declaration for /usr/share/foreman/public

  <Directory "/usr/share/foreman/public">
    Options SymLinksIfOwnerMatch
    AllowOverride None
    Require all granted
  </Directory>

  ## Load additional static includes

  ## Logging
  ErrorLog "/var/log/httpd/foreman-ssl_error_ssl.log" 
  ServerSignature Off
  CustomLog "/var/log/httpd/foreman-ssl_access_ssl.log" combined

  ## Server aliases
  ServerAlias foreman

  ## SSL directives
  SSLEngine on
  SSLCertificateFile      "/etc/pki/mydomain/katello.office.mydomain.net.crt" 
  SSLCertificateKeyFile   "/etc/pki/mydomain/katello.office.mydomain.net.key" 
  SSLCertificateChainFile "/etc/pki/mydomain/startssl-ca.pem" 
  SSLCACertificatePath    "/etc/pki/tls/certs" 
  SSLCACertificateFile    "/etc/pki/mydomain/startssl-ca.pem" 
  SSLVerifyClient         optional_no_ca
  SSLVerifyDepth          3
  SSLOptions +StdEnvVars

  ## Custom fragment
PassengerAppRoot /usr/share/foreman
PassengerRuby /usr/bin/ruby193-ruby
PassengerMinInstances 1
PassengerStartTimeout 600

AddDefaultCharset UTF-8
# Static public dir serving
<Directory /usr/share/foreman/public>

  <IfVersion < 2.4>
    Allow from all
  </IfVersion>
  <IfVersion >= 2.4>
    Require all granted
  </IfVersion>

</Directory>

<Directory /usr/share/foreman/public/assets>

  # Use standard http expire header for assets instead of ETag
  <IfModule mod_expires.c>
    Header unset ETag
    FileETag None
    ExpiresActive On
    ExpiresDefault "access plus 1 year" 
  </IfModule>

  # Return compressed assets if they are precompiled
  <IfModule mod_rewrite.c>
    RewriteEngine on
    # Make sure the browser supports gzip encoding and file with .gz added
    # does exist on disc before we rewrite with the extension
    RewriteCond %{HTTP:Accept-Encoding} \b(x-)?gzip\b
    RewriteCond %{REQUEST_FILENAME}.gz -s
    RewriteRule ^(.+) $1.gz [L]
    # Set headers for all possible assets which are compressed
    <FilesMatch \.css\.gz$>
      ForceType text/css
      Header set Content-Encoding gzip
      SetEnv no-gzip
    </FilesMatch>
    <FilesMatch \.js\.gz$>
      ForceType text/javascript
      Header set Content-Encoding gzip
      SetEnv no-gzip
    </FilesMatch>
  </IfModule>

</Directory>

<IfVersion < 2.4>
  Include /etc/httpd/conf.d/05-foreman-ssl.d/*.conf
</IfVersion>
<IfVersion >= 2.4>
  IncludeOptional /etc/httpd/conf.d/05-foreman-ssl.d/*.conf
</IfVersion>
PassengerPreStart https://katello.office.mydomain.net

</VirtualHost>
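
As an added illustration (not from this thread, the Katello installer, or the puppetlabs-apache template), here are the client-verification directives from the vhost above with the optional_no_ca workaround beside a corrected form that follows the point made in #9: the CA that issues consumer certificates is a separate concern from the StartSSL chain that issues the server certificate, and only the former belongs in the client-cert CA set. The path /etc/pki/mydomain/candlepin-ca.pem is a placeholder for the server-side copy of the CA that signs consumer certs (the CA the client holds as /etc/rhsm/ca/candlepin-local.pem); every other path is taken from the config above.

```apache
# --- Workaround as posted (weak) -------------------------------------------
# optional_no_ca hands the consumer certificate to the application without
# mod_ssl checking that it chains to any trusted CA, so the identity in
# /etc/pki/consumer/cert.pem is no longer verified at the TLS layer.
# SSLCACertificatePath also offers every CA in the OS hashed directory as an
# acceptable client CA, which is the long DN list seen in the s_client output.
SSLCACertificatePath    "/etc/pki/tls/certs"
SSLCACertificateFile    "/etc/pki/mydomain/startssl-ca.pem"
SSLVerifyClient         optional_no_ca
SSLVerifyDepth          3

# --- Corrected -------------------------------------------------------------
# Server identity: the StartSSL-issued cert, key, and its issuing chain.
SSLCertificateFile      "/etc/pki/mydomain/katello.office.mydomain.net.crt"
SSLCertificateKeyFile   "/etc/pki/mydomain/katello.office.mydomain.net.key"
SSLCertificateChainFile "/etc/pki/mydomain/startssl-ca.pem"

# Client identity: only the CA that signs consumer certificates, nothing else.
# With a single CA here, a consumer cert that does not chain to it fails with
# "unable to get local issuer certificate" instead of being silently accepted,
# and the CertificateRequest advertises just this CA.
# (placeholder path; substitute the server-side copy of the consumer CA)
SSLCACertificateFile    "/etc/pki/mydomain/candlepin-ca.pem"
SSLVerifyClient         optional
SSLVerifyDepth          3
SSLOptions +StdEnvVars
```

With SSLVerifyClient optional, a consumer certificate that does not chain to the configured CA still fails the handshake, so the "unknown ca" alert from #21 only goes away once the CA in SSLCACertificateFile is the one that actually issued the consumer certs.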

#26 Updated by Eric Helms about 4 years ago

  • Legacy Backlogs Release (now unused) changed from 51 to 55

#27 Updated by Eric Helms about 4 years ago

  • Legacy Backlogs Release (now unused) changed from 55 to 31

#28 Updated by Stephen Benjamin almost 4 years ago

  • Legacy Backlogs Release (now unused) changed from 31 to 70

Mass move to 2.4.0

#29 Updated by Eric Helms over 3 years ago

  • Legacy Backlogs Release (now unused) changed from 70 to 86

#30 Updated by Eric Helms over 3 years ago

  • Legacy Backlogs Release (now unused) changed from 86 to 114
