[root@henson ~]# lsof -Pni | grep 8443
java    1371 tomcat   47u  IPv6  24336  0t0  TCP *:8443 (LISTEN)

[root@henson ~]# ps aux | grep 1371
tomcat   1371  1.1 15.3 3644872 617928 ?  Ssl  15:05   0:31 java -classpath /usr/share/tomcat/bin/bootstrap.jar:/usr/share/tomcat/bin/tomcat-juli.jar:/usr/share/java/commons-daemon.jar -Dcatalina.base=/usr/share/tomcat -Dcatalina.home=/usr/share/tomcat -Djava.endorsed.dirs= -Djava.io.tmpdir=/var/cache/tomcat/temp -Djava.util.logging.config.file=/usr/share/tomcat/conf/logging.properties -Djava.util.logging.manager=org.apache.juli.ClassLoaderLogManager org.apache.catalina.startup.Bootstrap start
The openssl output shows what looks to be the self-signed cert that was not changed, as you mention:

        Issuer: C=US, ST=North Carolina, L=Raleigh, O=Katello, OU=SomeOrgUnit, CN=henson.in.example.com
        Validity
            Not Before: Aug 11 19:08:40 2016 GMT
            Not After : Jan 17 19:08:40 2038 GMT
        Subject: C=US, ST=North Carolina, L=Raleigh, O=Katello, OU=SomeOrgUnit, CN=henson.in.example.com

As for commands, I have a snapshot where everything is "working" with self-signed certs in place, having used './setup.rb --version 1.12 --scenario katello'. I quote "working" because CentOS 7.2 defaults to HSTS, so neither Chrome nor Firefox will allow you to add the certificate as an exception. However, using IE, I am able to log in with the default admin and all seems well. I then perform the following:

    katello-certs-check -c henson.in.example.com.crt -k henson.in.example.com.key -r henson.in.example.com.csr -b exampleroot.pem

This reports "Validation succeeded" and outputs the next steps. I then used the section for existing installations of katello:

    foreman-installer --scenario katello \
      --certs-server-cert "henson.in.example.com.crt" \
      --certs-server-cert-req "henson.in.example.com.csr" \
      --certs-server-key "henson.in.example.com.key" \
      --certs-server-ca-cert "exampleroot.pem" \
      --certs-update-server --certs-update-server-ca

The installer completes and outputs this:

    Marking certificate /root/ssl-build/henson.in.example.com/henson.in.example.com-apache for update
    Marking certificate /root/ssl-build/henson.in.example.com/henson.in.example.com-foreman-proxy for update
    Marking certificate /root/ssl-build/katello-server-ca for update
    Installing             Done                                               [100%] [...........................................................................]
      Success!
      * Katello is running at https://henson.in.example.com
      * To install additional capsule on separate machine continue by running:

          capsule-certs-generate --capsule-fqdn "$CAPSULE" --certs-tar "~/$CAPSULE-certs.tar"

      The full log is at /var/log/foreman-installer/katello.log

It is at this point I begin to get the certificate error. I get the login prompt, enter the admin credentials, and then am taken to the error message originally posted.

I'm guessing at this point I may need to tell katello to trust the self-signed cert tomcat is using somewhere, since I've told it to trust our internal root CA with the configure script with --server-ca-cert. However, I'm having trouble sorting out the large number of cert-related flags in the installer as well as any relevant config files.

post scriptum: No, I'm not really using example.com. I replaced the domain to comply with company policy.

On Tuesday, August 16, 2016 at 1:58:28 AM UTC-5, Ivan Necas wrote:
>
> When dealing with custom certs, the candlepin communication should not
> really be affected.
>
> I would recommend checking what's running on port 8443:
>
>     netstat -tulpan | grep 8443
>
> check which cert it is using:
>
>     openssl s_client -connect $(hostname -f):8443 | openssl x509 -text -noout | less
>
> Also, could you write exactly which commands you have run, for further
> investigation?
>
> -- Ivan
>
> On Mon, Aug 15, 2016 at 10:00 PM, Ciarán Taog <port...@gmail.com> wrote:
> > I am getting the following errors just after logging into katello after
> > installing certificates signed by our internal authority.
> >
> > Oops, we're sorry but something went wrong
> > Katello::Resources::Candlepin::OwnerInfo: SSL_connect returned=1 errno=0
> > state=SSLv3 read server certificate B: certificate verify failed (GET
> > /candlepin/owners/Default_Organization/info)
> >
> > RestClient::SSLCertificateNotVerified
> > Katello::Resources::Candlepin::OwnerInfo: SSL_connect returned=1 errno=0
> > state=SSLv3 read server certificate B: certificate verify failed (GET
> > /candlepin/owners/Default_Organization/info)
> >
> > I used the instructions provided here:
> > https://github.com/Katello/katello-installer#certificates
> >
> > I've also tried the workaround mentioned in
> > https://bugzilla.redhat.com/show_bug.cgi?id=1218251#c0
> >
> > katello-certs-check reported everything was fine and I used the installer
> > commands it provided. It appears to have configured apache correctly to use
> > the new certs but some other piece apparently did not. I'm completely lost
> > as to which one given the error message. This is on a CentOS 7.2.1511
> > system. Is there a way to determine which service (and its cert) katello is
> > attempting to connect to?
> >
> > --
> > You received this message because you are subscribed to the Google Groups
> > "Foreman users" group.
> > To unsubscribe from this group and stop receiving emails from it, send an
> > email to foreman-user...@googlegroups.com.
> > To post to this group, send email to forema...@googlegroups.com.
> > Visit this group at https://groups.google.com/group/foreman-users.
> > For more options, visit https://groups.google.com/d/optout.
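Added example, not code from the thread, from Katello or from the installer: the "certificate verify failed" error above is what the Rails side (RestClient) reports when the certificate presented on the Candlepin port does not chain to the CA bundle it trusts. The script below reproduces that check offline so the two cases can be told apart: a leaf signed by an internal root (what the installer was given) verifies against that root; an unrelated self-signed certificate (what the untouched Tomcat on :8443 appears to present) does not, and its issuer does not match the root's subject. All keys and certificates are constructed throwaway files; the subjects, file names and the helper names verify_against_ca and issuer_matches are assumptions for illustration.

```shell
#!/bin/sh
# Added example (not from the thread or the Katello project).
# Builds a throwaway internal CA, a leaf signed by it, and an unrelated
# self-signed cert, then runs the same trust check the Rails client performs:
# does the presented cert chain to the CA bundle we told the installer about?
set -eu

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# Constructed throwaway CA (stands in for exampleroot.pem; name is an assumption).
openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 30 \
  -subj "/CN=Example Internal Root" \
  -keyout "$WORK/ca.key" -out "$WORK/ca.pem" 2>/dev/null

# Constructed leaf signed by that CA (what the installer was handed).
openssl req -newkey rsa:2048 -nodes -sha256 \
  -subj "/CN=henson.in.example.com" \
  -keyout "$WORK/leaf.key" -out "$WORK/leaf.csr" 2>/dev/null
openssl x509 -req -in "$WORK/leaf.csr" -CA "$WORK/ca.pem" -CAkey "$WORK/ca.key" \
  -CAcreateserial -days 30 -sha256 -out "$WORK/leaf.crt" 2>/dev/null

# Constructed self-signed cert with a Katello-style subject (what an untouched
# Tomcat/Candlepin listener would still present).
openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 30 \
  -subj "/O=Katello/CN=henson.in.example.com" \
  -keyout "$WORK/selfsigned.key" -out "$WORK/selfsigned.crt" 2>/dev/null

# verify_against_ca CERT CA_BUNDLE -> "ok" or "verify-failed"
# This is the same path-building check RestClient/OpenSSL performs on connect.
verify_against_ca() {
  if openssl verify -CAfile "$2" "$1" >/dev/null 2>&1; then
    echo ok
  else
    echo verify-failed
  fi
}

# issuer_matches CERT CA -> "yes" if CERT's issuer DN equals CA's subject DN.
# A quick way to see which CA actually signed what a port is serving.
issuer_matches() {
  iss=$(openssl x509 -in "$1" -noout -issuer | sed 's/^issuer=//')
  sub=$(openssl x509 -in "$2" -noout -subject | sed 's/^subject=//')
  if [ "$iss" = "$sub" ]; then echo yes; else echo no; fi
}

# On a live host, capture the cert a port really presents and run the same
# two checks on it (assumed usage, not run here):
#   openssl s_client -connect "$(hostname -f):8443" </dev/null 2>/dev/null \
#     | openssl x509 -outform PEM > presented.crt
#   verify_against_ca presented.crt exampleroot.pem
#   issuer_matches presented.crt exampleroot.pem

echo "leaf vs CA:        $(verify_against_ca "$WORK/leaf.crt" "$WORK/ca.pem")"
echo "self-signed vs CA: $(verify_against_ca "$WORK/selfsigned.crt" "$WORK/ca.pem")"
echo "leaf issuer is CA:        $(issuer_matches "$WORK/leaf.crt" "$WORK/ca.pem")"
echo "self-signed issuer is CA: $(issuer_matches "$WORK/selfsigned.crt" "$WORK/ca.pem")"
```

Run as-is to see the two outcomes side by side; on the affected host, replace the constructed files with the certificate captured from :8443 and the CA file passed to --certs-server-ca-cert. A "verify-failed" there, with "no" from the issuer comparison, confirms the listener is still serving a certificate from the old Katello CA rather than one chained to the internal root.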