[root@henson ~]# lsof -Pni | grep 8443
java      1371        tomcat   47u  IPv6  24336      0t0  TCP *:8443 (LISTEN)
[root@henson ~]# ps aux | grep 1371
tomcat     1371  1.1 15.3 3644872 617928 ?      Ssl  15:05   0:31 java -classpath /usr/share/tomcat/bin/bootstrap.jar:/usr/share/tomcat/bin/tomcat-juli.jar:/usr/share/java/commons-daemon.jar -Dcatalina.base=/usr/share/tomcat -Dcatalina.home=/usr/share/tomcat -Djava.endorsed.dirs= -Djava.io.tmpdir=/var/cache/tomcat/temp -Djava.util.logging.config.file=/usr/share/tomcat/conf/logging.properties -Djava.util.logging.manager=org.apache.juli.ClassLoaderLogManager org.apache.catalina.startup.Bootstrap start

openssl output shows what looks to be the self-signed cert that was not
changed, as you mention.

        Issuer: C=US, ST=North Carolina, L=Raleigh, O=Katello, OU=SomeOrgUnit, CN=henson.in.example.com
        Validity
            Not Before: Aug 11 19:08:40 2016 GMT
            Not After : Jan 17 19:08:40 2038 GMT
        Subject: C=US, ST=North Carolina, L=Raleigh, O=Katello, OU=SomeOrgUnit, CN=henson.in.example.com

As for commands, I have a snapshot where everything is "working" with
self-signed certs in place, having used './setup.rb --version 1.12 --scenario
katello'. I put "working" in quotes because CentOS 7.2 defaults to HSTS, so
neither Chrome nor Firefox will allow you to add the certificate as an
exception. However, using IE, I am able to log in with the default admin and
all seems well.

I then perform the following:

katello-certs-check -c henson.in.example.com.crt -k henson.in.example.com.key -r henson.in.example.com.csr -b exampleroot.pem

This reports Validation succeeded and outputs the next steps. I then used 
the section for existing installations of katello:

    foreman-installer --scenario katello\
                      --certs-server-cert "henson.in.example.com.crt"\
                      --certs-server-cert-req "henson.in.example.com.csr"\
                      --certs-server-key "henson.in.example.com.key"\
                      --certs-server-ca-cert "exampleroot.pem"\
                      --certs-update-server --certs-update-server-ca

The installer completes and outputs this:

Marking certificate /root/ssl-build/henson.in.example.com/henson.in.example.com-apache for update
Marking certificate /root/ssl-build/henson.in.example.com/henson.in.example.com-foreman-proxy for update
Marking certificate /root/ssl-build/katello-server-ca for update
Installing             Done                                               [100%]
[...........................................................................]
  Success!
  * Katello is running at https://henson.in.example.com
  * To install additional capsule on separate machine continue by running:

      capsule-certs-generate --capsule-fqdn "$CAPSULE" --certs-tar "~/$CAPSULE-certs.tar"

  The full log is at /var/log/foreman-installer/katello.log

It is at this point that I begin to get the certificate error. I get the
login prompt, enter the admin credentials, and then am taken to the error
message originally posted.

I'm guessing at this point I may need to tell katello to trust the
self-signed cert tomcat is using somewhere, since I've told it to trust our
internal root CA with the configure script via --server-ca-cert. However,
I'm having trouble sorting out the large number of cert-related flags in
the installer as well as any relevant config files.

Post scriptum:
No, I'm not really using example.com. I replaced the domain to comply with
company policy.


On Tuesday, August 16, 2016 at 1:58:28 AM UTC-5, Ivan Necas wrote:
>
> When dealing with custom certs, the candlepin communication should not
> really be affected.
>
> I would recommend checking what's running on port 8443:
>
>   netstat -tulpan | grep 8443
>
> check which cert it is using:
>
>   openssl s_client -connect $(hostname -f):8443 | openssl x509 -text -noout | less
>
> Also, 
>
> could you write what commands exactly have you run, for further 
> investigation? 
>
> -- Ivan 
>
> On Mon, Aug 15, 2016 at 10:00 PM, Ciarán Taog <[email protected]> wrote:
> > I am getting the following errors just after logging into katello after 
> > installing certificates signed by our internal authority. 
> > 
> > Oops, we're sorry but something went wrong 
> > Katello::Resources::Candlepin::OwnerInfo: SSL_connect returned=1 errno=0 
> > state=SSLv3 read server certificate B: certificate verify failed (GET 
> > /candlepin/owners/Default_Organization/info) 
> > 
> > 
> > RestClient::SSLCertificateNotVerified 
> > Katello::Resources::Candlepin::OwnerInfo: SSL_connect returned=1 errno=0 
> > state=SSLv3 read server certificate B: certificate verify failed (GET 
> > /candlepin/owners/Default_Organization/info) 
> > 
> > 
> > I used the instructions provided here: 
> > https://github.com/Katello/katello-installer#certificates 
> > 
> > I've also tried the workaround mentioned in 
> > https://bugzilla.redhat.com/show_bug.cgi?id=1218251#c0 
> > 
> > katello-certs-check reported everything was fine and I used the installer
> > commands it provided. It appears to have configured apache correctly to use
> > the new certs but some other piece apparently did not. I'm completely lost
> > as to which one given the error message. This is on a CentOS 7.2.1511
> > system. Is there a way to determine which service (and its cert) katello is
> > attempting to connect to?
> > 
> > 
> > 
> > --
> > You received this message because you are subscribed to the Google Groups
> > "Foreman users" group.
> > To unsubscribe from this group and stop receiving emails from it, send an
> > email to [email protected].
> > To post to this group, send email to [email protected].
> > Visit this group at https://groups.google.com/group/foreman-users.
> > For more options, visit https://groups.google.com/d/optout.
>

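The failure described in this thread is a chain-building problem: Foreman's Ruby client trusts the internal root CA that was handed to the installer, but the service on 8443 still presents a certificate that does not chain to it, so the TLS client rejects it. The script below is an added example, not code from this thread or from the Katello/Foreman project, that reproduces that condition offline and packages the diagnostic Ivan suggested. It assumes only the openssl CLI; the throwaway "Example Internal Root CA", the file names (exampleroot.pem, tomcat-selfsigned.crt, demo.cnf) and the helper function names are all constructed here, and the CN is the hostname used in the thread.

```shell
#!/bin/sh
# Added example, not code from the thread or from Katello/Foreman.
# Assumed: the openssl CLI is installed; every file and CA name below is constructed.
set -eu

WORK="${WORK:-$(mktemp -d)}"
CN="henson.in.example.com"          # hostname from the thread

# Minimal openssl config: a DN section (req insists on one even with -subj)
# plus the two extension profiles the demo needs.
write_openssl_cnf() {
    cat > "$WORK/demo.cnf" <<EOF
[req]
distinguished_name = dn
prompt = no
[dn]
CN = placeholder
[v3_ca]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
subjectKeyIdentifier = hash
[v3_server]
basicConstraints = CA:FALSE
keyUsage = digitalSignature,keyEncipherment
extendedKeyUsage = serverAuth
subjectAltName = DNS:$CN
EOF
}

# Throwaway "internal root CA" standing in for exampleroot.pem.
make_internal_ca() {
    openssl req -x509 -config "$WORK/demo.cnf" -extensions v3_ca \
        -newkey rsa:2048 -nodes -days 2 \
        -subj "/O=Example Corp/CN=Example Internal Root CA" \
        -keyout "$WORK/exampleroot.key" -out "$WORK/exampleroot.pem" >/dev/null 2>&1
}

# Server cert issued by that CA: what Apache presents on 443 after the installer run.
make_ca_signed_server_cert() {
    openssl req -new -config "$WORK/demo.cnf" -newkey rsa:2048 -nodes \
        -subj "/CN=$CN" -keyout "$WORK/$CN.key" -out "$WORK/$CN.csr" >/dev/null 2>&1
    openssl x509 -req -days 2 -in "$WORK/$CN.csr" \
        -CA "$WORK/exampleroot.pem" -CAkey "$WORK/exampleroot.key" -CAcreateserial \
        -extfile "$WORK/demo.cnf" -extensions v3_server \
        -out "$WORK/$CN.crt" >/dev/null 2>&1
}

# Self-signed cert with the same CN (issuer == subject, as in the x509 dump in the
# thread): stands in for what Tomcat still serves on 8443.
make_self_signed_cert() {
    openssl req -x509 -config "$WORK/demo.cnf" -extensions v3_server \
        -newkey rsa:2048 -nodes -days 2 \
        -subj "/O=Katello/CN=$CN" \
        -keyout "$WORK/tomcat-selfsigned.key" -out "$WORK/tomcat-selfsigned.crt" >/dev/null 2>&1
}

# "yes" if issuer and subject are identical (self-signed), else "no".
is_self_signed() {
    subj=$(openssl x509 -noout -subject -in "$1" | cut -d= -f2-)
    iss=$(openssl x509 -noout -issuer -in "$1" | cut -d= -f2-)
    [ "$subj" = "$iss" ] && echo yes || echo no
}

# Build the chain the way any TLS client trusting exampleroot.pem would; prints ok/fail.
# The output is inspected rather than the exit code, which old openssl versions ignore.
verify_against_internal_ca() {
    out=$(openssl verify -CAfile "$WORK/exampleroot.pem" "$1" 2>&1) || true
    case "$out" in
        *": OK"*) echo ok ;;
        *)        echo fail ;;
    esac
}

# Live form of the same check for a real host (not exercised offline): which issuer
# the service on host:port presents and whether it chains to the given CA file.
check_live_endpoint() {
    out=$(openssl s_client -connect "$1:$2" -servername "$1" -CAfile "$3" </dev/null 2>/dev/null)
    printf '%s\n' "$out" | grep 'Verify return code'
    printf '%s\n' "$out" | openssl x509 -noout -subject -issuer -enddate
}

setup_demo() {
    write_openssl_cnf
    make_internal_ca
    make_ca_signed_server_cert
    make_self_signed_cert
}

# Stand-alone run: the Apache-style cert passes, the Tomcat-style one fails.
setup_demo
printf 'CA-signed   self_signed=%s verify=%s\n' "$(is_self_signed "$WORK/$CN.crt")" \
    "$(verify_against_internal_ca "$WORK/$CN.crt")"
printf 'self-signed self_signed=%s verify=%s\n' "$(is_self_signed "$WORK/tomcat-selfsigned.crt")" \
    "$(verify_against_internal_ca "$WORK/tomcat-selfsigned.crt")"
```

On the real box, `check_live_endpoint henson.in.example.com 8443 exampleroot.pem` is Ivan's s_client command with the CA pinned: a "Verify return code" other than 0 from 8443, while 443 returns 0, confirms that the Candlepin side is the piece still on the old certificate, independent of what the browser shows for the web UI.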