[root@henson ~]# lsof -Pni | grep 8443
java      1371        tomcat   47u  IPv6  24336      0t0  TCP *:8443 (LISTEN)
[root@henson ~]# ps aux | grep 1371
tomcat     1371  1.1 15.3 3644872 617928 ?      Ssl  15:05   0:31 java -classpath /usr/share/tomcat/bin/bootstrap.jar:/usr/share/tomcat/bin/tomcat-juli.jar:/usr/share/java/commons-daemon.jar -Dcatalina.base=/usr/share/tomcat -Dcatalina.home=/usr/share/tomcat -Djava.endorsed.dirs= -Djava.io.tmpdir=/var/cache/tomcat/temp -Djava.util.logging.config.file=/usr/share/tomcat/conf/logging.properties -Djava.util.logging.manager=org.apache.juli.ClassLoaderLogManager org.apache.catalina.startup.Bootstrap start

openssl output shows what looks to be the self signed cert that was not 
changed as you mention.

        Issuer: C=US, ST=North Carolina, L=Raleigh, O=Katello, OU=SomeOrgUnit, CN=henson.in.example.com
        Validity
            Not Before: Aug 11 19:08:40 2016 GMT
            Not After : Jan 17 19:08:40 2038 GMT
        Subject: C=US, ST=North Carolina, L=Raleigh, O=Katello, OU=SomeOrgUnit, CN=henson.in.example.com
        
As for commands, I have a snapshot where everything is "working" with self 
signed certs in place having used './setup.rb --version 1.12 --scenario 
katello'. I quote working because CentOS 7.2 defaults to HSTS so neither 
Chrome nor Firefox will allow you to add the certificate as an exception. 
However, using IE, I am able to log in with the default admin and all seems 
well.

I then perform the following:

katello-certs-check -c henson.in.example.com.crt -k henson.in.example.com.key -r henson.in.example.com.csr -b exampleroot.pem

This reports Validation succeeded and outputs the next steps. I then used 
the section for existing installations of katello:

    foreman-installer --scenario katello\
                      --certs-server-cert "henson.in.example.com.crt"\
                      --certs-server-cert-req "henson.in.example.com.csr"\
                      --certs-server-key "henson.in.example.com.key"\
                      --certs-server-ca-cert "exampleroot.pem"\
                      --certs-update-server --certs-update-server-ca

The installer completes and outputs this:

Marking certificate /root/ssl-build/henson.in.example.com/henson.in.example.com-apache for update
Marking certificate /root/ssl-build/henson.in.example.com/henson.in.example.com-foreman-proxy for update
Marking certificate /root/ssl-build/katello-server-ca for update
Installing             Done                                               [100%] [...........................................................................]
  Success!
  * Katello is running at https://henson.in.example.com
  * To install additional capsule on separate machine continue by running:

      capsule-certs-generate --capsule-fqdn "$CAPSULE" --certs-tar "~/$CAPSULE-certs.tar"

  The full log is at /var/log/foreman-installer/katello.log

It is at this point I begin to get the certificate error. I get the login 
prompt, enter the admin credentials, and then am taken to the error message 
originally posted. 

I'm guessing at this point I may need to tell katello to trust the self 
signed cert tomcat is using somewhere since I've told it to trust our 
internal root CA with the configure script with --server-ca-cert. However, 
I'm having trouble sorting out the large number of cert related flags in 
the installer as well as any relevant config files. 

post scriptum:
No, I'm not really using example.com. I replaced the domain to comply with 
company policy. 

Thank you for your help with this. It is greatly appreciated.

On Tuesday, August 16, 2016 at 1:58:28 AM UTC-5, Ivan Necas wrote:
>
> When dealing with custom certs, the candlepin communication should not 
> really be affected. 
>
> I would recommend checking what's running on port 8443: 
>
>   netstat -tulpan | grep 8443 
>
> check which cert it is using: 
>
>   openssl s_client -connect $(hostname -f):8443 | openssl x509 -text -noout | less 
>
> Also, 
>
> could you write exactly what commands you have run, for further 
> investigation? 
>
> -- Ivan 
>
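The check Ivan describes above, and the mismatch the original poster then sees (Apache on 443 serving the new CA-signed cert while Tomcat on 8443 still serves the Katello self-signed one), can be scripted. The following is an added example, not code from the thread or from the Foreman/Katello project: it parses `openssl x509 -text -noout` output of the shape pasted above, flags a certificate whose Issuer equals its Subject as self-signed, and compares the issuers presented on two ports. The host and port names, the "Example Corp" CA name and the sample certificate texts are constructed placeholders.

```shell
#!/bin/sh
# Added example (not from the thread): classify the certificate a TLS port
# presents and spot the symptom discussed above, where 443 (Apache) serves the
# new CA-signed cert while 8443 (Tomcat/Candlepin) still serves the self-signed
# one. Field parsing works on `openssl x509 -text -noout` output, the format
# pasted in the thread. Host/port names and CA names below are placeholders.

# Print the value of an "Issuer:" or "Subject:" line from x509 -text output.
# $1 = certificate text, $2 = field name (Issuer or Subject).
cert_field() {
    printf '%s\n' "$1" | sed -n "s/^[[:space:]]*$2:[[:space:]]*//p" | head -n 1
}

# A self-signed certificate is its own issuer: Issuer equals Subject.
classify_cert() {
    if [ "$(cert_field "$1" Issuer)" = "$(cert_field "$1" Subject)" ]; then
        echo self-signed
    else
        echo ca-signed
    fi
}

# Report whether two certificates were issued by the same CA; after a custom
# cert deployment every Katello-facing port should agree.
compare_issuers() {
    if [ "$(cert_field "$1" Issuer)" = "$(cert_field "$2" Issuer)" ]; then
        echo same-issuer
    else
        echo issuer-mismatch
    fi
}

# Live fetch for a real host (needs openssl and network access; the demo below
# uses constructed text instead so it runs offline).
port_cert_text() {
    openssl s_client -connect "$1:$2" -servername "$1" </dev/null 2>/dev/null \
        | openssl x509 -text -noout
}

# Constructed samples modelled on the thread's openssl output (not real certs).
SELF_SIGNED_8443='Certificate:
    Data:
        Issuer: C=US, ST=North Carolina, L=Raleigh, O=Katello, OU=SomeOrgUnit, CN=henson.in.example.com
        Validity
            Not Before: Aug 11 19:08:40 2016 GMT
            Not After : Jan 17 19:08:40 2038 GMT
        Subject: C=US, ST=North Carolina, L=Raleigh, O=Katello, OU=SomeOrgUnit, CN=henson.in.example.com'

CA_SIGNED_443='Certificate:
    Data:
        Issuer: C=US, O=Example Corp, CN=Example Internal Root CA
        Subject: C=US, ST=North Carolina, L=Raleigh, O=Example Corp, CN=henson.in.example.com'

echo "8443: $(classify_cert "$SELF_SIGNED_8443")"
echo "443:  $(classify_cert "$CA_SIGNED_443")"
echo "443 vs 8443: $(compare_issuers "$CA_SIGNED_443" "$SELF_SIGNED_8443")"
```

Against a real server, replace the constructed samples with `port_cert_text "$(hostname -f)" 443` and `port_cert_text "$(hostname -f)" 8443`; an `issuer-mismatch` result after running the installer with `--certs-update-server` is the condition described in this thread, and a `self-signed` verdict on 8443 means the Candlepin-side certificate was not replaced.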
