On Monday, September 19, 2016 at 6:25:04 AM UTC-5, prasu...@gmail.com wrote:
This issue still exists for Katello 3.1. Without the workaround mentioned 
by Claran, it's not possible to use custom SSL certificates for katello.  

I too have run into this issue. Copying the default-ca into the system 
trust seems to address the issue.

Unfortunately I believe the smart proxy installer is similarly broken. It 
is unable to complete install using a custom cert for capsule.acme.com. 

[ INFO 2016-09-19 11:33:26 verbose]  Class[Foreman_proxy::Register]: 
Scheduling refresh of Foreman_smartproxy[capsule.acme.com]
[ERROR 2016-09-19 11:33:26 verbose]  Proxy capsule.acme.com cannot be 
registered: Unable to communicate with the proxy: ERF12-2530 
[ProxyAPI::ProxyException]: Un
able to detect features ([RestClient::SSLCertificateNotVerified]: 
SSL_connect returned=1 errno=0 state=SSLv3 read server certificate B: 
certificate verif...) for pr
oxy https://capsule.acme.com:9090/features Please check the proxy is 
configured and running on the host.
[ INFO 2016-09-19 11:33:26 verbose] 
/usr/share/foreman-installer/modules/foreman/lib/puppet/provider/foreman_smartproxy/rest_v3.rb:23:in
 
`create'

Adding the katello-default-ca to the system store does not address the 
problem. The capsule's proxy log shows a client ca issue.
E, [2016-09-19T11:33:26.811258 #9849] ERROR -- : OpenSSL::SSL::SSLError: 
SSL_accept returned=1 errno=0 state=SSLv3 read client certificate A: tlsv1 
alert unknown ca
        /usr/share/ruby/openssl/ssl.rb:226:in `accept'

-- 
You received this message because you are subscribed to the Google Groups 
"Foreman users" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to foreman-users+unsubscr...@googlegroups.com.
To post to this group, send email to foreman-users@googlegroups.com.
Visit this group at https://groups.google.com/group/foreman-users.
For more options, visit https://groups.google.com/d/optout.

Reply via email to