Prasun Gera, I was working with jsherril on IRC earlier and might have a potential work-around.
On the foreman master, the /etc/foreman/proxy_ca.pem file likely has the custom certificate chain, try swapping it out for your default-ca (the internal self-signed). This appears to have addressed my issue. I restarted foreman-proxy on the master, you will likely need to as well.

Note: I am at home, so I might not have the exact path.

On Mon, Sep 19, 2016 at 7:07 PM Prasun Gera <[email protected]> wrote:

> Yes, I can confirm that foreman-proxy doesn't start with the same errors.
>
> On Mon, Sep 19, 2016 at 1:25 PM, Danny Kimsey <[email protected]> wrote:
>
>> On Monday, September 19, 2016 at 6:25:04 AM UTC-5, [email protected] wrote:
>>
>> This issue still exists for Katello 3.1. Without the workaround mentioned
>> by Claran, it's not possible to use custom SSL certificates for katello.
>>
>> I too have run into this issue. Copying the default-ca into the system
>> trust seems to address the issue.
>>
>> Unfortunately I believe the smart proxy installer is similarly broken. It
>> is unable to complete install using a custom cert for capsule.acme.com.
>>
>> [ INFO 2016-09-19 11:33:26 verbose] Class[Foreman_proxy::Register]: Scheduling refresh of Foreman_smartproxy[capsule.acme.com]
>> [ERROR 2016-09-19 11:33:26 verbose] Proxy capsule.acme.com cannot be registered: Unable to communicate with the proxy: ERF12-2530 [ProxyAPI::ProxyException]: Unable to detect features ([RestClient::SSLCertificateNotVerified]: SSL_connect returned=1 errno=0 state=SSLv3 read server certificate B: certificate verif...) for proxy https://capsule.acme.com:9090/features Please check the proxy is configured and running on the host.
>> [ INFO 2016-09-19 11:33:26 verbose] /usr/share/foreman-installer/modules/foreman/lib/puppet/provider/foreman_smartproxy/rest_v3.rb:23:in `create'
>>
>> Adding the katello-default-ca to the system store does not address the
>> problem. The capsule's proxy log shows a client ca issue.
>>
>> E, [2016-09-19T11:33:26.811258 #9849] ERROR -- : OpenSSL::SSL::SSLError: SSL_accept returned=1 errno=0 state=SSLv3 read client certificate A: tlsv1 alert unknown ca
>> /usr/share/ruby/openssl/ssl.rb:226:in `accept'
>>
>> --
>> You received this message because you are subscribed to the Google Groups "Foreman users" group.
>> To unsubscribe from this group and stop receiving emails from it, send an email to [email protected].
>> To post to this group, send email to [email protected].
>> Visit this group at https://groups.google.com/group/foreman-users.
>> For more options, visit https://groups.google.com/d/optout.

--
Danny.

Beware! The mind of the believer stagnates. It fails to grow outward into an unlimited, infinite universe.
Frank Herbert, Heretics of Dune
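The `tlsv1 alert unknown ca` line in the quoted capsule log is the alert a TLS server sends when the client certificate's issuer is not in its client-CA bundle. The Ruby sketch below is an added example, not code from this thread or from the Foreman project; it assumes the client certificate is signed by the installer's default CA, and every certificate and name in it is constructed in memory.

```ruby
require 'openssl'

# Build a constructed certificate in memory; self-signed unless an issuer is given.
def make_cert(cn, issuer: nil, issuer_key: nil, ca: false)
  key = OpenSSL::PKey::RSA.new(2048)
  cert = OpenSSL::X509::Certificate.new
  cert.version = 2
  cert.serial = rand(1..2**32)
  cert.subject = OpenSSL::X509::Name.parse("/CN=#{cn}")
  cert.issuer = issuer ? issuer.subject : cert.subject
  cert.public_key = key.public_key
  cert.not_before = Time.now - 60
  cert.not_after = Time.now + 3600
  ef = OpenSSL::X509::ExtensionFactory.new
  cert.add_extension(ef.create_extension('basicConstraints', ca ? 'CA:TRUE' : 'CA:FALSE', true))
  cert.sign(issuer_key || key, OpenSSL::Digest.new('SHA256'))
  [cert, key]
end

# Verify a client certificate against a PEM bundle, the way a TLS server
# checks its peer against a client-CA file. Returns [ok, reason].
def verify_against_bundle(client_cert, bundle_pem)
  store = OpenSSL::X509::Store.new
  bundle_pem.scan(/-----BEGIN CERTIFICATE-----.*?-----END CERTIFICATE-----/m)
            .each { |pem| store.add_cert(OpenSSL::X509::Certificate.new(pem)) }
  [store.verify(client_cert), store.error_string]
end

# Constructed scenario (assumption): the client cert is issued by the default CA,
# while the server-side bundle holds the custom CA, the default CA, or both.
def compare_bundles
  custom_ca, = make_cert('constructed-custom-ca', ca: true)
  default_ca, default_key = make_cert('constructed-default-ca', ca: true)
  client, = make_cert('constructed-client', issuer: default_ca, issuer_key: default_key)
  {
    custom_only: verify_against_bundle(client, custom_ca.to_pem),
    default_only: verify_against_bundle(client, default_ca.to_pem),
    both: verify_against_bundle(client, custom_ca.to_pem + default_ca.to_pem)
  }
end

if __FILE__ == $PROGRAM_NAME
  compare_bundles.each do |bundle, (ok, reason)|
    puts "#{bundle}: #{ok ? 'accepted' : 'rejected'} (#{reason})"
  end
end
```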
