Prasun Gera, I was working with jsherril on IRC earlier and might have a
potential work-around.

On the Foreman master, the /etc/foreman/proxy_ca.pem file likely has the
custom certificate chain; try swapping it out for your default-ca (the
internal self-signed). This appears to have addressed my issue. I restarted
foreman-proxy on the master; you will likely need to as well.

Note: I am at home, so I might not have the exact path.

On Mon, Sep 19, 2016 at 7:07 PM Prasun Gera <prasun.g...@gmail.com> wrote:

> Yes, I can confirm that foreman-proxy doesn't start with the same errors.
>
> On Mon, Sep 19, 2016 at 1:25 PM, Danny Kimsey <dekim...@gmail.com> wrote:
>
>>
>> On Monday, September 19, 2016 at 6:25:04 AM UTC-5, prasu...@gmail.com
>> wrote:
>> This issue still exists for Katello 3.1. Without the workaround mentioned
>> by Claran, it's not possible to use custom SSL certificates for katello.
>>
>> I too have run into this issue. Copying the default-ca into the system
>> trust seems to address the issue.
>>
>> Unfortunately I believe the smart proxy installer is similarly broken. It
>> is unable to complete install using a custom cert for capsule.acme.com.
>>
>> [ INFO 2016-09-19 11:33:26 verbose]  Class[Foreman_proxy::Register]:
>> Scheduling refresh of Foreman_smartproxy[capsule.acme.com]
>> [ERROR 2016-09-19 11:33:26 verbose]  Proxy capsule.acme.com cannot be
>> registered: Unable to communicate with the proxy: ERF12-2530
>> [ProxyAPI::ProxyException]: Unable to detect features
>> ([RestClient::SSLCertificateNotVerified]: SSL_connect returned=1 errno=0
>> state=SSLv3 read server certificate B: certificate verif...) for proxy
>> https://capsule.acme.com:9090/features Please check the proxy is
>> configured and running on the host.
>> [ INFO 2016-09-19 11:33:26 verbose]
>> /usr/share/foreman-installer/modules/foreman/lib/puppet/provider/foreman_smartproxy/rest_v3.rb:23:in
>> `create'
>>
>> Adding the katello-default-ca to the system store does not address the
>> problem. The capsule's proxy log shows a client ca issue.
>> E, [2016-09-19T11:33:26.811258 #9849] ERROR -- : OpenSSL::SSL::SSLError:
>> SSL_accept returned=1 errno=0 state=SSLv3 read client certificate A: tlsv1
>> alert unknown ca
>>         /usr/share/ruby/openssl/ssl.rb:226:in `accept'
>>
> --
>> You received this message because you are subscribed to the Google Groups
>> "Foreman users" group.
>> To unsubscribe from this group and stop receiving emails from it, send an
>> email to foreman-users+unsubscr...@googlegroups.com.
>>
>
>> To post to this group, send email to foreman-users@googlegroups.com.
>> Visit this group at https://groups.google.com/group/foreman-users.
>> For more options, visit https://groups.google.com/d/optout.
>>

--
Danny.

Beware! The mind of the believer stagnates. It fails to grow outward into
an unlimited, infinite universe.

Frank Herbert, Heretics of Dune
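
Added example, not part of the thread and not Foreman or Katello code: a Ruby check (the language of the foreman-proxy stack trace quoted above) of whether a certificate chains to the CAs in a given bundle, which is the condition behind both quoted verification errors. The CAs and the peer certificate are constructed in memory, and `make_cert`, `trusted_by?` and `demo` are hypothetical helper names.

```ruby
require "openssl"

# Build a constructed certificate. With no issuer it is a self-signed CA.
def make_cert(cn, issuer: nil, issuer_key: nil)
  key = OpenSSL::PKey::RSA.new(2048)
  cert = OpenSSL::X509::Certificate.new
  cert.version = 2 # X.509 v3
  cert.serial = rand(1..2**32)
  cert.subject = OpenSSL::X509::Name.parse("/CN=#{cn}")
  cert.issuer = issuer ? issuer.subject : cert.subject
  cert.public_key = key.public_key
  cert.not_before = Time.now - 60
  cert.not_after = Time.now + 3600
  constraint = issuer ? "CA:FALSE" : "CA:TRUE"
  ext = OpenSSL::X509::ExtensionFactory.new
  cert.add_extension(ext.create_extension("basicConstraints", constraint, true))
  cert.sign(issuer_key || key, OpenSSL::Digest.new("SHA256"))
  [cert, key]
end

# Verify `cert` against only the CAs found in `bundle_pem` (the text of a CA
# file such as the one Foreman or a smart proxy is configured to trust).
def trusted_by?(bundle_pem, cert)
  store = OpenSSL::X509::Store.new
  pems = bundle_pem.scan(/-----BEGIN CERTIFICATE-----.*?-----END CERTIFICATE-----/m)
  pems.each { |pem| store.add_cert(OpenSSL::X509::Certificate.new(pem)) }
  [store.verify(cert), store.error_string]
end

# Constructed scenario: the peer certificate was issued by the internal
# default CA, while the bundle used to verify it holds only the custom CA.
def demo
  default_ca, default_key = make_cert("constructed-default-ca")
  custom_ca, = make_cert("constructed-custom-ca")
  peer, = make_cert("capsule.acme.com", issuer: default_ca, issuer_key: default_key)
  {
    custom_only: trusted_by?(custom_ca.to_pem, peer),
    default_only: trusted_by?(default_ca.to_pem, peer),
    both: trusted_by?(custom_ca.to_pem + default_ca.to_pem, peer)
  }
end

if $PROGRAM_NAME == __FILE__
  demo.each do |bundle, (ok, why)|
    puts "#{bundle}: " + (ok ? "verifies" : "fails: #{why}")
  end
end
```

To check real files, pass `File.read` of the CA bundle and `OpenSSL::X509::Certificate.new(File.read(path))` of the peer certificate to `trusted_by?`.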
