Great, confirmation is a wonderful thing! I've written a ticket regarding these issues which I've submitted. Let me know if I missed anything.
http://projects.theforeman.org/issues/16620

On Monday, September 19, 2016 at 8:13:18 PM UTC-5, [email protected] wrote:
>
> Hi Danny,
> Thanks! That worked. Here's what I did:
>
> cd /etc/foreman
> cp proxy_ca.pem proxy_ca_bkp.pem
> cp /root/ssl-build/katello-default-ca.crt ./proxy_ca.pem
>
> Regards,
> Prasun
>
> On Mon, Sep 19, 2016 at 8:57 PM, Danny Kimsey <[email protected]> wrote:
>
>> Prasun Gera, I was working with jsherril on IRC earlier and might have a
>> potential work-around.
>>
>> On the foreman master, the /etc/foreman/proxy_ca.pem file likely has the
>> custom certificate chain, try swapping it out for your default-ca (the
>> internal self-signed). This appears to have addressed my issue. I restarted
>> foreman-proxy on the master, you will likely need to as well.
>>
>> Note: I am at home, so I might not have the exact path.
>>
>> On Mon, Sep 19, 2016 at 7:07 PM Prasun Gera <[email protected]> wrote:
>>
>>> Yes, I can confirm that foreman-proxy doesn't start with the same
>>> errors.
>>>
>>> On Mon, Sep 19, 2016 at 1:25 PM, Danny Kimsey <[email protected]> wrote:
>>>
>>>>
>>>> On Monday, September 19, 2016 at 6:25:04 AM UTC-5, [email protected]
>>>> wrote:
>>>> This issue still exists for Katello 3.1. Without the workaround
>>>> mentioned by Claran, it's not possible to use custom SSL certificates for
>>>> katello.
>>>>
>>>> I too have run into this issue. Copying the default-ca into the system
>>>> trust seems to address the issue.
>>>>
>>>> Unfortunately I believe the smart proxy installer is similarly broken.
>>>> It is unable to complete install using a custom cert for
>>>> capsule.acme.com.
>>>>
>>>> [ INFO 2016-09-19 11:33:26 verbose] Class[Foreman_proxy::Register]: Scheduling refresh of Foreman_smartproxy[capsule.acme.com]
>>>> [ERROR 2016-09-19 11:33:26 verbose] Proxy capsule.acme.com cannot be registered: Unable to communicate with the proxy: ERF12-2530 [ProxyAPI::ProxyException]: Unable to detect features ([RestClient::SSLCertificateNotVerified]: SSL_connect returned=1 errno=0 state=SSLv3 read server certificate B: certificate verif...) for proxy https://capsule.acme.com:9090/features Please check the proxy is configured and running on the host.
>>>> [ INFO 2016-09-19 11:33:26 verbose] /usr/share/foreman-installer/modules/foreman/lib/puppet/provider/foreman_smartproxy/rest_v3.rb:23:in `create'
>>>>
>>>> Adding the katello-default-ca to the system store does not address the
>>>> problem. The capsule's proxy log shows a client ca issue.
>>>> E, [2016-09-19T11:33:26.811258 #9849] ERROR -- : OpenSSL::SSL::SSLError: SSL_accept returned=1 errno=0 state=SSLv3 read client certificate A: tlsv1 alert unknown ca
>>>> /usr/share/ruby/openssl/ssl.rb:226:in `accept'
>> --
>> Danny.
>>
>> Beware! The mind of the believer stagnates. It fails to grow outward into
>> an unlimited, infinite universe.
>>
>> Frank Herbert, Heretics of Dune
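
The errors quoted in this thread are certificate-verification failures: one side presents a certificate whose issuer is not in the CA bundle the other side checks against. As an added example (not from the thread or from the Foreman/Katello project), the shell lab below builds two constructed throwaway CAs and shows `openssl verify -CAfile` telling a matching bundle from a mismatched one; the names `internal-default-ca`, `custom-ca` and `foreman-client` and all helper functions are assumptions made for the illustration.

```shell
#!/usr/bin/env bash
# Constructed lab: two throwaway CAs stand in for an internal default CA and
# a custom CA. Everything is written to a temp dir; /etc/foreman is untouched.

# check_chain CA_BUNDLE CERT
# Echoes "trusted" if CERT chains to a CA in CA_BUNDLE, otherwise "unknown ca".
check_chain() {
    if openssl verify -CAfile "$1" "$2" >/dev/null 2>&1; then
        echo "trusted"
    else
        echo "unknown ca"
    fi
}

# make_ca DIR NAME: create a self-signed CA key and certificate.
make_ca() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
        -subj "/CN=$2" -keyout "$1/$2.key" -out "$1/$2.crt" 2>/dev/null
}

# issue_cert DIR CA_NAME CN: issue a leaf certificate signed by CA_NAME.
issue_cert() {
    openssl req -newkey rsa:2048 -nodes -subj "/CN=$3" \
        -keyout "$1/$3.key" -out "$1/$3.csr" 2>/dev/null
    openssl x509 -req -in "$1/$3.csr" -CA "$1/$2.crt" -CAkey "$1/$2.key" \
        -CAcreateserial -days 1 -out "$1/$3.crt" 2>/dev/null
}

run_lab() {
    local d
    d=$(mktemp -d) || return 1
    make_ca "$d" internal-default-ca
    make_ca "$d" custom-ca
    # The leaf is signed by the internal CA, so only that bundle validates it.
    issue_cert "$d" internal-default-ca foreman-client
    echo "custom bundle:   $(check_chain "$d/custom-ca.crt" "$d/foreman-client.crt")"
    echo "internal bundle: $(check_chain "$d/internal-default-ca.crt" "$d/foreman-client.crt")"
    rm -rf "$d"
}

run_lab
```

Running the same `openssl verify -CAfile` check against a real bundle and certificate shows whether they match before any file is swapped or a service restarted.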
