That's a great summary, and it also highlights the other problem of
renewals, at least with Let's Encrypt certs. Since Katello expects the root
to be included, it adds one more step to the process during cert renewals
because LE doesn't include the root in the cert. It only goes up to DST X3,
and you need to manually download DST X3's cert and concatenate it.
Incidentally, I remember facing some similar issues with FreeIPA too for
installing third-party HTTP certs.

On Tue, Sep 20, 2016 at 11:31 AM, Danny Kimsey <dekim...@gmail.com> wrote:

> Great, confirmation is a wonderful thing!
>
> I've written a ticket regarding these issues which I've submitted. Let me
> know if I missed anything.
>
> http://projects.theforeman.org/issues/16620
>
> On Monday, September 19, 2016 at 8:13:18 PM UTC-5, prasu...@gmail.com
> wrote:
>>
>> Hi Danny,
>> Thanks! That worked. Here's what I did:
>>
>> cd /etc/foreman
>> cp proxy_ca.pem proxy_ca_bkp.pem
>> cp /root/ssl-build/katello-default-ca.crt ./proxy_ca.pem
>>
>> Regards,
>> Prasun
>>
>> On Mon, Sep 19, 2016 at 8:57 PM, Danny Kimsey <deki...@gmail.com> wrote:
>>
>>> Prasun Gera, I was working with jsherril on IRC earlier and might have a
>>> potential work-around.
>>>
>>> On the foreman master, the /etc/foreman/proxy_ca.pem file likely has the
>>> custom certificate chain; try swapping it out for your default-ca (the
>>> internal self-signed). This appears to have addressed my issue. I restarted
>>> foreman-proxy on the master; you will likely need to as well.
>>>
>>> Note: I am at home, so I might not have the exact path.
>>>
>>> On Mon, Sep 19, 2016 at 7:07 PM Prasun Gera <prasu...@gmail.com> wrote:
>>>
>>>> Yes, I can confirm that foreman-proxy doesn't start with the same
>>>> errors.
>>>>
>>>> On Mon, Sep 19, 2016 at 1:25 PM, Danny Kimsey <deki...@gmail.com>
>>>> wrote:
>>>>
>>>>>
>>>>> On Monday, September 19, 2016 at 6:25:04 AM UTC-5, prasu...@gmail.com
>>>>> wrote:
>>>>> This issue still exists for Katello 3.1. Without the workaround
>>>>> mentioned by Claran, it's not possible to use custom SSL certificates for
>>>>> katello.
>>>>>
>>>>> I too have run into this issue. Copying the default-ca into the system
>>>>> trust seems to address the issue.
>>>>>
>>>>> Unfortunately I believe the smart proxy installer is similarly broken.
>>>>> It is unable to complete install using a custom cert for
>>>>> capsule.acme.com.
>>>>>
>>>>> [ INFO 2016-09-19 11:33:26 verbose]  Class[Foreman_proxy::Register]: Scheduling refresh of Foreman_smartproxy[capsule.acme.com]
>>>>> [ERROR 2016-09-19 11:33:26 verbose]  Proxy capsule.acme.com cannot be registered: Unable to communicate with the proxy: ERF12-2530 [ProxyAPI::ProxyException]: Unable to detect features ([RestClient::SSLCertificateNotVerified]: SSL_connect returned=1 errno=0 state=SSLv3 read server certificate B: certificate verif...) for proxy https://capsule.acme.com:9090/features Please check the proxy is configured and running on the host.
>>>>> [ INFO 2016-09-19 11:33:26 verbose] /usr/share/foreman-installer/modules/foreman/lib/puppet/provider/foreman_smartproxy/rest_v3.rb:23:in `create'
>>>>>
>>>>> Adding the katello-default-ca to the system store does not address the
>>>>> problem. The capsule's proxy log shows a client ca issue.
>>>>> E, [2016-09-19T11:33:26.811258 #9849] ERROR -- :
>>>>> OpenSSL::SSL::SSLError: SSL_accept returned=1 errno=0 state=SSLv3 read
>>>>> client certificate A: tlsv1 alert unknown ca
>>>>>         /usr/share/ruby/openssl/ssl.rb:226:in `accept'
>>>>>
>>>>> --
>>>>> You received this message because you are subscribed to the Google
>>>>> Groups "Foreman users" group.
>>>>> To unsubscribe from this group and stop receiving emails from it, send
>>>>> an email to foreman-user...@googlegroups.com.
>>>>> To post to this group, send email to forema...@googlegroups.com.
>>>>> Visit this group at https://groups.google.com/group/foreman-users.
>>>>> For more options, visit https://groups.google.com/d/optout.
>>>>>
>>> --
>>> Danny.
>>>
>>> Beware! The mind of the believer stagnates. It fails to grow outward
>>> into an unlimited, infinite universe.
>>>
>>> Frank Herbert, Heretics of Dune
>>>
>>

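As an added example (not part of this thread, and not Foreman, Katello or Let's Encrypt code), the Ruby script below uses only the stdlib OpenSSL bindings that foreman-proxy itself depends on to reproduce the two failure modes discussed above on a throwaway PKI: a fullchain bundle that stops at the intermediate and never reaches a self-signed root (the renewal step the top message describes), and a client certificate issued by an internal CA that a verifier trusting only the custom chain rejects (the "tlsv1 alert unknown ca" seen in the capsule log). Every CA name, hostname, serial and bundle here is constructed for the demo; `chain_status`, `parse_bundle` and `verify_against` are hypothetical helpers written for this example.

```ruby
require 'openssl'

# Build a test certificate. Constructed fixtures only: the names used below
# are examples for this demo, not the CAs from the thread.
def make_cert(subject, serial, issuer: nil, ca: false)
  key = OpenSSL::PKey::RSA.new(2048)
  cert = OpenSSL::X509::Certificate.new
  cert.version = 2
  cert.serial = serial
  cert.subject = OpenSSL::X509::Name.parse(subject)
  cert.issuer = issuer ? issuer[:cert].subject : cert.subject
  cert.public_key = key.public_key
  cert.not_before = Time.now - 60
  cert.not_after = Time.now + 3600
  ef = OpenSSL::X509::ExtensionFactory.new
  ef.subject_certificate = cert
  ef.issuer_certificate = issuer ? issuer[:cert] : cert
  cert.add_extension(ef.create_extension('basicConstraints', ca ? 'CA:TRUE' : 'CA:FALSE', true))
  cert.add_extension(ef.create_extension('keyUsage',
                                         ca ? 'keyCertSign,cRLSign' : 'digitalSignature,keyEncipherment', true))
  cert.add_extension(ef.create_extension('subjectKeyIdentifier', 'hash', false))
  cert.sign(issuer ? issuer[:key] : key, OpenSSL::Digest.new('SHA256'))
  { cert: cert, key: key }
end

# Split a PEM bundle into certificates, preserving file order.
def parse_bundle(pem)
  pem.scan(/-----BEGIN CERTIFICATE-----.*?-----END CERTIFICATE-----/m)
     .map { |block| OpenSSL::X509::Certificate.new(block) }
end

# Walk a bundle leaf-first: each cert must be signed by the next one, and the
# last one must be self-signed (a root). Katello wants that root present;
# ACME clients usually stop at the intermediate, which is the gap to detect.
def chain_status(certs)
  return { ordered: false, complete: false, missing_issuer: nil } if certs.empty?
  certs.each_cons(2) do |child, parent|
    linked = child.issuer == parent.subject && child.verify(parent.public_key)
    return { ordered: false, complete: false, missing_issuer: child.issuer.to_s } unless linked
  end
  last = certs.last
  root = last.issuer == last.subject && last.verify(last.public_key)
  { ordered: true, complete: root, missing_issuer: root ? nil : last.issuer.to_s }
end

# Verify a certificate the way a TLS peer does: against a trust store plus any
# intermediates presented alongside it. Returns [ok, openssl_error_string].
def verify_against(cert, intermediates, trusted_cas)
  store = OpenSSL::X509::Store.new
  trusted_cas.each { |ca| store.add_cert(ca) }
  ok = store.verify(cert, intermediates)
  [ok, store.error_string]
end

# Constructed PKI: a public-style root -> intermediate -> server leaf, plus a
# separate internal CA (standing in for katello-default-ca) issuing the
# proxy's client certificate.
ROOT   = make_cert('/CN=Example Root CA', 1, ca: true)
INTER  = make_cert('/CN=Example Intermediate X3', 2, issuer: ROOT, ca: true)
LEAF   = make_cert('/CN=katello.example.com', 3, issuer: INTER)
INT_CA = make_cert('/CN=example-internal-default-ca', 10, ca: true)
CLIENT = make_cert('/CN=proxy-client.example.com', 11, issuer: INT_CA)

# What an ACME client typically writes as fullchain.pem: leaf + intermediate, no root.
FULLCHAIN_PEM = LEAF[:cert].to_pem + INTER[:cert].to_pem
# The manual fix from the thread: append the root's PEM to the bundle.
REPAIRED_PEM = FULLCHAIN_PEM + ROOT[:cert].to_pem

if __FILE__ == $PROGRAM_NAME
  # Pass a path to check a real bundle; otherwise run the constructed demo.
  if ARGV[0]
    puts chain_status(parse_bundle(File.read(ARGV[0])))
  else
    puts "fullchain: #{chain_status(parse_bundle(FULLCHAIN_PEM))}"
    puts "repaired:  #{chain_status(parse_bundle(REPAIRED_PEM))}"
    # Server side of the "unknown ca" alert: the proxy presents a client cert
    # from the internal CA, but the verifier only trusts the custom chain.
    p verify_against(CLIENT[:cert], [], [ROOT[:cert]])
    p verify_against(CLIENT[:cert], [], [ROOT[:cert], INT_CA[:cert]])
  end
end
```

The `missing_issuer` field names the subject the bundle is still waiting for, which is the certificate you would download and concatenate before handing the file to Katello; the second `verify_against` pair shows why adding the internal CA to the trust store is what makes the client-certificate handshake succeed, not anything on the client's side.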