Hi everyone, I'm trying to install Katello with custom certificates. To generate the SSL certificate I have tried using FreeIPA 4.2 and also tried generating the certificate using this guide to create a CA and a server certificate https://jamielinux.com/docs/openssl-certificate-authority/. Both methods end with the same result. I'm not sure where I am going wrong or even how to troubleshoot this one.
Then, following these instructions https://github.com/Katello/katello-installer#certificates on a clean CentOS 7.3 install, I get the following error:

[root@katello ssl-freeipa]# foreman-installer --scenario katello\
> --certs-server-cert "/root/ssl-freeipa/katello.example.com.crt"\
> --certs-server-cert-req "/root/ssl-freeipa/katello.example.com.csr"\
> --certs-server-key "/root/ssl-freeipa/katello.example.com.key"\
> --certs-server-ca-cert "/root/ssl-freeipa/ca.crt"
/Stage[main]/Foreman::Database/Foreman::Rake[db:seed]/Exec[foreman-rake-db:seed]: Failed to call refresh: /usr/sbin/foreman-rake db:seed returned 1 instead of one of [0]
/Stage[main]/Foreman::Database/Foreman::Rake[db:seed]/Exec[foreman-rake-db:seed]: /usr/sbin/foreman-rake db:seed returned 1 instead of one of [0]
Proxy katello.example.com cannot be registered: unknown error (response 500)
/Stage[main]/Foreman_proxy::Register/Foreman_smartproxy[katello.example.com]/ensure: change from absent to present failed: Proxy katello.example.com cannot be registered: unknown error (response 500)
Installing Done [100%] [.........................................]
Something went wrong! Check the log for ERROR-level output
The full log is at /var/log/foreman-installer/katello.log

The certificate verification works:

[root@katello ssl-freeipa]# katello-certs-check -c /root/ssl-freeipa/katello.example.com.crt -k /root/ssl-freeipa/katello.example.com.key -b /root/ssl-freeipa/ca.crt -r katello.example.com.csr
Validating the certificate
subject= /O=EXAMPLE.COM/CN=katello.example.com
Check private key matches the certificate: [OK]
Check ca bundle verifies the cert file: [OK]
Validation succeeded.
To install the Katello main server with the custom certificates, run:

foreman-installer --scenario katello\
--certs-server-cert "/root/ssl-freeipa/katello.example.com.crt"\
--certs-server-cert-req "/root/ssl-freeipa/katello.example.com.csr"\
--certs-server-key "/root/ssl-freeipa/katello.example.com.key"\
--certs-server-ca-cert "/root/ssl-freeipa/ca.crt"

To update the certificates on a currently running Katello installation, run:

foreman-installer --scenario katello\
--certs-server-cert "/root/ssl-freeipa/katello.example.com.crt"\
--certs-server-cert-req "/root/ssl-freeipa/katello.example.com.csr"\
--certs-server-key "/root/ssl-freeipa/katello.example.com.key"\
--certs-server-ca-cert "/root/ssl-freeipa/ca.crt"\
--certs-update-server --certs-update-server-ca

To use them inside a $CAPSULE, run this command INSTEAD:

capsule-certs-generate --capsule-fqdn ""\
--certs-tar "~/-certs.tar"\
--server-cert "/root/ssl-freeipa/katello.example.com.crt"\
--server-cert-req "/root/ssl-freeipa/katello.example.com.csr"\
--server-key "/root/ssl-freeipa/katello.example.com.key"\
--server-ca-cert "/root/ssl-freeipa/ca.crt"\
--certs-update-server

Certificates were generated using the following process:

mkdir ~/ssl-freeipa
semanage fcontext -a -t cert_t "/root/ssl-freeipa(/.*)?"
restorecon -FvvR /root/ssl-freeipa
openssl genrsa -out katello.example.com.key 2048
openssl req -new -sha256 -key katello.example.com.key -out katello.example.com.csr

On IPA server:

ipa service-add-host HTTP/katello.example.com --host katello.example.com
ipa cert-request --principal=HTTP/katello.example.com katello.example.com.csr
ipa cert-show 22 --out=katello.example.com.crt

Copy ca.crt and katello.example.com.crt back to katello.example.com. Then run the certificate check and installer.

Looking through /var/log/foreman-installer/katello.log the first sign of trouble I see is:

[ WARN 2016-11-17 23:06:48 main] /Stage[main]/Foreman::Database/Foreman::Rake[db:seed]/Exec[foreman-rake-db:seed]/returns: rake aborted!
[ WARN 2016-11-17 23:06:48 main] /Stage[main]/Foreman::Database/Foreman::Rake[db:seed]/Exec[foreman-rake-db:seed]/returns: There was an issue with the backend service candlepin: SSL_connect returned=1 errno=0 state=SSLv3 read server certificate B: certificate verify failed

Thanks for any help. I'm happy to attach the logs if they would be useful.

Tim
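As an added example that is not part of Tim's post and not Katello's own tooling: a shell script that redoes the two checks katello-certs-check reports (private key matches the certificate, CA bundle verifies the certificate) with plain openssl, against a constructed root -> intermediate -> server chain of the kind the jamielinux guide produces, so the bundle handed to --certs-server-ca-cert can be tested both with and without the intermediate. It assumes openssl is in PATH; every subject, name and file path in it is constructed.

```shell
#!/bin/sh
# Added example, not from the original post or from Katello's own tooling: the two checks
# that katello-certs-check reports (private key matches cert, CA bundle verifies cert),
# redone with plain openssl against a constructed root -> intermediate -> server chain,
# the layout the jamielinux guide produces. Assumes openssl in PATH; all names are made up.
set -eu
WORK="$(mktemp -d)"

make_chain() {
  cd "$WORK"
  # Extensions that mark a certificate as a CA (used for root and intermediate).
  printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=keyCertSign,cRLSign\n' > ca.ext
  # Constructed self-signed root CA.
  openssl req -newkey rsa:2048 -nodes -sha256 -subj "/O=EXAMPLE.COM/CN=Example Root CA" \
    -keyout root.key -out root.csr 2>/dev/null
  openssl x509 -req -sha256 -days 30 -in root.csr -signkey root.key -extfile ca.ext \
    -out root.crt 2>/dev/null
  # Constructed intermediate CA, signed by the root.
  openssl req -newkey rsa:2048 -nodes -sha256 -subj "/O=EXAMPLE.COM/CN=Example Intermediate CA" \
    -keyout intermediate.key -out intermediate.csr 2>/dev/null
  openssl x509 -req -sha256 -days 30 -in intermediate.csr -CA root.crt -CAkey root.key \
    -CAcreateserial -extfile ca.ext -out intermediate.crt 2>/dev/null
  # Server key and CSR made the same way as in the post, then signed by the intermediate.
  openssl genrsa -out katello.example.com.key 2048 2>/dev/null
  openssl req -new -sha256 -key katello.example.com.key \
    -subj "/O=EXAMPLE.COM/CN=katello.example.com" -out katello.example.com.csr 2>/dev/null
  openssl x509 -req -sha256 -days 30 -in katello.example.com.csr -CA intermediate.crt \
    -CAkey intermediate.key -CAcreateserial -out katello.example.com.crt 2>/dev/null
  # Two candidate bundles for --certs-server-ca-cert: the full chain, and the root alone.
  cat intermediate.crt root.crt > ca-full.crt
  cp root.crt ca-root-only.crt
}

# "Check private key matches the certificate": the public keys must be identical.
key_matches_cert() {  # $1 = cert file, $2 = key file
  [ "$(openssl x509 -noout -pubkey -in "$1")" = "$(openssl pkey -pubout -in "$2")" ]
}

# "Check ca bundle verifies the cert file": prints OK or FAIL, exit status to match.
bundle_verifies_cert() {  # $1 = bundle file, $2 = cert file
  if openssl verify -CAfile "$1" "$2" >/dev/null 2>&1; then echo OK; else echo FAIL; return 1; fi
}

make_chain
CRT="$WORK/katello.example.com.crt"
key_matches_cert "$CRT" "$WORK/katello.example.com.key" && echo "key matches cert:  OK"
echo "full bundle:       $(bundle_verifies_cert "$WORK/ca-full.crt" "$CRT" || true)"
echo "root-only bundle:  $(bundle_verifies_cert "$WORK/ca-root-only.crt" "$CRT" || true)"
```

The same two functions can be pointed at the real katello.example.com.crt, .key and ca.crt from the post; a bundle that passes only when the intermediate is present behaves differently from one that passes on its own.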
