Hi,

I'm trying to install the latest Katello using freeipa as external SSL CA.
The certificates were generated using ipa-getcert and stored at 
/etc/pki/katelli-ipa.
I've used the following installer options:

foreman-installer --scenario katello \
--certs-server-cert='/etc/pki/katello-ipa/certs/katello.pem' \
--certs-server-cert-req='/etc/pki/katello-ipa/certs/katello.req' \
--certs-server-key='/etc/pki/katello-ipa/private/katello.key' \
--certs-server-ca-cert='/etc/pki/katello-ipa/certs/ca-certs.pem' \
--certs-update-server \
--certs-update-server-ca \
--certs-update-all \
--enable-foreman-plugin-ansible \
--enable-foreman-plugin-hooks \
--enable-foreman-plugin-remote-execution \
--enable-foreman-plugin-tasks \
--enable-foreman-proxy-plugin-ansible \
--enable-foreman-proxy-plugin-remote-execution-ssh \
--foreman-email-delivery-method='smtp' \
--foreman-email-smtp-address='localhost' \
--foreman-email-smtp-domain='<domain>' \
--foreman-ipa-authentication=true \
--foreman-proxy-dhcp=true \
--foreman-proxy-dhcp-gateway='xx.xx.xx.xx' \
--foreman-proxy-dhcp-nameservers='xx.xx.xx.xx,yy.yy.yy.yy' \
--foreman-proxy-dhcp-option-domain='xxxxxx' \
--foreman-proxy-dhcp-search-domains='xxxxxx' \
--foreman-proxy-dhcp-subnets='yy.yy.yy.yy/255.255.255.0' \
--foreman-proxy-puppet-ssl-ca='/etc/pki/katello-ipa/certs/ca-certs.pem' \
--foreman-proxy-puppet-ssl-cert='/etc/pki/katello-ipa/certs/puppetmaster.pem' \
--foreman-proxy-puppet-ssl-key='/etc/pki/katello-ipa/private/puppetmaster.key' \
--foreman-proxy-puppetca=false \
--foreman-proxy-realm=true \
--foreman-proxy-realm-keytab='/etc/foreman-proxy/freeipa.keytab' \
--foreman-proxy-realm-principal='<user>@<REALM>' \
--foreman-proxy-realm-provider=freeipa \
--foreman-proxy-ssl=true \
--foreman-proxy-ssl-ca='/etc/pki/katello-ipa/certs/ca-certs.pem' \
--foreman-proxy-ssl-cert='/etc/pki/katello-ipa/certs/foreman-proxy.pem' \
--foreman-proxy-ssl-key='/etc/pki/katello-ipa/private/foreman-proxy.key' \
--foreman-proxy-tftp-listen-on=both \
--enable-foreman-plugin-discovery \
--foreman-proxy-freeipa-remove-dns

and I get the following error:
 Proxy <hostname-fqdn> cannot be registered: Unable to communicate with the 
proxy: ERF12-2530 [ProxyAPI::ProxyException]: Unable to detect features 
([OpenSSL::SSL::SSLError]: SSL_connect returned=1 errno=0 state=SSLv3 read 
server session ticket A: tlsv1 alert un...) for proxy 
https://<hostname-fqdn>:9090/features Please check the proxy is configured 
and running on the host.

The foreman proxy is running:
systemctl status foreman-proxy.service 
● foreman-proxy.service - Foreman Proxy
   Loaded: loaded (/usr/lib/systemd/system/foreman-proxy.service; enabled; 
vendor preset: disabled)
   Active: active (running) since Fri 2017-05-19 11:53:44 CEST; 3min 14s ago
 Main PID: 11223 (ruby)
   CGroup: /system.slice/foreman-proxy.service
           └─11223 ruby /usr/share/foreman-proxy/bin/smart-proxy

May 19 11:53:44 spfy-tfm systemd[1]: Starting Foreman Proxy...
May 19 11:53:44 spfy-tfm systemd[1]: PID file 
/run/foreman-proxy/foreman-proxy.pid not readable (yet?) after start.
May 19 11:53:44 spfy-tfm systemd[1]: Started Foreman Proxy.

The external Root CA certificates are distributed systemwide and are also 
in /etc/pki/katello-ipa/certs/ca-certs.pem

Any idea what I did wrong or am missing?

Thanks for any help/hint
Rgds, Arsène
