Bug #34024

open

Could not evaluate: Exception SSL_connect returned=1 errno=0 state=error: certificate verify failed (self signed certificate in certificate chain)

Added by Kailash Kumawat over 2 years ago.

Status: New
Priority: High
Assignee: -
Category: -
Target version: -
Difficulty: hard
Triaged: No
Fixed in Releases:
Found in Releases:

Description

I have freshly installed Foreman with Katello. It installed successfully, but I am getting an error while updating the certificate.
However, I am able to validate the certificate using katello-certs-check.

Please find the katello-certs-check output below:
#katello-certs-check -t foreman -c /etc/pki/tls/certs/spdji_spgi_cert.crt -k /etc/pki/tls/certs/spdji_spgi.key -b /etc/pki/tls/certs/ROOTCA-CA_spdji_spgi.crt
Checking server certificate encoding:
[OK]

Checking expiration of certificate:
[OK]

Checking expiration of CA bundle:
[OK]

Checking if server certificate has CA:TRUE flag
[OK]

Checking for private key passphrase:
[OK]

Checking to see if the private key matches the certificate:
[OK]

Checking CA bundle against the certificate file:
[OK]

Checking CA bundle size: 2
[OK]

Checking Subject Alt Name on certificate
[OK]

Checking if any Subject Alt Name on certificate matches the Subject CN
[OK]

Checking Key Usage extension on certificate for Key Encipherment
[OK]

Checking for use of shortname as CN
[OK]

Validation succeeded

To install the Katello server with the custom certificates, run:

foreman-installer --scenario katello \
--certs-server-cert "/etc/pki/tls/certs/spdji_spgi_cert.crt" \
--certs-server-key "/etc/pki/tls/certs/spdji_spgi.key" \
--certs-server-ca-cert "/etc/pki/tls/certs/ROOTCA-CA_spdji_spgi.crt"

To update the certificates on a currently running Katello installation, run:

foreman-installer --scenario katello \
--certs-server-cert "/etc/pki/tls/certs/spdji_spgi_cert.crt" \
--certs-server-key "/etc/pki/tls/certs/spdji_spgi.key" \
--certs-server-ca-cert "/etc/pki/tls/certs/ROOTCA-CA_spdji_spgi.crt" \
--certs-update-server --certs-update-server-ca

To use them inside a NEW $FOREMAN_PROXY, rerun this command with -t foreman-proxy

#foreman-installer --scenario katello
2021-11-28 10:06:08 [NOTICE] [root] Loading installer configuration. This will take some time.
2021-11-28 10:06:14 [NOTICE] [root] Running installer with log based terminal output at level NOTICE.
2021-11-28 10:06:14 [NOTICE] [root] Use -l to set the terminal output log level to ERROR, WARN, NOTICE, INFO, or DEBUG. See --full-help for definitions.
2021-11-28 10:11:27 [NOTICE] [configure] Starting system configuration.
2021-11-28 10:13:38 [NOTICE] [configure] 250 configuration steps out of 1690 steps complete.
2021-11-28 10:14:52 [NOTICE] [configure] 500 configuration steps out of 1690 steps complete.
2021-11-28 10:14:53 [NOTICE] [configure] 750 configuration steps out of 1694 steps complete.
2021-11-28 10:16:20 [NOTICE] [configure] 1000 configuration steps out of 1707 steps complete.
2021-11-28 10:16:23 [NOTICE] [configure] 1250 configuration steps out of 1721 steps complete.
2021-11-28 10:24:08 [NOTICE] [configure] 1500 configuration steps out of 1721 steps complete.
2021-11-28 10:27:33 [NOTICE] [configure] System configuration has finished.
Executing: foreman-rake upgrade:run
=============================================
Upgrade Step 1/7: katello:correct_repositories. This may take a long while.
=============================================
Upgrade Step 2/7: katello:clean_backend_objects. This may take a long while.
0 orphaned consumer id(s) found in candlepin.
Candlepin orphaned consumers: []
=============================================
Upgrade Step 3/7: katello:upgrades:4.0:remove_ostree_puppet_content.
=============================================
Upgrade Step 4/7: katello:upgrades:4.1:sync_noarch_content.
=============================================
Upgrade Step 5/7: katello:upgrades:4.1:fix_invalid_pools.
I, [2021-11-28T10:27:47.392093 #22582] INFO -- : Corrected 0 invalid pools
I, [2021-11-28T10:27:47.392143 #22582] INFO -- : Removed 0 orphaned pools
=============================================
Upgrade Step 6/7: katello:upgrades:4.1:reupdate_content_import_export_perms.
=============================================
Upgrade Step 7/7: katello:upgrades:4.2:remove_checksum_values.
Success!
* Foreman is running at https://frm.infra.spdji.spgi
Initial credentials are admin / ##############
* To install an additional Foreman proxy on separate machine continue by running:
foreman-proxy-certs-generate --foreman-proxy-fqdn "$FOREMAN_PROXY" --certs-tar "/root/$FOREMAN_PROXY-certs.tar"

The full log is at /var/log/foreman-installer/katello.log

While running with the custom certificate, I get the error in the subject:

foreman-installer --scenario katello --certs-server-cert "/etc/pki/tls/certs/spdji_spgi_cert.crt" --certs-server-key "/etc/pki/tls/certs/spdji_spgi.key" --certs-server-ca-cert "/etc/pki/tls/certs/ROOTCA-CA_spdji_spgi.crt" --certs-update-server --certs-update-server-ca
2021-11-28 10:50:57 [NOTICE] [root] Loading installer configuration. This will take some time.
2021-11-28 10:51:02 [NOTICE] [root] Running installer with log based terminal output at level NOTICE.
2021-11-28 10:51:02 [NOTICE] [root] Use -l to set the terminal output log level to ERROR, WARN, NOTICE, INFO, or DEBUG. See --full-help for definitions.
Executing: katello-certs-check -c "/etc/pki/tls/certs/spdji_spgi_cert.crt" -k "/etc/pki/tls/certs/spdji_spgi.key" -b "/etc/pki/tls/certs/ROOTCA-CA_spdji_spgi.crt"
tput: No value for $TERM and no -T specified
tput: No value for $TERM and no -T specified
tput: No value for $TERM and no -T specified
tput: No value for $TERM and no -T specified
Checking server certificate encoding: [OK]

Checking expiration of certificate: [OK]

Checking expiration of CA bundle: [OK]

Checking if server certificate has CA:TRUE flag [OK]

Checking for private key passphrase: [OK]

Checking to see if the private key matches the certificate: [OK]

Checking CA bundle against the certificate file: [OK]

Checking CA bundle size: 2
[OK]

Checking Subject Alt Name on certificate [OK]

Checking if any Subject Alt Name on certificate matches the Subject CN
[OK]

Checking Key Usage extension on certificate for Key Encipherment [OK]

Checking for use of shortname as CN
[OK]

Validation succeeded

To install the Katello server with the custom certificates, run:

foreman-installer --scenario katello \
--certs-server-cert "/etc/pki/tls/certs/spdji_spgi_cert.crt" \
--certs-server-key "/etc/pki/tls/certs/spdji_spgi.key" \
--certs-server-ca-cert "/etc/pki/tls/certs/ROOTCA-CA_spdji_spgi.crt"

To update the certificates on a currently running Katello installation, run:

foreman-installer --scenario katello \
--certs-server-cert "/etc/pki/tls/certs/spdji_spgi_cert.crt" \
--certs-server-key "/etc/pki/tls/certs/spdji_spgi.key" \
--certs-server-ca-cert "/etc/pki/tls/certs/ROOTCA-CA_spdji_spgi.crt" \
--certs-update-server --certs-update-server-ca

To use them inside a NEW $FOREMAN_PROXY, rerun this command with -t foreman-proxy
Marking certificate /root/ssl-build/frm.infra.spdji.spgi/frm.infra.spdji.spgi-apache for update
Marking certificate /root/ssl-build/frm.infra.spdji.spgi/frm.infra.spdji.spgi-foreman-proxy for update
Marking certificate /root/ssl-build/katello-server-ca for update
2021-11-28 10:51:16 [NOTICE] [configure] Starting system configuration.
2021-11-28 10:51:33 [NOTICE] [configure] 250 configuration steps out of 1690 steps complete.
2021-11-28 10:51:44 [NOTICE] [configure] 500 configuration steps out of 1690 steps complete.
2021-11-28 10:51:45 [NOTICE] [configure] 750 configuration steps out of 1694 steps complete.
2021-11-28 10:51:48 [NOTICE] [configure] 1000 configuration steps out of 1701 steps complete.
2021-11-28 10:51:49 [NOTICE] [configure] 1250 configuration steps out of 1702 steps complete.
2021-11-28 10:58:36 [NOTICE] [configure] 1500 configuration steps out of 1702 steps complete.
2021-11-28 10:59:31 [ERROR ] [configure] /Stage[main]/Foreman::Register/Foreman_host[foreman-frm.infra.spdji.spgi]: Could not evaluate: Exception SSL_connect returned=1 errno=0 state=error: certificate verify failed (self signed certificate in certificate chain) in get request to: https://frm.infra.spdji.spgi/api/v2/hosts?search=name%3D%22frm.infra.spdji.spgi%22
2021-11-28 10:59:31 [ERROR ] [configure] Wrapped exception:
2021-11-28 10:59:31 [ERROR ] [configure] SSL_connect returned=1 errno=0 state=error: certificate verify failed (self signed certificate in certificate chain)
2021-11-28 11:00:26 [NOTICE] [configure] System configuration has finished.

There were errors detected during install.
Please address the errors and re-run the installer to ensure the system is properly configured.
Failing to do so is likely to result in broken functionality.
The full log is at /var/log/foreman-installer/katello.log
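
The verifier message in the installer log is OpenSSL verification error 19: the chain presented by the server ends in a self-signed root that is absent from the trust file of the client making the request. The script below is an added example, not part of the original report or of Foreman; it builds a constructed throwaway CA (all file names and CNs are assumptions) and contrasts that client-side result with a bundle check of the kind katello-certs-check reports as passing.

```shell
#!/bin/sh
# Constructed throwaway PKI: every file name and CN here is made up for the demo.
PKI=$(mktemp -d)
trap 'rm -rf "$PKI"' EXIT

new_root() {  # $1 = file prefix, $2 = CN; writes a self-signed CA certificate
    openssl req -x509 -newkey rsa:2048 -nodes -days 2 -subj "/CN=$2" \
        -keyout "$1.key" -out "$1.crt" >/dev/null 2>&1
}

new_server() {  # $1 = file prefix, $2 = CN, $3 = file prefix of the issuing root
    openssl req -new -newkey rsa:2048 -nodes -subj "/CN=$2" \
        -keyout "$1.key" -out "$1.csr" >/dev/null 2>&1
    openssl x509 -req -in "$1.csr" -CA "$3.crt" -CAkey "$3.key" \
        -CAcreateserial -days 2 -out "$1.crt" >/dev/null 2>&1
}

# Print the first X.509 verification error code, or 0 when the chain verifies.
# $1 = trust file, $2 = certificate, $3 = optional chain sent by the peer (untrusted)
verify_code() {
    if [ -n "${3:-}" ]; then
        out=$(openssl verify -CAfile "$1" -untrusted "$3" "$2" 2>&1) || true
    else
        out=$(openssl verify -CAfile "$1" "$2" 2>&1) || true
    fi
    code=$(printf '%s\n' "$out" | sed -n 's/^error \([0-9][0-9]*\) at .*/\1/p' | head -n 1)
    echo "${code:-0}"
}

new_root   "$PKI/root"   "Constructed Custom Root CA"   # CA that issued the server cert
new_root   "$PKI/other"  "Constructed Other Root CA"    # CA a client with a stale trust file has
new_server "$PKI/server" "server.example.test" "$PKI/root"

# Certificate checked against the CA bundle it was issued from: verifies.
echo "bundle check, trust=root:               $(verify_code "$PKI/root.crt" "$PKI/server.crt")"
# Client trusts a different CA and the server sends its root in the chain: code 19.
echo "client trust=other, root sent in chain: $(verify_code "$PKI/other.crt" "$PKI/server.crt" "$PKI/root.crt")"
# Client trusts a different CA and the server sends only its leaf: code 20.
echo "client trust=other, leaf only:          $(verify_code "$PKI/other.crt" "$PKI/server.crt")"
```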
