d-cubed Mission Specialist

Third party cert - subscription manager

My school uses Fortigate requiring an SSL cert. I've added it to /etc/pki/ca-trust/source/anchors/ - did update-ca-trust

However, there are still issues with subscription manager - (how) can I fix this?

 

JangoJeff Flight Engineer

Re: Third party cert - subscription manager

The Fortigate is just a firewall. Having the cert is just telling your computer it is trustworthy. It has nothing to do with subscription-manager. It could however be blocking ports needed to connect to subscription-manager.

Also how does your school manage subscriptions? Is it done going directly to Red Hat or do they use Red Hat Satellite or Katello? If one of the latter two then you need to point it to their Satellite or Katello server. Someone at the school should know this information.

Sent from my iPhone
d-cubed Mission Specialist

Re: Third party cert - subscription manager

It is indeed just a firewall. My lab is the only one in the school with Red Hat machines and I am on my own vlan (under the overarching restrictions of the school district).

Which ports need to be open and is there a convenient subscription manager tool to check?

I can run these commands with no problem (as far as I recall - I am not at school):

curl -v -k https://subscription.rhn.redhat.com/subscription/ --cacert /etc/rhsm/ca/redhat-uep.pem
curl --key /etc/pki/consumer/key.pem --cert /etc/pki/consumer/cert.pem --cacert redhat-uep.pem https://subscription.rhn.redhat.com/subscription/users/SUBSCRIBER/owners

 

JangoJeff Flight Engineer

Re: Third party cert - subscription manager

It uses port 443. I put some links below for you, the first being about accessing it via firewall proxy. The other is about subscription-manager itself. However, you will need the school's network team to make the needed changes to the firewall. Hope this helps.

https://access.redhat.com/solutions/65300
https://access.redhat.com/documentation/en-us/red_hat_subscription_management/1/html-single/rhsm/ind...

Sent from my iPad
d-cubed Mission Specialist

Re: Third party cert - subscription manager

To clarify - port 443 is open. HTTPS traffic works fine - on web browsers and repo updates on other *nixes, after accepting the Fortigate cert as an authority and after using update-ca-certs.

However, it fails in subscription manager - the port is open but the Fortigate is basically showing up as a MITM attack because of the ssl cert.

2019-09-18 09:09:01,885 [ERROR] rhsmd:30923:MainThread @cache.py:217 - [SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed (_ssl.c:877)

2019-09-18 14:50:51,144 [ERROR] dnf:7125:MainThread @repolib.py:359 - [SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed (_ssl.c:877)
ssl.SSLError: [SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed (_ssl.c:877)
2019-09-18 14:50:51,347 [ERROR] dnf:7125:MainThread @cache.py:217 - [SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed (_ssl.c:877)
ssl.SSLError: [SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed (_ssl.c:877)
2019-09-18 15:15:49,811 [ERROR] dnf:8194:MainThread @repolib.py:359 - [SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed (_ssl.c:877)
ssl.SSLError: [SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed (_ssl.c:877)
2019-09-18 15:15:49,999 [ERROR] dnf:8194:MainThread @cache.py:217 - [SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed (_ssl.c:877)
ssl.SSLError: [SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed (_ssl.c:877)
2019-09-18 16:33:02,751 [ERROR] dnf:9616:MainThread @repolib.py:359 - [SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed (_ssl.c:877)
ssl.SSLError: [SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed (_ssl.c:877)
2019-09-18 16:33:03,129 [ERROR] dnf:9616:MainThread @cache.py:217 - [SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed (_ssl.c:877)
ssl.SSLError: [SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed (_ssl.c:877)

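Why browsers and subscription-manager can disagree about the same intercepted connection, as an added example that is not part of the original thread: subscription-manager validates the server against the CA directory named by ca_cert_dir in /etc/rhsm/rhsm.conf (by default /etc/rhsm/ca/, which holds redhat-uep.pem), not against the bundle that update-ca-trust builds. The script reproduces that offline with two constructed CAs and a constructed leaf certificate; every name and file in it is made up for the demo.

```shell
#!/usr/bin/env bash
# Constructed demo: nothing here is a real Red Hat or firewall certificate.
set -eu
WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# Minimal config so the result does not depend on the host's openssl.cnf.
cat > "$WORK/demo.cnf" <<'EOF'
[req]
distinguished_name = dn
x509_extensions = v3_ca
prompt = no
[dn]
CN = placeholder
[v3_ca]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
EOF

make_ca() {   # $1 = file prefix, $2 = subject CN
  openssl req -x509 -newkey rsa:2048 -nodes -days 2 -config "$WORK/demo.cnf" \
    -subj "/CN=$2" -keyout "$WORK/$1.key" -out "$WORK/$1.pem" 2>/dev/null
}

make_leaf() { # $1 = prefix of the signing CA, $2 = hostname in the subject
  openssl req -newkey rsa:2048 -nodes -config "$WORK/demo.cnf" -subj "/CN=$2" \
    -keyout "$WORK/leaf.key" -out "$WORK/leaf.csr" 2>/dev/null
  openssl x509 -req -in "$WORK/leaf.csr" -CA "$WORK/$1.pem" -CAkey "$WORK/$1.key" \
    -set_serial 1 -days 2 -out "$WORK/leaf.pem" 2>/dev/null
}

trusts() {    # $1 = CA bundle; prints "ok" if the leaf chains to it, else "fail"
  if openssl verify -CAfile "$1" "$WORK/leaf.pem" >/dev/null 2>&1
  then echo ok; else echo fail; fi
}

make_ca vendor  "Constructed vendor CA"       # stands in for redhat-uep.pem
make_ca inspect "Constructed inspection CA"   # stands in for the firewall's CA
make_leaf inspect subscription.example.test   # what an inspecting firewall presents

# System bundle after the inspection CA was added to the anchors directory.
cat "$WORK/vendor.pem" "$WORK/inspect.pem" > "$WORK/system-bundle.pem"
# The application's own CA store: only the vendor CA.
cp "$WORK/vendor.pem" "$WORK/rhsm-ca.pem"

system_store_result() { trusts "$WORK/system-bundle.pem"; }
rhsm_store_result()   { trusts "$WORK/rhsm-ca.pem"; }

echo "system bundle (browsers, curl default): $(system_store_result)"
echo "application CA store (rhsm-style):      $(rhsm_store_result)"
```

When testing the real endpoint with curl, leave out -k: that flag disables verification, so the request succeeds no matter which CA signed the certificate the client received.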
JangoJeff Flight Engineer

Re: Third party cert - subscription manager

Port 443 may be opened. However the site would still need to be on the firewall’s allow list for you to connect to it.

You can try the below steps. I assume from your original post step one is done.

Copy the CA.crt to /etc/pki/ca-trust/source/anchors/
update-ca-trust force-enable
update-ca-trust extract

You can look at the man page for update-ca-trust for more info on it.

If you still have issues you may need to install certifi, which is a python package.

You can read more here where I found the above info.

https://stackoverflow.com/questions/27835619/urllib-and-ssl-certificate-verify-failed-error

Sent from my iPhone
d-cubed Mission Specialist

Re: Third party cert - subscription manager

Thank you. I have installed certifi and will check on Monday to see if that helps.

d-cubed Mission Specialist

Re: Third party cert - subscription manager

It did not work.  I'll see if I can get the district to turn off deep packet inspection for Red Hat.
