d-cubed
Flight Engineer

Third party cert - subscription manager

My school uses Fortigate requiring an SSL cert. I've added it to /etc/pki/ca-trust/source/anchors/ and ran update-ca-trust.

However, there are still issues with subscription manager - (how) can I fix this?

7 Replies
JangoJeff
Flight Engineer

The Fortigate is just a firewall. Having the cert is just telling your computer it is trustworthy. It has nothing to do with subscription-manager. It could however be blocking ports needed to connect to subscription-manager.

Also how does your school manage subscriptions? Is it done going directly to Red Hat or do they use Red Hat Satellite or Katello? If one of the latter two then you need to point it to their Satellite or Katello server. Someone at the school should know this information.

Sent from my iPhone
d-cubed
Flight Engineer

It is indeed just a firewall. My lab is the only one in the school with Red Hat machines and I am on my own vlan (under the overarching restrictions of the school district).

Which ports need to be open and is there a convenient subscription manager tool to check?

I can run these commands with no problem (as far as I recall - I am not at school):

curl -v -k https://subscription.rhn.redhat.com/subscription/ --cacert /etc/rhsm/ca/redhat-uep.pem
curl --key /etc/pki/consumer/key.pem --cert /etc/pki/consumer/cert.pem --cacert redhat-uep.pem https://subscription.rhn.redhat.com/subscription/users/SUBSCRIBER/owners

JangoJeff
Flight Engineer

It uses port 443. I put some links below for you, the first being about accessing it via a firewall proxy. The other is about subscription-manager itself. However you will need the school's network team to make the needed changes to the firewall. Hope this helps.

https://access.redhat.com/solutions/65300
https://access.redhat.com/documentation/en-us/red_hat_subscription_management/1/html-single/rhsm/ind...

Sent from my iPad
d-cubed
Flight Engineer

To clarify - port 443 is open. HTTPS traffic works fine - on web browsers and repo updates on other *nixes - after accepting the Fortigate cert as an authority and after using update-ca-certs.

However, it fails in subscription manager - the port is open but the Fortigate is basically showing up as a MITM attack because of the SSL cert.

2019-09-18 09:09:01,885 [ERROR] rhsmd:30923:MainThread @cache.py:217 - [SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed (_ssl.c:877)

2019-09-18 14:50:51,144 [ERROR] dnf:7125:MainThread @repolib.py:359 - [SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed (_ssl.c:877)
ssl.SSLError: [SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed (_ssl.c:877)
2019-09-18 14:50:51,347 [ERROR] dnf:7125:MainThread @cache.py:217 - [SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed (_ssl.c:877)
ssl.SSLError: [SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed (_ssl.c:877)
2019-09-18 15:15:49,811 [ERROR] dnf:8194:MainThread @repolib.py:359 - [SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed (_ssl.c:877)
ssl.SSLError: [SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed (_ssl.c:877)
2019-09-18 15:15:49,999 [ERROR] dnf:8194:MainThread @cache.py:217 - [SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed (_ssl.c:877)
ssl.SSLError: [SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed (_ssl.c:877)
2019-09-18 16:33:02,751 [ERROR] dnf:9616:MainThread @repolib.py:359 - [SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed (_ssl.c:877)
ssl.SSLError: [SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed (_ssl.c:877)
2019-09-18 16:33:03,129 [ERROR] dnf:9616:MainThread @cache.py:217 - [SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed (_ssl.c:877)
ssl.SSLError: [SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed (_ssl.c:877)

JangoJeff
Flight Engineer

Port 443 may be opened. However the site would still need to be on the firewall’s allow list for you to connect to it.

You can try the below steps. I assume from your original post step one is done.

Copy the CA.crt to /etc/pki/ca-trust/source/anchors/
update-ca-trust force-enable
update-ca-trust extract

You can look at the man page for update-ca-trust for more info on it.

If you still have issues you may need to install certifi, which is a Python package.

You can read more here where I found the above info.

https://stackoverflow.com/questions/27835619/urllib-and-ssl-certificate-verify-failed-error

Sent from my iPhone
d-cubed
Flight Engineer

Thank you. I have installed certifi and will check on Monday to see if that helps.

d-cubed
Flight Engineer

It did not work. I'll see if I can get the district to turn off deep packet inspection for Red Hat.
