4

I'm using Foreman for Red Hat 6.0, booting over iPXE (but that shouldn't matter ;)

The kernel parameters used for booting are:

kernel http://192.168.1.5/dist/rhel/6.0/os/x86_64/images/pxeboot/vmlinuz ks=https://puppet.at.internal/unattended/provision ksdevice=bootif network kssendmac

When anaconda tries to load the KS file it gives me this error:

Error downloading https://puppet.at.internal/unattended/provision: Problem with the SSL CA cert (path? access rights?)

Unfortunately, Google is as helpful as the Red Hat docs - there's no information on how to turn off SSL verification :( Since I am using at.internal as the domain, I also cannot get an official certificate, but due to company restrictions I must use https...

It would also be okay if it were possible to add the CA (or certfile) as a bootcmd.

Thanks in advance for your help!

EEAA
cyberkov

5 Answers

4

Use the Anaconda option noverifyssl to disable SSL certificate checking.

Specifically, in the DEFAULT file for PXE booting, in the APPEND section, list inst.noverifyssl before the initrd line. It should look like this:

APPEND inst.noverifyssl initrd=/<path to your kernel> ks=https://<path to your repo> 
Gerald Schneider
Brennan
2

After I stumbled upon this, it seems that the configuration option to turn off SSL verification was renamed to

md.noverifyssl  

See http://man7.org/linux/man-pages/man7/dracut.cmdline.7.html

Mandragor
1

As far as I have found, testing with CentOS 7 and a kickstart file hosted on an improperly SSL cert-ed URL, noverifyssl cannot be specified where you were trying to, in the kernel line.

noverifyssl is an Anaconda flag, but Anaconda does not parse this command, initrd.img does.

I tried the following tests:

.. will indicate this line as it remained the same in all tests

vmlinuz initrd=initrd.img inst.stage2=[auto-populated stage 2 path]

 

.. ks=https://my.badly.certd-url.com/dummy/url.ks noverifyssl

Result: curl error over insecure CA cert, ignored the flag

.. ks=https://my.badly.certd-url.com/dummy/url.ks --noverifyssl

Result: curl error over insecure CA cert, ignored the flag

.. ks="https://my.badly.certd-url.com/dummy/url.ks -k"

I tried this to see if I could pass the -k flag to curl, allowing an insecure connection. Result: curl error, could not parse because of quotes

.. ks=https://my.badly.certd-url.com/dummy/url.ks\ -k

I tried this to see if I could pass the -k flag to curl, allowing an insecure connection. Result: curl error over insecure CA cert, ignored the flag

After an error, when my install process dumped to the dracut emergency shell, I executed

> curl -k https://my.badly.certd-url.com/dummy/url.ks

and it returned my .ks file.

I solved this problem for myself by avoiding it entirely and rehosting my script on another server with proper certs. I used a GitHub repo and pointed at the raw URL for the .ks file.

Will Barnwell
0

Specifically, in the DEFAULT file for PXE booting, in the APPEND section, list inst.noverifyssl before the initrd line. It should look like this:

APPEND inst.noverifyssl initrd=/<path to your kernel> ks=https://<path to your repo>
Andrew Schulman
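
An added example, not from any of the answers above: a Python check that scans pxelinux or iPXE boot configuration for kickstart entries whose certificate verification is switched off with any `noverifyssl` spelling used in this thread (it also matches dracut's `rd.noverifyssl`), or that fetch the kickstart over plain HTTP. The function names, the `inst.ks` key and the sample config are assumptions made for the illustration.

```python
import re

# Matches pxelinux "APPEND ..." and iPXE "kernel ..." lines; the rest is ignored.
BOOT_LINE = re.compile(r"^\s*(?:append|kernel)\s+(.+)$", re.IGNORECASE)
KS_KEYS = {"ks", "inst.ks"}  # inst.ks is the RHEL 7+ spelling (not on this page)


def is_noverify(token):
    """True for noverifyssl, --noverifyssl, inst.noverifyssl, rd.noverifyssl, ..."""
    return token.lstrip("-").rsplit(".", 1)[-1].lower() == "noverifyssl"


def audit_cmdline(cmdline):
    """Return findings for one kernel command line."""
    tokens = cmdline.split()
    ks_urls = [t.split("=", 1)[1].strip('"') for t in tokens
               if "=" in t and t.split("=", 1)[0] in KS_KEYS]
    flags = [t for t in tokens if is_noverify(t)]
    findings = []
    for url in ks_urls:
        scheme = url.split(":", 1)[0].lower()
        if scheme == "http":
            findings.append(f"kickstart over plain HTTP: {url}")
        elif scheme == "https" and flags:
            findings.append(f"certificate check disabled ({flags[0]}) for {url}")
    return findings


def audit_config(text):
    """Return (line_number, finding) pairs for a boot config file."""
    results = []
    for number, line in enumerate(text.splitlines(), start=1):
        match = BOOT_LINE.match(line)
        if match:
            results.extend((number, f) for f in audit_cmdline(match.group(1)))
    return results


# Constructed sample config, modelled on the lines quoted in this thread.
SAMPLE = """\
LABEL rhel6
  KERNEL vmlinuz
  APPEND inst.noverifyssl initrd=initrd.img ks=https://puppet.at.internal/unattended/provision
LABEL verified
  KERNEL vmlinuz
  APPEND initrd=initrd.img ks=https://puppet.at.internal/unattended/provision ksdevice=bootif
LABEL legacy
  KERNEL vmlinuz
  APPEND initrd=initrd.img ks=http://192.168.1.5/ks.cfg
"""

if __name__ == "__main__":
    for number, finding in audit_config(SAMPLE):
        print(f"line {number}: {finding}")
```
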
0

Make sure you have CA certificates to allow SSL-based applications to check for the authenticity of SSL connections. They can be installed by:

sudo apt-get install ca-certificates openssl

If you have it, consider reinstalling it.


kenorb