Home / server / Questions / 391463
In Process
cyberkov
Asked: 2012-05-23 06:48:21 +0800 CST

How to turn off SSL certificate verification for RedHat Kickstartfile downloading

  • 772

I'm using Foreman for RedHat 6.0 booting over ipxe (but that shouldn't matter ;)

The kernel parameters used for booting are: 

kernel http://192.168.1.5/dist/rhel/6.0/os/x86_64/images/pxeboot/vmlinuz ks=https://puppet.at.internal/unattended/provision ksdevice=bootif network kssendmac

When anaconda tries to load the KS file it gives me this error:

Error downloading https://puppet.at.internal/unattended/provision: Problem with the SSL CA cert (path? access rights?)

Unfortunately google is as helpful as the Redhat docs - there's no information on how to turn off SSL verification :( Since I am using at.internal as domain I also cannot get an official certificate but, due to the company restrictions i must use https...

It would be also okay if it would be possible to add the CA (or certfile) as a bootcmd.

Thanks in advance for your help!

linux redhat ssl kickstart

5 Answers

  1. Use the anaconda option noverifyssl to disable SSL certificate checking

    specifically in the DEFAULT file for pxebooting, in the APPEND section, list inst.noverifyssl before the initrd line. It should look like this:

    APPEND inst.noverifyssl initrd=/<path to your kernel> ks=https://<path to your repo>
    • 4

  2. After I stumbled about this, it seems that the configuration option to turn off ssl verification was renamed to 

    md.noverifyssl

    See http://man7.org/linux/man-pages/man7/dracut.cmdline.7.html

    • 2

  3. As far as I have found, testing with CentOS 7 and a kickstart file hosted on an improperly SSL cert-ed URL, noverifyssl cannot be specified where you were trying to, in the kernel line.

    noverifyssl is an Anaconda flag, but Anaconda does not parse this command, initrd.img does.

    I tried the following tests:

    .. will indicate this line as it remained the same in all tests

    vmlinuz initrd=initrd.img inst.stage2=[auto-populated stage 2 path]

     

    .. ks=https://my.badly.certd-url.com/dummy/url.ks noverifyssl

    Result: curl error over insecure CA cert, ignored the flag 

    .. ks=https://my.badly.certd-url.com/dummy/url.ks --noverifyssl

    Result: curl error over insecure CA cert, ignored the flag 

    .. ks="https://my.badly.certd-url.com/dummy/url.ks -k"

    I tried this to see if i could pass the -k flag to curl, allowing an insecure connection. Result: curl error, could not parse because of quotes

    .. ks=https://my.badly.certd-url.com/dummy/url.ks\ -k

    I tried this to see if i could pass the -k flag to curl, allowing an insecure connection. Result: curl error over insecure CA cert, ignored the flag

    After am error, when my install process dumped to dracut emergency shell i executed

    > curl -k https://my.badly.certd-url.com/dummy/url.ks

    and it returned my .ks file.

    I solved this problem for myself by avoiding it entirely and rehosting my script on another server with proper certs. I used a github repo and pointed at the raw url for the .ks file.

    • 1

  4. Make sure you've CA certificates to allow SSL-based applications to check for the authenticity of SSL connections. They can be installed by:

    sudo apt-get install ca-certificates openssl

    If you have it, consider reinstalling it

    Related:

    • 0

  5. Specifically in the DEFAULT file for pxebooting, in the APPEND section, list inst.noverifyssl before the initrd line. It should look like this:

    APPEND inst.noverifyssl initrd=/<path to your kernel> ks=https://<path to your repo>
    • 0