How to turn off SSL certificate verification for RedHat Kickstartfile downloading


Solution 1

Use the anaconda option noverifyssl to disable SSL certificate checking.

Specifically, in the DEFAULT file for PXE booting, in the APPEND section, list inst.noverifyssl before the initrd line. It should look like this:

APPEND inst.noverifyssl initrd=/<path to your kernel> ks=https://<path to your repo> 

Solution 2

After I stumbled upon this, it seems that the configuration option to turn off SSL verification was renamed to

md.noverifyssl  

See http://man7.org/linux/man-pages/man7/dracut.cmdline.7.html

Solution 3

As far as I have found, testing with CentOS 7 and a kickstart file hosted on an improperly SSL cert-ed URL, noverifyssl cannot be specified where you were trying to, in the kernel line.

noverifyssl is an Anaconda flag, but Anaconda does not parse this command, initrd.img does.

I tried the following tests:

.. will indicate this line as it remained the same in all tests

vmlinuz initrd=initrd.img inst.stage2=[auto-populated stage 2 path]

 

.. ks=https://my.badly.certd-url.com/dummy/url.ks noverifyssl

Result: curl error over insecure CA cert, ignored the flag

.. ks=https://my.badly.certd-url.com/dummy/url.ks --noverifyssl

Result: curl error over insecure CA cert, ignored the flag

.. ks="https://my.badly.certd-url.com/dummy/url.ks -k"

I tried this to see if I could pass the -k flag to curl, allowing an insecure connection. Result: curl error, could not parse because of quotes

.. ks=https://my.badly.certd-url.com/dummy/url.ks\ -k

I tried this to see if I could pass the -k flag to curl, allowing an insecure connection. Result: curl error over insecure CA cert, ignored the flag

After an error, when my install process dumped to the dracut emergency shell, I executed

> curl -k https://my.badly.certd-url.com/dummy/url.ks

and it returned my .ks file.

I solved this problem for myself by avoiding it entirely and rehosting my script on another server with proper certs. I used a GitHub repo and pointed at the raw URL for the .ks file.
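
An added example, not part of any answer above: a small Python check that scans PXELINUX or iPXE boot configuration for the verification-disabling parameters named in the answers, and for kickstart URLs fetched over plain HTTP. The sample menu, its host names, and the function name audit_pxe_config are constructed for illustration.

```python
import re

# Boot parameters named on this page that disable certificate checks
# (rd.noverifyssl is the name documented in dracut.cmdline(7)).
NOVERIFY_FLAGS = {"noverifyssl", "inst.noverifyssl", "rd.noverifyssl", "md.noverifyssl"}
KICKSTART_KEYS = {"ks", "inst.ks"}

# Constructed sample PXE menu; host names and paths are placeholders.
SAMPLE_CONFIG = """\
DEFAULT install
LABEL install
  KERNEL vmlinuz
  APPEND inst.noverifyssl initrd=initrd.img ks=https://ks.example.internal/host.ks
LABEL plain
  KERNEL vmlinuz
  APPEND initrd=initrd.img ks=http://ks.example.internal/host.ks
LABEL verified
  KERNEL vmlinuz
  APPEND initrd=initrd.img inst.ks=https://ks.example.internal/host.ks
"""

def audit_pxe_config(text):
    """Return (line_number, finding) pairs for risky kernel command lines."""
    findings = []
    for number, line in enumerate(text.splitlines(), 1):
        words = line.split()
        # Only APPEND (PXELINUX) and kernel (iPXE) lines carry boot parameters.
        if not words or words[0].lower() not in ("append", "kernel"):
            continue
        for word in words[1:]:
            key, _, value = word.partition("=")
            key = key.lstrip("-")  # also catch the "--noverifyssl" spelling
            if key in NOVERIFY_FLAGS:
                findings.append((number, f"certificate verification disabled by {key}"))
            elif key in KICKSTART_KEYS and re.match(r"(?i)http://", value):
                findings.append((number, "kickstart fetched over plain HTTP"))
    return findings

if __name__ == "__main__":
    for number, finding in audit_pxe_config(SAMPLE_CONFIG):
        print(f"line {number}: {finding}")
```

Run it against the files under the TFTP server's pxelinux.cfg directory or against rendered provisioning templates; an empty result means no listed flag and no plain-HTTP kickstart URL was found.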

Author by

cyberkov

Updated on September 18, 2022

Comments

  • cyberkov
    cyberkov almost 2 years

    I'm using Foreman for RedHat 6.0 booting over ipxe (but that shouldn't matter ;)

    The kernel parameters used for booting are:

    kernel http://192.168.1.5/dist/rhel/6.0/os/x86_64/images/pxeboot/vmlinuz ks=https://puppet.at.internal/unattended/provision ksdevice=bootif network kssendmac
    

    When anaconda tries to load the KS file it gives me this error:

    Error downloading https://puppet.at.internal/unattended/provision: Problem with the SSL CA cert (path? access rights?)

    Unfortunately Google is as helpful as the Red Hat docs - there's no information on how to turn off SSL verification :( Since I am using at.internal as domain I also cannot get an official certificate but, due to the company restrictions, I must use HTTPS...

    It would also be okay if it were possible to add the CA (or certfile) as a bootcmd.

    Thanks in advance for your help!