How to turn off SSL certificate verification for RedHat Kickstartfile downloading
Use the anaconda option noverifyssl to disable SSL certificate checking. Specifically, in the DEFAULT file for pxebooting, in the APPEND section, list inst.noverifyssl before the initrd line. It should look like this:
APPEND inst.noverifyssl initrd=/<path to your kernel> ks=https://<path to your repo>
After I stumbled across this, it seems that the configuration option to turn off SSL verification was renamed to md.noverifyssl
See http://man7.org/linux/man-pages/man7/dracut.cmdline.7.html
As far as I have found, testing with CentOS 7 and a kickstart file hosted on an improperly SSL cert-ed URL, noverifyssl cannot be specified where you were trying to, in the kernel line. noverifyssl is an Anaconda flag, but Anaconda does not parse this command, initrd.img does.
I tried the following tests:
.. will indicate this line, as it remained the same in all tests:
vmlinuz initrd=initrd.img inst.stage2=[auto-populated stage 2 path]
.. ks=https://my.badly.certd-url.com/dummy/url.ks noverifyssl
Result: curl error over insecure CA cert, ignored the flag
.. ks=https://my.badly.certd-url.com/dummy/url.ks --noverifyssl
Result: curl error over insecure CA cert, ignored the flag
.. ks="https://my.badly.certd-url.com/dummy/url.ks -k"
I tried this to see if I could pass the -k flag to curl, allowing an insecure connection.
Result: curl error, could not parse because of quotes
.. ks=https://my.badly.certd-url.com/dummy/url.ks\ -k
I tried this to see if I could pass the -k flag to curl, allowing an insecure connection.
Result: curl error over insecure CA cert, ignored the flag
After an error, when my install process dumped to the dracut emergency shell, I executed
> curl -k https://my.badly.certd-url.com/dummy/url.ks
and it returned my .ks file.
I solved this problem for myself by avoiding it entirely and rehosting my script on another server with proper certs. I used a GitHub repo and pointed at the raw URL for the .ks file.
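Because a noverifyssl flag left in a PXE menu silently removes certificate checking for every host that boots from it, it is worth auditing the menu files. The following is an added example, not code from any of the answers above: it scans a pxelinux-style config for APPEND lines that fetch a kickstart file with verification disabled or over plain HTTP. The sample config, its labels and the host ks.example.test are constructed; the flag list combines the spellings given on this page with dracut's rd.noverifyssl.

```python
import re

# Spellings from this page (noverifyssl, inst.noverifyssl, md.noverifyssl as
# written in the second answer) plus rd.noverifyssl from dracut.cmdline(7).
NOVERIFY_FLAGS = {"noverifyssl", "inst.noverifyssl", "md.noverifyssl", "rd.noverifyssl"}
KS_KEYS = {"ks", "inst.ks"}

# Constructed sample of a pxelinux.cfg/default file.
SAMPLE = """\
DEFAULT menu
LABEL centos7-insecure
  KERNEL vmlinuz
  APPEND inst.noverifyssl initrd=initrd.img ks=https://ks.example.test/c7.ks
LABEL centos7-verified
  KERNEL vmlinuz
  APPEND initrd=initrd.img ks=https://ks.example.test/c7.ks
LABEL centos7-http
  KERNEL vmlinuz
  APPEND initrd=initrd.img inst.ks=http://ks.example.test/c7.ks
LABEL rescue
  KERNEL vmlinuz
  APPEND initrd=initrd.img rescue
"""

def audit_pxe_config(text):
    """Return (line_number, label, issue, ks_url) for each risky APPEND line."""
    findings, label = [], None
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        m = re.match(r"(?i)label\s+(\S+)", line)
        if m:
            label = m.group(1)  # remember which menu entry we are inside
            continue
        m = re.match(r"(?i)append\s+(.*)", line)
        if not m:
            continue
        tokens = m.group(1).split()
        # Kernel arguments are key=value pairs; pick out the kickstart URL.
        args = dict(t.split("=", 1) for t in tokens if "=" in t)
        ks_url = next((args[k] for k in sorted(KS_KEYS) if k in args), None)
        if ks_url is None:
            continue  # entry does not fetch a kickstart file
        if ks_url.startswith("http://"):
            findings.append((lineno, label, "plaintext-kickstart", ks_url))
        elif ks_url.startswith("https://") and NOVERIFY_FLAGS & set(tokens):
            findings.append((lineno, label, "tls-verification-disabled", ks_url))
    return findings

if __name__ == "__main__":
    for finding in audit_pxe_config(SAMPLE):
        print(finding)
```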