Can't register Landscape client with on-prem server

Question

I have the Landscape Server 18.03 installed on an Ubuntu 18.04 VM, and merrily monitoring itself. So that side seems to work.

I'm trying to register another 18.04 VM with

sudo landscape-config --computer-title "landscape client" --account-name standalone --url https://landscape.localhost/message-system --ping-url http://landscape.localhost/ping

and getting

We were unable to contact the server.
Your internet connection may be down. The landscape client will continue to try and contact the server periodically.

broker.log contains

sudo tail -n 19 /var/log/landscape/broker.log 
2018-08-11 20:45:00,394 INFO     [MainThread] Starting urgent message exchange with https://landscape.localhost/message-system.
2018-08-11 20:45:00,400 ERROR    [PoolThread-twisted.internet.reactor-0] Error contacting the server at https://landscape.localhost/message-system.
Traceback (most recent call last):
  File "/usr/lib/python3/dist-packages/landscape/lib/fetch.py", line 116, in fetch
    curl.perform()
pycurl.error: (77, '')

During handling of the above exception, another exception occurred:

Traceback (most recent call last):
  File "/usr/lib/python3/dist-packages/landscape/client/broker/transport.py", line 82, in exchange
    message_api)
  File "/usr/lib/python3/dist-packages/landscape/client/broker/transport.py", line 56, in _curl
    headers=headers, cainfo=self._pubkey, curl=curl))
  File "/usr/lib/python3/dist-packages/landscape/lib/fetch.py", line 118, in fetch
    raise PyCurlError(e.args[0], e.args[1])
landscape.lib.fetch.PyCurlError: Error 77: 
2018-08-11 20:45:00,401 INFO     [MainThread] Message exchange failed.
2018-08-11 20:45:00,402 INFO     [MainThread] Message exchange completed in 0.01s.

Both of

http://landscape.localhost/ping
curl -k https://landscape.localhost/message-system

work but

curl https://landscape.localhost/message-system

does not, but if I copy across the ca certificate from the Landscape server then

sudo curl https://landscape.localhost/message-system --cacert /etc/ssl/certs/landscape.localhost_ca.pem

works

From How do I install Landscape for personal use?

I've tried pointing the ssl_public_key in client.conf at both the ca certificate and the server certificate but neither seems to work.

Answer 1

Curl's error 77 is CURLE_SSL_CACERT_BADFILE, indicating that it's an issue with the provided cacert file. Your curl --cacert command confirms that the file isn't corrupt or in a wrong format.

Therefore, it's most likely a file permissions issue; maybe it can be read/write by owner/group but not by others, so it can be read when you sudo curl as root, but not when read by the landscape user.

chmod o+r /etc/ssl/certs/landscape.localhost_ca.pem should fix it.

Answer 2

Try restarting the client service after you installed the cert, using this command:

sudo /etc/init.d/landscape-client restart

The exact same situation you described happened to me. Curl worked with the cert, perms on the copied cert were correct, but still didn't work... Remembered to restart (I had changed the config file, after all!), and voila!