About replacing foreman's web ssl certificate

Hello,

About replacing Foreman’s web SSL certificate, as described in the link below:
https://theforeman.org/2015/11/foreman-ssl.html

Managing with puppet

If you manage your Foreman and Puppet install with the theforeman/puppet and theforeman/foreman modules, you can configure all of the above with the following hiera data:

foreman::ssl: true
puppet::server_foreman_ssl_ca: '/etc/pki/tls/certs/cachain.crt'
puppet::server_foreman_url: 'https://puppet.example.com'
foreman::server_ssl_key: '/etc/pki/tls/private/puppet.example.com.key'
foreman::server_ssl_cert: '/etc/pki/tls/certs/puppet.example.com.crt'
foreman::server_ssl_chain: '/etc/pki/tls/certs/cachain.crt'
foreman::servername: 'puppet.example.com'
foreman::foreman_url: 'https://puppet.example.com'
foreman::websockets_ssl_key: '/etc/pki/tls/private/puppet.example.com.key'
foreman::websockets_ssl_cert: '/etc/pki/tls/certs/puppet.example.com.crt'

The /etc/pki/tls/certs/cachain.crt file is a bundle of certs. What is the order of the certificates in the bundle, and which certificates do I place in it?

Nobody? :smiley:

This is a standard openssl x509 PEM file. I don’t know if there’s an order, but you should place the root CA that signed the certificate there. You can check this with openssl s_client -connect puppet.example.com:port -CAfile /etc/pki/tls/certs/cachain.crt

It appears to connect, but I get this error: “verify error:num=19:self signed certificate in certificate chain”

openssl s_client -connect puppet.sertao.ifrs.edu.br:8443 -CAfile /etc/puppetlabs/puppet/ssl/certs_2020/ca_join_icpedu.crt 
CONNECTED(00000003)
depth=1 CN = Puppet CA: puppet.sertao.ifrs.edu.br
verify error:num=19:self signed certificate in certificate chain
verify return:1
depth=1 CN = Puppet CA: puppet.sertao.ifrs.edu.br
verify return:1
depth=0 CN = puppet.sertao.ifrs.edu.br
verify return:1
---
Certificate chain
 0 s:CN = puppet.sertao.ifrs.edu.br
   i:CN = Puppet CA: puppet.sertao.ifrs.edu.br
 1 s:CN = Puppet CA: puppet.sertao.ifrs.edu.br
   i:CN = Puppet CA: puppet.sertao.ifrs.edu.br
---

The same error occurs in proxy.log when I execute a remote command.

2020-03-13T16:57:34 8e84bcf4 [I] Started GET /dynflow/tasks/count state=running
2020-03-13T16:57:34 8e84bcf4 [I] Finished GET /dynflow/tasks/count with 200 (1.71 ms)
2020-03-13T16:57:34 e81ecba0 [I] Started GET /version 
2020-03-13T16:57:34 e81ecba0 [I] Finished GET /version with 200 (0.42 ms)
2020-03-13T16:57:35 8688be0a [I] Started POST /dynflow/tasks/launch 
2020-03-13T16:57:35 8688be0a [I] Finished POST /dynflow/tasks/launch with 404 (1.17 ms)
2020-03-13T16:57:35 b240cb7d [I] Started POST /dynflow/tasks/ 
2020-03-13T16:57:35 b240cb7d [I] Finished POST /dynflow/tasks/ with 200 (556.23 ms)
2020-03-13T16:57:38  [W] Error details: <RestClient::SSLCertificateNotVerified>: SSL_connect returned=1 errno=0 state=error: certificate verify failed (self signed certificate in certificate chain)
/usr/lib/ruby/vendor_ruby/restclient/request.rb:758:in `rescue in transmit'
/usr/lib/ruby/vendor_ruby/restclient/request.rb:642:in `transmit'
/usr/lib/ruby/vendor_ruby/restclient/request.rb:145:in `execute'
/usr/lib/ruby/vendor_ruby/restclient/request.rb:52:in `execute'
/usr/lib/ruby/vendor_ruby/restclient/resource.rb:67:in `post'
/usr/lib/ruby/vendor_ruby/smart_proxy_dynflow_core/callback.rb:51:in `callback'
/usr/lib/ruby/vendor_ruby/smart_proxy_dynflow_core/callback.rb:15:in `send_to_foreman_tasks'
/usr/lib/ruby/vendor_ruby/smart_proxy_dynflow_core/callback.rb:72:in `run'
/usr/lib/ruby/vendor_ruby/dynflow/action.rb:563:in `block (3 levels) in execute_run'
/usr/lib/ruby/vendor_ruby/dynflow/middleware/stack.rb:27:in `pass'
/usr/lib/ruby/vendor_ruby/dynflow/middleware.rb:19:in `pass'
/usr/lib/ruby/vendor_ruby/dynflow/action/progress.rb:31:in `with_progress_calculation'
/usr/lib/ruby/vendor_ruby/dynflow/action/progress.rb:17:in `run'
/usr/lib/ruby/vendor_ruby/dynflow/middleware/stack.rb:23:in `call'
/usr/lib/ruby/vendor_ruby/dynflow/middleware/stack.rb:27:in `pass'
/usr/lib/ruby/vendor_ruby/dynflow/middleware.rb:19:in `pass'
/usr/lib/ruby/vendor_ruby/dynflow/middleware.rb:32:in `run'
/usr/lib/ruby/vendor_ruby/dynflow/middleware/stack.rb:23:in `call'
/usr/lib/ruby/vendor_ruby/dynflow/middleware/world.rb:31:in `execute'
/usr/lib/ruby/vendor_ruby/dynflow/action.rb:562:in `block (2 levels) in execute_run'
/usr/lib/ruby/vendor_ruby/dynflow/action.rb:561:in `catch'
/usr/lib/ruby/vendor_ruby/dynflow/action.rb:561:in `block in execute_run'
/usr/lib/ruby/vendor_ruby/dynflow/action.rb:475:in `block in with_error_handling'
/usr/lib/ruby/vendor_ruby/dynflow/action.rb:475:in `catch'
/usr/lib/ruby/vendor_ruby/dynflow/action.rb:475:in `with_error_handling'
/usr/lib/ruby/vendor_ruby/dynflow/action.rb:556:in `execute_run'
/usr/lib/ruby/vendor_ruby/dynflow/action.rb:285:in `execute'
/usr/lib/ruby/vendor_ruby/dynflow/execution_plan/steps/abstract_flow_step.rb:18:in `block (2 levels) in execute'
/usr/lib/ruby/vendor_ruby/dynflow/execution_plan/steps/abstract.rb:167:in `with_meta_calculation'
/usr/lib/ruby/vendor_ruby/dynflow/execution_plan/steps/abstract_flow_step.rb:17:in `block in execute'
/usr/lib/ruby/vendor_ruby/dynflow/execution_plan/steps/abstract_flow_step.rb:32:in `open_action'
/usr/lib/ruby/vendor_ruby/dynflow/execution_plan/steps/abstract_flow_step.rb:16:in `execute'
/usr/lib/ruby/vendor_ruby/dynflow/director.rb:68:in `execute'
/usr/lib/ruby/vendor_ruby/dynflow/executors/parallel/worker.rb:15:in `block in on_message'
/usr/lib/ruby/vendor_ruby/dynflow/executors.rb:12:in `run_user_code'
/usr/lib/ruby/vendor_ruby/dynflow/executors/parallel/worker.rb:14:in `on_message'
/usr/lib/ruby/vendor_ruby/concurrent/actor/context.rb:46:in `on_envelope'
/usr/lib/ruby/vendor_ruby/concurrent/actor/behaviour/executes_context.rb:7:in `on_envelope'
/usr/lib/ruby/vendor_ruby/concurrent/actor/behaviour/abstract.rb:25:in `pass'
/usr/lib/ruby/vendor_ruby/dynflow/actor.rb:106:in `on_envelope'
/usr/lib/ruby/vendor_ruby/concurrent/actor/behaviour/abstract.rb:25:in `pass'
/usr/lib/ruby/vendor_ruby/concurrent/actor/behaviour/awaits.rb:15:in `on_envelope'
/usr/lib/ruby/vendor_ruby/concurrent/actor/behaviour/abstract.rb:25:in `pass'
/usr/lib/ruby/vendor_ruby/concurrent/actor/behaviour/sets_results.rb:14:in `on_envelope'
/usr/lib/ruby/vendor_ruby/dynflow/actor.rb:47:in `block in on_envelope'
/usr/lib/ruby/vendor_ruby/dynflow/actor.rb:59:in `with_backtrace'
/usr/lib/ruby/vendor_ruby/dynflow/actor.rb:47:in `on_envelope'
/usr/lib/ruby/vendor_ruby/concurrent/actor/behaviour/abstract.rb:25:in `pass'
/usr/lib/ruby/vendor_ruby/concurrent/actor/behaviour/buffer.rb:38:in `process_envelope'
/usr/lib/ruby/vendor_ruby/concurrent/actor/behaviour/buffer.rb:31:in `process_envelopes?'
/usr/lib/ruby/vendor_ruby/concurrent/actor/behaviour/buffer.rb:20:in `on_envelope'
/usr/lib/ruby/vendor_ruby/concurrent/actor/behaviour/abstract.rb:25:in `pass'
/usr/lib/ruby/vendor_ruby/concurrent/actor/behaviour/termination.rb:55:in `on_envelope'
/usr/lib/ruby/vendor_ruby/concurrent/actor/behaviour/abstract.rb:25:in `pass'
/usr/lib/ruby/vendor_ruby/concurrent/actor/behaviour/removes_child.rb:10:in `on_envelope'
/usr/lib/ruby/vendor_ruby/concurrent/actor/behaviour/abstract.rb:25:in `pass'
/usr/lib/ruby/vendor_ruby/concurrent/actor/behaviour/sets_results.rb:14:in `on_envelope'
/usr/lib/ruby/vendor_ruby/concurrent/actor/core.rb:162:in `process_envelope'
/usr/lib/ruby/vendor_ruby/concurrent/actor/core.rb:96:in `block in on_envelope'
/usr/lib/ruby/vendor_ruby/concurrent/actor/core.rb:119:in `block (2 levels) in schedule_execution'
/usr/lib/ruby/vendor_ruby/concurrent/synchronization/mutex_lockable_object.rb:41:in `block in synchronize'
/usr/lib/ruby/vendor_ruby/concurrent/synchronization/mutex_lockable_object.rb:41:in `synchronize'
/usr/lib/ruby/vendor_ruby/concurrent/synchronization/mutex_lockable_object.rb:41:in `synchronize'
/usr/lib/ruby/vendor_ruby/concurrent/actor/core.rb:116:in `block in schedule_execution'
/usr/lib/ruby/vendor_ruby/concurrent/executor/serialized_execution.rb:18:in `call'
/usr/lib/ruby/vendor_ruby/concurrent/executor/serialized_execution.rb:96:in `work'
/usr/lib/ruby/vendor_ruby/concurrent/executor/serialized_execution.rb:77:in `block in call_job'
/usr/lib/ruby/vendor_ruby/concurrent/executor/ruby_thread_pool_executor.rb:353:in `run_task'
/usr/lib/ruby/vendor_ruby/concurrent/executor/ruby_thread_pool_executor.rb:342:in `block (3 levels) in create_worker'
/usr/lib/ruby/vendor_ruby/concurrent/executor/ruby_thread_pool_executor.rb:325:in `loop'
/usr/lib/ruby/vendor_ruby/concurrent/executor/ruby_thread_pool_executor.rb:325:in `block (2 levels) in create_worker'
/usr/lib/ruby/vendor_ruby/concurrent/executor/ruby_thread_pool_executor.rb:324:in `catch'
/usr/lib/ruby/vendor_ruby/concurrent/executor/ruby_thread_pool_executor.rb:324:in `block in create_worker'
/usr/lib/ruby/vendor_ruby/logging/diagnostic_context.rb:474:in `block in create_with_logging_context'
2020-03-13T16:57:38  [E] SSL_connect returned=1 errno=0 state=error: certificate verify failed (self signed certificate in certificate chain) (RestClient::SSLCertificateNotVerified)

Hello @infomatico, I had the same issue and I just figured out how to fix it.
The CA bundle must be taken from your certificate authority provider (in my case GlobalSign).

In the end, the root CA alone is not enough.
You should also add the Puppet root CA, so my final CA bundle file contains first my GlobalSign root CA and then the Puppet Server CA (/etc/puppetlabs/puppet/ssl/certs/ca.pem).

My configuration is done with Puppet; the details are below:
My foreman_url is signed by a well-known certificate authority: GlobalSign.
chain.crt => GlobalSign certificate chain
tls.crt => GlobalSign certificate for my foreman_url (https://puppetserver-6.example.com)
tls.key => private key of that certificate (https://puppetserver-6.example.com)
ca.crt => GlobalSign root CA + Puppet root CA (/etc/puppetlabs/puppet/ssl/certs/ca.pem)
trusted_hosts => must contain your new Foreman base URL (puppetserver-6.example.com)

Foreman

class { 'foreman':
  server_ssl_chain    => '/etc/puppetlabs/puppet/ssl/chain.crt',
  server_ssl_cert     => '/etc/puppetlabs/puppet/ssl/tls.crt',
  server_ssl_key      => '/etc/puppetlabs/puppet/ssl/tls.key',
  client_ssl_ca       => '/etc/puppetlabs/puppet/ssl/ca.crt',
  websockets_ssl_cert => '/etc/puppetlabs/puppet/ssl/tls.crt',
  websockets_ssl_key  => '/etc/puppetlabs/puppet/ssl/tls.key',
}

foreman-proxy

class { 'foreman_proxy':
  trusted_hosts    => $trusted_hosts,
  foreman_ssl_ca   => '/etc/puppetlabs/puppet/ssl/ca.crt',
  foreman_ssl_cert => '/etc/puppetlabs/puppet/ssl/tls.crt',
  foreman_ssl_key  => '/etc/puppetlabs/puppet/ssl/tls.key',  # the private key, not the certificate
  foreman_base_url => 'https://puppetserver-6.example.com',
}

Puppetserver

class { 'puppet':
  server_foreman_url    => $server_foreman_url,
  server_foreman_ssl_ca => '/etc/puppetlabs/puppet/ssl/ca.crt',
}
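The check suggested earlier in the thread (openssl with -CAfile) and the fix in the last post (a bundle holding both the public root CA and the Puppet CA), reproduced offline as an added example. This is not code from the thread, from Foreman or from the theforeman Puppet modules: it builds a throwaway PKI with two independent self-signed CAs, one standing in for the public CA (GlobalSign in the post) that signs the web certificate and one standing in for the Puppet CA that signs the smart-proxy certificate on 8443, then verifies the proxy certificate against a bundle with only the public root (which fails with verify error 19, exactly as in the s_client output above) and against a bundle with both CAs (which passes). It also prints the subjects of a bundle in file order, since a PEM bundle is just concatenated certificates and openssl does not care about their order. All CA names, hostnames, file names and the openssl config are made up for the demonstration; the script needs only openssl and a POSIX shell.

```shell
#!/bin/sh
# Added example, not code from the thread or from Foreman: reproduce
# "verify error:num=19:self signed certificate in certificate chain" with a
# throwaway PKI and show that adding the Puppet CA to the bundle fixes it.
# Every CA name, hostname and path below is made up.
set -eu

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# Minimal openssl config so the CAs carry basicConstraints CA:TRUE regardless
# of the system openssl.cnf (without it a verifier may reject them as CAs).
cat >"$WORK/ca.cnf" <<'EOF'
[ req ]
distinguished_name   = dn
x509_extensions      = v3_ca
[ dn ]
[ v3_ca ]
basicConstraints     = critical, CA:TRUE
keyUsage             = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
EOF

# make_ca NAME CN: self-signed CA written to $WORK/NAME.key and $WORK/NAME.crt
make_ca() {
    openssl req -x509 -new -newkey rsa:2048 -nodes -days 1 -config "$WORK/ca.cnf" \
        -subj "/CN=$2" -keyout "$WORK/$1.key" -out "$WORK/$1.crt" 2>/dev/null
}

# make_leaf NAME CA CN: server certificate for CN, signed by $WORK/CA.crt
make_leaf() {
    openssl req -new -newkey rsa:2048 -nodes -config "$WORK/ca.cnf" \
        -subj "/CN=$3" -keyout "$WORK/$1.key" -out "$WORK/$1.csr" 2>/dev/null
    openssl x509 -req -days 1 -in "$WORK/$1.csr" -CA "$WORK/$2.crt" \
        -CAkey "$WORK/$2.key" -CAcreateserial -out "$WORK/$1.crt" 2>/dev/null
}

# build_pki: two independent roots, one leaf each, and the two candidate bundles
build_pki() {
    [ -f "$WORK/bundle-full.crt" ] && return 0
    make_ca webca    "Example Public Root CA"          # stands in for GlobalSign
    make_ca puppetca "Puppet CA: puppet.example.com"   # stands in for the Puppet CA
    make_leaf web   webca    "puppet.example.com"      # served by Apache/Foreman on 443
    make_leaf proxy puppetca "puppet.example.com"      # served by the smart proxy on 8443
    cat "$WORK/webca.crt" >"$WORK/bundle-web-only.crt"
    cat "$WORK/webca.crt" "$WORK/puppetca.crt" >"$WORK/bundle-full.crt"
}

# count_certs BUNDLE: number of PEM certificates in a bundle file
count_certs() { grep -c -- '-----BEGIN CERTIFICATE-----' "$1"; }

# list_bundle BUNDLE: subject of every certificate in the bundle, in file order
list_bundle() {
    n=0; pem=""
    while IFS= read -r line; do
        pem="$pem$line
"
        if [ "$line" = "-----END CERTIFICATE-----" ]; then
            n=$((n + 1))
            printf '%d: %s\n' "$n" "$(printf '%s' "$pem" | openssl x509 -noout -subject)"
            pem=""
        fi
    done <"$1"
}

# verify_chain BUNDLE LEAF SENT_CA: what a client that trusts only BUNDLE
# concludes when the server sends LEAF plus SENT_CA (the two-certificate chain
# s_client printed in the thread). -untrusted models the certificates the
# server sent; only BUNDLE is trusted. Prints openssl's verdict, returns its status.
verify_chain() {
    openssl verify -CAfile "$1" -untrusted "$3" "$2" 2>&1
}

build_pki
echo "bundle-full.crt contains:"; list_bundle "$WORK/bundle-full.crt"
for bundle in bundle-web-only bundle-full; do
    echo "--- proxy certificate verified against $bundle.crt"
    if verify_chain "$WORK/$bundle.crt" "$WORK/proxy.crt" "$WORK/puppetca.crt"; then
        echo "verified OK"
    else
        echo "verification FAILED"
    fi
done
```

Against bundle-web-only.crt, openssl reports "error 19 at 1 depth lookup" (the Puppet CA arrived in the chain but is not trusted), which is the same condition RestClient raised as SSLCertificateNotVerified in proxy.log; against bundle-full.crt the proxy certificate verifies. On a live host the same check is `openssl s_client -connect host:8443 -CAfile cachain.crt`, and the bundle must hold every CA that signs a certificate Foreman or the proxy will connect to.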