Browse to WebUI with HSTS

Can’t get to login page due to Browser HSTS error in Firefox and Chrome.
Expected outcome:
WebUI would load
Foreman and Proxy versions:

Foreman and Proxy plugin versions:

Other relevant data:

Good chance that I’m just a fool here, but how are we getting past this problem (Attached Screenshot) at the moment? Until recently, I was still able to hit it with Chrome but not Firefox. Now both browsers are giving me the same error. Is there a root CA that is created that I need to import, or what's the approach here?

There is a setting to enable/disable HSTS:

I just found I was able to do this by importing the cert located here:


After installing the katello-ca-consumer-latest.noarch.rpm

For anyone else having an issue, just go to Authorities in the Certificate management section of Firefox and import this file.

That is the better solution. Note that for Foreman without Katello the CA is different. The CA location is in /etc/httpd/conf.d/05-foreman-ssl.conf on EL7 or equivalent Apache location for your OS. Note that you should do this on all your clients.

So, I did try this. Is there something that needs to be run other than just restarting httpd after changes have been made to settings.yaml?

I changed hsts_enabled: false and also the require_ssl one. But it didn’t seem to have any effect.

require_ssl should be fine and doesn’t need to be touched. HSTS is cached by browsers which can explain why you saw no difference. Note you still need to accept the self-signed certificate.

Beware, this can easily render a hostname/certificate as unusable if used incorrectly. I think we do not enable this by default via installer.

We do:

Once your browser gets the HSTS header, it will require all future communication with that host to be over HTTPS. After disabling the header you will still need to reset the browser’s memory to get access to the web ui - has a nice explanation.

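Added example, not part of any post in this thread and not Foreman code: a small model of the browser-side HSTS cache as described in RFC 6797, showing why turning the header off on the server has no immediate effect on a browser that has already seen it. The host name, the `max-age` value and the names `HstsStore`, `parse_sts` and `demo` are constructed for illustration.

```python
def parse_sts(value):
    """Return (max_age, include_subdomains), or None if max-age is missing/invalid."""
    max_age, include_sub = None, False
    for part in value.split(";"):
        name, _, arg = part.strip().partition("=")
        name = name.strip().lower()
        if name == "max-age":
            arg = arg.strip().strip('"')
            if not arg.isdigit():
                return None
            max_age = int(arg)
        elif name == "includesubdomains":
            include_sub = True
    return None if max_age is None else (max_age, include_sub)

class HstsStore:
    """Toy model of a browser's HSTS cache (RFC 6797, section 8.1)."""
    def __init__(self):
        self.hosts = {}  # host -> (expiry time, includeSubDomains flag)

    def observe(self, host, headers, trusted_tls, now):
        """Process one response; header names are expected in lower case."""
        value = headers.get("strict-transport-security")
        policy = parse_sts(value) if value and trusted_tls else None
        if policy is None:
            return  # no usable header, or TLS not trusted: cache is left unchanged
        max_age, include_sub = policy
        if max_age == 0:
            self.hosts.pop(host, None)  # explicit "forget this host"
        else:
            self.hosts[host] = (now + max_age, include_sub)

    def enforced(self, host, now):
        labels = host.lower().split(".")
        for i in range(len(labels)):  # the host itself, then each parent domain
            entry = self.hosts.get(".".join(labels[i:]))
            if entry and entry[0] > now and (i == 0 or entry[1]):
                return True
        return False

def demo():
    host, hdr = "foreman.example.com", "strict-transport-security"  # constructed
    store = HstsStore()
    store.observe(host, {hdr: "max-age=31536000"}, True, now=0)
    store.observe(host, {}, True, now=20)        # header now disabled on the server
    still_cached = store.enforced(host, now=30)  # browser keeps enforcing HTTPS
    expired = not store.enforced(host, now=31536001)  # lapses only after max-age
    store.observe(host, {hdr: "max-age=0"}, True, now=40)  # explicit reset
    return still_cached, expired, not store.enforced(host, now=41)
```

The model also ignores the header when the TLS connection is not trusted, which is why a response served with an unimported self-signed certificate cannot reset a policy the browser already holds.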