Certificates! Arrrgh Certificates again!

Problem:
I run Katello on Rocky Linux and use Certbot to generate valid certificates. When Certbot does a renewal, the certificates are placed in /etc/letsencrypt/archive//. However, it increments the certificate with a number and then a symbolic link is created in /etc/letsencrypt/live//. When I go to run a certificate update on Foreman, I run the suggested command that comes from the katello-certs-check command:

foreman-installer --scenario katello \
                      --certs-server-cert "/etc/letsencrypt/live/<DNS Name>/fullchain.pem" \
                      --certs-server-key "/etc/letsencrypt/live/<DNS Name>/privkey.pem" \
                      --certs-server-ca-cert "/etc/letsencrypt/live/<DNS Name>/bundle-ca-cert.pem" \
                      --certs-update-server --certs-update-server-ca

However, this seems to fail as the symbolic link in the /live/ folder is passed and foreman-installer cannot find the file. This seems to stem from the fact that the symbolic link is a relative path and not an absolute path. The symbolic links use …/…/archive// as their path. If I recreate the symbolic link with an absolute path instead, the process seems to work properly. Also, I noticed that the custom server commands created an ssl-build folder in my /root directory which also uses the relative path until I updated it.

Expected outcome:
foreman-installer should be passing the absolute path, not the relative path. I fully understand that this may be a problem with how Certbot sets up the certificates, but I think foreman-installer should be able to pass the full path, as it creates problems automating the renewal.

Foreman and Proxy versions:
3.12.0

Foreman and Proxy plugin versions:
foreman-tasks 9.2.3
foreman_ansible 14.2.1
foreman_fog_proxmox 0.16.2
foreman_puppet 7.0.0
foreman_remote_execution 13.2.5
katello 4.14.0

Distribution and version:
Rocky Linux 9.4

I hope there is a way to account for this, or if there is a better way to issue the certificates that would be great. Any guidance on how to work with LetsEncrypt would be great. Hopefully implementation of Letsencrypt into the system is on the roadmap.

Well, that seems to be the problem: foreman-installer seems to copy the file system object passed. If it's a symlink, it copies the symlink. foreman-installer should instead copy the content of the file to the destination file.

I would say, this is a bug.

Thanks. I don’t remember it causing this issue in the past so I am not sure if this is the result of some code changes. I submitted a bug report as such. Hopefully it gets validated.

The files are copied with puppet file resources.

It was different before. I have just tested it:

$ puppet apply -e "file { '/tmp/foreman-cert.crt': ensure => file, source => '/etc/pki/tls/certs/foreman8.crt' }"

Will simply copy whatever /etc/pki/tls/certs/foreman8.crt may be (using puppet 8). If it's a symlink it copies the symlink, which is somewhat unexpected because you have an ensure for file and not symlink.

Either way: the foreman-installer currently copies whatever is at that path. In case of a relative symlink it most likely breaks…

@ehelms I think you made that commit above. Can you verify, please?
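The behaviour discussed in this thread, reproduced in a scratch directory as an added example (this is not code from the thread, from Foreman or from certbot): a relative symlink in the certbot style is copied as a file system object and dangles at the destination, while canonicalising the path first hands over the absolute regular file. The `example.test` name, the temporary directory and the placeholder certificate body are all constructed for the demonstration.

```shell
#!/bin/sh
# Added example, not code from the thread or from Foreman: reproduces the
# relative-symlink problem in a scratch directory and shows the
# resolve-before-pass workaround. Every path here is constructed under a
# temporary directory; no real certbot or Foreman files are touched.
set -eu

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
# Constructed stand-in for /etc/letsencrypt/live/<DNS Name>/fullchain.pem
LIVE="$WORK/live/example.test/fullchain.pem"

# Mimic certbot's layout: a numbered file under archive/<name>/ plus a
# relative symlink live/<name>/fullchain.pem -> ../../archive/<name>/fullchain1.pem
setup_layout() {
    mkdir -p "$WORK/archive/example.test" "$WORK/live/example.test" "$WORK/dest"
    printf '%s\n' '-----BEGIN CERTIFICATE-----' 'constructed placeholder body' \
        '-----END CERTIFICATE-----' > "$WORK/archive/example.test/fullchain1.pem"
    ln -s ../../archive/example.test/fullchain1.pem "$LIVE"
}

# What the thread describes: the file system object itself (the symlink with
# its relative target string) is reproduced at the destination. Relative to
# dest/ the target ../../archive/... does not exist, so the copy dangles.
copy_symlink_as_is() {
    rm -f "$WORK/dest/server.crt"
    ln -s "$(readlink "$LIVE")" "$WORK/dest/server.crt"
    if [ -e "$WORK/dest/server.crt" ]; then echo readable; else echo dangling; fi
}

# Workaround for automated renewals: canonicalise the certbot path first and
# hand the installer an absolute path to the regular file under archive/.
resolve_cert_path() {
    readlink -f "$1"
}

# Copying the resolved regular file yields a readable certificate at dest/.
copy_resolved() {
    cp "$(resolve_cert_path "$LIVE")" "$WORK/dest/server-resolved.crt"
    if [ -e "$WORK/dest/server-resolved.crt" ]; then echo readable; else echo dangling; fi
}

setup_layout
echo "copy of symlink as-is: $(copy_symlink_as_is)"
echo "copy of resolved path: $(copy_resolved)"
echo "resolved path:         $(resolve_cert_path "$LIVE")"
```

For a renewal hook, the same idea means passing `$(readlink -f /etc/letsencrypt/live/<DNS Name>/fullchain.pem)` and the matching key path to the installer instead of the live/ symlinks themselves.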