I would like to reach Foreman on foreman.mydomain.com.
For this I have a wildcard certificate.
I just want to change the certificate for the web part, not for the smart proxy.
I see that in /etc/foreman/settings.yaml I need to change:
Websockets
:websockets_encrypt: on
:websockets_ssl_key: /etc/foreman/ssl/domain.fr.key
:websockets_ssl_cert: /etc/foreman/ssl/domain.fr.crt
But this doesn't change the Apache configuration.
What should I do to update the Apache configuration?
I can do it manually, but the file seems to be managed by foreman-installer in some way.
Can you tell me what the best way to do this is?
The SSL certificates for the Web UI can be changed in the Apache configuration for the Foreman VirtualHost. On RHEL based distributions this would be /etc/httpd/conf.d/05-foreman-ssl.conf.
Are you using Katello or just straight Foreman? If you are using Katello running custom SSL certificates is very complicated due to the fact that Katello needs two separate CAs. The instructions to change the Foreman SSL certificate will not work on a Foreman/Katello installation.
Sorry for the delay.
I looked a bit more at my issue. When I switch the apache2 configuration to my wildcard certificate, the issue comes from my puppet master:
#/etc/puppetlabs/puppet/node.rb client.domain.local
During fact upload occured an exception: SSL_connect returned=1 errno=0 state=error: certificate verify failed
/etc/puppetlabs/puppet/node.rb:383: warning: constant ::TimeoutError is deprecated
class or module required for rescue clause
I just modified the url in /etc/puppetlabs/puppet/foreman.yaml, but that doesn't solve the issue.
Any idea?
In that same file we also specify SSL certs. You must change the CA cert there as well because it checks that against what the master presents. The client cert and key shouldn’t be changed - those are still used to identify the client.
It’s the ssl_ca parameter I mean. That should be the CA that on the Apache 2 side is configured and matches the SSLCertificateFile.
We explicitly use it for the second paragraph:
This should be used alternatively and/or additionally to SSLCACertificatePath for explicitly constructing the server certificate chain which is sent to the browser in addition to the server certificate. It is especially useful to avoid conflicts with CA certificates when using client authentication. Because although placing a CA certificate of the server certificate chain into SSLCACertificatePath has the same effect for the certificate chain construction, it has the side-effect that client certificates issued by this same CA certificate are also accepted on client authentication.
Using this makes sure we serve the application using Letsencrypt certificates but not accepting them as client certificates, which would open up a huge security hole. We set that to a different CA (Puppet in the Foreman scenario, a custom one in the Katello scenario).
In Replacing self-signed certificates - #2 by ekohl I've described how I set this up for myself. Note that you missed two parameters. You are more strict in your chain file, which is probably more secure.
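As an added illustration of the distinction drawn above (not a configuration from this thread; the ServerName and the public certificate paths are placeholders), the first VirtualHost fragment puts the public CA where client certificates are verified, so any certificate issued by that public CA would pass client authentication; the second serves the public chain to browsers with SSLCertificateChainFile and keeps the Puppet CA as the only trust anchor for client certificates.

```apache
# WEAK: the public CA that signed the server certificate is also the
# trust anchor for client authentication. Any client presenting a
# certificate issued by that public CA would be accepted as a client.
<VirtualHost *:443>
  # placeholder hostname
  ServerName foreman.example.com
  SSLEngine on
  # placeholder paths for the publicly issued server certificate and key
  SSLCertificateFile    /etc/foreman/ssl/publicdomain.crt
  SSLCertificateKeyFile /etc/foreman/ssl/publicdomain.key
  # public CA chain placed here by mistake: it now also validates clients
  SSLCACertificateFile  /etc/foreman/ssl/public-ca-chain.pem
  SSLVerifyClient optional
  SSLVerifyDepth  3
  SSLOptions +StdEnvVars
</VirtualHost>

# CORRECTED: the public chain is only sent alongside the server
# certificate; client certificates are verified against the Puppet CA
# alone, so a publicly issued certificate cannot stand in for a host.
<VirtualHost *:443>
  ServerName foreman.example.com
  SSLEngine on
  SSLCertificateFile      /etc/foreman/ssl/publicdomain.crt
  SSLCertificateKeyFile   /etc/foreman/ssl/publicdomain.key
  # chain construction only: not consulted for client authentication
  SSLCertificateChainFile /etc/foreman/ssl/public-ca-chain.pem
  # the Puppet CA path used elsewhere in this thread
  SSLCACertificateFile    /etc/puppetlabs/puppet/ssl/certs/ca.pem
  SSLVerifyClient optional
  SSLVerifyDepth  3
  SSLOptions +StdEnvVars
</VirtualHost>
```

On httpd 2.4.8 and later SSLCertificateChainFile is obsolete and the intermediate chain can instead be appended to the SSLCertificateFile; the separation from SSLCACertificateFile is what matters either way.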
I gave it a try by syncing the CA between the Foreman server and node.rb, and I got the following error:
/etc/puppetlabs/puppet/node.rb:383: warning: constant ::TimeoutError is deprecated
class or module required for rescue clause
Does node.rb identify itself using a certificate? Because changing the CA for the web UI seems to have broken SSL certificate authentication, which makes sense.
I need a different CA for authentication vs. the CA for https,
but I'm having a hard time each time I use the installer. That's why I would like to find my own way to configure apache2.
I ran the installer and, as expected, it failed with an SSL error. I must be doing something wrong.
foreman-installer \
  --foreman-server-ssl-cert /etc/foreman/ssl/publicdomain.fr.crt \
  --foreman-server-ssl-chain /etc/puppetlabs/puppet/ssl/certs/gandi.pem \
  --foreman-server-ssl-key /etc/foreman/ssl/publicdomain.fr.key \
  --puppet-server-foreman-ssl-ca /etc/puppetlabs/puppet/ssl/certs/ca.pem \
  --foreman-proxy-foreman-ssl-ca /etc/puppetlabs/puppet/ssl/certs/ca.pem
/Stage[main]/Foreman_proxy::Register/Foreman_smartproxy[foreman.domain.local]: Could not evaluate: Exception SSL_connect returned=1 errno=0 state=error: certificate verify failed in get request to: https://foreman.domain.local/api/v2/smart_proxies?search=name="foreman.domain.local"
I actually got the same error yesterday. After many tries, I ended up resetting the foreman-proxy-ssl* values to their original values with this command:
And then proceeded to change just the SSLCertificateFile, SSLCertificateKeyFile & SSLCertificateChainFile values only with the flags that I posted above:
I may have also rebooted the host to force everything to re-read its configuration from disk. I was concerned that some things may have been storing the certificate in memory, and I didn’t understand the relationship between Apache, the Foreman Server, the Foreman Smart Proxy and the Puppet CA itself.
In the end, the Apache file /etc/apache2/sites-available/05-foreman-ssl.conf contained:
Thanks for sharing.
I finally was able to make it work with the same setup as yours, but in /etc/puppetlabs/puppet/foreman.yaml for node.rb I had to remove the :ssl_ca: parameter! Crazy stuff, I can't really understand why. Anyway, from my point of view the client doesn't need the CA.
Just to share, the yaml conf file looks like this: