Change Foreman web SSL certificate

Hi,

I would like to reach foreman at foreman.mydomain.com.
For this I have a wildcard certificate.

I just want to change the certificate for the web part, not for smart proxy.

I see that in /etc/foreman/settings.yaml I need to change:

Websockets

:websockets_encrypt: on
:websockets_ssl_key: /etc/foreman/ssl/domain.fr.key
:websockets_ssl_cert: /etc/foreman/ssl/domain.fr.crt

But this doesn't change the apache configuration.
What should I do to update the apache configuration?
I can do it manually, but the file seems to be managed by foreman-installer in some way.
Can you tell me what the best way to do this is?

Thank you

Hi,

the SSL certificates for the Web UI can be changed in the Apache configuration for the Foreman VirtualHost. On RHEL based distributions this would be /etc/httpd/conf.d/05-foreman-ssl.conf.

There is also an article about how to replace the certificates:
https://theforeman.org/2015/11/foreman-ssl.html

Cheers,
Martin

Are you using Katello or just straight Foreman? If you are using Katello running custom SSL certificates is very complicated due to the fact that Katello needs two separate CAs. The instructions to change the Foreman SSL certificate will not work on a Foreman/Katello installation.

Have a look at

I'll try.
Last time I changed the apache2 configuration. The web server was OK, but it broke the communication with my puppet server.

Hi,

sorry for the delay.
I looked a bit at my issue. When I switch the apache2 configuration to my wildcard certificate, the issue comes from my puppet master:

#/etc/puppetlabs/puppet/node.rb client.domain.local
During fact upload occured an exception: SSL_connect returned=1 errno=0 state=error: certificate verify failed
/etc/puppetlabs/puppet/node.rb:383: warning: constant ::TimeoutError is deprecated
class or module required for rescue clause  

I just modified the url in /etc/puppetlabs/puppet/foreman.yaml, but that doesn't solve the issue.
Any idea?

In that same file we also specify SSL certs. You must change the CA cert there as well because it checks that against what the master presents. The client cert and key shouldn’t be changed - those are still used to identify the client.

I’m running into the same issue. Is this article still up to date? SSLCertificateChainFile is obsolete, isn’t it?

BTW, I was able to change the webserver certificate for the Web interface with the following foreman-installer flags:

foreman-installer \
--foreman-server-ssl-cert /etc/ssl/certs/foreman.example.org-cert.pem \
--foreman-server-ssl-key /etc/ssl/private/foreman.example.org-key.pem \
--foreman-server-ssl-chain /etc/ssl/certs/gd_bundle-g2-g1.crt

Hi @ekohl,

just to be clear, on the apache2 side I need to switch only:

SSLCertificateFile      "/etc/foreman/ssl/domainmain.fr.crt"
SSLCertificateKeyFile   "/etc/foreman/ssl/domain.fr.key"

SSLCertificateChainFile and SSLCACertificateFile remain the current CA for authentication.

For node.rb, switch the URL to:

:url: "https://foreman.domain.local"
:ssl_ca: "/etc/puppetlabs/puppet/ssl/certs/ca.pem"

What about the ssl_ca parameter? Should it be the CA from domain.local or the one from SSLCACertificateFile?

Thank you

It's the ssl_ca parameter I mean. That should be the CA that is configured on the Apache 2 side and matches the SSLCertificateFile.

We explicitly use it for the second paragraph:

This should be used alternatively and/or additionally to SSLCACertificatePath for explicitly constructing the server certificate chain which is sent to the browser in addition to the server certificate. It is especially useful to avoid conflicts with CA certificates when using client authentication. Because although placing a CA certificate of the server certificate chain into SSLCACertificatePath has the same effect for the certificate chain construction, it has the side-effect that client certificates issued by this same CA certificate are also accepted on client authentication.

Using this makes sure we serve the application using Letsencrypt certificates but not accepting them as client certificates, which would open up a huge security hole. We set that to a different CA (Puppet in the Foreman scenario, a custom one in the Katello scenario).

In Replacing self-signed certificates I've described how I set this up for myself. Note that you missed two parameters. You are more strict in your chain file, which is probably more secure.

I gave it a try by syncing the CA between the foreman server and node.rb, and I got the following error:

/etc/puppetlabs/puppet/node.rb:383: warning: constant ::TimeoutError is deprecated
class or module required for rescue clause

Does node.rb identify itself using a certificate? Because by changing the CA for the webui it seems that this broke SSL certificate authentication, which makes sense.

I need a different CA for authentication vs. the CA for https.

Yes it does. It uses a cache which may mask some issues, until you need updated data.

So is there a way to configure apache2 to serve https with my certificate while allowing SSL authentication from another CA?

Have you looked at what the installer configures? That does exactly that. It has been posted 3 times in this thread.

Sorry,

but I'm having a hard time each time I use the installer. That's why I would like to find my own way to configure apache2.
I ran the installer and, as expected, it failed with an SSL error. I must be doing something wrong.

foreman-installer \
  --foreman-server-ssl-cert /etc/foreman/ssl/publicdomain.fr.crt \
  --foreman-server-ssl-chain /etc/puppetlabs/puppet/ssl/certs/gandi.pem \
  --foreman-server-ssl-key /etc/foreman/ssl/publicdomain.fr.key \
  --puppet-server-foreman-ssl-ca /etc/puppetlabs/puppet/ssl/certs/ca.pem \
  --foreman-proxy-foreman-ssl-ca /etc/puppetlabs/puppet/ssl/certs/ca.pem

/Stage[main]/Foreman_proxy::Register/Foreman_smartproxy[foreman.domain.local]: Could not evaluate: Exception SSL_connect returned=1 errno=0 state=error: certificate verify failed in get request to: https://foreman.domain.local/api/v2/smart_proxies?search=name="foreman.domain.local"

The --{puppet,foreman-proxy}-foreman-ssl-ca value should match what you pass in for the chain.

I actually got the same error yesterday. After many tries, I ended up resetting the foreman-proxy-ssl* values to their original values with this command:

foreman-installer --reset-foreman-proxy-ssl-cert --reset-foreman-proxy-ssl-key --reset-foreman-proxy-ssl-ca

And then proceeded to change just the SSLCertificateFile, SSLCertificateKeyFile & SSLCertificateChainFile values only with the flags that I posted above:

I may have also rebooted the host to force everything to re-read its configuration from disk. I was concerned that some things may have been storing the certificate in memory, and I didn’t understand the relationship between Apache, the Foreman Server, the Foreman Smart Proxy and the Puppet CA itself.

In the end, the Apache file /etc/apache2/sites-available/05-foreman-ssl.conf contained:

  SSLEngine on
  SSLCertificateFile      "/etc/ssl/certs/foreman.example.org-cert.pem"
  SSLCertificateKeyFile   "/etc/ssl/private/foreman.example.org-key.pem"
  SSLCertificateChainFile "/etc/ssl/certs/gd_bundle.crt"
  SSLVerifyClient         optional
  SSLCACertificateFile    "/etc/puppetlabs/puppet/ssl/certs/ca.pem"
  SSLCARevocationFile     "/etc/puppetlabs/puppet/ssl/crl.pem"
  SSLVerifyDepth          3
  SSLCARevocationCheck    "chain"
  SSLOptions +StdEnvVars +ExportCertData

Thanks for sharing.
I was finally able to make it work with the same setup as yours, but in /etc/puppetlabs/puppet/foreman.yaml for node.rb I had to remove the :ssl_ca: parameter! Crazy stuff, I can't really understand why. Anyway, from my point of view the client doesn't need the CA.

Just to share, the yaml conf file looks like this:

:url: "https://foreman.domain.local"
#:ssl_ca: "/etc/puppetlabs/puppet/ssl/certs/ca.pem"
:ssl_cert: /etc/puppetlabs/puppet/ssl/certs/puppetmaster.domain.local.pem
:ssl_key: /etc/puppetlabs/puppet/ssl/private_keys/puppetmaster.domain.local.pem

Removing it simply disables CA checking altogether which means you trust any cert, including self signed ones.

If you want to trace this, I'd look at why it can't connect manually:

# Using curl
curl --cacert /etc/ssl/certs/gd_bundle.crt --cert /etc/puppetlabs/puppet/ssl/certs/puppetmaster.domain.local.pem --key /etc/puppetlabs/puppet/ssl/private_keys/puppetmaster.domain.local.pem https://foreman.domain.local
# Using openssl (s_client takes host:port via -connect, not a URL; -servername sends SNI)
openssl s_client -connect foreman.domain.local:443 -servername foreman.domain.local -CAfile /etc/ssl/certs/gd_bundle.crt -cert /etc/puppetlabs/puppet/ssl/certs/puppetmaster.domain.local.pem -key /etc/puppetlabs/puppet/ssl/private_keys/puppetmaster.domain.local.pem
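The following is an added example, not code from this thread, from Foreman or from Puppet. It reproduces offline the two-CA split that ekohl describes (SSLCertificateFile/SSLCertificateChainFile from the public CA, SSLCACertificateFile from the Puppet CA) and the checks behind the curl/openssl diagnosis above: which CA each certificate chains to, whether a key actually belongs to its certificate, and whether foreman.yaml still carries an :ssl_ca: line. It assumes only that openssl is on PATH; the CA names "public" and "puppet", the hostnames and the sample foreman.yaml are all constructed here and stand in for the real wildcard CA, Puppet CA and config.

```shell
#!/bin/sh
# Added example (not from the thread): two throwaway CAs built with openssl.
# "public" stands in for the wildcard/commercial CA behind SSLCertificateFile
# and SSLCertificateChainFile; "puppet" for SSLCACertificateFile, the only CA
# whose certificates Apache should accept for client authentication.
set -eu

WORK=$(mktemp -d)

# make_ca NAME -> $WORK/NAME-ca.crt and NAME-ca.key, a self-signed test CA
make_ca() {
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=$1 test CA" \
    -keyout "$WORK/$1-ca.key" -out "$WORK/$1-ca.crt" 2>/dev/null
}

# issue CA NAME CN -> $WORK/NAME.crt and NAME.key, signed by CA
issue() {
  openssl req -newkey rsa:2048 -nodes -subj "/CN=$3" \
    -keyout "$WORK/$2.key" -out "$WORK/$2.csr" 2>/dev/null
  openssl x509 -req -days 1 -in "$WORK/$2.csr" -CA "$WORK/$1-ca.crt" \
    -CAkey "$WORK/$1-ca.key" -CAcreateserial -out "$WORK/$2.crt" 2>/dev/null
}

# verifies_against CA NAME -> "ok" if NAME.crt chains to CA, else "fail".
# This is the check mod_ssl makes against SSLCACertificateFile for client
# certs, and the one node.rb makes against :ssl_ca: for the server cert.
verifies_against() {
  if openssl verify -CAfile "$WORK/$1-ca.crt" "$WORK/$2.crt" 2>/dev/null \
     | grep -q ': OK$'
  then echo ok; else echo fail; fi
}

# key_matches CERTNAME KEYNAME -> "ok" when the key's public half equals the
# certificate's. A mismatch is what makes Apache reject SSLCertificateKeyFile.
key_matches() {
  c=$(openssl x509 -in "$WORK/$1.crt" -noout -pubkey)
  k=$(openssl pkey -in "$WORK/$2.key" -pubout 2>/dev/null)
  if [ "$c" = "$k" ]; then echo ok; else echo fail; fi
}

# yaml_has_ca FILE -> "ok" when an uncommented :ssl_ca: line exists.
# Without it node.rb skips CA verification and trusts any server certificate.
yaml_has_ca() {
  if grep -Eq '^[[:space:]]*:ssl_ca:' "$1"; then echo ok; else echo fail; fi
}

make_ca public
make_ca puppet
issue public server foreman.example.org          # what Apache serves
issue puppet client puppetmaster.example.org     # what node.rb presents

# Constructed foreman.yaml resembling the one posted above (:ssl_ca: commented out)
cat > "$WORK/foreman-broken.yaml" <<EOF
:url: "https://foreman.example.org"
#:ssl_ca: "$WORK/public-ca.crt"
:ssl_cert: $WORK/client.crt
:ssl_key: $WORK/client.key
EOF
sed 's/^#//' "$WORK/foreman-broken.yaml" > "$WORK/foreman-fixed.yaml"

echo "server -> public CA: $(verifies_against public server)"            # ok
echo "client -> puppet CA: $(verifies_against puppet client)"            # ok
echo "client -> public CA: $(verifies_against public client)"            # fail
echo "server -> puppet CA: $(verifies_against puppet server)"            # fail
echo "server key matches:  $(key_matches server server)"                 # ok
echo "broken yaml has CA:  $(yaml_has_ca "$WORK/foreman-broken.yaml")"   # fail
echo "fixed yaml has CA:   $(yaml_has_ca "$WORK/foreman-fixed.yaml")"    # ok
```

The two "fail" lines are the point: the client certificate does not chain to the public CA and the server certificate does not chain to the Puppet CA, which is exactly why Apache needs the two directives pointed at different CAs, and why :ssl_ca: in foreman.yaml has to name the chain Apache serves rather than the CA Apache accepts clients from.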