I just want to change the certificate for the web part, not for smart proxy.
I see that in /etc/foreman/settings.yaml I need to change:
But this doesn't change the apache configuration.
What should I do to update the apache configuration?
I can do it manually, but the file seems to be managed by foreman-installer in some way.
Can you tell me what is the best way for this?
Are you using Katello or just straight Foreman? If you are using Katello running custom SSL certificates is very complicated due to the fact that Katello needs two separate CAs. The instructions to change the Foreman SSL certificate will not work on a Foreman/Katello installation.
sorry for the delay.
I looked a bit at my issue. When I switch the apache2 configuration to my wildcard certificate, the issue comes from my puppet master:
During fact upload occured an exception: SSL_connect returned=1 errno=0 state=error: certificate verify failed
/etc/puppetlabs/puppet/node.rb:383: warning: constant ::TimeoutError is deprecated
class or module required for rescue clause
I just modified the url in /etc/puppetlabs/puppet/foreman.yaml, but that doesn't solve the issue.
Any idea?
In that same file we also specify SSL certs. You must change the CA cert there as well because it checks that against what the master presents. The client cert and key shouldn’t be changed - those are still used to identify the client.
It's the ssl_ca parameter I mean. That should be the CA that is configured on the Apache 2 side and matches the SSLCertificateFile.
We explicitly use it for the second paragraph:
This should be used alternatively and/or additionally to SSLCACertificatePath for explicitly constructing the server certificate chain which is sent to the browser in addition to the server certificate. It is especially useful to avoid conflicts with CA certificates when using client authentication. Because although placing a CA certificate of the server certificate chain into SSLCACertificatePath has the same effect for the certificate chain construction, it has the side-effect that client certificates issued by this same CA certificate are also accepted on client authentication.
Using this makes sure we serve the application using Letsencrypt certificates but not accepting them as client certificates, which would open up a huge security hole. We set that to a different CA (Puppet in the Foreman scenario, a custom one in the Katello scenario).
In Replacing self-signed certificates I've described how I set this up for me. Note that you missed two parameters. You are more strict in your chain file, which is probably more secure.
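As an added illustration that is not code from this thread or from Foreman, the following shell script models the two trust decisions the replies above describe, using throwaway CAs and nothing but the openssl command line: the :ssl_ca: in node.rb's foreman.yaml has to be the CA that issued the certificate Apache serves (otherwise node.rb fails with "certificate verify failed"), and Apache's client-authentication CA (SSLCACertificateFile) has to stay the Puppet CA rather than the public CA that issued the web certificate, because a CA listed there also vouches for client certificates. All host names, CA names and certificates in it are constructed for the demo.

```shell
#!/bin/sh
# Added example, not from the thread or from Foreman. Models two trust checks
# with throwaway CAs:
#   * node.rb's :ssl_ca: must be the CA that issued Apache's SSLCertificateFile
#   * Apache's SSLCACertificateFile (client auth) must stay the Puppet CA, not
#     the public CA behind the web certificate
# Every name and certificate below is constructed for the demo.
set -e

WORK="$(mktemp -d)"
trap 'rm -rf "$WORK"' EXIT

# make_ca NAME CN : create a self-signed CA (key + cert) in $WORK
make_ca() {
  openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 1 \
    -keyout "$WORK/$1.key" -out "$WORK/$1.crt" -subj "/CN=$2" >/dev/null 2>&1
}

# issue_cert NAME CN CA : issue a leaf certificate for CN, signed by CA
issue_cert() {
  openssl req -new -newkey rsa:2048 -nodes -sha256 \
    -keyout "$WORK/$1.key" -out "$WORK/$1.csr" -subj "/CN=$2" >/dev/null 2>&1
  openssl x509 -req -in "$WORK/$1.csr" -sha256 -days 1 \
    -CA "$WORK/$3.crt" -CAkey "$WORK/$3.key" -CAcreateserial \
    -out "$WORK/$1.crt" >/dev/null 2>&1
}

# verify_against_ca CA CERT : print "ok" if CERT chains to CA, else "fail".
# This is the same path validation a TLS peer (node.rb, mod_ssl) performs
# against its configured trust anchor.
verify_against_ca() {
  if openssl verify -CAfile "$WORK/$1.crt" "$WORK/$2.crt" >/dev/null 2>&1; then
    echo ok
  else
    echo fail
  fi
}

# Two independent CAs, as in the thread: the Puppet CA that identifies hosts,
# and a public CA standing in for the one that issued the wildcard web cert.
make_ca puppet_ca "Puppet CA demo"
make_ca web_ca    "Public web CA demo"

issue_cert web_server    "foreman.example.test"      web_ca     # new SSLCertificateFile
issue_cert puppet_client "puppetmaster.example.test" puppet_ca  # master's client cert
issue_cert rogue_client  "anyone.example.test"       web_ca     # anyone can obtain one

echo "ssl_ca left at Puppet CA, web cert from public CA        -> $(verify_against_ca puppet_ca web_server)"
echo "ssl_ca switched to the public CA                         -> $(verify_against_ca web_ca web_server)"
echo "SSLCACertificateFile = Puppet CA, puppet master client   -> $(verify_against_ca puppet_ca puppet_client)"
echo "SSLCACertificateFile = Puppet CA, cert from public CA    -> $(verify_against_ca puppet_ca rogue_client)"
echo "SSLCACertificateFile = public CA (the hole), same cert   -> $(verify_against_ca web_ca rogue_client)"
```

The first line reproduces the "certificate verify failed" symptom from the thread; the second shows what pointing :ssl_ca: at the web CA changes. The last two lines are the reason the web CA belongs only in SSLCertificateChainFile: once it is a client-auth trust anchor, a certificate that anybody can obtain from that CA passes the same check as the puppet master's.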
But I'm having a hard time each time I use the installer. That's why I would like to find my way to configure apache2.
I ran the installer and, as expected, it failed with an SSL error. I must be doing something wrong.
/Stage[main]/Foreman_proxy::Register/Foreman_smartproxy[foreman.domain.local]: Could not evaluate: Exception SSL_connect returned=1 errno=0 state=error: certificate verify failed in get request to: https://foreman.domain.local/api/v2/smart_proxies?search=name="foreman.domain.local"
And then proceeded to change just the SSLCertificateFile, SSLCertificateKeyFile & SSLCertificateChainFile values, with the flags that I posted above:
I may have also rebooted the host to force everything to re-read its configuration from disk. I was concerned that some things may have been storing the certificate in memory, and I didn’t understand the relationship between Apache, the Foreman Server, the Foreman Smart Proxy and the Puppet CA itself.
In the end, the Apache file /etc/apache2/sites-available/05-foreman-ssl.conf contained:
Thanks for sharing.
I finally was able to make it work with the same setup as yours, but in /etc/puppetlabs/puppet/foreman.yaml for node.rb I had to remove the :ssl_ca: parameter! Crazy stuff, I can't really understand why. Anyway, from my point of view the client doesn't need the CA.
Just to share, the yaml conf file looks like this: