Change the web interface certificate

Hello,

Today I tried to change the SSL certificate of the web interface on Apache.
My configuration was:

=======================
<VirtualHost 192.168.37.250:443>
ServerName foreman.mydomain.com
ServerAlias foreman

RailsAutoDetect On
DocumentRoot /usr/share/foreman/public
PassengerAppRoot /usr/share/foreman

# Use puppet certificates for SSL

SSLEngine On
SSLCertificateFile /etc/ssl/certs/foreman.crt
SSLCertificateKeyFile /etc/ssl/private/foreman.pem
SSLCertificateChainFile /etc/ssl/certs/startsslsub.class1.server.ca.pem
SSLCertificateChainFile /var/lib/puppet/ssl/certs/ca.pem
SSLCACertificateFile /etc/ssl/certs/startsslca.pem
SSLVerifyClient optional
SSLOptions +StdEnvVars
SSLVerifyDepth 3

# To eliminate BEAST vulnerability - by VHS 07/12/2012
SSLHonorCipherOrder On
SSLCipherSuite ECDHE-RSA-AES128-SHA256:AES128-GCM-SHA256:RC4:HIGH:!MD5:!aNULL:!EDH

</VirtualHost>
=======================

It works (or maybe works well), but:

  • when I try to connect any old client to foreman I receive this error:
    ==============
    Error: Could not retrieve catalog from remote server: Error 400 on SERVER:
    Could not find node ‘valin.mydomain.com’; cannot compile
    Warning: Not using cache on failed catalog
    Error: Could not retrieve catalog; skipping run
    ==============

and if I delete the client certificate (on client and on server) and
recreate and re-sign it… so, all work again.

my question is:

  • what is the correct way to configure foreman with a “valid” certificate ??
  • when the certificate will expire, we need to re-sign all the clients ??
    what is the process ??

PS: I read the FAQ and other documentation on the foreman website… but
I didn't find help there.

I believe that is all for now.

thanks

> Hello,
>
> today I try to change the SSL certificate of web interface on apache.
> my configuration was:
>
> =======================
> <VirtualHost 192.168.37.250:443>
> ServerName foreman.mydomain.com
> ServerAlias foreman
>
> RailsAutoDetect On
> DocumentRoot /usr/share/foreman/public
> PassengerAppRoot /usr/share/foreman
>
> # Use puppet certificates for SSL
>
> SSLEngine On
> SSLCertificateFile /etc/ssl/certs/foreman.crt
> SSLCertificateKeyFile /etc/ssl/private/foreman.pem
> SSLCertificateChainFile /etc/ssl/certs/startsslsub.class1.server.ca.pem
> SSLCertificateChainFile /var/lib/puppet/ssl/certs/ca.pem
> SSLCACertificateFile /etc/ssl/certs/startsslca.pem

These should instead be:

SSLCertificateChainFile /etc/ssl/certs/startsslca.pem
SSLCACertificateFile /var/lib/puppet/ssl/certs/ca.pem

The first is the CA of the server's certificate, but the second is the
CA of the client certificates (which is used by node.rb to authenticate).

> SSLVerifyClient optional
> SSLOptions +StdEnvVars
> SSLVerifyDepth 3
>
> # To eliminate BEAST vulnerability - by VHS 07/12/2012
> SSLHonorCipherOrder On
> SSLCipherSuite
> ECDHE-RSA-AES128-SHA256:AES128-GCM-SHA256:RC4:HIGH:!MD5:!aNULL:!EDH
>
> </VirtualHost>
> =======================
>
> work (or maybe work good), but:
>
> - when I try to conect any old client to foreman I receive this error:
> ==============
> Error: Could not retrieve catalog from remote server: Error 400 on
> SERVER: Could not find node 'valin.mydomain.com'; cannot compile
> Warning: Not using cache on failed catalog
> Error: Could not retrieve catalog; skipping run
> ==============
>
> and if I delete the client certificate (on client and on server) and
> recreate and re-sign it… so, all work again.

The /etc/puppet/node.rb script usually contains a path to the CA
certificate of the Foreman server that it uses to validate it. You
probably need to update the path here.

You should still be using Puppet certs to authenticate to Foreman, so
leave the SSL key and cert settings alone.

If you still get problems, run:

sudo -u puppet /etc/puppet/node.rb valin.mydomain.com

And paste the output, along with the settings you've specified and
updated httpd config.

> my question is:
>
> - what is the correct way to configure foreman with a "valid" certificate ??
> - when the certificate will expire, we need to re-sign all the clients
> ?? what is the process ??

Your client certificates aren't signed by the startssl cert you're
adding, so if that expires, you just replace it on Foreman and if the CA
changes, update the path in node.rb as above.

Puppet certs do expire after five years, though; those would need re-signing.

On 25/06/13 17:16, Victor Hugo dos Santos wrote:


Dominic Cleal
Red Hat Engineering
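The mix-up the reply points out is easy to miss by eye: SSLCertificateChainFile describes the chain of the server's own certificate, while SSLCACertificateFile is the trust anchor Apache uses to verify client certificates, and with SSLVerifyClient enabled the latter must be the Puppet CA for node.rb's authentication to work. The following is an added example, not code from the thread or from the Foreman project: a small stdlib-only Python lint that parses the SSL directives of a vhost block and flags the three problems visible in the original config (SSLCertificateChainFile set twice, the Puppet CA listed as a chain file, and SSLCACertificateFile pointing at the public CA instead of the Puppet CA). The two vhost texts are constructed from the thread's config and the reply's correction; the Puppet CA path is assumed to be the one used in the thread.

```python
"""Lint the client-certificate trust settings of an Apache SSL vhost.

Added example. Parses the SSL* directives of a <VirtualHost> block and
reports configurations where client-certificate verification cannot work
because the trust anchor is the wrong CA. The sample vhosts below are
constructed from the mailing-list thread (before/after the suggested fix).
"""
from typing import Dict, List

# Assumption: the Puppet CA certificate lives where the thread puts it.
PUPPET_CA = "/var/lib/puppet/ssl/certs/ca.pem"

# Constructed sample: the original poster's vhost (SSL lines only, ciphers on one line).
VHOST_BEFORE = """
<VirtualHost 192.168.37.250:443>
ServerName foreman.mydomain.com
SSLEngine On
SSLCertificateFile /etc/ssl/certs/foreman.crt
SSLCertificateKeyFile /etc/ssl/private/foreman.pem
SSLCertificateChainFile /etc/ssl/certs/startsslsub.class1.server.ca.pem
SSLCertificateChainFile /var/lib/puppet/ssl/certs/ca.pem
SSLCACertificateFile /etc/ssl/certs/startsslca.pem
SSLVerifyClient optional
SSLVerifyDepth 3
</VirtualHost>
"""

# Constructed sample: the same vhost with the reply's correction applied.
VHOST_AFTER = """
<VirtualHost 192.168.37.250:443>
ServerName foreman.mydomain.com
SSLEngine On
SSLCertificateFile /etc/ssl/certs/foreman.crt
SSLCertificateKeyFile /etc/ssl/private/foreman.pem
SSLCertificateChainFile /etc/ssl/certs/startsslca.pem
SSLCACertificateFile /var/lib/puppet/ssl/certs/ca.pem
SSLVerifyClient optional
SSLVerifyDepth 3
</VirtualHost>
"""


def parse_ssl_directives(text: str) -> Dict[str, List[str]]:
    """Collect every SSL* directive in order of appearance.

    Values are kept as a list per directive so a repeated directive
    (which Apache resolves by letting the later one win) is visible.
    """
    directives: Dict[str, List[str]] = {}
    for raw in text.splitlines():
        line = raw.strip()
        # Skip blanks, comments and the <VirtualHost> container tags.
        if not line or line.startswith("#") or line.startswith("<"):
            continue
        parts = line.split(None, 1)
        if len(parts) != 2:
            continue
        key, value = parts
        if key.startswith("SSL"):
            directives.setdefault(key, []).append(value.strip())
    return directives


def lint_client_auth(directives: Dict[str, List[str]],
                     puppet_ca: str = PUPPET_CA) -> List[str]:
    """Return human-readable findings; an empty list means no problem found."""
    findings: List[str] = []
    chain = directives.get("SSLCertificateChainFile", [])
    ca_files = directives.get("SSLCACertificateFile", [])
    verify = directives.get("SSLVerifyClient", ["none"])[-1]

    # A single-value directive given twice: the later value overrides the earlier.
    if len(chain) > 1:
        findings.append(
            f"SSLCertificateChainFile set {len(chain)} times; "
            f"only the last ({chain[-1]}) is effective")

    # The Puppet CA does not issue the server certificate, so it is not chain material.
    if puppet_ca in chain:
        findings.append(
            f"{puppet_ca} is listed as SSLCertificateChainFile but it is the "
            f"client (Puppet) CA, not part of the server certificate chain")

    # With client verification on, the trust anchor must be the CA that signs clients.
    if verify != "none":
        if not ca_files:
            findings.append(
                "SSLVerifyClient is enabled but no SSLCACertificateFile is set")
        elif ca_files[-1] != puppet_ca:
            findings.append(
                f"SSLCACertificateFile is {ca_files[-1]} but client certificates "
                f"are issued by the Puppet CA at {puppet_ca}")
    return findings


if __name__ == "__main__":
    for label, text in (("before", VHOST_BEFORE), ("after", VHOST_AFTER)):
        print(f"== {label} ==")
        for finding in lint_client_auth(parse_ssl_directives(text)) or ["OK"]:
            print("  -", finding)
```

Run it as a script to see the three findings for the original vhost and a clean result for the corrected one; to lint a live config, feed the text of the vhost file to `parse_ssl_directives` and pass a different `puppet_ca` if the CA lives elsewhere.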