Hello,
today I tried to change the SSL certificate of the web interface on Apache.
My configuration was:
=======================
ServerName foreman.mydomain.com
ServerAlias foreman
RailsAutoDetect On
DocumentRoot /usr/share/foreman/public
PassengerAppRoot /usr/share/foreman
# Use puppet certificates for SSL
SSLEngine On
SSLCertificateFile /etc/ssl/certs/foreman.crt
SSLCertificateKeyFile /etc/ssl/private/foreman.pem
SSLCertificateChainFile /etc/ssl/certs/startsslsub.class1.server.ca.pem
# Note: only the last SSLCertificateChainFile in a virtual host takes effect
SSLCertificateChainFile /var/lib/puppet/ssl/certs/ca.pem
SSLCACertificateFile /etc/ssl/certs/startsslca.pem
SSLVerifyClient optional
SSLOptions +StdEnvVars
SSLVerifyDepth 3
# To eliminate BEAST vulnerability - by VHS 07/12/2012
SSLHonorCipherOrder On
SSLCipherSuite ECDHE-RSA-AES128-SHA256:AES128-GCM-SHA256:RC4:HIGH:!MD5:!aNULL:!EDH
=======================
It works (or maybe works well), but:
- when I try to connect any old client to foreman I receive this error:
==============
Error: Could not retrieve catalog from remote server: Error 400 on SERVER:
Could not find node ‘valin.mydomain.com’; cannot compile
Warning: Not using cache on failed catalog
Error: Could not retrieve catalog; skipping run
==============
and if I delete the client certificate (on the client and on the server) and
recreate and re-sign it… then everything works again.
My questions are:
- what is the correct way to configure foreman with a “valid” certificate?
- when the certificate expires, do we need to re-sign all the clients?
What is the process?
PS: I read the FAQ and other documentation on the foreman website… but
I didn't find help there.
I believe that is all for now.
thanks
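Two things in a mod_ssl virtual host like the one above are easy to get wrong and quietly change which CA is trusted: a single-valued directive given twice (Apache keeps only the last `SSLCertificateChainFile`), and the fact that client certificates are checked against `SSLCACertificateFile`/`SSLCACertificatePath`, not against the chain file sent to clients. The script below is an added example, not code from the post or from the Foreman project; it lints a constructed copy of the config (`SAMPLE_VHOST`) for those pitfalls and for `RC4` in the cipher string, using only the Python standard library. The directive list and the exact messages are my own choices.

```python
"""Lint an Apache mod_ssl virtual host for repeated single-valued directives,
the CA actually used for client-certificate verification, and RC4 ciphers.
Added example; SAMPLE_VHOST is a constructed config modelled on the post."""
import re

# Constructed sample, similar to the virtual host in the post.
SAMPLE_VHOST = """
ServerName foreman.mydomain.com
SSLEngine On
SSLCertificateFile /etc/ssl/certs/foreman.crt
SSLCertificateKeyFile /etc/ssl/private/foreman.pem
SSLCertificateChainFile /etc/ssl/certs/startsslsub.class1.server.ca.pem
SSLCertificateChainFile /var/lib/puppet/ssl/certs/ca.pem
SSLCACertificateFile /etc/ssl/certs/startsslca.pem
SSLVerifyClient optional
SSLVerifyDepth 3
SSLHonorCipherOrder On
SSLCipherSuite ECDHE-RSA-AES128-SHA256:AES128-GCM-SHA256:RC4:HIGH:!MD5:!aNULL:!EDH
"""

# Directives mod_ssl stores as a single value per virtual host: a repeat
# silently replaces the earlier one (SSLCertificateFile is deliberately left
# out, since newer Apache accepts several for different key types).
SINGLE_VALUED = {
    "SSLCertificateChainFile", "SSLCACertificateFile", "SSLCACertificatePath",
    "SSLVerifyClient", "SSLVerifyDepth", "SSLCipherSuite", "SSLHonorCipherOrder",
}


def parse_vhost(text):
    """Return (directives, repeats): directives maps name -> last value seen,
    repeats lists (name, earlier_value, later_value) for overridden directives."""
    directives, repeats = {}, []
    for raw in text.splitlines():
        line = raw.strip()
        # Skip blank lines, comments and <VirtualHost>/<Directory> tags.
        if not line or line.startswith("#") or line.startswith("<"):
            continue
        name, _, value = line.partition(" ")
        value = value.strip()
        if name in SINGLE_VALUED and name in directives:
            repeats.append((name, directives[name], value))
        directives[name] = value
    return directives, repeats


def weak_cipher_tokens(suite):
    """Return the RC4 tokens of an OpenSSL cipher string that are not negated."""
    tokens = [t for t in re.split(r"[:,\s]+", suite) if t]
    return [t for t in tokens if "RC4" in t.upper() and not t.startswith("!")]


def lint(text):
    """Return a list of human-readable findings for the virtual host text."""
    directives, repeats = parse_vhost(text)
    findings = []
    for name, earlier, later in repeats:
        findings.append(
            f"{name} given twice; Apache uses only the last value ({later}), "
            f"the earlier one ({earlier}) is ignored")
    # Client certificates are verified against the CA file/path, not the chain file.
    if directives.get("SSLVerifyClient", "none") != "none":
        ca = directives.get("SSLCACertificateFile") or directives.get("SSLCACertificatePath")
        if ca:
            findings.append(
                f"SSLVerifyClient is active: client certificates are verified against {ca}, "
                "not against SSLCertificateChainFile")
        else:
            findings.append(
                "SSLVerifyClient is active but no SSLCACertificateFile/Path is set; "
                "no client certificate can verify")
    for token in weak_cipher_tokens(directives.get("SSLCipherSuite", "")):
        findings.append(f"SSLCipherSuite enables RC4 via '{token}'; RC4 is broken and "
                        "should be excluded with !RC4")
    return findings


if __name__ == "__main__":
    for finding in lint(SAMPLE_VHOST):
        print("-", finding)
```

Run it as-is to lint the embedded sample, or replace `SAMPLE_VHOST` with the text of a real virtual host; each finding names the directive involved so it can be matched back to the config.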