Changing foreman ssl certs

Hello,

I followed the guide in https://www.theforeman.org/2015/11/foreman-ssl.html
and changed the certs in SSLCertificateFile
"/etc/pki/tls/certs/puppet.example.com.crt" and
SSLCertificateKeyFile "/etc/pki/tls/private/puppet.example.com.key", but
after making this change another puppet host can't connect after running
puppet agent -t

I get this error: puppet agent unable to fetch my node definition, error 400

I suggest changing this via foreman-installer. This ensures that updates
won't break your configuration.

foreman-installer -v \
  --foreman-foreman-url=puppet.example.com \
  --foreman-server-ssl-cert=/etc/pki/tls/certs/puppet.example.com.crt \
  --foreman-server-ssl-key=/etc/pki/tls/private/puppet.example.com.key \
  --foreman-server-ssl-chain=/etc/pki/tls/example.com.root.pem

Make sure to include all the intermediate certificates in the root chain.

On Wednesday, June 15, 2016 at 11:30:46 PM UTC+2, johny casanova wrote:
> [...]

Thanks for the info. I just tried it and I still get the same error :(

On Thursday, June 16, 2016 at 9:28:40 AM UTC-4, Sandro Roth wrote:
> [...]

I've implemented public-signed certs for Foreman days back and it worked.
My foreman-installer options related to this topic are:

  --foreman-server-ssl-key=/etc/pki/tls/private/public_wildcard.key \
  --foreman-server-ssl-cert=/etc/pki/tls/certs/public_wildcard.crt \
  --foreman-server-ssl-certs-dir=/etc/pki/tls/certs \
  --foreman-server-ssl-chain=/etc/pki/tls/certs/ca_combo.crt \
  --foreman-server-ssl-ca=/var/lib/puppet/ssl/certs/ca.pem \
  --foreman-server-ssl-crl=/var/lib/puppet/ssl/crl.pem \
  --foreman-websockets-encrypt=true \
  --foreman-websockets-ssl-key=/etc/pki/tls/private/public_wildcard.key \
  --foreman-websockets-ssl-cert=/etc/pki/tls/certs/public_wildcard.crt \
  --puppet-server-foreman=true \
  --puppet-server-foreman-ssl-ca=/etc/pki/tls/certs/ca_combo.crt \
  --puppet-server-foreman-url=https://foreman.example.com

To create the ca_combo.crt file, cat all the CAs into one file, starting
from the intermediate CA (the one that signed your HTTPS cert) and going
one by one up to the root CA. Say your domain cert is signed by the
intermediate CA ICA1, ICA1 is signed by ICA2, and ICA2 is signed by
rootCA; then the following command creates the ca_combo.crt used above:

cat ICA1 ICA2 ... rootCA > ca_combo.crt

To find ICA1, ICA2, ..., rootCA, you can use Firefox to view the CA chain
and export them one by one. For me, I just check the ca-bundle on the
Linux box. :)

The settings will show up in /etc/httpd/conf.d/05-foreman-ssl.conf and
/etc/puppet/foreman.yaml. The problem here seems to be that foreman.yaml
doesn't have the correct :ssl_ca: value.

In fact, if you comment out :ssl_ca: in that file, or set it to an empty
value, it will work as well, though you need to remember to make the same
manual change again after the next foreman upgrade.

Have fun.

On Monday, June 20, 2016 at 5:55:53 AM UTC-7, johny casanova wrote:
> [...]

On a fresh install of Foreman 1.12 RC 2, I ran the following to install
Foreman and configure it with my own certificates:

foreman-installer \
  --foreman-server-ssl-key=/etc/ssl/private/my_public_cert_private_key.key \
  --puppet-server-foreman=true \
  --foreman-server-ssl-cert=/etc/ssl/certs/my_public_cert.crt \
  --foreman-server-ssl-chain=/etc/ssl/certs/my_public_ca_chain.crt \
  --foreman-server-ssl-certs-dir=/etc/ssl/certs \
  --foreman-websockets-encrypt=true \
  --foreman-websockets-ssl-key=/etc/ssl/private/my_public_cert_private_key.key \
  --foreman-websockets-ssl-cert=/etc/ssl/certs/my_public_cert.crt \
  --puppet-server-foreman=true \
  --puppet-server-foreman-ssl-ca=/etc/ssl/certs/my_public_ca_chain.crt \
  --puppet-server-foreman-url=https://foreman.mydomain.co.uk

However, foreman-installer fails with the following SSL errors:

/Stage[main]/Foreman_proxy::Register/Foreman_smartproxy[puppet02a.mydomain.co.uk]:
Could not evaluate: Exception SSL_connect returned=1 errno=0 state=error:
certificate verify failed in get request to:
https://puppet02a.mydomain.co.uk/api/v2/smart_proxies?search=name="puppet02a.mydomain.co.uk"
/Stage[main]/Foreman_proxy::Register/Foreman_smartproxy[puppet02a.mydomain.co.uk]:
Failed to call refresh: Exception SSL_connect returned=1 errno=0
state=error: certificate verify failed in get request to:
https://puppet02a.mydomain.co.uk/api/v2/smart_proxies?search=name="puppet02a.mydomain.co.uk"
/Stage[main]/Foreman_proxy::Register/Foreman_smartproxy[puppet02a.mydomain.co.uk]:
Exception SSL_connect returned=1 errno=0 state=error: certificate verify
failed in get request to:
https://puppet02a.mydomain.co.uk/api/v2/smart_proxies?search=name="puppet02a.mydomain.co.uk"
Installing Done
[100%]
[…]
Something went wrong! Check the log for ERROR-level output

my_public_cert.crt has CN=foreman.mydomain.co.uk and SANs
foreman.mydomain.co.uk and puppet02a.mydomain.co.uk.

Any ideas what is wrong? Is this a bug in 1.12 RC2?

Thanks
Adrian

On Thursday, 23 June 2016 19:03:34 UTC+1, Thomas Cheng wrote:
> [...]

I have managed to resolve my issue:

Added: --foreman-proxy-foreman-ssl-ca=/etc/ssl/certs/my_public_ca_chain.crt

and replaced --puppet-server-foreman-url=https://foreman.mydomain.co.uk
with --foreman-foreman-url=https://foreman.mydomain.co.uk

Adrian

On Friday, 24 June 2016 13:08:43 UTC+1, Adrian Cunnelly wrote:
> [...]
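The two failures in this thread have the same root cause: the client that performs the check (the smart proxy registering itself, or foreman.yaml's :ssl_ca: for the ENC) only trusts the CA file it is pointed at, and a public or self-signed web certificate does not chain to the Puppet CA. The script below is an added example, not code from the thread or from Foreman: it builds a throwaway root -> intermediate -> server chain in a scratch directory (all names and hostnames are made-up test values), assembles ca_combo.crt exactly the way Thomas describes (issuer first, root last), and then runs the checks a practitioner would want before pointing --foreman-proxy-foreman-ssl-ca or --puppet-server-foreman-ssl-ca at a file: does the leaf verify against the bundle, is the bundle ordered correctly, does the cert carry the hostname from --foreman-foreman-url as a SAN, and what happens when the proxy is left trusting an unrelated CA or a root without its intermediate. It only needs the openssl CLI.

```sh
#!/bin/sh
# Added example (not from the thread or the Foreman project): reproduce and
# explain "certificate verify failed" offline with a constructed PKI.
set -eu

# make_test_pki DIR: constructed chain root -> intermediate -> leaf, plus an
# unrelated self-signed "puppet-ca" standing in for the Puppet CA that the
# smart proxy trusts unless told otherwise. All names are test values.
make_test_pki() {
  dir=$1
  cat > "$dir/pki.cnf" <<'EOF'
[req]
distinguished_name = dn
[dn]
[v3_ca]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
[v3_leaf]
basicConstraints = CA:FALSE
keyUsage = digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth
subjectAltName = DNS:foreman.example.test, DNS:puppet02a.example.test
EOF
  # two self-signed roots: the "public" root and the unrelated puppet CA
  for name in root puppet-ca; do
    openssl req -x509 -batch -newkey rsa:2048 -nodes -days 2 \
      -config "$dir/pki.cnf" -extensions v3_ca -subj "/CN=test $name" \
      -keyout "$dir/$name.key" -out "$dir/$name.crt" 2>/dev/null
  done
  # intermediate CA signed by the root
  openssl req -new -batch -newkey rsa:2048 -nodes -config "$dir/pki.cnf" \
    -subj "/CN=test intermediate" -keyout "$dir/ica.key" -out "$dir/ica.csr" 2>/dev/null
  openssl x509 -req -days 2 -in "$dir/ica.csr" -CA "$dir/root.crt" -CAkey "$dir/root.key" \
    -CAcreateserial -extfile "$dir/pki.cnf" -extensions v3_ca -out "$dir/ica.crt" 2>/dev/null
  # server (web UI) certificate signed by the intermediate
  openssl req -new -batch -newkey rsa:2048 -nodes -config "$dir/pki.cnf" \
    -subj "/CN=foreman.example.test" -keyout "$dir/leaf.key" -out "$dir/leaf.csr" 2>/dev/null
  openssl x509 -req -days 2 -in "$dir/leaf.csr" -CA "$dir/ica.crt" -CAkey "$dir/ica.key" \
    -CAcreateserial -extfile "$dir/pki.cnf" -extensions v3_leaf -out "$dir/leaf.crt" 2>/dev/null
}

# build_ca_combo DIR: Thomas's recipe "cat ICA1 ICA2 ... rootCA > ca_combo.crt":
# the CA that signed the leaf comes first, the root comes last.
build_ca_combo() {
  cat "$1/ica.crt" "$1/root.crt" > "$1/ca_combo.crt"
}

# verify_against_ca LEAF CAFILE: does LEAF chain to CAFILE? This is the check
# behind "SSL_connect ... certificate verify failed": the proxy's HTTPS client
# trusts only what --foreman-proxy-foreman-ssl-ca points at.
verify_against_ca() {
  openssl verify -CAfile "$2" "$1" >/dev/null 2>&1
}

# chain_starts_with_issuer_of LEAF CHAIN: the first PEM block in CHAIN must be
# the CA that issued LEAF (openssl x509 reads only the first block of a file).
chain_starts_with_issuer_of() {
  leaf_issuer=$(openssl x509 -in "$1" -noout -issuer | sed 's/^issuer=//')
  first_subject=$(openssl x509 -in "$2" -noout -subject | sed 's/^subject=//')
  [ "$leaf_issuer" = "$first_subject" ]
}

# cert_has_san CERT HOSTNAME: the hostname used in --foreman-foreman-url has to
# appear as a DNS SAN; a matching CN alone is not enough for modern clients.
cert_has_san() {
  openssl x509 -in "$1" -noout -text \
    | grep -A1 'Subject Alternative Name' \
    | grep -Eq "DNS:$2(,|$)"
}

WORK=$(mktemp -d)
make_test_pki "$WORK"
build_ca_combo "$WORK"

report() { if "$@"; then echo "pass: $1 $2 ${3:-}"; else echo "FAIL: $1 $2 ${3:-}"; fi; }
report verify_against_ca "$WORK/leaf.crt" "$WORK/ca_combo.crt"        # pass: the right bundle
report chain_starts_with_issuer_of "$WORK/leaf.crt" "$WORK/ca_combo.crt"
report cert_has_san "$WORK/leaf.crt" puppet02a.example.test
report verify_against_ca "$WORK/leaf.crt" "$WORK/puppet-ca.crt"       # FAIL: Adrian's error, proxy trusts the wrong CA
report verify_against_ca "$WORK/leaf.crt" "$WORK/root.crt"            # FAIL: root alone, intermediate missing
```

Run it as-is to see the two expected failures; to check a real deployment, point the same three functions at the installed files (the server cert from --foreman-server-ssl-cert, the bundle from --foreman-server-ssl-chain, and the CA file the proxy was given) before re-running foreman-installer.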

I am trying to do a fresh setup of Foreman where the web interface is on a
separate cert. For testing I am trying to set this up using a self-signed
certificate, but it keeps failing with an error about not being able to
verify it:

/Stage[main]/Foreman_proxy::Register/Foreman_smartproxy[foreman.localdomain]:
Could not evaluate: Exception SSL_connect returned=1 errno=0 state=error:
certificate verify failed in get request to:
https://enc.localdomain/api/v2/smart_proxies?search=name="foreman.localdomain"

I thought the settings in this thread would help, but I have hit a wall and
am hoping you can help. Here's what I am using for the setup on CentOS 7:

foreman-installer -v \
  --foreman-admin-password='password' \
  --puppet-server-implementation='puppetserver' \
  --puppet-server-jvm-max-heap-size='768m' \
  --puppet-server-jvm-min-heap-size='768m' \
  --enable-foreman-compute-vmware --enable-foreman-plugin-bootdisk \
  --enable-foreman-plugin-default-hostgroup --enable-foreman-plugin-hooks \
  --enable-foreman-plugin-setup --enable-foreman-plugin-tasks \
  --enable-foreman-plugin-puppetdb \
  --foreman-plugin-puppetdb-address='https://localhost:8081/pdb/cmd/v1' \
  --foreman-plugin-puppetdb-dashboard-address='http://localhost:8080/pdb/dashboard' \
  --foreman-proxy-realm=false \
  --foreman-db-type='postgresql' --foreman-db-database='foreman' \
  --foreman-db-host='pg1.localdomain' \
  --foreman-db-manage=false --foreman-db-username='foremandbuser' \
  --foreman-db-password='password' \
  --foreman-passenger-interface='172.28.128.20' \
  --foreman-server-ssl-ca='/etc/pki/tls/certs/rootCA.pem' \
  --foreman-server-ssl-cert='/etc/pki/tls/certs/enc.localdomain.crt' \
  --foreman-server-ssl-certs-dir='/etc/pki/tls/certs' \
  --foreman-server-ssl-chain='/etc/pki/tls/certs/rootCA.pem' \
  --foreman-server-ssl-crl='' \
  --foreman-server-ssl-key='/etc/pki/tls/private/enc.localdomain.key' \
  --foreman-proxy-foreman-ssl-ca='/etc/pki/tls/certs/rootCA.pem' \
  --foreman-foreman-url='https://enc.localdomain' \
  --foreman-proxy-foreman-base-url='https://enc.localdomain'

Thanks,
Gene

On Friday, June 24, 2016 at 9:48:31 AM UTC-4, Adrian Cunnelly wrote:
> [...]

Hey

I am trying to do the same as @Gene_Liverman1.
So, I would like to have common certs for 3 servers:
S1: Foreman UI 1
S2: Foreman UI 2
S3: HAProxy, load balancing between S1 & S2.

I don't want to touch the puppet certs or the foreman-proxy server certs. I want to share the same certs among all three 'web' servers. Is that possible?
Just for testing purposes I generated only self-signed certs, and I am getting:

Could not evaluate: Exception SSL_connect returned=1 errno=0 state=error: certificate verify failed (self signed certificate) in get request to:

I am using Foreman 3.8.