Hi folks,
Foreman version – 1.24.2
I have followed the steps below, which were suggested by the community, to change the SSL certs for the Foreman web UI. After making the changes, the SSL certs are reflected in the UI, but while doing remote execution I get an error saying the proxy is down. Kindly help me to resolve this.
/etc/httpd/conf.d/05-foreman-ssl.conf
#OLD SSLCertificateFile "/etc/puppetlabs/puppet/ssl/certs/foreman.example.com.pem"
#OLD SSLCertificateKeyFile "/etc/puppetlabs/puppet/ssl/private_keys/foreman.example.com.pem"
#OLD SSLCertificateChainFile "/etc/puppetlabs/puppet/ssl/certs/ca.pem"
SSLCertificateFile "/etc/puppetlabs/puppet/ssl/certs/NEWCERT.pem"
SSLCertificateKeyFile "/etc/puppetlabs/puppet/ssl/private_keys/NEWKEY.pem"
SSLCertificateChainFile "/etc/puppetlabs/puppet/ssl/certs/NEWCHAIN.pem"
/etc/foreman/settings.yaml
For the console feature to work (via websockets)
#OLD:websockets_ssl_key: /etc/puppetlabs/puppet/ssl/private_keys/foreman.example.com.pem
#OLD:websockets_ssl_cert: /etc/puppetlabs/puppet/ssl/certs/foreman.example.com.pem
:websockets_ssl_key: /etc/puppetlabs/puppet/ssl/private_keys/NEWKEY.pem
:websockets_ssl_cert: /etc/puppetlabs/puppet/ssl/certs/NEWCERT.pem
/etc/foreman-proxy/settings.yml
Foreman smart proxy, listening on 8443
You need to ensure it trusts the new CA when it connects back to the webUI
This section is for other things talking to the foreman proxy, no change
:ssl_ca_file: /etc/puppetlabs/puppet/ssl/certs/ca.pem
:ssl_certificate: /etc/puppetlabs/puppet/ssl/certs/foreman.example.com.pem
:ssl_private_key: /etc/puppetlabs/puppet/ssl/private_keys/foreman.example.com.pem
This is for the proxy talking back to the Foreman web UI; the CA needs to be the system CA, plus the new key and new cert. Normally these are commented out; uncomment and update them.
:foreman_ssl_ca: /etc/pki/tls/certs/ca-bundle.crt
:foreman_ssl_cert: /etc/puppetlabs/puppet/ssl/certs/NEWCERT.pem
:foreman_ssl_key: /etc/puppetlabs/puppet/ssl/private_keys/NEWKEY.pem
/etc/puppetlabs/puppet/foreman.yaml
This is for when Puppet talks back to Foreman; it needs to trust the new cert on the web UI (i.e. it needs to trust public certs).
#OLD:ssl_ca: "/etc/puppetlabs/puppet/ssl/ca/ca_crt.pem"
:ssl_ca: "/etc/pki/tls/certs/ca-bundle.crt"
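As an added example (not part of the original post or of Foreman), a small POSIX sh script that checks the files named in the configs above before services are restarted: that each certificate matches the key configured next to it, and that each certificate verifies under the CA file the other side is told to trust. The paths are the post's placeholders (NEWCERT/NEWKEY/NEWCHAIN, foreman.example.com); the `check_proxy` function assumes the proxy host name and port 8443 from the post.

```shell
#!/bin/sh
# Constructed example: verify cert/key/CA consistency for the Foreman web UI
# and smart proxy settings quoted in the post. Adjust paths to your system.
set -u

# Return 0 when the public key inside CERT equals the one derived from KEY.
pair_matches() {
  cert=$1; key=$2
  c=$(openssl x509 -in "$cert" -noout -pubkey 2>/dev/null) || return 1
  k=$(openssl pkey -in "$key" -pubout 2>/dev/null) || return 1
  [ "$c" = "$k" ]
}

# Return 0 when CERT chains to a CA in CA_FILE, using optional CHAIN_FILE
# (intermediates) exactly as Apache would send them to clients.
cert_trusted_by() {
  cert=$1; ca=$2; chain=${3:-}
  if [ -n "$chain" ]; then
    openssl verify -CAfile "$ca" -untrusted "$chain" "$cert" >/dev/null 2>&1
  else
    openssl verify -CAfile "$ca" "$cert" >/dev/null 2>&1
  fi
}

# Live check of the proxy listener: does a TLS handshake on 8443 succeed when
# we verify the proxy against CA_FILE and present CLIENT_CERT/CLIENT_KEY as
# the client identity (the cert/key Foreman itself uses to call the proxy)?
check_proxy() {
  host=$1; ca=$2; client_cert=$3; client_key=$4
  printf '' | openssl s_client -connect "$host:8443" -CAfile "$ca" \
    -cert "$client_cert" -key "$client_key" -verify_return_error >/dev/null 2>&1
}

# Print one OK/FAIL line per check instead of stopping at the first failure.
report() { if "$@"; then echo "OK   $*"; else echo "FAIL $*"; fi; }

PUP=/etc/puppetlabs/puppet/ssl
SYS_CA=/etc/pki/tls/certs/ca-bundle.crt

# Apache + websockets (web UI): new cert must match new key and chain to the system CA.
report pair_matches "$PUP/certs/NEWCERT.pem" "$PUP/private_keys/NEWKEY.pem"
report cert_trusted_by "$PUP/certs/NEWCERT.pem" "$SYS_CA" "$PUP/certs/NEWCHAIN.pem"
# Proxy listener on 8443 (unchanged): Puppet-issued cert must still match its key and chain to ca.pem.
report pair_matches "$PUP/certs/foreman.example.com.pem" "$PUP/private_keys/foreman.example.com.pem"
report cert_trusted_by "$PUP/certs/foreman.example.com.pem" "$PUP/certs/ca.pem"
# Proxy -> web UI client identity: the new cert presented by the proxy must verify under the system CA.
report cert_trusted_by "$PUP/certs/NEWCERT.pem" "$SYS_CA" "$PUP/certs/NEWCHAIN.pem"
```

Run it on the Foreman host; a FAIL on the `foreman.example.com.pem`/`ca.pem` pair points at the proxy's own listener, while `check_proxy foreman.example.com "$PUP/certs/ca.pem" CLIENT_CERT CLIENT_KEY` reproduces the handshake Foreman performs when it reports a proxy as down.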