Changing of ssl certs for foreman UI

Hi folks,

Foreman version – 1.24.2

I have followed the steps below, which were suggested by the community, to change the SSL certs for the Foreman web UI. After making the changes, the SSL certs are reflected in the UI, but when doing remote execution I get an error saying the proxy is down. Kindly help me to resolve this.

/etc/httpd/conf.d/05-foreman-ssl.conf

#OLD SSLCertificateFile "/etc/puppetlabs/puppet/ssl/certs/foreman.example.com.pem"
#OLD SSLCertificateKeyFile "/etc/puppetlabs/puppet/ssl/private_keys/foreman.example.com.pem"
#OLD SSLCertificateChainFile "/etc/puppetlabs/puppet/ssl/certs/ca.pem"
SSLCertificateFile "/etc/puppetlabs/puppet/ssl/certs/NEWCERT.pem"
SSLCertificateKeyFile "/etc/puppetlabs/puppet/ssl/private_keys/NEWKEY.pem"
SSLCertificateChainFile "/etc/puppetlabs/puppet/ssl/certs/NEWCHAIN.pem"

/etc/foreman/settings.yaml
For the console feature to work (via websockets):

#OLD:websockets_ssl_key: /etc/puppetlabs/puppet/ssl/private_keys/foreman.example.com.pem
#OLD:websockets_ssl_cert: /etc/puppetlabs/puppet/ssl/certs/foreman.example.com.pem
:websockets_ssl_key: /etc/puppetlabs/puppet/ssl/private_keys/NEWKEY.pem
:websockets_ssl_cert: /etc/puppetlabs/puppet/ssl/certs/NEWCERT.pem

/etc/foreman-proxy/settings.yml
Foreman smart proxy, listening on 8443.
You need to ensure it trusts the new CA when it connects back to the web UI.
This section is for other things talking to the foreman proxy; no change:

:ssl_ca_file: /etc/puppetlabs/puppet/ssl/certs/ca.pem
:ssl_certificate: /etc/puppetlabs/puppet/ssl/certs/foreman.example.com.pem
:ssl_private_key: /etc/puppetlabs/puppet/ssl/private_keys/foreman.example.com.pem

This is for the proxy talking back to the Foreman web UI; the CA needs to be the system CA, plus the new key and new cert. Normally these are commented out; uncomment and update them:

:foreman_ssl_ca: /etc/pki/tls/certs/ca-bundle.crt
:foreman_ssl_cert: /etc/puppetlabs/puppet/ssl/certs/NEWCERT.pem
:foreman_ssl_key: /etc/puppetlabs/puppet/ssl/private_keys/NEWKEY.pem

/etc/puppetlabs/puppet/foreman.yaml
This is for when Puppet talks back to Foreman; it needs to trust the new cert on the web UI (i.e. it needs to trust public certs):

#OLD:ssl_ca: "/etc/puppetlabs/puppet/ssl/ca/ca_crt.pem"
:ssl_ca: "/etc/pki/tls/certs/ca-bundle.crt"
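As an added example (not part of the original post and not Foreman's own tooling), the POSIX shell script below checks, with nothing but openssl, the trust relationships that the four config files above rely on before any of them is edited: that NEWKEY.pem is the private key for NEWCERT.pem (httpd), that a client trusting only the bundle named in foreman_ssl_ca / ssl_ca validates NEWCERT.pem once the server sends NEWCHAIN.pem as intermediates (foreman-proxy and Puppet talking back to the web UI), and that the cert covers the Foreman hostname (wildcards included). The demo PKI it builds in a temp directory (root, intermediate, wildcard leaf for *.example.com, all named demo-*) is a constructed stand-in for ca-bundle.crt, NEWCHAIN.pem, NEWCERT.pem and NEWKEY.pem; to check a real box, call verify_foreman_certs with the real paths from the config above.

```shell
#!/bin/sh
# Added example, not from the original post or from Foreman: sanity checks for
# the cert swap described above, using openssl only. Paths are passed in; the
# demo PKI built by make_demo_pki is a constructed stand-in for the real files.

# check_pair CERT KEY: 0 if KEY is the private key for CERT (httpd will not
# serve the site when SSLCertificateFile and SSLCertificateKeyFile disagree).
check_pair() {
    cert_pub=$(openssl x509 -in "$1" -noout -pubkey 2>/dev/null) || return 1
    key_pub=$(openssl pkey -in "$2" -pubout 2>/dev/null) || return 1
    [ "$cert_pub" = "$key_pub" ]
}

# check_trust CA_BUNDLE CERT [CHAIN]: 0 if a client that trusts only CA_BUNDLE
# (foreman_ssl_ca in foreman-proxy, ssl_ca in puppet) validates CERT when the
# server also sends the intermediates in CHAIN (SSLCertificateChainFile).
check_trust() {
    if [ -n "${3:-}" ]; then
        openssl verify -CAfile "$1" -untrusted "$3" "$2" >/dev/null 2>&1
    else
        openssl verify -CAfile "$1" "$2" >/dev/null 2>&1
    fi
}

# check_host CERT HOSTNAME: 0 if CERT's SAN (or CN) covers HOSTNAME; a
# wildcard such as *.example.com matches one label.
check_host() {
    openssl x509 -in "$1" -noout -checkhost "$2" 2>/dev/null | grep -q ' does match '
}

# verify_foreman_certs CA_BUNDLE NEWCERT NEWKEY NEWCHAIN HOSTNAME: all three
# checks in the order the config above needs them.
verify_foreman_certs() {
    check_pair "$2" "$3"       || { echo "FAIL: $3 is not the key for $2"; return 1; }
    check_trust "$1" "$2" "$4" || { echo "FAIL: $1 does not validate $2 via $4"; return 1; }
    check_host "$2" "$5"       || { echo "FAIL: $2 is not valid for $5"; return 1; }
    echo "OK: $2 is consistent with $3, $4 and $1 for $5"
}

# make_demo_pki DIR: constructed test PKI, root.pem -> inter.pem -> leaf.pem
# (SAN *.example.com) plus leaf.key. Stands in for ca-bundle.crt, NEWCHAIN.pem,
# NEWCERT.pem and NEWKEY.pem. Extensions go in via -extfile so this also works
# on the OpenSSL 1.0.2 shipped with CentOS 7, not only 1.1.1/3.x.
make_demo_pki() {
    d=$1
    printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' >"$d/ca.ext"
    printf 'basicConstraints=CA:FALSE\nsubjectAltName=DNS:*.example.com\n' >"$d/leaf.ext"
    for name in root inter leaf; do
        openssl req -new -newkey rsa:2048 -nodes -subj "/CN=demo-$name" \
            -keyout "$d/$name.key" -out "$d/$name.csr" >/dev/null 2>&1 || return 1
    done
    openssl x509 -req -days 2 -in "$d/root.csr" -signkey "$d/root.key" \
        -extfile "$d/ca.ext" -out "$d/root.pem" >/dev/null 2>&1 || return 1
    openssl x509 -req -days 2 -in "$d/inter.csr" -CA "$d/root.pem" -CAkey "$d/root.key" \
        -CAcreateserial -extfile "$d/ca.ext" -out "$d/inter.pem" >/dev/null 2>&1 || return 1
    openssl x509 -req -days 2 -in "$d/leaf.csr" -CA "$d/inter.pem" -CAkey "$d/inter.key" \
        -CAcreateserial -extfile "$d/leaf.ext" -out "$d/leaf.pem" >/dev/null 2>&1
}

# Stand-alone demo: build the throwaway PKI, run the checks the config needs,
# then show the misconfigurations that only surface as a failed connection.
demo() {
    d=$(mktemp -d) || return 1
    make_demo_pki "$d" || { echo "could not build demo PKI"; rm -rf "$d"; return 1; }
    verify_foreman_certs "$d/root.pem" "$d/leaf.pem" "$d/leaf.key" "$d/inter.pem" foreman.example.com
    # Intermediate missing from NEWCHAIN.pem: a client holding only the root bundle cannot build the chain.
    check_trust "$d/root.pem" "$d/leaf.pem" || echo "expected failure: leaf without intermediate"
    # Key from a different cert pasted into SSLCertificateKeyFile.
    check_pair "$d/leaf.pem" "$d/root.key" || echo "expected failure: key does not belong to cert"
    # Hostname outside the wildcard.
    check_host "$d/leaf.pem" foreman.example.org || echo "expected failure: hostname not covered"
    rm -rf "$d"
}
demo
```

Run it as `sh check-foreman-certs.sh` to see the demo; for a real host, source the file and call `verify_foreman_certs /etc/pki/tls/certs/ca-bundle.crt /etc/puppetlabs/puppet/ssl/certs/NEWCERT.pem /etc/puppetlabs/puppet/ssl/private_keys/NEWKEY.pem /etc/puppetlabs/puppet/ssl/certs/NEWCHAIN.pem "$(hostname -f)"`. The same check_trust call with the Puppet CA (ca.pem) as the bundle tells you whether anything still pointed at the old CA will accept the new cert.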

What version and distribution of linux are you using?

The location of the system CA is different for each distribution, e.g. for Debian/Ubuntu it is /etc/ssl/certs/ca-certificates.crt.

I am using CentOS 7.6.
If we use the system CA /etc/pki/tls/certs/ca-bundle.crt, I still get the proxy down error.

After making the SSL cert changes in the mentioned files, do I need to run foreman-installer again? If yes, do I need to specify the certificate path in the foreman-installer command? Kindly share the command to run, if required.

Hello folks,

I tried to change the Foreman GUI SSL certs by following this link, but it did not work.
If we update our wildcard certs only in the httpd configuration, it works for the GUI, but remote execution and the web console (Cockpit) do not work (i.e. remote execution hangs and Cockpit reports an internal error).

If we update the certs in the httpd config, foreman-proxy config and Puppet config, we get an error saying the smart proxy is down when doing remote execution.

Could anyone help us with where we need to put our SSL certificates (the wildcard one) only on the frontend, and let the clients and proxy use the Puppet-based ones or the default ones? I can't use the Puppet-based ones on the web frontend because they are self-signed. And I can't use the public certificates for all three (Puppet, proxy and frontend) because when they expire (say after two years) I will have a tough time pushing them to clients.

Only on the front end should the public/valid certificate be set, so that users don't see a self-signed one, and let the agents (endpoints/clients) and the Foreman proxy keep the default certs (the Puppet ones).

Thanks

Hello Folks,

Could anyone help me out on this?

Thanks in advance!!!

Hello All,

Could anyone help me to change the SSL certs to my wildcard certs for the Foreman GUI only?

Thanks in Advance!!!