I know there's some SElinux magic, but if you have disabled SELinux you can
try a command line like
this to install a new web certificate, key, and chain (intermediate
certificates) and keep the puppet part working…
W dniu wtorek, 20 września 2016 18:54:48 UTC+2 użytkownik Edward Berger
napisał:
···
>
>
> I know there's some SElinux magic, but if you have disabled SELinux you
> can try a command line like
> this to install a new web certificate, key, and chain (intermediate
> certificates) and keep the puppet part working...
>
> foreman-installer \
> --foreman-server-ssl-key=/etc/pki/tls/private/foreman.example.com.key \
> --puppet-server-foreman=true \
> --foreman-server-ssl-cert=/etc/pki/tls/certs/foreman.example.com.crt \
> --foreman-server-ssl-chain=/etc/pki/tls/certs/cachain.crt \
> --foreman-server-ssl-certs-dir=/etc/pki/tls/certs \
> --foreman-websockets-encrypt=true \
> --foreman-websockets-ssl-key=/etc/pki/tls/private/foreman.example.com.key \
> --foreman-websockets-ssl-cert=/etc/pki/tls/certs/foreman.example.com.crt \
> --puppet-server-foreman=true \
> --puppet-server-foreman-ssl-ca=/etc/pki/tls/certs/cachain.crt \
> --foreman-proxy-foreman-ssl-ca=/etc/pki/tls/certs/cachain.crt \
> --foreman-foreman-url=https://foreman.example.com
>
>
>
Did something change in Foreman 1.12.3 then? I did exactly as you showed,
but it broke Puppet.
On the verbose output from Foreman I get the error:
[ERROR 2016-09-30 19:20:14 verbose]
/Stage[main]/Foreman_proxy::Register/Foreman_smartproxy[myhostfqdn]:
Could not evaluate: Exception SSL_connect returned=1 errno=0 state=error:
certificate verify failed in get request to: https://dlistmrfpup02.cbs.ad.cbs.net/api/v2/smart_proxies?search=name=" myhostfqdn%22
On the agent I am getting:
Warning: Unable to fetch my node definition, but the agent run will
continue:
Warning: Find /development/node/myagent.fqdn?transaction_uuid=171b325c-72e8-49c1-9a7a-6479fb4c44…
resulted in 404 with the message: {"message": "Not Found: Could not find
node myagent.fqdn","issue_kind":"RESOURCE_NOT_FOUND"}
It was working before I added my SSL certs for the host.
The webserver works fine with the https:// access with the certificate
being valid, but Puppet is not able to use the webserver connection to do
anything with facts.
I have tried your techniques and all listed above by the OP.
Is it really this hard to put a valid SSL certificate on a Foreman server
running Puppet? I figured I am really missing something simple.
I think the simple thing is that the developers haven't directly supported
and tested using custom certs for the WebUI.
I'm just a user who ran into the same problem as the original poster…
My answer above was what I found I needed when I built a VM with the foreman.org 1.12 installation instructions (with puppet 4).
But then I found I couldn't install the katello plugin for foreman, because
it didn't support puppet 4 yet.
I rebuilt the VM fresh with the the katello.org installation instructions
and they handled cert things differently and I needed to search
again for how to get things working again with a custom commercial cert for
the WebUI and did the following to get it working again.
It's works, but after couple of weeks I have some problems:
When I opened foreman URL, web browser asked me for user certifcate for
authentification. When I clicked cancel, a could normaly log in.
It isn't a big problem, but i'm corious why it's happening.
When i restarted service puppetserver, autosign certifcates became
untrusted, and I had to cleaned certifcates on agent, and manual signed it
by forman GUI.
It's a bigger problem
W dniu środa, 21 września 2016 09:29:23 UTC+2 użytkownik woj woj napisał:
···
>
> It works.
> Thank you very much!
>
> W dniu wtorek, 20 września 2016 18:54:48 UTC+2 użytkownik Edward Berger
> napisał:
>>
>>
>> I know there's some SElinux magic, but if you have disabled SELinux you
>> can try a command line like
>> this to install a new web certificate, key, and chain (intermediate
>> certificates) and keep the puppet part working...
>>
>> foreman-installer \
>> --foreman-server-ssl-key=/etc/pki/tls/private/foreman.example.com.key \
>> --puppet-server-foreman=true \
>> --foreman-server-ssl-cert=/etc/pki/tls/certs/foreman.example.com.crt \
>> --foreman-server-ssl-chain=/etc/pki/tls/certs/cachain.crt \
>> --foreman-server-ssl-certs-dir=/etc/pki/tls/certs \
>> --foreman-websockets-encrypt=true \
>> --foreman-websockets-ssl-key=/etc/pki/tls/private/foreman.example.com.key
>> \
>> --foreman-websockets-ssl-cert=/etc/pki/tls/certs/foreman.example.com.crt \
>> --puppet-server-foreman=true \
>> --puppet-server-foreman-ssl-ca=/etc/pki/tls/certs/cachain.crt \
>> --foreman-proxy-foreman-ssl-ca=/etc/pki/tls/certs/cachain.crt \
>> --foreman-foreman-url=https://foreman.example.com
>>
>>
>>
After I did a foreman-install, with site modified entries in the above
options, I still had foreman_proxy failing.
What seems to have fixed it was to:
Setup the lines in the foreman-answers.yaml under the forman_proxy
section to be:
ssl_ca: /etc/puppetlabs/puppet/ssl/certs/ca.pem
ssl_cert: /etc/puppetlabs/puppet/ssl/certs/myhost.pem
ssl_key: /etc/puppetlabs/puppet/ssl/private_keys/myhost.pem
yum -y uninstall foreman-proxy.
rm -fr /etc/foreman-proxy
Run foreman-installer with no options so it only used the answer file.
As far as I can tell now, it all appears to be working, but I have not yet
setup a client to communicate with the server.
