Clarification on certificate wrt foreman installation

Problem:
I am doing fresh install.

  1. Two foreman servers are already installed. I can access the GUI. ALL is fine.
    foreman1.example.com
    foreman2.example.com

  2. These are accessed using DNS round-robin using name forman.example.com.

  3. My foreman server certificate has
    CN = forman.example.com
    X509v3 Subject Alternative Name= DNS:forman.example.com, DNS:forman1.example.com, DNS:forman2.example.com, DNS:proxy1.example.com, DNS:proxy2.example.com

  4. Now I want to install two proxy servers.
    proxy1.example.com
    proxy2.example.com

Question:
Since the proxy server names are already listed in the foreman server cert as 'alternative names (SAN)', can I use the same foreman certificate and key to generate the certificates for the proxies using the command below?
foreman-proxy-certs-generate --foreman-proxy

Do I have to create two separate certificates with unique CN corresponding to each proxy server hostname?

CN: proxy1.example.com
CN: proxy2.example.com

Any update on this? The line below in the documentation confuses me.

If you use a custom SSL certificate, you must also configure each external Smart Proxy server with a distinct custom SSL certificate

Sorry, but you neither mention the foreman version you are using nor whether it is a simple foreman server or a foreman/katello server. You don't mention the foreman-installer command you used to set up those custom certificates on the foreman or katello server. So basically, no one really knows how you have set this up exactly, and thus it's really hard to give advice…

So the only advice I can give is to refer to the docs and follow them: Installing Foreman 3.5 Server with Katello 4.7 Plugin on RHEL/CentOS

@gvde
I have created a single certificate in which I have listed the hostnames of both foreman servers and both proxy servers as 'alternative names (SAN)', as below.

CN = forman.example.com
X509v3 Subject Alternative Name= DNS:forman.example.com, DNS:forman1.example.com, DNS:forman2.example.com, DNS:proxy1.example.com, DNS:proxy2.example.com

Can I use the same foreman certificate and key (marked in bold in the foreman installer command below) to generate the certificates for the proxies using the command below?

foreman-proxy-certs-generate

Required details:

  1. Foreman 3.5 with Katello 4.7.
  2. Foreman installer command I used for the foreman installation:
    foreman-installer --scenario katello \
      --foreman-initial-organization "companyname" \
      --foreman-initial-location "US" \
      --foreman-initial-admin-username admin \
      --foreman-initial-admin-password PASS123 \
      --foreman-proxy-foreman-base-url=https://foreman.example.com \
      --foreman-db-host db.company.com \
      --foreman-db-password PASS123 \
      --foreman-db-database foreman \
      --foreman-db-manage false \
      --katello-candlepin-db-host db.example.com \
      --katello-candlepin-db-name candlepin \
      --katello-candlepin-db-password PASS123 \
      --katello-candlepin-manage-db false \
      --foreman-proxy-content-pulpcore-manage-postgresql false \
      --foreman-proxy-content-pulpcore-postgresql-host db.example.com \
      --foreman-proxy-content-pulpcore-postgresql-db-name pulpcore \
      --foreman-proxy-content-pulpcore-postgresql-password PASS123 \
      --foreman-proxy-content-pulpcore-postgresql-user pulp \
      **--certs-server-cert "/root/foreman_cert/satellite_cadence_com_cert.pem" \**
      **--certs-server-key "/root/foreman_cert/foreman_cert_key.pem" \**
      **--certs-server-ca-cert "/root/foreman_cert/ca_cert_bundle.pem" \**
      --no-enable-foreman-plugin-default-hostgroup

Well, look into the docs:

https://docs.theforeman.org/3.5/Installing_Proxy/index-katello.html#configuring-capsule-server-with-ssl-certificates

When you configure Smart Proxy server with custom certificates, note the following considerations:

  • You must use the Privacy-Enhanced Mail (PEM) encoding for the SSL certificates.
  • You cannot use the same certificate for both Foreman server and Smart Proxy server.
  • The same Certificate Authority must sign certificates for Foreman server and Smart Proxy server.
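The three considerations quoted above can be checked mechanically before handing a certificate to foreman-proxy-certs-generate. The script below is an added example and is not part of the thread or of Foreman itself: it builds a throwaway test CA plus certificates in a temporary directory (one cert carrying every hostname in its SAN, as in the original post, one distinct proxy cert from the same CA, and one proxy cert from a different CA, all constructed here), then checks a candidate proxy cert for PEM encoding, for being distinct from the Foreman cert, and for being signed by the same CA. The function names and file layout are this example's own; it only needs the openssl command-line tool.

```shell
#!/bin/sh
# Example check for the three documented rules on Smart Proxy certificates.
# Hostnames are the ones from the thread; CA and certs are constructed here.
command -v openssl >/dev/null 2>&1 || { echo "openssl is required"; exit 1; }
WORK="${WORK:-$(mktemp -d)}"

# new_ca NAME SUBJECT: self-signed test CA (key + cert) in $WORK
new_ca() {
  openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 2 -subj "$2" \
    -keyout "$WORK/$1.key" -out "$WORK/$1.pem" >/dev/null 2>&1
}

# issue_cert NAME CN SAN [CA]: key, CSR and CA-signed cert with the given SAN list
issue_cert() {
  name=$1; cn=$2; san=$3; ca=${4:-ca}
  openssl req -new -newkey rsa:2048 -nodes -sha256 -subj "/CN=$cn" \
    -keyout "$WORK/$name.key" -out "$WORK/$name.csr" >/dev/null 2>&1
  # extensions are supplied via -extfile because 'x509 -req' does not copy CSR extensions
  printf 'subjectAltName=%s\nextendedKeyUsage=serverAuth,clientAuth\n' "$san" \
    > "$WORK/$name.ext"
  openssl x509 -req -in "$WORK/$name.csr" -CA "$WORK/$ca.pem" -CAkey "$WORK/$ca.key" \
    -CAcreateserial -days 2 -sha256 -extfile "$WORK/$name.ext" \
    -out "$WORK/$name.pem" >/dev/null 2>&1
}

# make_test_pki: the constructed scenario from the thread
make_test_pki() {
  new_ca ca "/CN=Example Test CA"
  # one certificate listing every foreman and proxy hostname in its SAN
  issue_cert foreman forman.example.com \
    "DNS:forman.example.com,DNS:forman1.example.com,DNS:forman2.example.com,DNS:proxy1.example.com,DNS:proxy2.example.com"
  # a distinct certificate for proxy1, signed by the same CA (what the docs require)
  issue_cert proxy1 proxy1.example.com "DNS:proxy1.example.com"
  # a proxy2 certificate from a different CA (violates rule 3)
  new_ca other-ca "/CN=Other Test CA"
  issue_cert proxy2-other proxy2.example.com "DNS:proxy2.example.com" other-ca
}

# check_proxy_cert FOREMAN_CERT PROXY_CERT CA_CERT
# returns 0 only if all three documented rules hold, else prints the failing rule and returns 1
check_proxy_cert() {
  foreman=$1; proxy=$2; ca=$3
  # rule 1: PEM encoding (a DER file has no BEGIN CERTIFICATE marker)
  for f in "$foreman" "$proxy" "$ca"; do
    grep -q -- '-----BEGIN CERTIFICATE-----' "$f" || { echo "rule 1: not PEM: $f"; return 1; }
  done
  # rule 2: the proxy cert must not be the Foreman cert (compare SHA-256 fingerprints)
  ff=$(openssl x509 -in "$foreman" -noout -fingerprint -sha256)
  pf=$(openssl x509 -in "$proxy" -noout -fingerprint -sha256)
  [ "$ff" != "$pf" ] || { echo "rule 2: proxy cert is the same certificate as the foreman cert"; return 1; }
  # rule 3: both certs must chain to the same CA
  openssl verify -CAfile "$ca" "$foreman" >/dev/null 2>&1 \
    || { echo "rule 3: foreman cert is not signed by $ca"; return 1; }
  openssl verify -CAfile "$ca" "$proxy" >/dev/null 2>&1 \
    || { echo "rule 3: proxy cert is not signed by $ca"; return 1; }
  return 0
}

# describe_cert CERT: subject and SAN, to see what a cert actually claims
describe_cert() {
  openssl x509 -in "$1" -noout -subject -ext subjectAltName
}

# stand-alone demo
make_test_pki
describe_cert "$WORK/foreman.pem"
for candidate in foreman proxy1 proxy2-other; do
  if check_proxy_cert "$WORK/foreman.pem" "$WORK/$candidate.pem" "$WORK/ca.pem"; then
    echo "$candidate.pem: acceptable as a proxy certificate"
  else
    echo "$candidate.pem: rejected"
  fi
done
```

Run it as is to see the three outcomes: the SAN-for-everything certificate is rejected by rule 2 even though it names the proxy hosts, the proxy2 certificate from the other CA is rejected by rule 3, and only the distinct proxy1 certificate from the Foreman CA passes.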

Thank you for quick response.
Please find my responses inline.

  1. You must use the Privacy-Enhanced Mail (PEM) encoding for the SSL certificates.
    → Already considered this.
    Current certificate on foreman server is /root/foreman_cert/satellite_cadence_com_cert.pem
    and foreman server is working without issue.

  2. You cannot use the same certificate for both Foreman server and Smart Proxy server.
    → This is where I am getting confused. As I mentioned earlier, I have listed the hostnames of both foreman servers and both proxy servers as 'alternative names (SAN)' in the same certificate and intend to use it on both the Foreman server and the proxy servers.
    Theoretically, it should work, but is that allowed in Foreman?
    What errors should I expect?

  3. The same Certificate Authority must sign certificates for Foreman server and Smart Proxy server.
    → Considered this point too.

I don’t know what’s unclear: it’s not supported. It is specifically mentioned in the docs. I guess it’s there for a reason. Maybe one of the developers can give a simple reason for this.

You could try, but you are on your own if you do so. If there are certificate related problems in the future, you’ll have to handle those yourself. And you should never forget to mention it in any future question here, because obviously, the general assumption would be that you have different certificates for each server/proxy.

I guess it could work in principle. I just don't see the advantage, except higher risk in the case of a compromised key. If the key on a proxy is compromised, then so is the key on all your foreman servers and proxies.

I generally don’t have a problem with specific certificates for each individual foreman server/proxy…
