Configuring Smart Proxy server with SSL Certificates without foreman-installer

I have installed a external smart proxy but not with the foreman-installer. I installed it manually (dnf install foreman-proxy) and add it as smart proxy to the foreman. Now i want to configure ssl on this smart proxy. For this, i generated a certificate with following command on the foreman master server:

foreman-proxy-certs-generate \ --foreman-proxy-fqdn smartproxy.local \ --certs-tar /root/smart-proxy_cert/smart-proxy_certs.tar

Then, i copied the tar to the external smart proxy. The only way to deploy the Cert on the external Proxy is, to use the foreman-installer ommand like this:
foreman-installer --scenario foreman-proxy-content …

Then i installed the foreman-installer (dnf install foreman-proxy) and tried the command but i got this:

ERROR: Scenario (/etc/foreman-installer/scenarios.d/foreman-proxy-content.yaml) was not found, can not continue

So is there a way to install it without foreman-installer or how can i add this scenario to the smart proxy.

Expected outcome:

Sucsessfull deployed SSL Cert on the external Smart Proxy

Foreman and Proxy versions:

foreman.noarch 3.5.1-1.el8

External Smart Proxy:
foreman-proxy.noarch 3.5.1-1.el8

Sounds like from the description, that you have installed Foreman w/ Katello on the main server. First, installing a smart-proxy when Katello is present without using the foreman-proxy-content scenario with the installer is an untested/unsupported configuration. We do not know what behavior you may encounter.

That being said, you can likely take the certificate tarball, and crack it open, and grab the certificates that are need for the smart-proxy from inside and manually place them. No guarantees but here is my off the cuff idea of how you’d do that:

The certificates you’ll want from it are labeled:

  • ${hostname}-foreman-proxy-client: used for talking to Foreman
  • ${hostname}-foreman-proxy: used as the server certificates

You will also need the CA certificate.

You can then place them, for example, in these locations:



Ensuring they are owned by root:foreman-proxy.

You will also need to update the smart-proxy settings:

I have posted a tutorial on how I set up our smart proxy for puppet which may give you a pointer how to do it in your case: Installing a puppet smart proxy against a katello main server

I have recently also had a use-case where I needed to install a Proxy without content on a smart-proxy for a Katello server. Here is what I did what worked for me:

mkdir proxy-certs
mv proxy-certs/
cd proxy-certs/
tar -xf
yum localinstall -y ssl-build/katello-server-ca-1.0-1.noarch.rpm ssl-build/ ssl-build/
cp /etc/pki/katello-certs-tools/certs/ /etc/foreman-proxy/foreman_ssl_cert.pem
cp /etc/pki/katello-certs-tools/certs/katello-server-ca.crt /etc/foreman-proxy/foreman_ssl_ca.pem
cp /etc/pki/katello-certs-tools/private/ /etc/foreman-proxy/foreman_ssl_key.pem
cp /etc/pki/katello-certs-tools/certs/ /etc/foreman-proxy/ssl_cert.pem
cp /etc/pki/katello-certs-tools/private/ /etc/foreman-proxy/ssl_key.pem
cp /etc/pki/katello-certs-tools/certs/katello-server-ca.crt /etc/foreman-proxy/ssl_ca.pem
chmod 440 /etc/foreman-proxy/*key.pem
chown :foreman-proxy /etc/foreman-proxy/*key.pem

Afterwords I ran foreman-installer with these options:

--foreman-proxy-foreman-ssl-ca /etc/foreman-proxy/foreman_ssl_ca.pem --foreman-proxy-foreman-ssl-cert /etc/foreman-proxy/foreman_ssl_cert.pem --foreman-proxy-foreman-ssl-key /etc/foreman-proxy/foreman_ssl_key.pem --foreman-proxy-ssl-ca /etc/foreman-proxy/ssl_ca.pem --foreman-proxy-ssl-cert /etc/foreman-proxy/ssl_cert.pem --foreman-proxy-ssl-key /etc/foreman-proxy/ssl_key.pem

In case there is no specific reason why you are installing a smart-proxy that way, I would recommend to install foreman-installer-katello RPM (which contains the smart-proxy-content scenario) and redo the smart-proxy setup from scratch with the proper installer commands.
As already mentioned, installing a smart-proxy in the way you are doing is untested or at least undocumented and may lead to a lot of headache.

Thank you very much it worked now.