UXabre
June 28, 2019, 12:08pm
I’ve tried replacing the Web SSL certificates with my own custom certificates (from a public CA).
Getting the website to work was easy; however, I’m having a lot of trouble getting the correct configuration settings for Dynflow tasks to end.
I thought this needed to change in my foreman-proxy installer:
ssl_ca: /etc/puppetlabs/puppet/ssl/certs/ca.pem
ssl_cert: /etc/puppetlabs/puppet/ssl/certs/foreman.redacted.com.pem
ssl_key: /etc/puppetlabs/puppet/ssl/private_keys/foreman.redacted.com.pem
foreman_ssl_ca: /etc/foreman/ssl/certs/redacted.ca.pem
foreman_ssl_cert: /etc/foreman/ssl/certs/thcs-foreman.redacted.com.pem
foreman_ssl_key: /etc/foreman/ssl/private_keys/thcs-foreman.redacted.com.pem
But doing so results in the log complaining about verifying the certificate. If I revert the changes to use the Puppet SSL, the task runs…but it never “ends”!
ssl_ca: /etc/puppetlabs/puppet/ssl/certs/ca.pem
ssl_cert: /etc/puppetlabs/puppet/ssl/certs/foreman.redacted.com.pem
ssl_key: /etc/puppetlabs/puppet/ssl/private_keys/foreman.redacted.com.pem
foreman_ssl_ca: /etc/puppetlabs/puppet/ssl/certs/ca.pem
foreman_ssl_cert: /etc/puppetlabs/puppet/ssl/certs/foreman.redacted.com.pem
foreman_ssl_key: /etc/puppetlabs/puppet/ssl/private_keys/foreman.redacted.com.pem
I’m at a loss on what I should do to make this work. Mind you, I’ve only changed the frontend SSL certificates (not the puppet certificates):
server_ssl_ca: /etc/foreman/ssl/certs/redacted.ca.pem
server_ssl_chain: /etc/foreman/ssl/certs/redacted.ca.pem
server_ssl_cert: /etc/foreman/ssl/certs/thcs-foreman.redacted.com.pem
server_ssl_certs_dir: ''
server_ssl_key: /etc/foreman/ssl/private_keys/thcs-foreman.redacted.com
If anyone would have a clue on what to do I’d be so happy!
Kind regards!
I had the same problem. You can try this solution:
#foreman_ssl_ca: /etc/puppetlabs/puppet/ssl/certs/ca.pem
foreman_ssl_cert: /etc/puppetlabs/puppet/ssl/certs/foreman.redacted.com.pem
foreman_ssl_key: /etc/puppetlabs/puppet/ssl/private_keys/foreman.redacted.com.pe
You have to comment out the line with “foreman_ssl_ca”, because the Puppet CA is not the CA for your new Foreman Web SSL cert.
UXabre
November 1, 2019, 3:33pm
Awesome! Will try this tomorrow thanks!
ekohl
November 1, 2019, 4:38pm
This morning I started to write up a blog post to document this, but I haven’t gotten around to testing it.
If you keep this on the Puppet CA, all proxies can continue using Puppet and authenticate with it. Then you don’t need to change foreman_ssl_{cert,key} on the proxy.
I’d strongly advise against this. This disables CA verification.
UXabre
November 6, 2019, 3:04pm
So, a bit later than expected, I managed to continue this effort. I kept using the Puppet CA and thus only really changed the webserver certs. That part seems to work quite easily and a green lock is shown in my browser. So far, so good!
In my proxy, I configured the foreman_server_ssl options to match the ones used in the foreman server.
foreman_ssl_ca: /etc/foreman/ssl/certs/redacted.ca.pem
foreman_ssl_cert: /etc/foreman/ssl/certs/redacted.com.pem
foreman_ssl_key: /etc/foreman/ssl/private_keys/redacted.com
However, now no tasks seem to be able to run and Foreman complains that all proxies are down.
Looking in the logs, this is what I get:
Error processing request '97c0ec75-02dd-4d59-92b9-795a06d39652' OpenSSL::SSL::SSLError: SSL_connect returned=1 errno=0 state=error: certificate verify failed
/usr/share/ruby/net/http.rb:921:in `connect'
/usr/share/ruby/net/http.rb:921:in `block in connect'
/usr/share/ruby/timeout.rb:52:in `timeout'
/usr/share/ruby/net/http.rb:921:in `connect'
/usr/share/ruby/net/http.rb:862:in `do_start'
/usr/share/ruby/net/http.rb:851:in `start'
/usr/share/ruby/net/http.rb:1373:in `request'
/usr/share/foreman-proxy/lib/proxy/request.rb:49:in `send_request'
/usr/share/gems/gems/smart_proxy_dynflow-0.2.3/lib/smart_proxy_dynflow/callback.rb:23:in `relay'
/usr/share/gems/gems/smart_proxy_dynflow-0.2.3/lib/smart_proxy_dynflow/callback.rb:29:in `relay'
/usr/share/gems/gems/smart_proxy_dynflow-0.2.3/lib/smart_proxy_dynflow/helpers.rb:5:in `relay_request'
/usr/share/gems/gems/smart_proxy_dynflow-0.2.3/lib/smart_proxy_dynflow/api.rb:62:in `block in <class:Api>'
(remaining Sinatra/Rack/WEBrick frames omitted)
Is there any chance you happen to have a draft available of this? Would love to test this out and provide feedback actually
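The "certificate verify failed" above is the proxy's Net::HTTP client checking Foreman's web certificate against whatever `foreman_ssl_ca` points to. The script below is an added example (not code from the thread or from foreman-proxy) that reproduces that check in isolation with constructed toy certificates: a "Puppet CA", a "public CA", and a web certificate issued by the public CA. Verifying the web cert against the wrong CA fails exactly as in the log; against the issuing CA it passes. The CA names and the hostname are made up.

```ruby
require 'openssl'

# Build a toy X.509 certificate. issuer_cert/issuer_key nil => self-signed.
# All material here is constructed for the example, not real PKI.
def make_cert(subject, issuer_cert, issuer_key, ca: false)
  key = OpenSSL::PKey::RSA.new(2048)
  cert = OpenSSL::X509::Certificate.new
  cert.version = 2
  cert.serial = rand(1..2**31)
  cert.subject = OpenSSL::X509::Name.parse(subject)
  cert.issuer = issuer_cert ? issuer_cert.subject : cert.subject
  cert.public_key = key.public_key
  cert.not_before = Time.now - 60
  cert.not_after = Time.now + 3600
  ef = OpenSSL::X509::ExtensionFactory.new
  ef.subject_certificate = cert
  ef.issuer_certificate = issuer_cert || cert
  cert.add_extension(ef.create_extension('basicConstraints',
                                         ca ? 'CA:TRUE' : 'CA:FALSE', true))
  cert.sign(issuer_key || key, OpenSSL::Digest.new('SHA256'))
  [cert, key]
end

# The same path-building check OpenSSL runs during SSL_connect: does the
# server certificate chain to the CA the proxy trusts (foreman_ssl_ca)?
# Returns [true/false, reason string].
def chains_to?(server_cert, trusted_ca)
  store = OpenSSL::X509::Store.new
  store.add_cert(trusted_ca)
  ok = store.verify(server_cert)
  [ok, store.error_string]
end

# Constructed CAs: the Puppet CA used by the proxies, and the public CA
# that issued the new Foreman web certificate.
PUPPET_CA, _puppet_key = make_cert('/CN=Puppet CA', nil, nil, ca: true)
PUBLIC_CA, public_key  = make_cert('/CN=Public CA', nil, nil, ca: true)
WEB_CERT, _web_key = make_cert('/CN=foreman.example.com', PUBLIC_CA, public_key)

if __FILE__ == $PROGRAM_NAME
  # foreman_ssl_ca still pointing at the Puppet CA: verify fails.
  p chains_to?(WEB_CERT, PUPPET_CA)
  # foreman_ssl_ca pointing at the public CA: verify succeeds.
  p chains_to?(WEB_CERT, PUBLIC_CA)
end
```

Run against real files by loading them with `OpenSSL::X509::Certificate.new(File.read(path))` for the proxy's `foreman_ssl_ca` and Foreman's `server_ssl_cert`; a `false` result is the mismatch the thread describes, and commenting out `foreman_ssl_ca` only hides it by skipping the check.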
UXabre
November 6, 2019, 8:25pm
Oh BTW, I’m using ansible + REX