NOTE: Cert replacement in foreman 3.8 is all good, including ansible, with step of 1+2. This symptom of ansible disfunction only happens to foreman3.9. The difference on upgrade procedures between foreman 3.8 and 3.9 is that foreman3.9 disable pulpcore module.
I would highly recommend to change certs only via foreman-installer and not directly in the configuration files. Changes in the configuration files are reverted next time you run foreman-installer. Follow the procedure in the docs on how to renew the certificates…
Foreman is very much geared around using the foreman-installer tool to make configuration changes. Editing the config files manually rarely works because the config files will be overwritten every time you do a patch or update to foreman and run the foreman-installer.
If you do not use foreman-installer, you will find yourself having to chase the configs all the time and fighting with foreman-installer all the time.
Instead of guessing options, it’s really better to refer to the docs. The installation and the administration manuals have chapters on setting up and renewing ssl certs:
Hi @gvde & @nixfu,
Our original foreman host name is abc.xxxx.net ; the new cert name is def.zzzz.com.
Is above method good for replace with a different FQDN cert?
I tried the method from official site but not working. Therefore, I guess, it require of using same FQDN with updating cert for an existing foreman server (below image)
Do I need to do any change to foreman-proxy conf file?
NOTE: I changed VM hostname to match new FQDN and added new FQDN to /etc/hosts
It’s really impossible to tell what you did if you don’t post what you did exactly, i.e. post the exact commands you ran… And also please post the output as text in a preformatted block. Don’t post images. Images are hard to read and impossible to search.
Did you run foreman-installer with out any options first to restore the correct foreman configuration? You have manually changed configuration files before, therefore messing with the full system. You need to get a properly configured system, first, and the use foreman-installer to change it. Only then foreman-installer can make the right assumptions about what is and what is supposed to be.
You have also forgot to mention that you want to change the host name. That, of course, is a much bigger change. Only replacing the certificates won’t do you any good because foreman is configured to use the old hostname and thus it won’t match.
I don’t know if there are docs for that, but obviously you have to change all foreman-installer options for which it’s still using the old name to use the new one. It’ll break if foreman-installer expects the old name as server or proxy name while your certificate has a different name.
I think there is an old thread here somewhere which explains the steps to rename the foreman server…
Hi @gvde , Thank you for your prompt response. This time I used cert with the original host name and install successfully. However, there is an error when I restarted foreman service. Please see blow detail.
clean up foreman-install (success)
foreman-installer --scenario katello
install CA signed certs (success)
foreman-installer --scenario katello --certs-server-cert “/root/ssl-build/sjc1-foreman-ap6.sdi.trendnet.org/sjc1-foreman-ap6.crt” --certs-server-key “/root/ssl-build/sjc1-foreman-ap6.sdi.trendnet.org/sjc1-foreman-ap6.key” --certs-server-ca-cert “/root/ssl-build/sjc1-foreman-ap6.sdi.trendnet.org/sjc1-foreman-ap6-chain.crt” --certs-node-fqdn sjc1-foreman-ap6.sdi.trendnet.org–certs-update-server --certs-update-server-ca
[Continued from the previous post]
After a couple of test, it is verified that foreman-restart failure is caused by the plugin of host_name_validator. From previous error picture, it is a DB issue and maybe the plugin no long support newer version of foreman. Please advise me if I am wrong. Thank you
