Customized Cert Replacement for foreman katello 3.9

**Problem: Ansible roles disfunction after replacing customized cert

**Expected outcome: Able to log in with customized cert and run ansible

**Foreman and Proxy versions:3.9

**Distribution and version:3.9

Could you please provide standard procedure for customized cert replacement? Thank you

Below is what I did:
I tried the steps of 1+2 and 1+2+3, but both caused ansible to disfunction.

1.) /etc/httpd/conf.d/05-foreman-ssl.conf

SSLCertificateFile “/etc/pki/katello/certs/NEW.crt”
SSLCertificateKeyFile “/etc/pki/katello/private/NEW.key”
SSLCertificateChainFile “/etc/pki/katello/certs/NEW_CHAIN.crt”

2.) /etc/foreman/settings.yaml

:websockets_ssl_key: /etc/pki/katello/private/NEW.key
:websockets_ssl_cert: /etc/pki/katello/certs/NEW.crt

3.) /etc/foreman-proxy/settings.yml

:foreman_ssl_ca: /etc/pki/katello/certs/NEW_CHAIN.crt
:foreman_ssl_cert: /etc/pki/katello/certs/NEW.crt
:foreman_ssl_key: /etc/pki/katello/private/NEW.key

NOTE: Cert replacement in foreman 3.8 is all good, including ansible, with step of 1+2. This symptom of ansible disfunction only happens to foreman3.9. The difference on upgrade procedures between foreman 3.8 and 3.9 is that foreman3.9 disable pulpcore module.

NOTE: Any cert path change in those will cause foreman-maintain service restart & systemctl restart foreman failed at restarting httpd.

I would highly recommend to change certs only via foreman-installer and not directly in the configuration files. Changes in the configuration files are reverted next time you run foreman-installer. Follow the procedure in the docs on how to renew the certificates…

Foreman is very much geared around using the foreman-installer tool to make configuration changes. Editing the config files manually rarely works because the config files will be overwritten every time you do a patch or update to foreman and run the foreman-installer.

If you do not use foreman-installer, you will find yourself having to chase the configs all the time and fighting with foreman-installer all the time.

FYI some of the options to foreman-installer you will want to look at using:

   --certs-server-cert {{ foreman_certfile }}
   --certs-server-key {{ foreman_keyfile }}
   --certs-server-ca-cert {{ foreman_cafile }}
   --certs-server-cert-req {{ foreman_csrfile }}
   --certs-node-fqdn   {{ foreman_fqdn }}
   --certs-cname {{ foreman_cname }}

Instead of guessing options, it’s really better to refer to the docs. The installation and the administration manuals have chapters on setting up and renewing ssl certs:

1 Like

Hi @gvde & @nixfu,
Our original foreman host name is ; the new cert name is
Is above method good for replace with a different FQDN cert?

I tried the method from official site but not working. Therefore, I guess, it require of using same FQDN with updating cert for an existing foreman server (below image)
Do I need to do any change to foreman-proxy conf file?

NOTE: I changed VM hostname to match new FQDN and added new FQDN to /etc/hosts

It’s really impossible to tell what you did if you don’t post what you did exactly, i.e. post the exact commands you ran… And also please post the output as text in a preformatted block. Don’t post images. Images are hard to read and impossible to search.

Did you run foreman-installer with out any options first to restore the correct foreman configuration? You have manually changed configuration files before, therefore messing with the full system. You need to get a properly configured system, first, and the use foreman-installer to change it. Only then foreman-installer can make the right assumptions about what is and what is supposed to be.

You have also forgot to mention that you want to change the host name. That, of course, is a much bigger change. Only replacing the certificates won’t do you any good because foreman is configured to use the old hostname and thus it won’t match.

I don’t know if there are docs for that, but obviously you have to change all foreman-installer options for which it’s still using the old name to use the new one. It’ll break if foreman-installer expects the old name as server or proxy name while your certificate has a different name.

I think there is an old thread here somewhere which explains the steps to rename the foreman server…

Hi @gvde , Thank you for your prompt response. This time I used cert with the original host name and install successfully. However, there is an error when I restarted foreman service. Please see blow detail.

  1. clean up foreman-install (success)
    foreman-installer --scenario katello
  2. install CA signed certs (success)
    foreman-installer --scenario katello --certs-server-cert “/root/ssl-build/” --certs-server-key “/root/ssl-build/” --certs-server-ca-cert “/root/ssl-build/” --certs-node-fqdn–certs-update-server --certs-update-server-ca
  3. install hostname validator
    yum install rubygem-foreman_host_extra_validator -y
  4. foreman-maintain service restart (Terminal shows success; but UI has below error)
  5. run db migration again (show an error)

[Continued from the previous post]
After a couple of test, it is verified that foreman-restart failure is caused by the plugin of host_name_validator. From previous error picture, it is a DB issue and maybe the plugin no long support newer version of foreman. Please advise me if I am wrong. Thank you

yum install rubygem-foreman_host_extra_validator -y
systemctl restart foreman