Fails to add remote smart-proxy on apparent SSL validation?

Greetings, I'm a little confused by what I'm running into today. I have
built a new Foreman 1.2 server named foreman with a local proxy that
handles all default features for the install just wonderfully. I have
attempted to add a pre-existing puppetmaster/puppetca (named puppet) to
foreman by installing and configuring the smart-proxy and attempting to add
this proxy via the WebUI. I am getting an SSL verify failure and I'm not
sure of the issue:

Unable to save
Unable to communicate with the proxy: SSL_connect returned=1 errno=0
state=SSLv3 read server certificate B: certificate verify failed
Please check the proxy is configured and running on the host.

The foreman-proxy's settings.yaml has trusted hosts set up with my
workstation and the foreman server as trusted. I have verified that I can
get the /features page from both my workstation and foreman (using curl).

Is there something I need to do to allow Foreman to trust the puppetCA cert
that's running on the puppet server? It seems to have no problem trusting
its own PuppetCA cert.

Thanks in advance.

Perhaps this link is the root cause of my issue. I just saw this exact
issue come up with configuring foreman to use ldaps for authentication…

http://projects.theforeman.org/issues/2435

> Greetings, I'm a little confused by what I'm running into today. I have
> built a new Foreman 1.2 server named foreman with a local proxy that
> handles all default features for the install just wonderfully. I have
> attempted to add a pre-existing puppetmaster/puppetca (named puppet) to
> foreman by installing and configuring the smart-proxy and attempting to
> add this proxy via the WebUI. I am getting an SSL verify failure and
> I'm not sure of the issue:
>
>
> Unable to save
>
>
> Unable to communicate with the proxy: SSL_connect returned=1 errno=0
> state=SSLv3 read server certificate B: certificate verify failed
> Please check the proxy is configured and running on the host.
>
> The foreman-proxy's settings.yaml has trusted hosts set up with my
> workstation and the foreman server as trusted. I have verified that I
> can get the /features page from both my workstation and foreman (using
> curl).
>
> Is there something I need to do to allow Foreman to trust the puppetCA
> cert that's running on the puppet server? It seems to have no problem
> trusting its own PuppetCA cert.

Foreman has a configuration setting for the CA that it verifies with
when contacting smart proxies:

  ssl_ca_file (also ssl_certificate and ssl_priv_key)

Having multiple Puppet CA hosts is OK, but you should use only one CA
for the proxy certificates themselves. The certificate used by a proxy
doesn't need to be related to the Puppet CA on the box.

If you want to keep both CAs, I'd suggest signing a new cert on your
Foreman host for the proxy running on the other puppet server. There's
some information about this under "Generating a certificate" here:
http://theforeman.org/manuals/1.2/index.html#4.3.7SSL

On 10/07/13 19:55, Sean Alderman wrote:


Dominic Cleal
Red Hat Engineering
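To make the reply's point concrete, here is an added example (not code from the thread or from the Foreman project) that reproduces the check Foreman performs offline: it builds two throw-away CAs standing in for Foreman's ssl_ca_file and the puppet host's own Puppet CA, issues a proxy certificate from the puppet CA, and shows that the certificate verifies, both with `openssl verify` and in a real local TLS handshake, only against the CA that actually signed it, and again after re-issuing it from the Foreman CA as the reply suggests. It assumes the `openssl` command-line tool is installed; the CA and host names (foreman-ca, puppet-ca, puppet-proxy) are constructed.

```python
"""Reproduce Foreman's smart-proxy certificate check offline.

Foreman verifies a proxy's TLS certificate against the CA in ssl_ca_file.
Two throw-away CAs ("foreman-ca" and "puppet-ca") are created here; a proxy
cert issued by puppet-ca only verifies against puppet-ca, which is the
"certificate verify failed" error from the thread.  Requires the openssl CLI.
All names and files are constructed for this demonstration.
"""
import os
import socket
import ssl
import subprocess
import tempfile
import threading


def _openssl(*args):
    """Run an openssl subcommand; returns its exit status (0 = success)."""
    return subprocess.run(["openssl", *args], capture_output=True).returncode


def make_ca(workdir, name):
    """Create a self-signed CA certificate; returns (key_path, cert_path)."""
    key = os.path.join(workdir, f"{name}.key")
    crt = os.path.join(workdir, f"{name}.crt")
    _openssl("req", "-x509", "-newkey", "rsa:2048", "-nodes", "-days", "1",
             "-keyout", key, "-out", crt, "-subj", f"/CN={name}")
    return key, crt


def issue_cert(workdir, ca_key, ca_crt, cn):
    """Issue an end-entity certificate for `cn` signed by the given CA."""
    key = os.path.join(workdir, f"{cn}.key")
    csr = os.path.join(workdir, f"{cn}.csr")
    crt = os.path.join(workdir, f"{cn}.crt")
    _openssl("req", "-new", "-newkey", "rsa:2048", "-nodes",
             "-keyout", key, "-out", csr, "-subj", f"/CN={cn}")
    _openssl("x509", "-req", "-days", "1", "-in", csr, "-CA", ca_crt,
             "-CAkey", ca_key, "-CAcreateserial", "-out", crt)
    return key, crt


def verifies_against(ca_crt, crt):
    """Chain check equivalent to Foreman trusting only ssl_ca_file."""
    return _openssl("verify", "-CAfile", ca_crt, crt) == 0


def tls_handshake_ok(ca_crt, server_crt, server_key):
    """Do a real TLS handshake to a local server presenting server_crt while
    the client trusts only ca_crt.  False means 'certificate verify failed'."""
    srv_ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    srv_ctx.load_cert_chain(server_crt, server_key)
    listener = socket.socket()
    listener.bind(("127.0.0.1", 0))
    listener.listen(1)

    def serve():
        conn, _ = listener.accept()
        try:
            with srv_ctx.wrap_socket(conn, server_side=True) as tls:
                tls.recv(1)
        except (ssl.SSLError, OSError):
            pass  # the client rejected our certificate; nothing to do

    worker = threading.Thread(target=serve, daemon=True)
    worker.start()
    cli_ctx = ssl.create_default_context(cafile=ca_crt)
    cli_ctx.check_hostname = False  # constructed cert has no SAN; chain only
    ok = True
    try:
        raw = socket.create_connection(listener.getsockname())
        with cli_ctx.wrap_socket(raw) as tls:
            tls.sendall(b"x")
    except ssl.SSLCertVerificationError:
        ok = False
    worker.join()
    listener.close()
    return ok


def demo():
    """Return which CA the puppet-signed proxy cert verifies against, and
    whether re-issuing it from the Foreman CA fixes the handshake."""
    with tempfile.TemporaryDirectory() as work:
        foreman_ca_key, foreman_ca = make_ca(work, "foreman-ca")
        puppet_ca_key, puppet_ca = make_ca(work, "puppet-ca")
        # proxy cert issued by the puppet host's own CA, as in the thread
        proxy_key, proxy_crt = issue_cert(work, puppet_ca_key, puppet_ca,
                                          "puppet-proxy")
        results = {
            "chain_vs_foreman_ca": verifies_against(foreman_ca, proxy_crt),
            "chain_vs_puppet_ca": verifies_against(puppet_ca, proxy_crt),
            "handshake_vs_foreman_ca": tls_handshake_ok(foreman_ca, proxy_crt,
                                                        proxy_key),
        }
        # the fix from the reply: sign a new proxy cert with Foreman's CA
        fixed_key, fixed_crt = issue_cert(work, foreman_ca_key, foreman_ca,
                                          "puppet-proxy-fixed")
        results["handshake_after_reissue"] = tls_handshake_ok(
            foreman_ca, fixed_crt, fixed_key)
        return results


if __name__ == "__main__":
    for check, passed in demo().items():
        print(f"{check}: {'ok' if passed else 'certificate verify failed'}")
```

Against a live proxy the same client-side check is the loop of `tls_handshake_ok` with `cafile` pointing at Foreman's ssl_ca_file, `load_cert_chain(ssl_certificate, ssl_priv_key)` added to the client context, and hostname checking left on; if that handshake fails while curl from a workstation succeeds, the difference is almost always which CA each side trusts rather than the proxy's trusted_hosts list.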