Foreman default installation fails on certificates

Hi,

I'm trying to test foreman and install it on a server (RHEL6.4) with
default configuration

yum -y install http://yum.theforeman.org/releases/1.2/el6/x86_64/foreman-release.rpm
yum -y install foreman-installer
ruby /usr/share/foreman-installer/generate_answers.rb

y to all questions.

This configuration installs puppet & puppetmaster 3.3 with ruby-1.8.7

The issue is that service httpd does not start afterward because the CA file (/var/lib/puppet/ssl/ca/ca_crt.pem) is not present. I can find a root certificate within /var/lib/puppet/ssl/certs/ca.pem & I tried to modify puppet.conf to use this certificate, but I still have issues with virtualhost overlap (solved by changing the virtualhost value in foreman.conf) and with a key value mismatch.

Did I fail some configuration before foreman installation? Or are there some tweaks to install it properly?

Best regards
YRousseau

Perhaps there were errors during the installation that you missed? Look
for red text.

It should run "puppet cert generate FQDN" if
/var/lib/puppet/ssl/certs/FQDN.pem doesn't already exist. Ensure
/var/lib/puppet/ssl isn't present before you begin.



Dominic Cleal
Red Hat Engineering

I'm having the same problem. The install is generating some certs, but not
the CA certs. The only red that shows up in my install log is around the
apache restart. The following lines are in /etc/httpd/conf.d/puppet.conf:

SSLCACertificateFile /var/lib/puppet/ssl/ca/ca_crt.pem
SSLCertificateChainFile /var/lib/puppet/ssl/ca/ca_crt.pem
SSLCARevocationFile /var/lib/puppet/ssl/ca/ca_crl.pem

But the files definitely do not exist. In fact, no /var/lib/puppet/ssl/ca
directory was created.


Those three lines are actually not needed for a basic SSL setup.

As a workaround, comment them out and restart the httpd service.


Is there anything else in /var/lib/puppet/ssl? Perhaps an agent had
already run on the host - if the FQDN.pem existed already, it won't
touch the certificates.

If you delete the whole dir, then either re-run the installer or run
"puppet cert generate $(hostname -f)" then it should generate a new host
cert and CA.

Dominic Cleal
Red Hat Engineering


You received this message because you are subscribed to the Google
Groups “Foreman users” group.
To unsubscribe from this group and stop receiving emails from it, send
an email to foreman-users+unsubscribe@googlegroups.com.
To post to this group, send email to foreman-users@googlegroups.com.
Visit this group at http://groups.google.com/group/foreman-users.
For more options, visit https://groups.google.com/groups/opt_out.

This was a fresh OS install - CentOS 6.4 minimal - so there wasn't a
preexisting /var/lib/puppet/ssl. I'll try rerunning the installer as
suggested.


I went through and repeated a fresh install of CentOS 6.4, added the EPEL,
Puppet and Foreman repositories, confirmed no /var/lib/puppet/ssl directory
existed and ran the foreman installer again with the exact same results.
Removing /var/lib/puppet/ssl, running
"puppet cert generate $(hostname -f)" and re-running the foreman install
resolved the issue. Looks to me like there's a bug in the installer, but
regardless, thanks for your help!


I had the same issue and the root cause was that the hostname of the
machine was not correct.

Edit /etc/hosts and put the hostname entry in the correct order, for example:
1.2.3.4 full.hostname.com full

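The two checks this thread converges on, as an added example (not code from the Foreman installer or from any poster): list the active Apache SSL*File directives whose target file is missing, and flag hosts-file lines that name the short hostname before the FQDN. The function names and the sample files are constructed for illustration.

```shell
#!/bin/bash
# Added example: function names and sample files are constructed.

# Print "Directive path" for each active SSL*File directive in an Apache
# config whose target file does not exist. Commented-out lines are skipped.
missing_ssl_files() {
    awk '
        /^[ \t]*#/ { next }
        tolower($1) ~ /^ssl[a-z]*file$/ { gsub(/"/, "", $2); print $1, $2 }
    ' "$1" | while read -r directive path; do
        [ -e "$path" ] || printf '%s %s\n' "$directive" "$path"
    done
}

# Return 0 when every hosts-file line that names SHORT lists a dotted
# (fully qualified) name first; otherwise print the line and return 1.
hosts_fqdn_first() {
    awk -v short="$2" '
        { sub(/#.*/, "") }
        NF >= 2 {
            for (i = 2; i <= NF; i++)
                if ($i == short && index($2, ".") == 0) {
                    print; bad = 1; break
                }
        }
        END { exit bad + 0 }
    ' "$1"
}

# Constructed sample input, built in a temp dir so nothing on the host is read.
demo_dir=$(mktemp -d)
touch "$demo_dir/host.pem"
cat > "$demo_dir/puppet.conf" <<EOF
SSLCertificateFile      $demo_dir/host.pem
SSLCACertificateFile    $demo_dir/ca/ca_crt.pem
SSLCertificateChainFile $demo_dir/ca/ca_crt.pem
#SSLCARevocationFile    $demo_dir/ca/ca_crl.pem
EOF
printf '1.2.3.4 full full.hostname.com\n' > "$demo_dir/hosts.bad"
printf '1.2.3.4 full.hostname.com full\n' > "$demo_dir/hosts.good"

missing_ssl_files "$demo_dir/puppet.conf"
hosts_fqdn_first "$demo_dir/hosts.bad" full || echo "short name precedes FQDN"
hosts_fqdn_first "$demo_dir/hosts.good" full && echo "hosts.good: FQDN first"
rm -rf "$demo_dir"
```

On a real host, point `missing_ssl_files` at /etc/httpd/conf.d/puppet.conf and `hosts_fqdn_first` at /etc/hosts with the output of `hostname -s`.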