Foreman installation using existing SSL certs

I was wondering if anyone could help me as I have spent a lot of time
trying to get this to work with no success.

I can install foreman on debian wheezy using foreman-installer and the
default settings. This installs using a self signed cert meaning if I go to
https://foreman.mydomain.com in my browser the connection is not verified.

I have a certificate for this domain that I would like to use with foreman
and it is saved in the following locations

ca -> /var/lib/puppet/ssl/certs/GandiProSSLCA.pem
cert -> /var/lib/puppet/ssl/certs/REALforeman.mydomain.com.crt
key -> /var/lib/puppet/ssl/private_keys/REALforeman.mydomain.com.key

Now I have edited /etc/foreman/foreman-installer-answers.yaml and set :

server_ssl_ca: /var/lib/puppet/ssl/certs/GandiProSSLCA.pem
server_ssl_chain: /var/lib/puppet/ssl/certs/GandiProSSLCA.pem
server_ssl_cert: /var/lib/puppet/ssl/certs/REALforeman.mydomain.com.crt
server_ssl_key: /var/lib/puppet/ssl/private_keys/REALforeman.mydomain.com.key

Then I run foreman-installer again

When I do this my connection to https://foreman.mydomain.com in my browser
is verified, but then puppet does not work. If I run 'puppet agent -t' I get
the following:

Warning: Unable to fetch my node definition, but the agent run will continue:
Warning: Error 400 on SERVER: Failed to find foreman.mydomain.com via exec:
Execution of '/etc/puppet/node.rb foreman.mydomain.com' returned 1:
Info: Retrieving pluginfacts
Info: Retrieving plugin
Error: Could not retrieve catalog from remote server: Error 400 on SERVER:
Failed when searching for node foreman.mydomain.com: Failed to find foreman.
mydomain.com via exec: Execution of '/etc/puppet/node.rb
foreman.mydomain.com' returned 1:
Warning: Not using cache on failed catalog
Error: Could not retrieve catalog; skipping run

Running /etc/puppet/node.rb foreman.mydomain.com manually gets me this

Could not send facts to Foreman: SSL_connect returned=1 errno=0 state=SSLv3
read server certificate B: certificate verify failed

I have also tried pointing these settings to my certs with no luck

websockets_ssl_key
websockets_ssl_cert
ssl_ca
ssl_cert
ssl_key
puppet_ssl_ca
puppet_ssl_cert
puppet_ssl_key
server_foreman_ssl_ca
server_foreman_ssl_cert
server_foreman_ssl_key

Would anyone be able to help me with the correct options that I should be
setting? I can attach any necessary files, just ask.

>
> I have seen this guide (which seems to get referenced on this user group)
> but it appears it may be out of date?
>

The definition for 'ssl_ca' is not in /etc/puppet/node.rb

&

/usr/lib/ruby/site_ruby/1.8/puppet/reports/foreman.rb does not exist

If I do a locate foreman.rb I get these files

/usr/lib/ruby/vendor_ruby/hammer_cli_foreman.rb
/usr/lib/ruby/vendor_ruby/puppet/reports/foreman.rb
/usr/share/foreman/config/initializers/foreman.rb
/usr/share/foreman/lib/foreman.rb
/usr/share/foreman-installer/modules/foreman/lib/puppet/parser/functions/foreman.rb

but a definition for 'foreman_ssl_ca' is not in any of them as far as I can
see

>
> I forgot the URL:
>

Anyone? Sorry but I am really stuck with this.

Have you also set the certs inside the foreman settings? You can do it through the UI or via foreman-rake, something like this:

foreman-rake config -k ssl_ca_file -v /path/to/client_ca.pem

– Ivan


that command does not appear to be valid

root@sysadmin:~# foreman-rake config -k ssl_ca_file -v
/var/lib/puppet/ssl/certs/GandiProSSLCA.pem
invalid option: -k

But 'ssl_ca_file' is set to '/var/lib/puppet/ssl/certs/GandiProSSLCA.pem'

If you have this working would you mind attaching your 'foreman-installer-answers.yaml'
file?


> that command does not appear to be valid

> root@sysadmin:~# foreman-rake config -k ssl_ca_file -v
> /var/lib/puppet/ssl/certs/GandiProSSLCA.pem
> invalid option: -k

Ah, sry: it should have been foreman-rake config -- -k ssl_ca_file -v /var/lib/puppet/ssl/certs/GandiProSSLCA.pem

> But ' ssl_ca_file' is set to ' /var/lib/puppet/ssl/certs/GandiProSSLCA.pem '

> If you have this working would you mind attaching your '
> foreman-installer-answers.yaml' file?

I'm using katello-installer; as in its setup there are more certs to be handled, there
are also more options for setting that up. Anyway, it would not work for your case, as
it would probably break your current foreman setup.

I would start by checking with curl against the foreman-proxy (expecting it to be running on
the same server as the foreman):

curl --cacert /var/lib/puppet/ssl/certs/GandiProSSLCA.pem https://REALforeman.mydomain.com:8443

If it passes, the issue is with the ca cert set on foreman server (maybe restarting is needed for the cert
to take effect…)

If it fails, the issue is either on the foreman-proxy side (what version are you using?) or in the ca file.
You can try this script https://github.com/iNecas/katello-installer/blob/issue/8609/bin/katello-certs-check
to check if the files you're using are valid for the foreman case (you can omit the '-r' option; it's not needed
for your case).

– Ivan
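As an added example (not code from the thread, from Foreman or from the katello-certs-check script linked above), a POSIX shell script that runs the offline checks a practitioner wants before pointing foreman-installer at a CA / cert / key triple, plus a probe equivalent to the curl command above that reports the OpenSSL verify result. The script name and the sample host names are assumed; the paths in the comments are the poster's.

```shell
#!/bin/sh
# Added example for this thread (not from the thread or from Foreman).
# Offline checks for a CA / certificate / private-key triple such as the
# poster's GandiProSSLCA.pem / REALforeman.mydomain.com.crt / .key, and a
# TLS probe that does what "curl --cacert CA https://host:8443" does while
# surfacing the verify result. Requires only the openssl CLI.

# 0 when the private key belongs to the certificate (their SubjectPublicKeyInfo
# PEM blocks are identical); 1 if either file cannot be parsed or they differ.
key_matches_cert() {
  kmc_c=$(openssl x509 -in "$1" -noout -pubkey 2>/dev/null) || return 1
  kmc_k=$(openssl pkey -in "$2" -pubout 2>/dev/null) || return 1
  [ "$kmc_c" = "$kmc_k" ]
}

# 0 when the certificate ($2) chains to the CA file ($1) using ONLY that file,
# like curl --cacert does. This is the relationship behind the poster's
# "certificate verify failed": the client trusted a CA that did not issue
# the certificate it was shown.
cert_chains_to_ca() {
  openssl verify -no-CAfile -no-CApath -CAfile "$1" "$2" >/dev/null 2>&1
}

# 0 when the certificate ($1) is valid for host name $2 (SAN, or CN when there
# is no DNS SAN); a wildcard such as *.example.com matches one label.
cert_matches_host() {
  openssl x509 -in "$1" -noout -checkhost "$2" 2>/dev/null | grep -q 'does match'
}

# 0 when the key file exists and is not readable by "other". Posters in the
# thread compared key permissions with the Puppet-generated ones; the service
# user must read the key, but nobody else should.
key_not_world_readable() {
  [ -e "$1" ] && [ -z "$(find "$1" -perm -004 2>/dev/null)" ]
}

# Run every offline check for one triple; prints one line per check and
# returns the number of failed checks (0 = consistent, safe to configure).
check_triple() {
  ct_ca="$1"; ct_cert="$2"; ct_key="$3"; ct_host="$4"; ct_fails=0
  for ct_f in "$ct_ca" "$ct_cert" "$ct_key"; do
    if [ ! -r "$ct_f" ]; then echo "unreadable: $ct_f"; ct_fails=$((ct_fails + 1)); fi
  done
  if key_matches_cert "$ct_cert" "$ct_key"; then echo "key/cert pair: ok"
  else echo "key/cert pair: MISMATCH"; ct_fails=$((ct_fails + 1)); fi
  if cert_chains_to_ca "$ct_ca" "$ct_cert"; then echo "chain to CA: ok"
  else echo "chain to CA: FAILED (wrong or incomplete CA file)"; ct_fails=$((ct_fails + 1)); fi
  if cert_matches_host "$ct_cert" "$ct_host"; then echo "host name $ct_host: ok"
  else echo "host name $ct_host: NOT covered by certificate"; ct_fails=$((ct_fails + 1)); fi
  if key_not_world_readable "$ct_key"; then echo "key permissions: ok"
  else echo "key permissions: world-readable"; ct_fails=$((ct_fails + 1)); fi
  return $ct_fails
}

# Live probe: connect to $1:$2 trusting only CA file $3 and succeed only when
# OpenSSL reports "Verify return code: 0 (ok)", the condition node.rb and the
# smart proxy need. Network access required, so it is not run by the checks above.
tls_probe() {
  tp_out=$(printf '' | openssl s_client -connect "$1:$2" -servername "$1" -CAfile "$3" 2>/dev/null)
  printf '%s\n' "$tp_out" | grep -q 'Verify return code: 0 (ok)'
}

# Usage (assumed script name): sh certcheck.sh CA CERT KEY HOST
if [ "$#" -eq 4 ]; then
  check_triple "$1" "$2" "$3" "$4"
  exit $?
fi
```

Run the offline checks against the three files from the answers file, then `tls_probe REALforeman.mydomain.com 8443 /var/lib/puppet/ssl/certs/GandiProSSLCA.pem` against the proxy; the check that fails names the file to fix.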


I'm having this issue too. Any luck?


Unsure if this will help either of you but these are the changes I made on the master to get it working. Otherwise, the web UI was fine but the clients were always broken.

Note: I haven't gotten around to testing this against additional Smart Proxies yet.

New SSL certs/keys:
/etc/pki/tls/certs/<YOUR_SSL_PROVIDER_CHAIN_HERE>.crt
/etc/pki/tls/certs/wildcard_<YOUR_DOMAIN_HERE>.crt
/etc/pki/tls/private/wildcard_<YOUR_DOMAIN_HERE>.key

Files modified:
/etc/foreman-proxy/settings.yml
/etc/httpd/conf.d/05-foreman-ssl.conf
/etc/puppet/foreman.yaml

[root@foreman01 etc]# diff -u foreman-proxy/settings.yml.pre_WildcardSSL foreman-proxy/settings.yml
— foreman-proxy/settings.yml.pre_WildcardSSL 2014-09-22 13:37:48.622468800 -0500
+++ foreman-proxy/settings.yml 2015-01-19 15:05:02.558106906 -0600
@@ -9,9 +9,9 @@

if enabled, all communication would be verfied via SSL

NOTE that both certificates need to be signed by the same CA in order for this to work

see SSL - Smart Proxy - Foreman for more information

-:ssl_ca_file: /var/lib/puppet/ssl/certs/ca.pem
-:ssl_certificate: /var/lib/puppet/ssl/certs/foreman01.<YOUR_DOMAIN_HERE>.pem
-:ssl_private_key: /var/lib/puppet/ssl/private_keys/foreman01.<YOUR_DOMAIN_HERE>.pem
+:ssl_ca_file: /etc/pki/tls/certs/<YOUR_SSL_PROVIDER_CHAIN_HERE>.crt
+:ssl_certificate: /etc/pki/tls/certs/wildcard_<YOUR_DOMAIN_HERE>.crt
+:ssl_private_key: /etc/pki/tls/private/wildcard_<YOUR_DOMAIN_HERE>.key

the hosts which the proxy accepts connections from

commenting the following lines would mean every verified SSL connection

allowed
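Review bot: the new `:ssl_ca_file: /etc/pki/tls/certs/<YOUR_SSL_PROVIDER_CHAIN_HERE>.crt` changes which client certificates the proxy accepts, not only which CA it trusts: the comment in this same hunk says both certificates must be signed by the same CA, so after this change the proxy will only admit a Foreman that presents a provider-signed client certificate (the wildcard cert), and Foreman's own ssl_certificate / ssl_priv_key settings must be switched to match or every proxy call fails with a verify error. Also confirm the foreman-proxy service user can read /etc/pki/tls/private/wildcard_<YOUR_DOMAIN_HERE>.key; an unreadable key shows up at proxy start, not in this diff.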

[root@foreman01 etc]# diff -u httpd/conf.d/05-foreman-ssl.conf.pre_WildcardSSL httpd/conf.d/05-foreman-ssl.conf
— httpd/conf.d/05-foreman-ssl.conf.pre_WildcardSSL 2014-09-17 12:38:00.132011664 -0500
+++ httpd/conf.d/05-foreman-ssl.conf 2015-01-19 14:52:29.711717368 -0600
@@ -37,9 +37,9 @@

SSL directives

SSLEngine on

  • SSLCertificateFile "/var/lib/puppet/ssl/certs/foreman01.<YOUR_DOMAIN_HERE>.pem"
  • SSLCertificateKeyFile "/var/lib/puppet/ssl/private_keys/foreman01.<YOUR_DOMAIN_HERE>.pem"
  • SSLCertificateChainFile "/var/lib/puppet/ssl/certs/ca.pem"
  • SSLCertificateFile "/etc/pki/tls/certs/wildcard_<YOUR_DOMAIN_HERE>.crt"
  • SSLCertificateKeyFile "/etc/pki/tls/private/wildcard_<YOUR_DOMAIN_HERE>.key"
  • SSLCertificateChainFile "/etc/pki/tls/certs/<YOUR_SSL_PROVIDER_CHAIN_HERE>.crt"
    SSLCACertificatePath "/etc/pki/tls/certs"
    SSLCACertificateFile "/var/lib/puppet/ssl/certs/ca.pem"
    SSLVerifyClient optional
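Review bot: SSLCACertificateFile is deliberately left at "/var/lib/puppet/ssl/certs/ca.pem" while SSLCertificateFile, SSLCertificateKeyFile and SSLCertificateChainFile move to the provider files, and that is what keeps Puppet-signed client certificates (the ones node.rb presents from /etc/puppet/foreman.yaml) acceptable under SSLVerifyClient optional; add a comment saying so in the config, otherwise someone will later "fix" it to the provider chain and silently break agent runs. Because the mode stays optional, a client presenting no certificate still completes the handshake and authorisation remains Foreman's decision, so this hunk changes what the browser sees but does not tighten client authentication.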

[root@foreman01 etc]# diff -u puppet/foreman.yaml.pre_WildcardSSL puppet/foreman.yaml
— puppet/foreman.yaml.pre_WildcardSSL 2014-09-17 12:37:56.712011501 -0500
+++ puppet/foreman.yaml 2015-01-19 15:14:19.194210739 -0600
@@ -1,6 +1,6 @@

··· --- :url: "https://foreman01." -:ssl_ca: "/var/lib/puppet/ssl/certs/ca.pem" +:ssl_ca: "/etc/pki/tls/certs/.crt" :ssl_cert: "/var/lib/puppet/ssl/certs/foreman01..pem" :ssl_key: "/var/lib/puppet/ssl/private_keys/foreman01..pem" :user: ""
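Review bot: this hunk moves only :ssl_ca to the provider chain while :ssl_cert and :ssl_key stay on the Puppet-signed pair, so node.rb now verifies Foreman's wildcard server certificate against the provider CA but still authenticates itself with the Puppet certificate; that is consistent only with the Apache hunk keeping SSLCACertificateFile at the Puppet CA, and the two files should be changed together. If :ssl_cert is later switched to the provider-signed cert, the Apache SSLCACertificateFile has to follow it in the same change.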


-Justin


Justin's suggestion along with updating ssl_ca_file, ssl_certificate, and ssl_priv_key in the 'Administer >> Settings >> Provisioning' section of the foreman console got me working.

ssl_ca_file = /etc/pki/tls/certs/<YOUR_SSL_PROVIDER_CHAIN_HERE>.crt
ssl_certificate = /etc/pki/tls/certs/wildcard_<YOUR_DOMAIN_HERE>.crt
ssl_priv_key = /etc/pki/tls/private/wildcard_<YOUR_DOMAIN_HERE>.key

Thanks!


All we did was change the foreman url with the installer.

foreman-installer --foreman-foreman-url=foreman.local

And after the installation changed apache config.

vi /etc/httpd/conf.d/05-foreman-ssl.conf
ServerName foreman.local
SSLCertificateFile "/etc/pki/tls/certs/foreman.local.pem"
SSLCertificateKeyFile "/etc/pki/tls/private/foreman.local.key"

And then added our PKI's root cert to puppet's ca.

cat /etc/pki/ca-trust/source/anchors/our-domain-root.pem >> /var/lib/puppet/ssl/certs/ca.pem

This way the browser is able to verify foreman's web ui and puppet agents
work too.


I still can't get this working using any of the suggestions in this thread.

I just get

Error: Could not retrieve catalog from remote server: Error 400 on SERVER:
Failed when searching for node agent.example.com: Failed to find
agent.example.com via exec: Execution of '/etc/puppet/node.rb
agent.example.com' returned 1:

I have tried Justin's suggestion on its own and I have also tried it while
setting ssl_ca_file, ssl_certificate and ssl_priv_key in the GUI.

I have also tried Sandro Roth's suggestion; everything just results in the
same 400 error.

The permissions on my wildcard files match those of the self signed certs.

Anyone else got any ideas?

I have attached my configuration if someone wouldn't mind taking a look for
me?

On Wednesday, January 21, 2015 at 9:16:49 AM UTC, Sandro Roth wrote:
>
> All we did is change the foreman url with the installer.
>
> foreman-installer --foreman-foreman-url=foreman.local
>
> And after the installation changed apache config.
>
> vi /etc/httpd/conf.d/05-foreman-ssl.conf
> ServerName foreman.local
> SSLCertificateFile "/etc/pki/tls/certs/foreman.local.pem"
> SSLCertificateKeyFile "/etc/pki/tls/private/foreman.local.key"
>
> And then added our PKI's root cert to puppet's ca.
>
> cat /etc/pki/ca-trust/source/anchors/our-domain-root.pem >> /var/lib/puppet/ssl/certs/ca.pem
>
> This way the browser is able to verify foreman's web ui and puppet agents
> work too.
>
> On Tuesday, January 20, 2015 at 7:57:43 PM UTC+1, Fletcher, Robert wrote:
>>
>> Justin's suggestion along with updating ssl_ca_file, ssl_certificate, and
>> ssl_priv_key in the 'Administer >> Settings >> Provisioning' section of the
>> foreman console got me working.
>>
>> ssl_ca_file = /etc/pki/tls/certs/.crt
>> ssl_certificate = /etc/pki/tls/certs/wildcard_.crt
>> ssl_priv_key = /etc/pki/tls/private/wildcard_.key
>>
>> Thanks!
>>
>> -----Original Message-----
>> From: forema...@googlegroups.com [mailto:forema...@googlegroups.com] On >> Behalf Of Tianen, Justin >> Sent: Tuesday, January 20, 2015 9:56 AM >> To: forema...@googlegroups.com >> Subject: Re: [foreman-users] Re: Foreman installation using existing SSL >> certs >> >> Unsure if this will help either of you but these are the changes I made >> on the master to get it working. Otherwise, the web UI was fine but the >> clients were always broken. >> >> Note: I haven't gotten around to testing this against additional Smart >> Proxies yet. >> >> >> New SSL certs/keys: >> /etc/pki/tls/certs/.crt >> /etc/pki/tls/certs/wildcard_.crt >> /etc/pki/tls/private/wildcard_.key >> >> Files modified: >> /etc/foreman-proxy/settings.yml >> /etc/httpd/conf.d/05-foreman-ssl.conf >> /etc/puppet/foreman.yaml >> >> >> [root@foreman01 etc]# diff -u foreman-proxy/settings.yml.pre_WildcardSSL >> foreman-proxy/settings.yml >> --- foreman-proxy/settings.yml.pre_WildcardSSL 2014-09-22 >> 13:37:48.622468800 -0500 >> +++ foreman-proxy/settings.yml 2015-01-19 15:05:02.558106906 -0600 
>> @@ -9,9 +9,9 @@ >> # if enabled, all communication would be verfied via SSL # NOTE that >> both certificates need to be signed by the same CA in order for this to >> work # see http://theforeman.org/projects/smart-proxy/wiki/SSL for more >> information >> -:ssl_ca_file: /var/lib/puppet/ssl/certs/ca.pem >> -:ssl_certificate: >> /var/lib/puppet/ssl/certs/foreman01..pem >> -:ssl_private_key: >> /var/lib/puppet/ssl/private_keys/foreman01..pem >> +:ssl_ca_file: /etc/pki/tls/certs/.crt >> +:ssl_certificate: /etc/pki/tls/certs/wildcard_.crt >> +:ssl_private_key: /etc/pki/tls/private/wildcard_.key >> >> # the hosts which the proxy accepts connections from # commenting the >> following lines would mean every verified SSL connection allowed >> >> >> [root@foreman01 etc]# diff -u >> httpd/conf.d/05-foreman-ssl.conf.pre_WildcardSSL >> httpd/conf.d/05-foreman-ssl.conf >> --- httpd/conf.d/05-foreman-ssl.conf.pre_WildcardSSL 2014-09-17 >> 12:38:00.132011664 -0500 >> +++ httpd/conf.d/05-foreman-ssl.conf 2015-01-19 14:52:29.711717368 >> -0600 >> @@ -37,9 +37,9 @@ >> >> ## SSL directives >> SSLEngine on >> - SSLCertificateFile >> "/var/lib/puppet/ssl/certs/foreman01..pem" >> - SSLCertificateKeyFile >> "/var/lib/puppet/ssl/private_keys/foreman01..pem" >> - SSLCertificateChainFile "/var/lib/puppet/ssl/certs/ca.pem" >> + SSLCertificateFile >> "/etc/pki/tls/certs/wildcard_.crt" >> + SSLCertificateKeyFile >> "/etc/pki/tls/private/wildcard_.key" >> + SSLCertificateChainFile >> "/etc/pki/tls/certs/.crt" >> SSLCACertificatePath "/etc/pki/tls/certs" >> SSLCACertificateFile "/var/lib/puppet/ssl/certs/ca.pem" >> SSLVerifyClient optional >> >> >> [root@foreman01 etc]# diff -u puppet/foreman.yaml.pre_WildcardSSL >> puppet/foreman.yaml >> --- puppet/foreman.yaml.pre_WildcardSSL 2014-09-17 12:37:56.712011501 >> -0500 >> +++ puppet/foreman.yaml 2015-01-19 15:14:19.194210739 -0600 
>> @@ -1,6 +1,6 @@ >> --- >> :url: "https://foreman01." >> -:ssl_ca: "/var/lib/puppet/ssl/certs/ca.pem" >> +:ssl_ca: "/etc/pki/tls/certs/.crt" >> :ssl_cert: "/var/lib/puppet/ssl/certs/foreman01..pem" >> :ssl_key: >> "/var/lib/puppet/ssl/private_keys/foreman01..pem" >> :user: "" >> >> -- >> -Justin >> >> On Tuesday, January 20, 2015 06:09:26 AM Bill M wrote: >> > I'm having this issue too. Any luck? >> > >> > On Friday, January 9, 2015 at 3:41:47 AM UTC-6, Ivan Necas wrote: >> > > ----- Original Message ----- >> > > >> > > > that command does not appear to be valid >> > > > >> > > > root@sysadmin:~# foreman-rake config -k ssl_ca_file -v >> > > > /var/lib/puppet/ssl/certs/GandiProSSLCA.pem >> > > > invalid option: -k >> > > >> > > Ah, sry: it should have been `foreman-rake config -- -k ssl_ca_file >> -v >> > > /var/lib/puppet/ssl/certs/GandiProSSLCA.pem` >> > > >> > > > But ' ssl_ca_file' is set to ' >> > > >> > > /var/lib/puppet/ssl/certs/GandiProSSLCA.pem ' >> > > >> > > > If you have this working would you mind attaching your ' >> > > > foreman-installer-answers.yaml' file? >> > > >> > > I'm using katello-installer, as in it's setup there are more certs to >> be >> > > handled, therefore >> > > there are also more options for setting that up. Anyway, it would not >> work >> > > for your case, as >> > > it would probably break your current foreman setup. 
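Review bot: in the foreman-proxy/settings.yml hunk, `+:ssl_private_key: /etc/pki/tls/private/wildcard_.key` points the proxy at the same private key the Apache hunk uses for `SSLCertificateKeyFile`, so two service accounts (foreman-proxy and httpd) now need read access to one key file; give the proxy its own copy owned by its user with mode 0600, or at least state next to this setting that the key is shared and which owner/mode it is kept at, since permissions are already one of the things this thread is chasing. The retained comment directly above the hunk also says both certificates need to be signed by the same CA, so the `+:ssl_ca_file: /etc/pki/tls/certs/.crt` change only works together with a matching change to the certificate Foreman presents to the proxy; the message should say that the Foreman-side ssl_certificate change is a prerequisite, not an alternative, and that the trailing "hosts which the proxy accepts connections from" list still has to match the name carried by the wildcard certificate.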
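Review bot: in the 05-foreman-ssl.conf hunk, `+ SSLCertificateChainFile "/etc/pki/tls/certs/.crt"` names the same file the other two configs use as their trust anchor; if that file is the root certificate rather than the intermediate(s) that issued the wildcard certificate, Apache serves no usable chain, and a client that verifies with an explicit `--cacert` (as the curl test suggested earlier in the thread does) fails even though a browser with the root preinstalled succeeds. Point `SSLCertificateChainFile` at the intermediate bundle. Leaving `SSLCACertificateFile "/var/lib/puppet/ssl/certs/ca.pem"` and `SSLVerifyClient optional` unchanged is right, because the client certificate the puppet master presents is still puppet-CA issued, but that split (server identity from the commercial CA, client verification against the puppet CA) deserves a one-line comment so the next editor does not "fix" it to the commercial CA and break the ENC.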
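Review bot: in the puppet/foreman.yaml hunk only `:ssl_ca:` moves to `/etc/pki/tls/certs/.crt` while `:ssl_cert:` and `:ssl_key:` stay on the puppet-issued pair; that is consistent with the Apache hunk (node.rb verifies Foreman's wildcard server certificate against the commercial CA and authenticates with a certificate Apache checks against the puppet CA), but the message should say so explicitly, because a reader who has just applied the first two hunks will expect all three paths to move and end up with a client certificate Apache cannot verify. The `:url: "https://foreman01."` line must also name a host the wildcard certificate actually covers, otherwise node.rb now fails on the hostname check instead of the CA check, and the same edit is needed on every other puppet master that reports to this Foreman.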