Foreman-installer cached wrong ssl path

Hello everyone.
Problem:
After a wrong installation (foreman-installer --scenario katello) with a path in --certs-server-ca-cert, the paths for the ca.crt certificate are cached somewhere. Every time, the strings with “ssl ca” in “/etc/httpd/conf.d/05-foreman-ssl.conf” and in “/etc/hammer/cli.modules.d/foreman.yml” are rewritten with the wrong path, even if I choose something like

foreman-installer --scenario katello \
--certs-server-cert "/etc/pki/msk-foreman.crt" \
--certs-server-key "/etc/pki/msk-foreman.key" \
--certs-server-ca-cert "/etc/pki/ca.crt"

it still shows errors:
httpd[202475]: AH00526: Syntax error on line 140 of /etc/httpd/conf.d/05-foreman-ssl.conf:
SSLCertificateChainFile: file ‘/root/ca_chain.crt’ does not exist or is empty
I can only manually rewrite the strings to the correct path and restart the service.
Expected outcome:
correct path into files
Foreman and Proxy versions:
foreman + katello 3.12 + 4.12
Foreman and Proxy plugin versions:

Distribution and version:
CentOS9
Other relevant data:
katello-certs-check -t foreman -c /etc/pki/msk-foreman.crt -k /etc/pki/msk-foreman.key -b /etc/pki/ca.crt shows All OK

When you run this, it shows you the command you should run to update the certs.

That’s the command you see for installing a new server, not for an update. The update command includes --certs-update-server --certs-update-server-ca.

However, from what you write, you seem to have set custom paths for the foreman server, i.e. with the --foreman-server-ssl-cert option to foreman-installer. foreman-installer remembers any custom configuration you have set in any previous run. If you set a custom ssl cert for the foreman (apache) server, it will remain in there. That’s why it’s always a bad idea to “test & try” random configuration options if you are trying to achieve something unless you make sure to undo any configuration change…

Thanks for the hint, I used:

foreman-installer \
--foreman-server-ssl-cert "/etc/pki/msk-foreman.crt" \
--foreman-server-ssl-key "/etc/pki/msk-foreman.key" \
--foreman-server-ssl-chain "/etc/pki/ca.crt"

for a successful update.

Which is the opposite of what I have suggested: Instead of manually overwriting this information, which will work until the next cert update, it’s better to let foreman-installer handle that. Then you update the certs in the standard way and foreman-installer puts the right files into the right places and points the configuration to the right places…

I have tried some keys with foreman-installer like certs-reset or something like that, but it still continues using the custom configuration, so I don’t know how to avoid that instead of strictly using the keys --foreman-server-ssl-xxxx. But yes, I wanted to do the same thing that you have suggested too.
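
As an added example (not part of the thread and not Foreman project code), this POSIX shell function scans configuration files, such as the two named in the first post, for certificate or key paths whose target is missing or empty, which is the condition httpd reports above as AH00526. The function name and the extension list (.crt, .key, .pem) are assumptions made for the example.

```shell
#!/bin/sh
# Added example: find certificate/key paths in config files that point
# at a missing or empty file, before the service is restarted.

# stale_cert_paths FILE...
# Prints "config:line:path" for each absolute *.crt/*.key/*.pem path
# whose target does not exist or has zero size.
# Returns 1 if at least one such path was found, 0 otherwise.
stale_cert_paths() {
    out=$(
        for conf in "$@"; do
            [ -r "$conf" ] || continue
            # grep -n yields "lineno:text"; drop commented-out lines.
            grep -nE '\.(crt|key|pem)' "$conf" |
            grep -vE '^[0-9]+:[[:space:]]*#' |
            while IFS=: read -r lineno text; do
                # Extract every absolute path with a cert/key extension.
                printf '%s\n' "$text" |
                grep -oE '/[A-Za-z0-9_./-]+\.(crt|key|pem)' |
                while read -r path; do
                    # -s is true only for an existing, non-empty file.
                    [ -s "$path" ] ||
                        printf '%s:%s:%s\n' "$conf" "$lineno" "$path"
                done
            done
        done
    )
    if [ -z "$out" ]; then
        return 0
    fi
    printf '%s\n' "$out"
    return 1
}

# Check the files given on the command line, for example:
#   sh check.sh /etc/httpd/conf.d/05-foreman-ssl.conf \
#               /etc/hammer/cli.modules.d/foreman.yml
[ "$#" -eq 0 ] || stale_cert_paths "$@"
```

Passing the installer's answers file as well (assumed here to be /etc/foreman-installer/scenarios.d/katello-answers.yaml) shows whether a stale path is stored there and will be written out again on the next run.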