Foreman/katello smart-proxy setup

Hello,

I'm trying to install katello/foreman with a DHCP smart-proxy located on
another server.

My first attempt was to use a certificate signed by our internal CA with
this command:
foreman-installer --scenario katello --foreman-admin-password test
--certs-server-cert "/root/katello_certs/katello2.example.com.crt"
--certs-server-cert-req "/root/katello_certs/katello2.example.com.csr"
--certs-server-key "/root/katello_certs/katello2.example.com.key"
--certs-server-ca-cert "/root/katello_certs/cacert.pem"

Installation was successful and I was able to connect to my foreman web
interface without SSL warnings.

Next step was to set up the connection between my foreman and my DHCP
smart-proxy:

So I followed the steps documented here
https://theforeman.org/manuals/1.15/index.html#4.3SmartProxies

generate my cert on my foreman server:

puppet cert generate dhcp.example.com

copy cert, ca and key to the /etc/foreman-proxy/ssl directory on my DHCP smart-proxy

edit my setting.yml config file like this:

---
:settings_directory: "/etc/foreman-proxy/settings.d"
:daemon: true
:daemon_pid: /var/run/foreman-proxy/foreman-proxy.pid
:bind_host: '*'
:https_port: 8443
:ssl_certificate: /etc/foreman-proxy/ssl/dhcp.example.com.pem
:ssl_ca_file: /etc/foreman-proxy/ssl/ca.pem
:ssl_private_key: /etc/foreman-proxy/ssl/dhcp.example.com.key
:trusted_hosts:
- katello2.example.com
:log_file: /var/log/foreman-proxy/proxy.log
:log_level: DEBUG

open firewall ports

When I try to connect from my foreman web interface with this URL https://dhcp.example.com:8443

I get this error message in the log file of my DHCP smart-proxy:

"OpenSSL::SSL::SSLError: SSL_accept returned=1 errno=0 state=unknown state:
tlsv1 alert unknown ca"

It's a CA issue, maybe because I'm playing with an internal CA, so I tried with
the self-signed certificates generated with the foreman/katello
installation:

foreman-installer --scenario katello --foreman-admin-password "test"

Same error.

I think I'm missing something in the smart-proxy setup and I don't play with
the right certificates.

I probably don't use the same CA to sign my foreman certificate and my DHCP
smart-proxy certificate.

Can somebody point me in the right direction to solve this problem?

Best regards,

Update: when I use the foreman-installer without Katello I can add my DHCP
proxy without problems:

foreman-installer --scenario foreman --foreman-admin-password test

On Wednesday 24 May 2017 at 15:12:11 UTC+2, Vincenzo Z wrote:
> [quoted text trimmed]

Katello does not use the puppet certificates for a majority of
configuration which means that if you follow the Smart Proxy instructions
you pointed to you'll likely end up with a smart proxy that cannot
communicate back to the server.

Was your DHCP smart proxy an existing smart proxy or a fresh install? I
would recommend looking at how to install a smart proxy when you have a
Katello install:

https://theforeman.org/plugins/katello/3.4/installation/smart_proxy.html

This by default configures the smart proxy with content for syncing content
to an external location or datacenter. If you are not wanting to use this
and thus want a lighter weight smart proxy with your Katello install you
can disable Pulp setup and configuration.

Eric

On May 29, 2017 5:35 AM, "Vincenzo Z" wrote:
> [quoted text trimmed]

Thanks Eric for your answer.

My DHCP is running on a Debian server so I can't do a fresh installation.

Indeed, if I follow the Smart Proxy instruction on the foreman doc it
doesn't work because the certificate for my DHCP Smart Proxy server is
generated by puppet.

Finally, I found a solution to add a smart-proxy with a foreman-installer
--scenario katello installation:

foreman-proxy-certs-generate --foreman-proxy-fqdn dhcp.example.com
--certs-tar "~/dhcp.example.com-certs.tar"

tar -xvf dhcp.example.com-certs.tar

yum install
ssl-build/dhcp.example.com/dhcp.example.com-foreman-proxy-1.0-1.noarch.rpm

copy /etc/pki/katello-certs-tools/certs/dhcp.example.com-foreman-proxy.crt,
/etc/pki/katello-certs-tools/certs/dhcp.example.com-foreman-proxy.key and
/etc/foreman/proxy_ca.pem

Next step, find a way to do it with a certificate signed with our internal
CA.

On Saturday 3 June 2017 at 18:11:06 UTC+2, Eric Helms wrote:
> [quoted text trimmed]
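The failure in the first post (a proxy certificate issued by the puppet CA while the Katello scenario's Foreman trusts the Katello CA, surfacing in the proxy log as "tlsv1 alert unknown ca") and the fix in the last post (a cert, key and proxy_ca.pem produced by foreman-proxy-certs-generate) both come down to one question: does the proxy's certificate chain to the CA the other side trusts, and does the key on disk belong to that certificate? The script below is an added example and is not code from this thread or from the Foreman/Katello project. It builds two throw-away CAs with openssl, issues a proxy certificate from each, and runs the same openssl verify and public-key comparison you would run on the three files the last post copies into place. The CA names, the hostnames and the temp-directory layout are constructed for the demo; probe_proxy wraps openssl s_client for a live check against a running smart-proxy and is defined but not invoked, since it needs the network.

```shell
#!/bin/sh
# Added example, not from the thread: reproduce the CA mismatch behind
# "tlsv1 alert unknown ca" locally and check a proxy cert/key/CA triple the
# way you would after foreman-proxy-certs-generate. Every CA and certificate
# below is constructed throw-away test data.
set -eu

WORK="$(mktemp -d)"
trap 'rm -rf "$WORK"' EXIT

# Minimal openssl config for the test CAs so the result carries CA:TRUE
# regardless of the system openssl.cnf (constructed for this demo).
cat > "$WORK/ca.cnf" <<'EOF'
[req]
distinguished_name = dn
x509_extensions = v3_ca
[dn]
[v3_ca]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
subjectKeyIdentifier = hash
EOF

# make_ca DIR NAME : self-signed test CA written as DIR/NAME.pem + DIR/NAME.key
make_ca() {
    openssl req -x509 -config "$1/ca.cnf" -newkey rsa:2048 -nodes -days 1 \
        -subj "/CN=$2" -keyout "$1/$2.key" -out "$1/$2.pem" 2>/dev/null
}

# issue_cert DIR CA_NAME FQDN : key + certificate for FQDN signed by CA_NAME
issue_cert() {
    openssl req -newkey rsa:2048 -nodes -subj "/CN=$3" \
        -keyout "$1/$3.key" -out "$1/$3.csr" 2>/dev/null
    openssl x509 -req -days 1 -in "$1/$3.csr" -CA "$1/$2.pem" \
        -CAkey "$1/$2.key" -CAcreateserial -out "$1/$3.crt" 2>/dev/null
}

# cert_chains_to CA_FILE CERT : succeeds only if CERT verifies against CA_FILE.
# A peer that trusts CA_FILE and sees a CERT that fails this sends unknown_ca.
cert_chains_to() {
    openssl verify -CAfile "$1" "$2" >/dev/null 2>&1
}

# key_matches_cert KEY CERT : succeeds if KEY is the private key for CERT
# (compares the PEM public key derived from each side).
key_matches_cert() {
    k="$(openssl pkey -in "$1" -pubout 2>/dev/null)" || return 1
    c="$(openssl x509 -in "$2" -pubkey -noout 2>/dev/null)" || return 1
    [ -n "$k" ] && [ "$k" = "$c" ]
}

# check_proxy_certs CA_FILE CERT KEY : 0 = consistent, 1 = CA mismatch,
# 2 = the key on disk does not belong to the certificate.
check_proxy_certs() {
    if ! key_matches_cert "$3" "$2"; then
        echo "FAIL: $3 is not the private key for $2"
        return 2
    fi
    if ! cert_chains_to "$1" "$2"; then
        echo "FAIL: $2 does not chain to $1 (a peer trusting $1 sends unknown_ca)"
        return 1
    fi
    echo "OK: $2 chains to $1 and matches $3"
}

# probe_proxy HOST PORT CA_FILE : live handshake against a running smart-proxy
# that fails unless its certificate chains to CA_FILE. Not called in this demo.
probe_proxy() {
    openssl s_client -connect "$1:$2" -servername "$1" \
        -CAfile "$3" -verify_return_error </dev/null >/dev/null 2>&1
}

# Two independent CAs: the one the Foreman/Katello server trusts, and a
# stand-in for the puppet CA that signed the proxy certificate in the thread.
make_ca "$WORK" katello-ca
make_ca "$WORK" puppet-ca
issue_cert "$WORK" katello-ca dhcp.example.com
issue_cert "$WORK" puppet-ca dhcp-puppet.example.com

SERVER_CA="$WORK/katello-ca.pem"
GOOD_CRT="$WORK/dhcp.example.com.crt"
GOOD_KEY="$WORK/dhcp.example.com.key"
BAD_CRT="$WORK/dhcp-puppet.example.com.crt"
BAD_KEY="$WORK/dhcp-puppet.example.com.key"

check_proxy_certs "$SERVER_CA" "$GOOD_CRT" "$GOOD_KEY"          # OK
check_proxy_certs "$SERVER_CA" "$BAD_CRT" "$BAD_KEY" || true    # FAIL: signed by the other CA
check_proxy_certs "$SERVER_CA" "$GOOD_CRT" "$BAD_KEY" || true   # FAIL: key belongs to another cert
```

On a real deployment, run check_proxy_certs with the CA file Foreman uses to verify proxies as the first argument and the proxy's ssl_certificate and ssl_private_key as the other two. One diagnostic detail worth knowing: OpenSSL reports "tlsv1 alert unknown ca" on the side that received the alert, so a proxy logging it during SSL_accept was rejected by Foreman, which means the proxy's certificate must verify against the CA Foreman trusts, not merely against the CA the proxy itself has in ssl_ca_file.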