I'm trying to install katello/foreman with a DHCP smart-proxy located on
another server.
My first attempt was to use a certificate signed by our internal CA with
this command:
foreman-installer --scenario katello --foreman-admin-password test
--certs-server-cert "/root/katello_certs/katello2.example.com.crt"
--certs-server-cert-req "/root/katello_certs/katello2.example.com.csr"
--certs-server-key "/root/katello_certs/katello2.example.com.key"
--certs-server-ca-cert "/root/katello_certs/cacert.pem"
Installation was successful and I was able to connect to my foreman web
interface without SSL warnings.
Next step was to set up the connection between my foreman and my DHCP
smart-proxy:
It's a CA issue, maybe because I'm playing with an internal CA, so I tried with
the self-signed certificates generated by the foreman/katello
installation:
Update: when I use the foreman-installer without Katello I can add my DHCP
proxy without problems:
foreman-installer --scenario foreman --foreman-admin-password test
On Wednesday, 24 May 2017 15:12:11 UTC+2, Vincenzo Z wrote:
>
> Hello,
>
>
> I'm trying to install katello/foreman with a DHCP smart-proxy located on
> another server.
>
> My first attempt was to use a certificate signed by our internal CA with
> this command:
> foreman-installer --scenario katello --foreman-admin-password test
> --certs-server-cert "/root/katello_certs/katello2.example.com.crt"
> --certs-server-cert-req "/root/katello_certs/katello2.example.com.csr"
> --certs-server-key "/root/katello_certs/katello2.example.com.key"
> --certs-server-ca-cert "/root/katello_certs/cacert.pem"
>
> Installation was successful and I was able to connect to my foreman web
> interface without SSL warnings.
>
>
> Next step was to set up the connection between my foreman and my DHCP
> smart-proxy:
>
> So I followed the steps documented here
> https://theforeman.org/manuals/1.15/index.html#4.3SmartProxies
>
> generate my cert on my foreman server:
>
> puppet cert generate dhcp.example.com
>
> copy cert, ca and key to the /etc/foreman-proxy/ssl directory on my DHCP smart-proxy
>
> edit my setting.yml config file like this:
>
> ---
> :settings_directory: "/etc/foreman-proxy/settings.d"
> :daemon: true
> :daemon_pid: /var/run/foreman-proxy/foreman-proxy.pid
> :bind_host: '*'
> :https_port: 8443
> :ssl_certificate: /etc/foreman-proxy/ssl/dhcp.example.com.pem
> :ssl_ca_file: /etc/foreman-proxy/ssl/ca.pem
> :ssl_private_key: /etc/foreman-proxy/ssl/dhcp.example.com.key
> :trusted_hosts:
> - katello2.example.com
> :log_file: /var/log/foreman-proxy/proxy.log
> :log_level: DEBUG
>
> open firewall ports
>
> When I try to connect from my foreman web interface with this URL https://dhcp.example.com:8443
>
> I get this error message in the log file of my DHCP smart-proxy:
>
> "OpenSSL::SSL::SSLError: SSL_accept returned=1 errno=0 state=unknown
> state: tlsv1 alert unknown ca"
>
>
> It's a CA issue, maybe because I'm playing with an internal CA, so I tried with
> the self-signed certificates generated by the foreman/katello
> installation:
>
> foreman-installer --scenario katello --foreman-admin-password "test"
>
> Same error.
>
>
> I think I'm missing something in the smart-proxy setup and I'm not using
> the right certificates.
>
> I probably don't use the same CA to sign my foreman certificate and my
> DHCP smart-proxy certificate.
>
> Can somebody point me in the right direction to solve this problem?
>
>
> Best regards,
>
>
>
>
Katello does not use the puppet certificates for a majority of
configuration which means that if you follow the Smart Proxy instructions
you pointed to you'll likely end up with a smart proxy that cannot
communicate back to the server.
Was your DHCP smart proxy an existing smart proxy or a fresh install? I
would recommend looking at how to install a smart proxy when you have a
Katello install:
https://theforeman.org/plugins/katello/3.4/installation/smart_proxy.html
This by default configures the smart proxy with content for syncing content
to an external location or datacenter. If you are not wanting to use this
and thus want a lighter weight smart proxy with your Katello install you
can disable Pulp setup and configuration.
Eric
On May 29, 2017 5:35 AM, "Vincenzo Z" wrote:
Update: when I use the foreman-installer without Katello I can add my DHCP
proxy without problems:
foreman-installer --scenario foreman --foreman-admin-password test
On Wednesday, 24 May 2017 15:12:11 UTC+2, Vincenzo Z wrote:
Hello,
I’m trying to install katello/foreman with a DHCP smart-proxy located on
another server.
My first attempt was to use a certificate signed by our internal CA with
this command:
foreman-installer --scenario katello --foreman-admin-password test
--certs-server-cert "/root/katello_certs/katello2.example.com.crt"
--certs-server-cert-req "/root/katello_certs/katello2.example.com.csr"
--certs-server-key "/root/katello_certs/katello2.example.com.key"
--certs-server-ca-cert "/root/katello_certs/cacert.pem"
Installation was successful and I was able to connect to my foreman web
interface without SSL warnings.
Next step was to set up the connection between my foreman and my DHCP
smart-proxy:
So I followed the steps documented here
https://theforeman.org/manuals/1.15/index.html#4.3SmartProxies
It's a CA issue, maybe because I'm playing with an internal CA, so I tried
with the self-signed certificates generated by the foreman/katello
installation:
My DHCP is running on a Debian server so I can't do a fresh installation.
Indeed, if I follow the Smart Proxy instructions in the foreman docs it
doesn't work because the certificate for my DHCP Smart Proxy server is
generated by puppet.
Finally, I found a solution to add a smart-proxy to a foreman-installer
--scenario katello installation:
copy /etc/pki/katello-certs-tools/certs/dhcp.example.com-foreman-proxy.crt,
/etc/pki/katello-certs-tools/certs/dhcp.example.com-foreman-proxy.key and
/etc/foreman/proxy_ca.pem
Next step, find a way to do it with a certificate signed with our internal
CA.
On Saturday, 3 June 2017 18:11:06 UTC+2, Eric Helms wrote:
>
> Katello does not use the puppet certificates for a majority of
> configuration which means that if you follow the Smart Proxy instructions
> you pointed to you'll likely end up with a smart proxy that cannot
> communicate back to the server.
>
> Was your DHCP smart proxy an existing smart proxy or a fresh install? I
> would recommend looking at how to install a smart proxy when you have a
> Katello install:
>
> https://theforeman.org/plugins/katello/3.4/installation/smart_proxy.html
>
> This by default configures the smart proxy with content for syncing
> content to an external location or datacenter. If you are not wanting to
> use this and thus want a lighter weight smart proxy with your Katello
> install you can disable Pulp setup and configuration.
>
> Eric
>
> On May 29, 2017 5:35 AM, "Vincenzo Z" <vlam...@gmail.com> wrote:
>
>> Update: when I use the foreman-installer without Katello I can add my DHCP
>> proxy without problems:
>>
>> foreman-installer --scenario foreman --foreman-admin-password test
>>
>>
>>
>> On Wednesday, 24 May 2017 15:12:11 UTC+2, Vincenzo Z wrote:
>>>
>>> Hello,
>>>
>>>
>>> I'm trying to install katello/foreman with a DHCP smart-proxy located on
>>> another server.
>>>
>>> My first attempt was to use a certificate signed by our internal CA with
>>> this command:
>>> foreman-installer --scenario katello --foreman-admin-password test
>>> --certs-server-cert "/root/katello_certs/katello2.example.com.crt"
>>> --certs-server-cert-req "/root/katello_certs/katello2.example.com.csr"
>>> --certs-server-key "/root/katello_certs/katello2.example.com.key"
>>> --certs-server-ca-cert "/root/katello_certs/cacert.pem"
>>>
>>> Installation was successful and I was able to connect to my foreman web
>>> interface without SSL warnings.
>>>
>>>
>>> Next step was to set up the connection between my foreman and my DHCP
>>> smart-proxy:
>>>
>>> So I followed the steps documented here
>>> https://theforeman.org/manuals/1.15/index.html#4.3SmartProxies
>>>
>>> generate my cert on my foreman server:
>>>
>>> puppet cert generate dhcp.example.com
>>>
>>> copy cert, ca and key to the /etc/foreman-proxy/ssl directory on my DHCP smart-proxy
>>>
>>> edit my setting.yml config file like this:
>>>
>>> ---
>>> :settings_directory: "/etc/foreman-proxy/settings.d"
>>> :daemon: true
>>> :daemon_pid: /var/run/foreman-proxy/foreman-proxy.pid
>>> :bind_host: '*'
>>> :https_port: 8443
>>> :ssl_certificate: /etc/foreman-proxy/ssl/dhcp.example.com.pem
>>> :ssl_ca_file: /etc/foreman-proxy/ssl/ca.pem
>>> :ssl_private_key: /etc/foreman-proxy/ssl/dhcp.example.com.key
>>> :trusted_hosts:
>>> - katello2.example.com
>>> :log_file: /var/log/foreman-proxy/proxy.log
>>> :log_level: DEBUG
>>>
>>> open firewall ports
>>>
>>> When I try to connect from my foreman web interface with this URL https://dhcp.example.com:8443
>>>
>>> I get this error message in the log file of my DHCP smart-proxy:
>>>
>>> "OpenSSL::SSL::SSLError: SSL_accept returned=1 errno=0 state=unknown
>>> state: tlsv1 alert unknown ca"
>>>
>>>
>>> It's a CA issue, maybe because I'm playing with an internal CA, so I tried
>>> with the self-signed certificates generated by the foreman/katello
>>> installation:
>>>
>>> foreman-installer --scenario katello --foreman-admin-password "test"
>>>
>>> Same error.
>>>
>>>
>>> I think I'm missing something in the smart-proxy setup and I'm not using
>>> the right certificates.
>>>
>>> I probably don't use the same CA to sign my foreman certificate and my
>>> DHCP smart-proxy certificate.
>>>
>>> Can somebody point me in the right direction to solve this problem?
>>>
>>>
>>> Best regards,
>>>
>>>
>>>
>>> --
>> You received this message because you are subscribed to the Google Groups
>> "Foreman users" group.
>> To unsubscribe from this group and stop receiving emails from it, send an
>> email to foreman-user...@googlegroups.com .
>> To post to this group, send email to forema...@googlegroups.com
>> .
>> Visit this group at https://groups.google.com/group/foreman-users.
>> For more options, visit https://groups.google.com/d/optout.
>>
>
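The certificate mismatch behind the `tlsv1 alert unknown ca` line in the first post, and why switching the proxy to the katello-certs-tools certificate from the last reply resolves it, can be reproduced offline. The Ruby script below is an added example, not code from this thread or from the Foreman/Katello projects. It builds an in-memory PKI with constructed CA names ("Katello CA", "Puppet CA") and the thread's hostnames, checks each proxy certificate against the CA that Foreman trusts (the same check `openssl verify -CAfile` performs), and replays the mutual-TLS handshake on localhost so that both sides' error messages can be compared. Ruby is used because the smart proxy itself is Ruby and the logged error comes from Ruby's OpenSSL binding.

```ruby
require 'openssl'
require 'socket'
# Constructed in-memory PKI mirroring the thread: a "Katello CA" (the CA behind
# katello-certs-tools and /etc/foreman/proxy_ca.pem) and a separate "Puppet CA"
# (the one `puppet cert generate` signs with). CA names and hostnames are examples.
def make_key
  OpenSSL::PKey::RSA.new(2048)
end
# Issue a certificate for +cn+ with +key+; without an issuer it is a self-signed CA.
def issue(cn, key, serial:, issuer: nil)
  issuer_cert, issuer_key = issuer
  cert = OpenSSL::X509::Certificate.new
  cert.version = 2
  cert.serial = serial
  cert.subject = OpenSSL::X509::Name.new([['CN', cn]])
  cert.issuer = issuer_cert ? issuer_cert.subject : cert.subject
  cert.public_key = key.public_key
  cert.not_before = Time.now - 60
  cert.not_after = Time.now + 3600
  ef = OpenSSL::X509::ExtensionFactory.new
  ef.subject_certificate = cert
  ef.issuer_certificate = issuer_cert || cert
  if issuer_cert
    cert.add_extension(ef.create_extension('basicConstraints', 'CA:FALSE', true))
    cert.add_extension(ef.create_extension('subjectAltName', "DNS:#{cn}", false))
  else
    cert.add_extension(ef.create_extension('basicConstraints', 'CA:TRUE', true))
    cert.add_extension(ef.create_extension('keyUsage', 'keyCertSign, cRLSign', true))
  end
  cert.sign(issuer_key || key, OpenSSL::Digest.new('SHA256')) # sign returns the cert
end

def build_pki
  katello_ca_key, puppet_ca_key, proxy_key, foreman_key = Array.new(4) { make_key }
  katello_ca = issue('Katello CA', katello_ca_key, serial: 1)
  puppet_ca = issue('Puppet CA', puppet_ca_key, serial: 2)
  { katello_ca: katello_ca, puppet_ca: puppet_ca, proxy_key: proxy_key, foreman_key: foreman_key,
    # first attempt in the thread: the proxy cert came from `puppet cert generate`
    proxy_cert_puppet: issue('dhcp.example.com', proxy_key, serial: 3, issuer: [puppet_ca, puppet_ca_key]),
    # the fix: the proxy cert from katello-certs-tools, signed by the Katello CA
    proxy_cert_katello: issue('dhcp.example.com', proxy_key, serial: 4, issuer: [katello_ca, katello_ca_key]),
    # Foreman's own client certificate is issued by the Katello CA in both cases
    foreman_cert: issue('katello2.example.com', foreman_key, serial: 5, issuer: [katello_ca, katello_ca_key]) }
end

def store_for(ca_cert)
  store = OpenSSL::X509::Store.new
  store.add_cert(ca_cert)
  store
end

# Offline pre-check, equivalent to `openssl verify -CAfile ca.pem cert.pem`.
def issued_by?(ca_cert, cert)
  store_for(ca_cert).verify(cert)
end

# Replays the handshake on 127.0.0.1: the smart proxy is the TLS server (its
# :ssl_ca_file is proxy[:ca]); Foreman is the client and trusts foreman[:ca].
def simulate_handshake(proxy:, foreman:)
  server_ctx = OpenSSL::SSL::SSLContext.new
  server_ctx.cert = proxy[:cert]
  server_ctx.key = proxy[:key]
  server_ctx.cert_store = store_for(proxy[:ca])
  server_ctx.verify_mode = OpenSSL::SSL::VERIFY_PEER | OpenSSL::SSL::VERIFY_FAIL_IF_NO_PEER_CERT
  client_ctx = OpenSSL::SSL::SSLContext.new
  client_ctx.cert = foreman[:cert]
  client_ctx.key = foreman[:key]
  client_ctx.cert_store = store_for(foreman[:ca])
  client_ctx.verify_mode = OpenSSL::SSL::VERIFY_PEER
  listener = TCPServer.new('127.0.0.1', 0)
  result = {}
  server = Thread.new do
    sock = listener.accept
    begin
      ssl = OpenSSL::SSL::SSLSocket.new(sock, server_ctx)
      ssl.accept
      result[:server_peer_cn] = ssl.peer_cert.subject.to_a.first[1]
      ssl.puts('ok')
    rescue OpenSSL::SSL::SSLError, SystemCallError, EOFError => e
      result[:server_error] = e.message # the text proxy.log would carry
    ensure
      sock.close
    end
  end
  tcp = TCPSocket.new('127.0.0.1', listener.addr[1])
  begin
    ssl = OpenSSL::SSL::SSLSocket.new(tcp, client_ctx)
    ssl.connect
    result[:client_banner] = ssl.gets.to_s.strip
  rescue OpenSSL::SSL::SSLError, SystemCallError, EOFError => e
    result[:client_error] = e.message
  ensure
    tcp.close
    server.join
    listener.close
  end
  result
end
```

Call `build_pki` once and pass `simulate_handshake` the proxy side as `{ cert:, key:, ca: }` together with Foreman's `{ cert: foreman_cert, key: foreman_key, ca: katello_ca }`. With `proxy_cert_puppet` and the Puppet CA on the proxy side, Foreman (the client) aborts with `certificate verify failed` and the proxy side records the alert the client sent, which is the `SSL_accept ... tlsv1 alert unknown ca` entry from the log: the proxy is not at fault, Foreman simply does not trust the CA that signed the proxy's certificate. With `proxy_cert_katello` and the Katello CA on both sides, Foreman reads the banner and the proxy sees `katello2.example.com` as its authenticated peer. On a real installation the same offline check is `openssl verify -CAfile <CA file Foreman uses for proxies> <proxy cert>`, and in the other direction `openssl verify -CAfile /etc/foreman-proxy/ssl/ca.pem <Foreman client cert>`; both must pass before `:trusted_hosts` even comes into play.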