Foreman cannot communicate with its proxy using a valid Let’s Encrypt certificate, even though the proxy is validated as working with the certificate in the browser
Successful proxy communication.
Foreman and Proxy versions:
Proxy latest version that comes with 1.21.0-RC4
Foreman and Proxy plugin versions:
Other relevant data:
2019-02-12T19:04:18 [E] OpenSSL::SSL::SSLError: SSL_accept returned=1 errno=0 state=SSLv3 read client certificate A: tlsv1 alert unknown ca
Has anyone got a clue about this? It almost looks like Foreman doesn’t accept, or doesn’t have, the Let’s Encrypt CA in its bundle.
Also, changing them to what Foreman has to work with in settings.yaml doesn’t work out.
Even when Foreman is in a different domain than the proxy, and that certificate information is set in the proxy as the SSL certs to use, it doesn’t work out.
All with the same error message as above.
Thanks a lot!
It seems that it goes wrong when I change the SSL cert in settings.yaml on the Foreman server:
Even when I set the proxy so that the Foreman server uses these certs using:
It fails with the same error.
Any idea?
February 18, 2019, 11:58am
I had a similar problem with an internal Microsoft PKI.
The certificate must be able to authenticate clients.
You can validate this with
openssl x509 -text -noout -in mydomain.tld.crt ; the section “X509v3 Extended Key Usage” lists “TLS Web Client Authentication, TLS Web Server Authentication”.
I’m not sure if Let’s Encrypt allows this setting.
Thanks! The LE certificate has “TLS Web Client Authentication, TLS Web Server Authentication” set so that is why it confuses me.
February 18, 2019, 1:16pm
Wildcard certificates are not supported by the proxy. I didn’t check Foreman but IMHO we shouldn’t.
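The two checks raised in the replies above (does the certificate carry the “TLS Web Client Authentication” Extended Key Usage, and is it a wildcard certificate the proxy will refuse) can be scripted so they are run before the certificate is dropped into settings.yaml. This is an added example, not code from the thread or from the Foreman project; it assumes only the openssl CLI is installed, and the certificates it checks are constructed, self-signed throwaway ones generated inline so the script runs offline.

```shell
#!/bin/sh
# Added example (not from the thread or the Foreman project): pre-flight checks
# for a certificate that Foreman will present to the Smart Proxy as a TLS
# client certificate. Requires the openssl command-line tool.

# Print the value line of the "X509v3 Extended Key Usage" extension of a PEM
# certificate (empty output if the extension is absent).
cert_eku() {
  openssl x509 -noout -text -in "$1" | sed -n '/X509v3 Extended Key Usage/{n;p;}'
}

# Return 0 if the certificate may be used as a TLS client certificate, i.e. its
# EKU includes "TLS Web Client Authentication" (the setting the reply above
# says the proxy needs when Foreman connects to it).
cert_allows_client_auth() {
  cert_eku "$1" | grep -q 'TLS Web Client Authentication'
}

# Return 0 if the subject CN is a wildcard name such as *.example.test, which
# the proxy does not support according to the reply above.
cert_is_wildcard() {
  openssl x509 -noout -subject -in "$1" | grep -q 'CN *= *\*\.'
}

# Human-readable verdict for one certificate file; exit status 0 means the
# certificate passes both checks.
check_proxy_client_cert() {
  rc=0
  if cert_allows_client_auth "$1"; then
    echo "$1: EKU includes TLS Web Client Authentication: ok"
  else
    echo "$1: EKU lacks TLS Web Client Authentication (proxy will answer 'unknown ca' / reject the client cert)"
    rc=1
  fi
  if cert_is_wildcard "$1"; then
    echo "$1: subject CN is a wildcard: not supported by the proxy"
    rc=1
  else
    echo "$1: subject CN is not a wildcard: ok"
  fi
  return $rc
}

# Constructed sample certificates (self-signed, throwaway keys, valid one day)
# so the checks can be exercised without a real CA. Needs OpenSSL 1.1.1+ for
# -addext.
WORK=$(mktemp -d)
openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj '/CN=proxy.example.test' \
  -addext 'extendedKeyUsage=serverAuth,clientAuth' \
  -keyout "$WORK/both.key" -out "$WORK/both.crt" 2>/dev/null
openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj '/CN=*.example.test' \
  -addext 'extendedKeyUsage=serverAuth' \
  -keyout "$WORK/wild.key" -out "$WORK/wild.crt" 2>/dev/null

# Usage: check_proxy_client_cert /etc/foreman/client_cert.pem
check_proxy_client_cert "$WORK/both.crt"
check_proxy_client_cert "$WORK/wild.crt" || true
```

Run the script on the certificate configured under ssl_certificate in Foreman’s settings.yaml; the first constructed certificate passes both checks, the second (server-only EKU and a wildcard CN) fails both, which is the combination that produces the “tlsv1 alert unknown ca” rejection quoted in the original post.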
Good to know, true actually as well! The proxy only won’t accept it from Foreman, but Foreman accepts it from the proxy as far as I can see?
Maybe let the Puppet CA manage them anyway, but the AIO Puppet since Puppet 4 doesn’t add the puppet user/group anymore to relax the cert usage. I’ll try to find a solution for that!