Foreman-proxy not working with valid LE-certificate

Problem:

Foreman cannot communicate with its proxy using a valid Let’s Encrypt certificate, even though the proxy is validated as working with the certificate when accessed from a browser.

Expected outcome:

Successful proxy communication.

Foreman and Proxy versions:

Foreman 1.21.0-RC4
Proxy latest version that comes with 1.21.0-RC4

Foreman and Proxy plugin versions:
None

Other relevant data:

ProxyLog:

2019-02-12T19:04:18  [E] OpenSSL::SSL::SSLError: SSL_accept returned=1 errno=0 state=SSLv3 read client certificate A: tlsv1 alert unknown ca
        /usr/share/ruby/openssl/ssl.rb:280:in `accept'

Does anyone have a clue about this? It almost looks like Foreman doesn’t accept, or doesn’t have, the Let’s Encrypt CA in its bundle.

Also, changing them in settings.yaml to what Foreman has to work with doesn’t work out.

Even when Foreman is in a different domain than the proxy, and that certificate information is set in the proxy as the SSL certs to use, it doesn’t work out.

All with the same error message as above.

Thanks a lot!

It seems that it goes wrong when I change the SSL cert in settings.yaml on the Foreman server:

:ssl_certificate: /etc/foreman/ssl/certs/*.mydomain.tld.crt
:ssl_ca_file: /etc/foreman/ssl/certs/letsEncrypt.crt
:ssl_priv_key: /etc/foreman/ssl/private_keys/*.mydomain.tld.key

Even when I configure in the proxy that the Foreman server uses these certs, using:

:foreman_ssl_ca: /etc/foreman/ssl/certs/letsEncrypt.crt
:foreman_ssl_cert: /etc/foreman/ssl/certs/*.mydomain.tld.crt
:foreman_ssl_key: /etc/foreman/ssl/private_keys/*.mydomain.tld.key

It fails with the same error.

Any idea?

I had a similar problem with an internal Microsoft PKI.

The certificate must be able to authenticate clients.
You can validate this with openssl x509 -text -noout -in mydomain.tld.crt; the section “X509v3 Extended Key Usage” should list “TLS Web Client Authentication, TLS Web Server Authentication”.

I’m not sure if Let’s Encrypt allows this setting.

Hi,

Thanks! The LE certificate has “TLS Web Client Authentication, TLS Web Server Authentication” set so that is why it confuses me.

Wildcard certificates are not supported by the proxy. I didn’t check Foreman but IMHO we shouldn’t.
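The EKU check from the reply above and the wildcard limitation just mentioned, reproduced in Ruby (the language smart-proxy itself is written in) as an added example: this is not code from the original thread or from Foreman/smart-proxy, and the certificate names, the build_cert helper and the check_client_cert function are hypothetical. It generates an in-memory CA plus four client certificates and reports, for each, which of the three conditions would make the proxy reject it: not chaining to the CA configured in :ssl_ca_file (the “unknown ca” alert from the log), missing TLS Web Client Authentication in the EKU, or a wildcard CN.

```ruby
require 'openssl'

# Build a self-signed CA or a CA-signed leaf certificate in memory.
# Constructed test material for this example; not Foreman or smart-proxy code.
def build_cert(subject, key, issuer: nil, issuer_key: nil, ca: false, eku: nil)
  cert = OpenSSL::X509::Certificate.new
  cert.version = 2                                   # X.509 v3
  cert.serial = OpenSSL::BN.rand(64)
  cert.subject = OpenSSL::X509::Name.parse(subject)
  cert.issuer = issuer ? issuer.subject : cert.subject
  cert.public_key = key.public_key
  cert.not_before = Time.now - 60
  cert.not_after = Time.now + 3600

  ef = OpenSSL::X509::ExtensionFactory.new
  ef.subject_certificate = cert
  ef.issuer_certificate = issuer || cert
  cert.add_extension(ef.create_extension('basicConstraints', ca ? 'CA:TRUE' : 'CA:FALSE', true))
  cert.add_extension(ef.create_extension('extendedKeyUsage', eku, false)) if eku
  cert.sign(issuer_key || key, OpenSSL::Digest.new('SHA256'))
  cert
end

# Hypothetical pre-flight check (not part of smart-proxy): apply the conditions
# a connecting client certificate must meet and return the problems found.
# An empty array means the certificate would be accepted.
def check_client_cert(cert_pem, ca_pem)
  cert = OpenSSL::X509::Certificate.new(cert_pem)
  problems = []

  # 1. The cert must chain to the CA in :ssl_ca_file. A leaf from any other
  #    issuer is what produces "tlsv1 alert unknown ca" on the proxy side.
  store = OpenSSL::X509::Store.new
  store.add_cert(OpenSSL::X509::Certificate.new(ca_pem))
  problems << 'does not chain to the configured CA' unless store.verify(cert)

  # 2. Extended Key Usage must include TLS Web Client Authentication; this is
  #    the same field "openssl x509 -text -noout" prints.
  eku = cert.extensions.find { |e| e.oid == 'extendedKeyUsage' }
  unless eku && eku.value.include?('TLS Web Client Authentication')
    problems << 'EKU lacks TLS Web Client Authentication'
  end

  # 3. Wildcard names in the client certificate's CN are not accepted by the proxy.
  cn = cert.subject.to_a.find { |name, _, _| name == 'CN' }&.at(1)
  problems << "wildcard CN #{cn}" if cn && cn.start_with?('*.')

  problems
end

# ---- constructed certificates (hypothetical names, generated at load time) ----
CA_KEY    = OpenSSL::PKey::RSA.new(2048)
CA_CERT   = build_cert('/CN=Example Internal CA', CA_KEY, ca: true)
OTHER_KEY = OpenSSL::PKey::RSA.new(2048)
OTHER_CA  = build_cert('/CN=Unrelated CA', OTHER_KEY, ca: true)
LEAF_KEY  = OpenSSL::PKey::RSA.new(2048)

CA_PEM = CA_CERT.to_pem
GOOD_PEM = build_cert('/CN=foreman.example.test', LEAF_KEY, issuer: CA_CERT,
                      issuer_key: CA_KEY, eku: 'clientAuth,serverAuth').to_pem
SERVER_ONLY_PEM = build_cert('/CN=foreman.example.test', LEAF_KEY, issuer: CA_CERT,
                             issuer_key: CA_KEY, eku: 'serverAuth').to_pem
WILDCARD_PEM = build_cert('/CN=*.example.test', LEAF_KEY, issuer: CA_CERT,
                          issuer_key: CA_KEY, eku: 'clientAuth,serverAuth').to_pem
UNKNOWN_CA_PEM = build_cert('/CN=foreman.example.test', LEAF_KEY, issuer: OTHER_CA,
                            issuer_key: OTHER_KEY, eku: 'clientAuth,serverAuth').to_pem

if $PROGRAM_NAME == __FILE__
  { 'good' => GOOD_PEM, 'server-only EKU' => SERVER_ONLY_PEM,
    'wildcard' => WILDCARD_PEM, 'other issuer' => UNKNOWN_CA_PEM }.each do |label, pem|
    problems = check_client_cert(pem, CA_PEM)
    puts "#{label}: #{problems.empty? ? 'accepted' : problems.join('; ')}"
  end
end
```

To run the same check against real files, pass File.read of the cert in :foreman_ssl_cert and of the CA in the proxy’s :ssl_ca_file; the first condition is the one that distinguishes “the CA file is the wrong CA” (the Let’s Encrypt intermediate versus the Puppet CA) from an EKU or naming problem, since all three produce the same handshake failure in the proxy log.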

Good to know, and actually true as well! Only the proxy won’t accept it from Foreman, but Foreman accepts it from the proxy as far as I can see?

Maybe let the Puppet CA manage them anyway, but the AIO Puppet since Puppet 4 doesn’t add the puppet user/group anymore to relax the cert usage. I’ll try to find a solution for that!