Foreman proxy with custom ssl

Hi Foreman Support,

I have created a foreman(v2.0.1)/katello(v3.15.3) server with custom ssl certs. The certs were created with our freeipa server, and ssl is working fine on the server.

I used the following command to enable ssl:

foreman-installer --scenario katello \
    --certs-server-cert "//.crt" \
    --certs-server-key "/.key" \
    --certs-server-ca-cert "//ca.crt" \
    --certs-update-server --certs-update-server-ca

Now I am trying to create a foreman-proxy-content server using the following:

foreman-installer --scenario foreman-proxy-content \
    --certs-tar-file "/root/-certs.tar" \
    --foreman-proxy-register-in-foreman "true" \
    --foreman-proxy-foreman-base-url "https://" \
    --foreman-proxy-trusted-hosts "" \
    --foreman-proxy-trusted-hosts "" \
    --foreman-proxy-oauth-consumer-key "" \
    --foreman-proxy-oauth-consumer-secret "" \
    --puppet-server-foreman-url "https://" \
    --foreman-proxy-tftp "false"

The certs tar file was created on the foreman server with:

foreman-proxy-certs-generate \
    --foreman-proxy-fqdn "" \
    --certs-tar "-certs.tar"

However, when running the foreman-installer I get the following error:

[ERROR 2020-08-19T14:55:27 main] Proxy cannot be registered: Unable to communicate with the proxy: ERF12-2530 [ProxyAPI::ProxyException]: Unable to detect features ([RestClient::SSLCertificateNotVerified]: SSL_connect returned=1 errno=0 state=error: certificate verify failed (error number 1)) for proxy https://serverproxyname:9090/v2/features Please check the proxy is configured and running on the host.

I have tried reading a lot of the documentation out there, and experimented with various commands but am still unable to get the foreman server and proxy to communicate with each other. Any hints in the right direction would be much appreciated.

Thanks,
Tania

You need to pass the custom certificate and key for the proxy to foreman-proxy-certs-generate. Otherwise, it will generate its own proxy certificates.

I have used something like this:

# foreman-proxy-certs-generate --foreman-proxy-fqdn "foreman-proxy.example.com" \
       --certs-tar  "~/foreman-proxy.example.com-certs.tar" \
       --server-cert "/root/foreman-proxy.crt" \
       --server-key "/root/foreman-proxy.key" \
       --server-ca-cert "/etc/pki/tls/certs/example-bundle.crt" \
       --certs-update-server

example-bundle.crt contains the certificate chain, i.e. the certificate issuing CA, intermediates, root CA.
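
Before re-running foreman-installer it is worth checking offline that the certificate handed to foreman-proxy-certs-generate actually chains to the CA bundle Foreman trusts, because that is exactly what the "certificate verify failed" error above reports. The script below is an added example written for this thread, not part of the thread or of Foreman; it assumes openssl is installed on the host and takes the same four values used in the command above (cert, key, CA bundle, proxy FQDN).

```shell
#!/bin/sh
# Added example (not Foreman's own tooling). Checks the three things Foreman
# needs when it connects to the proxy on :9090 and verifies its certificate:
#   1. the private key matches the certificate
#   2. the certificate chains to the CA bundle Foreman trusts
#   3. the certificate's SAN covers the proxy FQDN it registers with
# Usage: check_proxy_cert /root/foreman-proxy.crt /root/foreman-proxy.key \
#            /etc/pki/tls/certs/example-bundle.crt foreman-proxy.example.com
# Exit codes: 0 ok, 1 key mismatch, 2 chain failure, 3 SAN missing.

check_proxy_cert() {
    cert=$1; key=$2; ca_bundle=$3; fqdn=$4

    # 1. Compare public keys (works for RSA and EC keys alike).
    cert_pub=$(openssl x509 -in "$cert" -noout -pubkey 2>/dev/null)
    key_pub=$(openssl pkey -in "$key" -pubout 2>/dev/null)
    if [ -z "$cert_pub" ] || [ "$cert_pub" != "$key_pub" ]; then
        echo "FAIL: $key does not match $cert"
        return 1
    fi

    # 2. Chain validation: this is the check that failed in the thread, because
    #    a cert issued by the generator's own CA is unknown to Foreman's bundle.
    if ! openssl verify -CAfile "$ca_bundle" "$cert" >/dev/null 2>&1; then
        echo "FAIL: $cert does not chain to $ca_bundle (certificate verify failed)"
        return 2
    fi

    # 3. SAN must contain the FQDN Foreman uses in https://<fqdn>:9090/...
    #    (dots in the FQDN are escaped so they are not regex wildcards).
    pat=$(printf '%s' "$fqdn" | sed 's/\./\\./g')
    if ! openssl x509 -in "$cert" -noout -text | grep -qE "DNS:$pat(,|$)"; then
        echo "FAIL: $cert has no SAN entry for $fqdn"
        return 3
    fi

    echo "OK: $cert is usable for $fqdn"
    return 0
}
```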

Thank you, that worked like a charm.
Tania