Foreman shows nodes out of sync after SSL cert replace

We are running puppet master 4.10 on CentOS with foreman 1.15.2 on the same
server. As per standard, we tried to replace the web self signed cert of
foreman with local CA but running into out of sync on foreman. The nodes
are communicating with puppet master with no issues, pulling the catalogs
but foreman reports them all as out of sync for some reason.

After getting the local CA signed cert, replaced it by running this command,

$foreman-installer -v

This command updated the file /etc/httpd/conf.d/05-foreman-ssl.conf with
given values.

Followed this link but i dont see any definition as ssl_ca on node.rb file.
as mentioned in the document.

Here is my file content,

$ grep ssl_ca /etc/puppetlabs/puppet/node.rb
if SETTINGS[:ssl_ca] && !SETTINGS[:ssl_ca].empty?
res.ca_file = SETTINGS[:ssl_ca]
if SETTINGS[:ssl_ca] && !SETTINGS[:ssl_ca].empty?
http.ca_file = SETTINGS[:ssl_ca]

$ locate foreman.rb

$ grep ssl_ca
if SETTINGS[:ssl_ca] && !SETTINGS[:ssl_ca].empty?
http.ca_file = SETTINGS[:ssl_ca]

If this file is correct, how do I edit them to change the value, I dont see
anywhere this ssl_ca is defined though.

Any help would be really helpful to move forward.


Dumb question, but have you verified the new certificate is in place on the
Foreman web interface?

  1. On one test host stop puppet, wipe out the all of the SSL certificates,
  2. clean out the host on the Puppet Server using "puppet cert clean"
  3. Run puppet agent -tv on the host
  4. Re-sign the client certificate with Puppet and then see if the SSL
    self-signed certificate issue goes away.

While I don't have hands on a server/client to test, I remember having this
sort of problem hit me with a CA signed Cert expired. The puppet client to
host certs were fine, but when it tried to send the reports to Foreman
there was a cert issue that caused problems.

I don't guarantee this will provide any help, but it may be a start.

Also you could run the puppet agent in full debug mode (–debug) to see if
there is anything there that complains about the certificate.