Foreman web interface trusted cert install

Would like to use our AD-issued certificate for the Foreman web interface.
Expected outcome:
Trusted site with all other functionality working on the puppet side
Foreman and Proxy versions:
foreman 1.16 AIO with puppetserver 5.2.0-1xenial
Foreman and Proxy plugin versions:

Other relevant data:
I am able to add the certs to the apache2 config in /etc/apache2/sites-enabled/05-foreman-ssl.conf in the 3 fields SSLCertificateFile, SSLCertificateKeyFile and SSLCertificateChainFile. The web interface then loads as trusted as expected, but then any puppet clients fail to send reports. On the first run, I get an error that the node could not be found when running node.rb. Subsequent runs appear to run fine, but reports never make it back to Foreman. This is both communicating directly to puppet on the Foreman box, or via a foreman-proxy.

I followed the instructions here: Foreman :: Replacing Foreman's web SSL certificate, which seem rather dated as the paths differ on the apache side.

I have also tried various other tweaks I found by searching, none of which helped. Any chance there is an updated doc for this process? I would think this is a rather common request. Any help is much appreciated.

I know this topic is dated, but I’m curious if there was ever a resolution or if anyone has looked at whether changes in Foreman/Puppet have caused a need for an update to the blog post mentioned by @takedat.


Last week I changed the certificate used for the web interface. I struggled with NOT breaking the certs used by the Foreman Proxy and the Puppet CA.

After many tries, I found that changing SSLCertificateFile, SSLCertificateKeyFile and SSLCertificateChainFile, and not changing SSLCACertificateFile or SSLCARevocationFile, as suggested in the article, worked for me.

The article is dated. It would be nice if someone had time to write up a new tutorial and added it to
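
Added example, not part of any post in this thread and not Foreman project code: a small check that compares a vhost config before and after the certificate swap and confirms only the three web-facing directives changed, while `SSLCACertificateFile` and `SSLCARevocationFile` (which mod_ssl uses to verify client certificates) were left alone. The vhost text and every `/PLACEHOLDER/...` path are constructed for illustration; directive names are matched case-sensitively.

```python
import re

# Certificate, key and chain that Apache presents to browsers.
WEB_CERT = {"SSLCertificateFile", "SSLCertificateKeyFile", "SSLCertificateChainFile"}
# CA bundle and CRL that mod_ssl uses to verify client certificates.
CLIENT_CA = {"SSLCACertificateFile", "SSLCARevocationFile"}

def ssl_directives(conf_text):
    """Return {directive: value} for the SSL file directives in a vhost config."""
    found = {}
    for line in conf_text.splitlines():
        line = line.strip()
        if line.startswith("#"):
            continue  # Apache comments start the line
        m = re.match(r"(\w+)\s+(.+)$", line)
        if m and m.group(1) in WEB_CERT | CLIENT_CA:
            found[m.group(1)] = m.group(2).strip().strip('"')
    return found

def review_change(before, after):
    """Report which directives differ and whether the client-auth side is untouched."""
    old, new = ssl_directives(before), ssl_directives(after)
    changed = {d for d in WEB_CERT | CLIENT_CA if old.get(d) != new.get(d)}
    return {
        "web_cert_changed": sorted(changed & WEB_CERT),
        "client_ca_changed": sorted(changed & CLIENT_CA),
        "ok": bool(changed & WEB_CERT) and not (changed & CLIENT_CA),
    }

# Constructed sample vhost; paths are placeholders, not real Foreman paths.
VHOST = """<VirtualHost *:443>
  SSLEngine on
  SSLCertificateFile      {web}/cert.pem
  SSLCertificateKeyFile   {web}/key.pem
  SSLCertificateChainFile {web}/chain.pem
  SSLCACertificateFile    {ca}/ca.pem
  SSLCARevocationFile     {ca}/crl.pem
</VirtualHost>"""
BEFORE = VHOST.format(web="/PLACEHOLDER/puppet", ca="/PLACEHOLDER/puppet")
AFTER_GOOD = VHOST.format(web="/PLACEHOLDER/ad", ca="/PLACEHOLDER/puppet")
AFTER_BAD = VHOST.format(web="/PLACEHOLDER/ad", ca="/PLACEHOLDER/ad")

if __name__ == "__main__":
    for name, conf in (("good", AFTER_GOOD), ("bad", AFTER_BAD)):
        print(name, review_change(BEFORE, conf))
```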

@Sean @Stefan_Lasiewski
I never did get this working properly and I just gave up and dealt with the untrusted certs. Changing the certs per the doc seemed to work on the foreman master itself only. The doc doesn't make mention of how to get the foreman-proxies properly configured to talk to the foreman master after the changes. All reporting breaks and all proxies can't communicate with the master.

Agree with Stefan that an updated tutorial would be great.