Foreman Web SSL update

Any thoughts on how to update the SSL certificates that are needed for the web access?

Tried these steps (Foreman :: Replacing Foreman's web SSL certificate), but it's unclear what I have to renew.

Hi @gkardara

Please have a look at the docs: Renewing the SSL certificate in Administering Foreman. There’s also Configuring Foreman server with a custom SSL certificate in Installing Foreman+Katello Sever.

1 Like

Many thanks, will try and inform :wink:

Tried, but I can't find any pem files…
In the file /etc/httpd/conf.d/05-foreman-ssl.conf
I have the following:

## SSL directives
SSLEngine on
SSLCertificateFile "/etc/pki/katello/certs/katello-apache.crt"
SSLCertificateKeyFile "/etc/pki/katello/private/katello-apache.key"
SSLCertificateChainFile "/etc/pki/katello/certs/katello-server-ca.crt"
SSLVerifyClient optional
SSLVerifyDepth 3
SSLCACertificateFile "/etc/pki/katello/certs/katello-default-ca.crt"
SSLOptions +StdEnvVars +ExportCertData

What do you want to update the certificates with if you don’t have any files? What do you have?

According to the config file, I have the following:

SSLCertificateFile "/etc/pki/katello/certs/katello-apache.crt"
SSLCertificateKeyFile "/etc/pki/katello/private/katello-apache.key"
SSLCertificateChainFile "/etc/pki/katello/certs/katello-server-ca.crt"

Yes. Those are the current files. With what do you want to update them?

The http certificate for the web is about to expire and I need to update it with a new one.
Following the instructions,
I have

  1. created this file → openssl genrsa -out /root/foreman_cert/foreman_cert_key.pem 4096
  2. then the /root/foreman_cert/openssl.cnf
  3. created the csr:
     openssl req -new \
       -key /root/foreman_cert/foreman_cert_key.pem \
       -config /root/foreman_cert/openssl.cnf \
       -out /root/foreman_cert/foreman_cert_csr.pem

Now I need the bundle pack and to run the installer again?

Now you send the certificate request in foreman_cert_csr.pem to your CA and get it signed.

1 Like

Done, and ran the next step to validate.
It seems that the bundle is messed up.

katello-certs-check \
  -c /root/foreman_cert/foreman_cert.pem \
  -k /root/foreman_cert/foreman_cert_key.pem \
  -b /root/foreman_cert/ca_cert_bundle.pem
Checking server certificate encoding:
[OK]

unable to load certificate
140280417765184:error:0D0680A8:asn1 encoding routines:asn1_check_tlen:wrong tag:crypto/asn1/tasn_dec.c:1149:
140280417765184:error:0D07803A:asn1 encoding routines:asn1_item_embed_d2i:nested asn1 error:crypto/asn1/tasn_dec.c:309:Type=X509_CINF
140280417765184:error:0D08303A:asn1 encoding routines:asn1_template_noexp_d2i:nested asn1 error:crypto/asn1/tasn_dec.c:646:Field=cert_info, Type=X509
140280417765184:error:0906700D:PEM routines:PEM_ASN1_read_bio:ASN1 lib:crypto/pem/pem_oth.c:33:
date: invalid date ‘+%Y%m%d%H%M%S’
Checking expiration of certificate:
[OK]

Checking expiration of CA bundle:
[FAIL]

The CA bundle “/root/foreman_cert/ca_cert_bundle.pem” has already expired on:
Checking if server certificate has CA:TRUE flag
[OK]

Checking for private key passphrase:
[OK]

Checking to see if the private key matches the certificate:
[OK]

Checking CA bundle against the certificate file:
[FAIL]

The /root/foreman_cert/ca_cert_bundle.pem does not verify the /root/foreman_cert/foreman_cert.pem
Error loading file /root/foreman_cert/ca_cert_bundle.pem

Checking CA bundle size: 1
[OK]

Checking Subject Alt Name on certificate
[OK]

Checking if any Subject Alt Name on certificate matches the Subject CN
[OK]

Checking Key Usage extension on certificate for Key Encipherment
[OK]

Checking for use of shortname as CN
[OK]

So get the right bundle from your CA containing the chain for your certificate.

I created the ca_cert_bundle.pem file again,
in which I included the root + subca + server key.

Then it worked :wink:
Next step as per instructions is to run

foreman-installer --scenario katello \
  --certs-server-cert "/root/foreman_cert/foreman_cert.pem" \
  --certs-server-key "/root/foreman_cert/foreman_cert_key.pem" \
  --certs-server-ca-cert "/root/foreman_cert/ca_cert_bundle.pem" \
  --certs-update-server --certs-update-server-ca

katello-certs-check -t foreman -b /root/foreman_cert/ca_cert_bundle.pem -c /root/foreman_cert/foreman_cert.pem -k /root/foreman_cert/foreman_cert_key.pem
Checking server certificate encoding:
[OK]

Checking expiration of certificate:
[OK]

Checking expiration of CA bundle:
[OK]

Checking if server certificate has CA:TRUE flag
[OK]

Checking for private key passphrase:
[OK]

Checking to see if the private key matches the certificate:
[OK]

Checking CA bundle against the certificate file:
[OK]

Checking CA bundle size: 3
[OK]

Checking Subject Alt Name on certificate
[OK]

Checking if any Subject Alt Name on certificate matches the Subject CN
[OK]

Checking Key Usage extension on certificate for Key Encipherment
[OK]

Checking for use of shortname as CN
[OK]

Validation succeeded

To install the Katello server with the custom certificates, run:

foreman-installer --scenario katello \
                  --certs-server-cert "/root/foreman_cert/foreman_cert.pem" \
                  --certs-server-key "/root/foreman_cert/foreman_cert_key.pem" \
                  --certs-server-ca-cert "/root/foreman_cert/ca_cert_bundle.pem"

To update the certificates on a currently running Katello installation, run:

foreman-installer --scenario katello \
                  --certs-server-cert "/root/foreman_cert/foreman_cert.pem" \
                  --certs-server-key "/root/foreman_cert/foreman_cert_key.pem" \
                  --certs-server-ca-cert "/root/foreman_cert/ca_cert_bundle.pem" \
                  --certs-update-server --certs-update-server-ca

To use them inside a NEW $FOREMAN_PROXY, rerun this command with -t foreman-proxy

The server key only belongs in the server key file, not in the ca file. The ca file contains certificates and thus can be publicly readable, while the server key is the private key which must be protected.

--certs-server-cert is for the server certificate.
--certs-server-key is for the server private key.
--certs-server-ca-cert contains the ca certificates to build the chain from the server certificate to a root ca.

The server key must be protected and should only be readable by root. Certificates are public and can be readable for anyone.

OK thanks, the system is internal, not reachable from the internet.

It doesn’t matter: putting the server key into the ca bundle is wrong. You should never do it. It has no purpose there except potentially exposing the server key.

The ca bundle contains a list of ca certificates. Nothing else. No server certificate nor any server key.

You should not do it. And you shouldn’t suggest it even if it may be not an issue in your setup. Someone reads it here and follows it and never thinks about it and all of a sudden the key is exposed…

2 Likes
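An added sanity check for the file passed as --certs-server-ca-cert, written for this thread and not taken from the Foreman docs or the katello-certs-check tool: it refuses a bundle that carries any PRIVATE KEY block, which is both the cause of the "unable to load certificate" parse error in the first validation run above and the exposure the reply warns about. The placeholder PEM bodies and file names are constructed for a dry run; verify_chain assumes openssl is on PATH.

```shell
#!/bin/sh
# Added example (not from this thread or the Foreman project): check that a
# CA bundle holds only CERTIFICATE blocks before handing it to the installer.

# count_pem_blocks FILE LABEL -> number of "-----BEGIN ...LABEL-----" lines;
# LABEL "PRIVATE KEY" also matches "RSA PRIVATE KEY" and "EC PRIVATE KEY"
count_pem_blocks() {
    grep -c -- "^-----BEGIN .*$2-----$" "$1" || true
}

# check_ca_bundle FILE -> returns 0 if the bundle looks sane, 1 otherwise
check_ca_bundle() {
    bundle="$1"
    keys=$(count_pem_blocks "$bundle" "PRIVATE KEY")
    certs=$(count_pem_blocks "$bundle" "CERTIFICATE")
    rc=0
    if [ "$keys" -gt 0 ]; then
        echo "FAIL: $bundle holds $keys private key block(s); the key belongs only in --certs-server-key"
        rc=1
    fi
    if [ "$certs" -lt 1 ]; then
        echo "FAIL: $bundle holds no CERTIFICATE block"
        rc=1
    fi
    [ "$rc" -eq 0 ] && echo "OK: $bundle holds $certs certificate(s) and no private key"
    return "$rc"
}

# verify_chain BUNDLE CERT -> the same test katello-certs-check reports as
# "Checking CA bundle against the certificate file" (needs openssl on PATH)
verify_chain() {
    openssl verify -CAfile "$1" "$2"
}

# pem_block LABEL TEXT -> one PEM-shaped block with a placeholder body
# (constructed for the dry run; not real DER, only the markers matter here)
pem_block() {
    printf -- '-----BEGIN %s-----\n%s\n-----END %s-----\n' "$1" "$2" "$1"
}

# write_constructed_bundles DIR -> good_bundle.pem (root + sub-CA only) and
# bad_bundle.pem (the mistake from the thread: root + sub-CA + server key)
write_constructed_bundles() {
    { pem_block CERTIFICATE PLACEHOLDER-ROOT-CA
      pem_block CERTIFICATE PLACEHOLDER-SUB-CA; } > "$1/good_bundle.pem"
    { cat "$1/good_bundle.pem"
      pem_block 'RSA PRIVATE KEY' PLACEHOLDER-SERVER-KEY; } > "$1/bad_bundle.pem"
}

# Usage: sh check_bundle.sh /root/foreman_cert/ca_cert_bundle.pem
if [ -n "${1:-}" ]; then check_ca_bundle "$1"; fi
```

Run verify_chain on the bundle and the server certificate afterwards to confirm the chain actually reaches a root, which the grep-based check alone cannot tell you.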

thanks, I will remove it :slight_smile: