Any thoughts how to update the SSL certificates that are needed for the web access?
Tried these steps Foreman :: Replacing Foreman's web SSL certificate. but its unclear what I have to renew
Hi @gkardara
Please have a look at the docs: Renewing the SSL certificate in Administering Foreman. There's also Configuring Foreman server with a custom SSL certificate in Installing Foreman+Katello Server.
Many thanks, will try and inform
Tried, but I can't find any pem files…
In the file /etc/httpd/conf.d/05-foreman-ssl.conf I have the following:
SSLEngine on
SSLCertificateFile "/etc/pki/katello/certs/katello-apache.crt"
SSLCertificateKeyFile "/etc/pki/katello/private/katello-apache.key"
SSLCertificateChainFile "/etc/pki/katello/certs/katello-server-ca.crt"
SSLVerifyClient optional
SSLVerifyDepth 3
SSLCACertificateFile "/etc/pki/katello/certs/katello-default-ca.crt"
SSLOptions +StdEnvVars +ExportCertData
What do you want to update the certificates with if you don't have any files? What do you have?
According to the config file, I have the following:
SSLCertificateFile "/etc/pki/katello/certs/katello-apache.crt"
SSLCertificateKeyFile "/etc/pki/katello/private/katello-apache.key"
SSLCertificateChainFile "/etc/pki/katello/certs/katello-server-ca.crt"
Yes. Those are the current files. With what do you want to update them?
The http certificate for the web is about to expire and I need to update it with a new one.
Following the instructions,
I have
Now I need the bundle pack and to run the installer again?
Now you send the certificate request in foreman_cert_csr.pem
to your CA and get it signed.
done, and run the next step to validate.
It seems that the bundle is messed up.
katello-certs-check \
-c /root/foreman_cert/foreman_cert.pem \
-k /root/foreman_cert/foreman_cert_key.pem \
-b /root/foreman_cert/ca_cert_bundle.pem
Checking server certificate encoding:
[OK]
unable to load certificate
140280417765184:error:0D0680A8:asn1 encoding routines:asn1_check_tlen:wrong tag:crypto/asn1/tasn_dec.c:1149:
140280417765184:error:0D07803A:asn1 encoding routines:asn1_item_embed_d2i:nested asn1 error:crypto/asn1/tasn_dec.c:309:Type=X509_CINF
140280417765184:error:0D08303A:asn1 encoding routines:asn1_template_noexp_d2i:nested asn1 error:crypto/asn1/tasn_dec.c:646:Field=cert_info, Type=X509
140280417765184:error:0906700D:PEM routines:PEM_ASN1_read_bio:ASN1 lib:crypto/pem/pem_oth.c:33:
date: invalid date '+%Y%m%d%H%M%S'
Checking expiration of certificate:
[OK]
Checking expiration of CA bundle:
[FAIL]
The CA bundle '/root/foreman_cert/ca_cert_bundle.pem' has already expired on:
Checking if server certificate has CA:TRUE flag
[OK]
Checking for private key passphrase:
[OK]
Checking to see if the private key matches the certificate:
[OK]
Checking CA bundle against the certificate file:
[FAIL]
The /root/foreman_cert/ca_cert_bundle.pem does not verify the /root/foreman_cert/foreman_cert.pem
Error loading file /root/foreman_cert/ca_cert_bundle.pem
Checking CA bundle size: 1
[OK]
Checking Subject Alt Name on certificate
[OK]
Checking if any Subject Alt Name on certificate matches the Subject CN
[OK]
Checking Key Usage extension on certificate for Key Encipherment
[OK]
Checking for use of shortname as CN
[OK]
So get the right bundle from your CA containing the chain for your certificate.
I created the ca_cert_bundle.pem file again, in which I included the root + subca + server key,
then it worked.
The next step as per the instructions is to run:
foreman-installer --scenario katello \
--certs-server-cert "/root/foreman_cert/foreman_cert.pem" \
--certs-server-key "/root/foreman_cert/foreman_cert_key.pem" \
--certs-server-ca-cert "/root/foreman_cert/ca_cert_bundle.pem" \
--certs-update-server --certs-update-server-ca
katello-certs-check -t foreman -b /root/foreman_cert/ca_cert_bundle.pem -c /root/foreman_cert/foreman_cert.pem -k /root/foreman_cert/foreman_cert_key.pem
Checking server certificate encoding:
[OK]
Checking expiration of certificate:
[OK]
Checking expiration of CA bundle:
[OK]
Checking if server certificate has CA:TRUE flag
[OK]
Checking for private key passphrase:
[OK]
Checking to see if the private key matches the certificate:
[OK]
Checking CA bundle against the certificate file:
[OK]
Checking CA bundle size: 3
[OK]
Checking Subject Alt Name on certificate
[OK]
Checking if any Subject Alt Name on certificate matches the Subject CN
[OK]
Checking Key Usage extension on certificate for Key Encipherment
[OK]
Checking for use of shortname as CN
[OK]
Validation succeeded
To install the Katello server with the custom certificates, run:
foreman-installer --scenario katello \
--certs-server-cert "/root/foreman_cert/foreman_cert.pem" \
--certs-server-key "/root/foreman_cert/foreman_cert_key.pem" \
--certs-server-ca-cert "/root/foreman_cert/ca_cert_bundle.pem"
To update the certificates on a currently running Katello installation, run:
foreman-installer --scenario katello \
--certs-server-cert "/root/foreman_cert/foreman_cert.pem" \
--certs-server-key "/root/foreman_cert/foreman_cert_key.pem" \
--certs-server-ca-cert "/root/foreman_cert/ca_cert_bundle.pem" \
--certs-update-server --certs-update-server-ca
To use them inside a NEW $FOREMAN_PROXY, rerun this command with -t foreman-proxy
The server key belongs only in the server key file, not in the CA file. The CA file contains certificates and thus can be publicly readable, while the server key is the private key, which must be protected.
--certs-server-cert is for the server certificate.
--certs-server-key is for the server private key.
--certs-server-ca-cert contains the CA certificates to build the chain from the server certificate to a root CA.
The server key must be protected and should only be readable by root. Certificates are public and can be readable for anyone.
OK, thanks. The system is internal, not reachable from the internet.
It doesn't matter: putting the server key into the CA bundle is wrong. You should never do it. It has no purpose there except potentially exposing the server key.
The CA bundle contains a list of CA certificates. Nothing else. No server certificate nor any server key.
You should not do it. And you shouldn't suggest it even if it may not be an issue in your setup. Someone reads it here and follows it and never thinks about it, and all of a sudden the key is exposed…
thanks, I will remove it
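The three bundle states that come up in this thread (a bundle with only the root, so the chain cannot be built; a bundle with the server key pasted in, which is the "asn1 ... wrong tag" that katello-certs-check tripped over; and the correct root + sub CA bundle) can be reproduced and checked locally with plain openssl. The script below is an added example, not code from the thread or from the Foreman/Katello project. It assumes the openssl CLI is installed; the hostname foreman.example.com, the CA names and all file names are constructed for the demo. It generates a throwaway root -> sub CA -> server chain, builds the three bundles, and runs a check_bundle function that refuses any bundle containing a non-certificate PEM block before doing the expiry, key-match and chain checks that the tool itself performs.

```shell
#!/bin/sh
# Added example (not from the thread or the Foreman project): build a throwaway
# PKI with openssl and check CA bundles the way katello-certs-check does.
# All names, paths and the hostname foreman.example.com are assumptions.
set -u

WORK=$(mktemp -d)
CFG="$WORK/openssl.cnf"

cat > "$CFG" <<'EOF'
[req]
distinguished_name = dn
[dn]
[v3_ca]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
[v3_server]
basicConstraints = CA:FALSE
keyUsage = digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth
subjectAltName = DNS:foreman.example.com
EOF

# issue NAME SUBJECT ISSUER EXTSECTION: new key + CSR, signed by ISSUER.
issue() {
  openssl req -new -newkey rsa:2048 -nodes -config "$CFG" -subj "$2" \
    -keyout "$WORK/$1.key" -out "$WORK/$1.csr" 2>/dev/null
  openssl x509 -req -in "$WORK/$1.csr" -CA "$WORK/$3.crt" -CAkey "$WORK/$3.key" \
    -CAcreateserial -days 365 -extfile "$CFG" -extensions "$4" \
    -out "$WORK/$1.crt" 2>/dev/null
}

# Constructed demo PKI: root CA -> sub CA -> server cert, plus three bundles.
setup_demo_pki() {
  openssl req -x509 -newkey rsa:2048 -nodes -days 365 -config "$CFG" \
    -subj "/CN=Example Root CA" -extensions v3_ca \
    -keyout "$WORK/root.key" -out "$WORK/root.crt" 2>/dev/null
  issue subca  "/CN=Example Sub CA"      root  v3_ca
  issue server "/CN=foreman.example.com" subca v3_server
  cat "$WORK/subca.crt" "$WORK/root.crt" > "$WORK/good_bundle.pem"   # root + sub CA
  cp  "$WORK/root.crt" "$WORK/short_bundle.pem"                       # root only
  cat "$WORK/good_bundle.pem" "$WORK/server.key" > "$WORK/bad_bundle.pem" # key pasted in
}

# check_bundle BUNDLE CERT KEY: returns 0 only if BUNDLE is a pure CA chain
# that verifies CERT and KEY is CERT's private key.
check_bundle() {
  bundle=$1; cert=$2; key=$3; tmp=$(mktemp -d)

  # 1. Only certificate blocks are allowed: a private key (or CSR) in the
  #    bundle is both a parse error and a leak of the key into a public file.
  if grep -v '^-----BEGIN CERTIFICATE-----$' "$bundle" | grep -q '^-----BEGIN '; then
    echo "FAIL: $bundle contains a non-certificate PEM block (private key?)" >&2
    return 1
  fi

  # 2. Split the bundle; every member must parse and carry CA:TRUE.
  awk -v d="$tmp" '/-----BEGIN CERTIFICATE-----/{n++} n>0{print > (d "/ca" n ".pem")}' "$bundle"
  n=0
  for f in "$tmp"/ca*.pem; do
    n=$((n + 1))
    openssl x509 -noout -text -in "$f" 2>/dev/null | grep -q 'CA:TRUE' \
      || { echo "FAIL: block $n of $bundle is not a CA certificate" >&2; return 1; }
  done
  echo "bundle size: $n"

  # 3. Neither the server cert nor any CA may be expired (or expire within 30 days).
  for f in "$cert" "$tmp"/ca*.pem; do
    openssl x509 -noout -checkend 2592000 -in "$f" >/dev/null \
      || { echo "FAIL: $f is expired or expires within 30 days" >&2; return 1; }
  done

  # 4. The private key must belong to the certificate.
  [ "$(openssl x509 -noout -pubkey -in "$cert")" = "$(openssl pkey -pubout -in "$key")" ] \
    || { echo "FAIL: $key does not match $cert" >&2; return 1; }

  # 5. The bundle must chain the server cert up to a root it contains.
  openssl verify -CAfile "$bundle" "$cert" >/dev/null 2>&1 \
    || { echo "FAIL: $bundle does not verify $cert (missing intermediate?)" >&2; return 1; }

  echo "OK: $cert chains to a root in $bundle and matches $key"
}

setup_demo_pki
for b in good_bundle short_bundle bad_bundle; do
  echo "== $b"
  check_bundle "$WORK/$b.pem" "$WORK/server.crt" "$WORK/server.key" || true
done
```

Run as-is and only good_bundle passes: short_bundle gets through the size and expiry checks with a bundle size of 1 and then fails chain verification, exactly the pattern the first katello-certs-check run showed, while bad_bundle is rejected at step 1 before openssl ever tries to parse the key as a certificate. Point check_bundle at the real /root/foreman_cert files to get the same verdict the installer's own check would give, and keep the key file root-only (chmod 600) whichever way the check comes out.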