Foreman Web UI SSL certs error

Problem:
I have installed Foreman 3.6.1 without Katello, and just using default certificates. I now want to change the Web UI to use a valid cert, but I get errors when changing it. When I run:

foreman-installer \
  --foreman-server-ssl-cert /etc/ssl/certs/foreman.domain.local-cert.pem \
  --foreman-server-ssl-key /etc/ssl/certs/foreman.domain.local-key.pem \
  --foreman-server-ssl-chain /etc/ssl/certs/domainca.pem \
  --foreman-websockets-ssl-cert /etc/ssl/certs/foreman.domain.local-cert.pem \
  --foreman-websockets-ssl-key /etc/ssl/certs/foreman.domain.local-key.pem

I get the following error:

2023-05-24 16:27:23 [NOTICE] [root] Loading installer configuration. This will take some time.
2023-05-24 16:27:26 [NOTICE] [root] Running installer with log based terminal output at level NOTICE.
2023-05-24 16:27:26 [NOTICE] [root] Use -l to set the terminal output log level to ERROR, WARN, NOTICE, INFO, or DEBUG. See --full-help for definitions.
2023-05-24 16:27:30 [NOTICE] [configure] Starting system configuration.
2023-05-24 16:27:37 [NOTICE] [configure] 250 configuration steps out of 1265 steps complete.
2023-05-24 16:27:37 [NOTICE] [configure] 500 configuration steps out of 1269 steps complete.
2023-05-24 16:27:37 [NOTICE] [configure] 750 configuration steps out of 1274 steps complete.
2023-05-24 16:27:58 [NOTICE] [configure] 1000 configuration steps out of 1274 steps complete.
2023-05-24 16:27:59 [NOTICE] [configure] 1250 configuration steps out of 1470 steps complete.
2023-05-24 16:28:17 [ERROR ] [configure] /Stage[main]/Foreman::Register/Foreman_host[foreman-foreman--01.domain.local]: Could not evaluate: Exception SSL_connect returned=1 errno=0 state=error: certificate verify failed (unable to get local issuer certificate) in get request to: https://foreman--01.domain.local/api/v2/hosts?search=name%3D%22foreman--01.domain.local%22
2023-05-24 16:28:17 [ERROR ] [configure] Wrapped exception:
2023-05-24 16:28:17 [ERROR ] [configure] SSL_connect returned=1 errno=0 state=error: certificate verify failed (unable to get local issuer certificate)
2023-05-24 16:28:19 [NOTICE] [configure] System configuration has finished.
 
  There were errors detected during install.
  Please address the errors and re-run the installer to ensure the system is properly configured.
  Failing to do so is likely to result in broken functionality

It does seem to load the certificate OK, though: I can then browse to the Foreman UI, and it has loaded my valid certificate. I’ve also tried adding settings like --puppet-server-foreman-ssl-ca /etc/pki/tls/certs/ca-bundle.crt or --foreman-client-ssl-ca, but I get the same error.

Expected outcome:

I would expect the certificate and CA to change in the web UI without breaking foreman-installer.

Foreman and Proxy versions:
3.6.1 without Katello
Distribution and version:
AlmaLinux 8.7

Where did you find that command? Why didn’t you use the command from the docs? Installing Foreman 3.6 Server with Katello 4.8 Plugin on RHEL/CentOS
Even though it’s the Katello docs, I think the installer should still have the certs module and you should still be able to use those options. That would set it up properly everywhere it should be set up.

Please note that, having run that command, the next foreman-installer run will probably pick up those settings, and so will every run after it. Omitting an option doesn’t reset it. See the help to find out how to reset those.

From the error message it looks as if the chain isn’t included in domainca.pem as it’s not possible to verify the certificate to a trusted root.

I got these instructions from the quickinstall options list here: Foreman :: Manual, and also from this post: Change Foreman web SSL certificate - #17 by romgo

I didn’t see anywhere in the EL8 documentation about using custom certs. It looks like the installer options are named quite a bit differently for the non-Katello installer. I’m really wondering at this point whether we should have just installed Katello. But we already have quite a few hosts registered that we are managing, so we would somehow have to backup/restore all those.

It’s in the katello docs, which I have linked above.

So you have checked and there are no --certs configuration options for foreman-installer? I don’t know, but I somehow thought the certs module would be universal. I may be wrong. The options aren’t named differently. Katello mostly has additional options.

Either way, did you check the chain file? The error says that something is wrong about it.

I just checked and there are no --certs options with the foreman-installer that comes without Katello. I tried running this with my own cert paths and it just says the options are not there:

  foreman-installer \
    --certs-server-cert "/root/foreman_cert/foreman_cert.pem" \
    --certs-server-key "/root/foreman_cert/foreman_cert_key.pem" \
    --certs-server-ca-cert "/root/foreman_cert/ca_cert_bundle.pem"

It’s possible I’m using the wrong SSL chain. I’ll check with my certificate provider and get back to you.

Interesting. So it must be a katello module. Too bad.

I’d rather check with “openssl verify”.

Do you know what openssl verify command I can use?
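The replies above say the chain file is probably incomplete and suggest checking with "openssl verify". The script below is an added example, not from any participant in this thread or from the Foreman project: it builds a throwaway root CA, an intermediate, and a server certificate (all names, including foreman-01.example.test, are constructed), then runs openssl verify three ways. The first two succeed because the intermediate is reachable; the third leaves the intermediate out and reproduces the exact "unable to get local issuer certificate" text from the installer log. It also prints the subject and issuer of each certificate in the chain file, which is the quickest way to see whether each issuer matches the next certificate's subject.

```sh
#!/bin/sh
# Added example (not from the thread): build a throwaway root -> intermediate
# -> server chain with openssl, then show what `openssl verify` reports when
# the intermediate is and is not available. All names are constructed.
set -eu

WORK="$(mktemp -d)"
trap 'rm -rf "$WORK"' EXIT
HOST="foreman-01.example.test"   # constructed hostname, not the poster's

# Minimal openssl config so the example does not depend on a system openssl.cnf
cat > "$WORK/openssl.cnf" <<EOF
[req]
distinguished_name = dn
prompt = no
[dn]
CN = placeholder
[v3_ca]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
[v3_int]
basicConstraints = critical, CA:TRUE, pathlen:0
keyUsage = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid
[v3_leaf]
basicConstraints = CA:FALSE
keyUsage = critical, digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth
subjectAltName = DNS:$HOST
EOF

make_chain() {
  # Self-signed root CA
  openssl req -x509 -config "$WORK/openssl.cnf" -extensions v3_ca \
    -newkey rsa:2048 -nodes -sha256 -days 2 -subj "/CN=Example Root CA" \
    -keyout "$WORK/root.key" -out "$WORK/root.pem" 2>/dev/null
  # Intermediate CA signed by the root
  openssl req -new -config "$WORK/openssl.cnf" -newkey rsa:2048 -nodes -sha256 \
    -subj "/CN=Example Issuing CA" -keyout "$WORK/int.key" -out "$WORK/int.csr" 2>/dev/null
  openssl x509 -req -sha256 -days 2 -in "$WORK/int.csr" \
    -CA "$WORK/root.pem" -CAkey "$WORK/root.key" -CAcreateserial \
    -extfile "$WORK/openssl.cnf" -extensions v3_int -out "$WORK/int.pem" 2>/dev/null
  # Server (leaf) certificate signed by the intermediate
  openssl req -new -config "$WORK/openssl.cnf" -newkey rsa:2048 -nodes -sha256 \
    -subj "/CN=$HOST" -keyout "$WORK/server.key" -out "$WORK/server.csr" 2>/dev/null
  openssl x509 -req -sha256 -days 2 -in "$WORK/server.csr" \
    -CA "$WORK/int.pem" -CAkey "$WORK/int.key" -CAcreateserial \
    -extfile "$WORK/openssl.cnf" -extensions v3_leaf -out "$WORK/server.pem" 2>/dev/null
  # Chain file the way a CA usually hands it over: intermediate first, root last
  cat "$WORK/int.pem" "$WORK/root.pem" > "$WORK/chain.pem"
}

# Number of PEM certificates in a bundle. A "chain" file holding only one
# certificate cannot carry an intermediate.
cert_count() {
  grep -c 'BEGIN CERTIFICATE' "$1" || true
}

# Subject and issuer of every certificate in a bundle, in file order, so you
# can check that each issuer is the subject of the next certificate.
describe_chain() {
  openssl crl2pkcs7 -nocrl -certfile "$1" | openssl pkcs7 -print_certs -noout
}

# Run openssl verify. $1 = trusted anchors (-CAfile), $2 = untrusted
# intermediates (-untrusted; pass "" for none), $3 = leaf. Prints the verdict
# and never aborts the script, so the failure text can be inspected.
verify_msg() {
  if [ -n "$2" ]; then
    openssl verify -CAfile "$1" -untrusted "$2" "$3" 2>&1 || true
  else
    openssl verify -CAfile "$1" "$3" 2>&1 || true
  fi
}

make_chain
echo "## chain.pem holds $(cert_count "$WORK/chain.pem") certificates:"
describe_chain "$WORK/chain.pem"
echo "## leaf verified with the root as anchor and the intermediate as untrusted:"
verify_msg "$WORK/root.pem" "$WORK/int.pem" "$WORK/server.pem"
echo "## leaf verified against the full chain file alone:"
verify_msg "$WORK/chain.pem" "" "$WORK/server.pem"
echo "## leaf verified with the intermediate missing (the installer's symptom):"
verify_msg "$WORK/root.pem" "" "$WORK/server.pem"
```

To apply this to the real files from the first post, point cert_count and describe_chain at the chain file given to --foreman-server-ssl-chain and run verify_msg with the system trust store as the anchor (for example -CAfile /etc/pki/tls/certs/ca-bundle.crt on EL8) and the chain file as -untrusted against the server certificate; if that prints "unable to get local issuer certificate", the intermediate that signed the leaf is not in the chain file. Against the running server, openssl s_client -connect <host>:443 -showcerts </dev/null shows which certificates Apache is actually sending. Note that the installer's error comes from its own HTTPS request to the Foreman API, so the certificate has to verify from the installer's point of view, not only in a browser that already trusts the CA. Since the installer remembers options from earlier runs, as noted above, check foreman-installer --full-help for the --reset-<option> forms before retrying with different paths.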