Foreman Web UI SSL certs error

Problem:
I have installed Foreman 3.6.1 without Katello, and just using default certificates. I now want to change the Web UI to use a valid cert, but I get errors when changing it. When I run:

foreman-installer \
  --foreman-server-ssl-cert /etc/ssl/certs/foreman.domain.local-cert.pem \
  --foreman-server-ssl-key /etc/ssl/certs/foreman.domain.local-key.pem \
  --foreman-server-ssl-chain /etc/ssl/certs/domainca.pem \
  --foreman-websockets-ssl-cert /etc/ssl/certs/foreman.domain.local-cert.pem \
  --foreman-websockets-ssl-key /etc/ssl/certs/foreman.domain.local-key.pem

I get the following error:

2023-05-24 16:27:23 [NOTICE] [root] Loading installer configuration. This will take some time.
2023-05-24 16:27:26 [NOTICE] [root] Running installer with log based terminal output at level NOTICE.
2023-05-24 16:27:26 [NOTICE] [root] Use -l to set the terminal output log level to ERROR, WARN, NOTICE, INFO, or DEBUG. See --full-help for definitions.
2023-05-24 16:27:30 [NOTICE] [configure] Starting system configuration.
2023-05-24 16:27:37 [NOTICE] [configure] 250 configuration steps out of 1265 steps complete.
2023-05-24 16:27:37 [NOTICE] [configure] 500 configuration steps out of 1269 steps complete.
2023-05-24 16:27:37 [NOTICE] [configure] 750 configuration steps out of 1274 steps complete.
2023-05-24 16:27:58 [NOTICE] [configure] 1000 configuration steps out of 1274 steps complete.
2023-05-24 16:27:59 [NOTICE] [configure] 1250 configuration steps out of 1470 steps complete.
2023-05-24 16:28:17 [ERROR ] [configure] /Stage[main]/Foreman::Register/Foreman_host[foreman-foreman--01.domain.local]: Could not evaluate: Exception SSL_connect returned=1 errno=0 state=error: certificate verify failed (unable to get local issuer certificate) in get request to: https://foreman--01.domain.local/api/v2/hosts?search=name%3D%22foreman--01.domain.local%22
2023-05-24 16:28:17 [ERROR ] [configure] Wrapped exception:
2023-05-24 16:28:17 [ERROR ] [configure] SSL_connect returned=1 errno=0 state=error: certificate verify failed (unable to get local issuer certificate)
2023-05-24 16:28:19 [NOTICE] [configure] System configuration has finished.

  There were errors detected during install.
  Please address the errors and re-run the installer to ensure the system is properly configured.
  Failing to do so is likely to result in broken functionality

It seems to load the certificate OK, though, as I can then browse to the Foreman UI and it has loaded my valid certificate. I’ve also tried adding settings like --puppet-server-foreman-ssl-ca /etc/pki/tls/certs/ca-bundle.crt or --foreman-client-ssl-ca, but I get the same error.

Expected outcome:

I would expect the certificates and CA to change in the web UI without breaking the foreman-installer.

Foreman and Proxy versions:
3.6.1 without Katello
Distribution and version:
AlmaLinux 8.7

Where did you find that command? Why didn’t you use the command from the docs? Installing Foreman Server with Katello 4.8 Plugin on CentOS/RHEL
Even though it’s the Katello docs, I think the installer should still have the certs module and you should still be able to use those options. That would set it up properly everywhere it should be set up.

Please note that, after running that command, the next foreman-installer run will probably pick up those settings, and so will every run after it. Omitting an option doesn’t reset it. See the help to find out how to reset those.

From the error message it looks as if the chain isn’t included in domainca.pem as it’s not possible to verify the certificate to a trusted root.

I got these instructions from the quickinstall options list here: Foreman :: Manual, and also this post: Change Foreman web SSL certificate - #17 by romgo

I didn’t see anywhere in the EL8 documentation about using custom certs. It looks like the installer options are named quite a bit differently for the non-Katello installer. I’m really wondering at this point if we should have just installed Katello. But we already have quite a few hosts registered that we are managing, so we would somehow have to back up/restore all of those.

It’s in the katello docs, which I have linked above.

So you have checked and there are no --certs configuration options for foreman-installer? I don’t know, but I somehow thought the certs module would be universal. I may be wrong. The options aren’t named differently. Katello mostly has additional options.

Either way, did you check the chain file? The error says that something is wrong about it.

I just checked and there are no --certs options with the foreman-installer that comes without Katello. I tried running this with my own cert paths and it just says the options are not there:

  foreman-installer \
    --certs-server-cert "/root/foreman_cert/foreman_cert.pem" \
    --certs-server-key "/root/foreman_cert/foreman_cert_key.pem" \
    --certs-server-ca-cert "/root/foreman_cert/ca_cert_bundle.pem"

It’s possible I’m using the wrong SSL chain. I’ll check with my certificate provider and get back to you.

Interesting. So it must be a katello module. Too bad.

I’d rather check with “openssl verify”.

Do you know what openssl verify command I can use?
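As an added example, not posted by anyone in this thread and not Foreman project code, this is what the openssl verify check suggested above looks like in practice. So that it runs offline, it first builds a constructed root CA, intermediate CA and server certificate for the made-up name foreman.example.test (all names and file names are assumptions), then shows that a chain file holding intermediate plus root verifies the server certificate, while a file holding only the intermediate fails in the same "unable to get issuer certificate" family as the installer error, and finally checks that the key file really belongs to the certificate.

```shell
#!/bin/sh
# Added example (not from this thread or the Foreman project). Builds a throwaway
# root -> intermediate -> server certificate for the constructed name
# foreman.example.test, then runs the checks that tell a complete chain file from an
# incomplete one before the files are handed to foreman-installer.
set -eu

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# Minimal req config so the demo does not depend on the system openssl.cnf.
printf '[req]\ndistinguished_name = dn\n[dn]\n' > "$WORK/req.cnf"

# new_key_and_csr DIR NAME SUBJECT: private key plus CSR, nothing else.
new_key_and_csr() {
  openssl req -config "$1/req.cnf" -new -newkey rsa:2048 -nodes -sha256 \
    -subj "$3" -keyout "$1/$2.key" -out "$1/$2.csr" 2>/dev/null
}

# make_demo_pki DIR: writes root.pem, int.pem, server.pem/server.key and two candidate
# chain files: chain-full.pem (intermediate + root) and chain-intermediate-only.pem.
make_demo_pki() {
  d=$1
  new_key_and_csr "$d" root   "/CN=Demo Root CA"
  new_key_and_csr "$d" int    "/CN=Demo Intermediate CA"
  new_key_and_csr "$d" server "/CN=foreman.example.test"
  printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' > "$d/ca.ext"
  printf 'basicConstraints=CA:FALSE\nsubjectAltName=DNS:foreman.example.test\n' > "$d/server.ext"
  # self-signed root
  openssl x509 -req -sha256 -days 2 -in "$d/root.csr" -signkey "$d/root.key" \
    -extfile "$d/ca.ext" -out "$d/root.pem" 2>/dev/null
  # intermediate signed by the root
  openssl x509 -req -sha256 -days 2 -in "$d/int.csr" -CA "$d/root.pem" -CAkey "$d/root.key" \
    -CAcreateserial -extfile "$d/ca.ext" -out "$d/int.pem" 2>/dev/null
  # server certificate signed by the intermediate
  openssl x509 -req -sha256 -days 2 -in "$d/server.csr" -CA "$d/int.pem" -CAkey "$d/int.key" \
    -CAcreateserial -extfile "$d/server.ext" -out "$d/server.pem" 2>/dev/null
  # what a usable chain/CA file looks like: intermediate first, root last
  cat "$d/int.pem" "$d/root.pem" > "$d/chain-full.pem"
  # the mistake suspected in the thread: only the intermediate, no trusted root to stop at
  cp "$d/int.pem" "$d/chain-intermediate-only.pem"
}

# chain_reaches_root CHAIN_FILE LEAF: succeeds only if LEAF verifies all the way to a
# self-signed root using nothing but CHAIN_FILE. An intermediate-only file fails here
# with "unable to get issuer certificate", the same family of error the installer logged.
chain_reaches_root() {
  openssl verify -CAfile "$1" "$2" >/dev/null 2>&1
}

# key_matches_cert KEY CERT: the ssl-key option must hold the private key of the ssl-cert,
# so the public key derived from each must be identical.
key_matches_cert() {
  [ "$(openssl x509 -noout -pubkey -in "$2")" = "$(openssl pkey -pubout -in "$1")" ]
}

make_demo_pki "$WORK"

if chain_reaches_root "$WORK/chain-full.pem" "$WORK/server.pem"; then
  echo "chain-full.pem: server cert verifies up to the root"
fi
if ! chain_reaches_root "$WORK/chain-intermediate-only.pem" "$WORK/server.pem"; then
  echo "chain-intermediate-only.pem: verification fails, openssl says:"
  openssl verify -CAfile "$WORK/chain-intermediate-only.pem" "$WORK/server.pem" 2>&1 | sed 's/^/  /'
fi
if key_matches_cert "$WORK/server.key" "$WORK/server.pem"; then
  echo "server.key belongs to server.pem"
fi
```

Against the real files from the first post the same two checks are openssl verify -CAfile /etc/ssl/certs/domainca.pem /etc/ssl/certs/foreman.domain.local-cert.pem and the key comparison above; if the first one only passes with -partial_chain added, domainca.pem stops at an intermediate and the client has no trusted root to end at. For the running server, openssl s_client -connect foreman--01.domain.local:443 -CAfile /etc/ssl/certs/domainca.pem </dev/null prints the chain Apache actually sends together with the verify result, which is what the installer's API client sees.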

As already mentioned in this thread, the “certs” module is only available when using Katello, as such the corresponding --certs options are missing otherwise.

Is the procedure to use custom SSL certificates for the webserver documented somewhere ?

There are a few documents that give overviews. Be mindful that a few options have changed since the first discussions on this (~2015), but as a general rule these are the options you’re interested in:

--foreman-websockets-ssl-cert= where your custom cert is
--foreman-websockets-ssl-key= where your custom key is
--foreman-server-ssl-cert= where your custom cert is
--foreman-server-ssl-chain= where your intermediate cert is if you have one / use one
--foreman-server-ssl-key= where your custom cert key is
--puppet-server-foreman-ssl-ca= what CA the puppet server should use to interact with foreman (NOT the CA used to sign / manage puppetserver/agent certificates)


@ikonia I saved the foreman-installer help into a file, however I can’t see any of the --foreman-server-ssl-* arguments available (this is Foreman 3.13 without Katello):

The command grep "\-ssl\-cert" foreman-installer.help returns:

    --foreman-plugin-puppetdb-ssl-certificate     Certificate file which will be used to connect to the PuppetDB API. (current: "/etc/puppetlabs/puppet/ssl/certs/fqdn.foobar.pem")
    --foreman-proxy-foreman-ssl-cert              SSL client certificate used when accessing the Foreman API
    --foreman-proxy-puppet-ssl-cert               SSL certificate used when accessing the Puppet master API (current: "/etc/puppetlabs/puppet/ssl/certs/sas-internal-puppet-prod-1.c.sas-swiss-aviation-software.internal.pem")
    --foreman-proxy-ssl-cert                      SSL certificate to be used to run the foreman proxy via https. (current: "/etc/puppetlabs/puppet/ssl/certs/sas-internal-puppet-prod-1.foobar.pem")

The --foreman-websockets options are also missing.

Use --full-help.

[root@jarvis prod]# foreman-installer --full-help | grep -i socket
    --foreman-websockets-encrypt                                                 Whether to encrypt websocket connections (current: true)
    --reset-foreman-websockets-encrypt                                           Reset websockets_encrypt to the default value (true)
    --foreman-websockets-ssl-cert                                                SSL certificate file to use when encrypting websocket connections (current: "/etc/pki/tls/certs/star.no-dns.co.uk.crt")
    --reset-foreman-websockets-ssl-cert                                          Reset websockets_ssl_cert to the default value (UNDEF)
    --foreman-websockets-ssl-key                                                 SSL key file to use when encrypting websocket connections (current: "/etc/pki/tls/private/star.no-dns.co.uk.key")
    --reset-foreman-websockets-ssl-key                                           Reset websockets_ssl_key to the default value (UNDEF)

@ikonia Thank you this actually worked perfectly, I got a successful puppet agent run on a registered host just for double checking. My browser now displays the connection as “secure” when logging into the web UI.


great work