Foreman with Letsencrypt for internal UI only, not working with internal Step-CA ACME server

Hello guys,

I tried to switch my Foreman server to LetsEncrypt but I’m using an internal ACME server working just like letsencrypt.org but with an internal PKI.

Certbot stuff is working and validated, then I followed the following documentation to fix the Foreman config using foreman-installer:

It always breaks with:

2022-05-30 21:17:41 [ERROR ] [configure] /Stage[main]/Foreman::Register/Foreman_host[foreman-puppet.domain.internal]: Could not evaluate: Exception SSL_connect returned=1 errno=0 state=error: certificate verify failed (unable to get issuer certificate) in get request to: https://puppet.domain.internal/api/v2/hosts?search=name%3D%22puppet.domain.internal%22
2022-05-30 21:17:41 [ERROR ] [configure] Wrapped exception:
2022-05-30 21:17:41 [ERROR ] [configure] SSL_connect returned=1 errno=0 state=error: certificate verify failed (unable to get issuer certificate)
2022-05-30 21:17:41 [INFO  ] [configure] /Stage[main]/Foreman::Register/Foreman_instance_host[foreman-puppet.domain.internal]: Dependency Foreman_host[foreman-puppet.domain.internal] has failures: true

However, this certificate is valid, and its CA is deployed system-wide:

root@puppet.domain.internal:~# curl --verbose https://puppet.domain.internal
*   Trying 10.1.1.1:443...
* Connected to puppet.domain.internal (10.1.1.1) port 443 (#0)
* ALPN, offering h2
* ALPN, offering http/1.1
* successfully set certificate verify locations:
*  CAfile: /etc/ssl/certs/ca-certificates.crt
*  CApath: /etc/ssl/certs
* TLSv1.3 (OUT), TLS handshake, Client hello (1):
* TLSv1.3 (IN), TLS handshake, Server hello (2):
* TLSv1.3 (IN), TLS handshake, Encrypted Extensions (8):
* TLSv1.3 (IN), TLS handshake, Request CERT (13):
* TLSv1.3 (IN), TLS handshake, Certificate (11):
* TLSv1.3 (IN), TLS handshake, CERT verify (15):
* TLSv1.3 (IN), TLS handshake, Finished (20):
* TLSv1.3 (OUT), TLS change cipher, Change cipher spec (1):
* TLSv1.3 (OUT), TLS handshake, Certificate (11):
* TLSv1.3 (OUT), TLS handshake, Finished (20):
* SSL connection using TLSv1.3 / TLS_AES_256_GCM_SHA384
* ALPN, server accepted to use http/1.1
* Server certificate:
*  subject: [NONE]
*  start date: May 30 18:55:20 2022 GMT
*  expire date: May 30 18:56:20 2023 GMT
*  subjectAltName: host "puppet.domain.internal" matched cert's "puppet.domain.internal"
*  issuer: CN=step-ca.domain.internal
*  SSL certificate verify ok.
[...]

Is it possible that somehow the call being done within foreman-installer is not using the default trusted CAs from the system? Do you have any other ideas?

Thanks in advance!

A lot of places that do SSL calls in the whole ecosystem are pointed to a specific CA file, meaning they ignore the system-wide store. IMHO your best chance is to put your custom CA cert into Foreman’s CA file. OpenSSL typically trusts all certificates it finds in a single file. See also this specific reply Foreman with letsencrypt - #14 by ekohl

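As an added example (not code from this thread or from the Foreman project), the POSIX shell helper below does what the reply suggests: it appends the internal step-ca certificate to a client-specific CA bundle only when it is not already there, keeps a backup so repeated installer runs stay idempotent, and includes an `openssl s_client` check that verifies a host's chain against that file alone, which is how a client pinned to a CA file (rather than the system store) sees the server. It assumes only POSIX sh, awk and grep; openssl is needed just for the network check. The bundle path is a placeholder (the thread does not say which file Foreman uses), and the PEM bodies in the demo are constructed, not real certificates.

```shell
#!/bin/sh
# Added example (not from the thread or the Foreman project): keep an internal
# CA in a client-specific CA bundle, as the reply above suggests.
# Assumes only POSIX sh, awk and grep; openssl is needed only by check_chain.
# Replace /path/to/foreman-ca-bundle.pem (placeholder) with the real bundle path.

# pem_bodies FILE: print one line per certificate in FILE, each line being the
# certificate's base64 body with whitespace stripped. This lets two PEM files
# be compared textually without parsing them with openssl.
pem_bodies() {
  awk '
    /-----BEGIN CERTIFICATE-----/ { inblock = 1; body = ""; next }
    /-----END CERTIFICATE-----/   { if (inblock) print body; inblock = 0; next }
    inblock                       { gsub(/[ \t\r]/, ""); body = body $0 }
  ' "$1"
}

# bundle_has_cert BUNDLE CERT: succeed if the first certificate in CERT is
# already present in BUNDLE (exit 2 if CERT holds no certificate at all).
bundle_has_cert() {
  cert_body=$(pem_bodies "$2" | head -n 1)
  [ -n "$cert_body" ] || return 2
  [ -f "$1" ] && pem_bodies "$1" | grep -qxF -- "$cert_body"
}

# add_ca_to_bundle BUNDLE CERT: append CERT to BUNDLE unless it is already
# there, so a provisioning run that calls this twice does not duplicate the CA.
# Prints "added" or "present" and keeps a timestamped backup of BUNDLE.
add_ca_to_bundle() {
  bundle=$1; cert=$2
  if [ -z "$(pem_bodies "$cert")" ]; then
    echo "add_ca_to_bundle: no certificate found in $cert" >&2
    return 1
  fi
  if bundle_has_cert "$bundle" "$cert"; then
    echo present
    return 0
  fi
  if [ -f "$bundle" ]; then
    cp -p "$bundle" "$bundle.bak.$(date +%Y%m%d%H%M%S)"
    # make sure the existing file ends with a newline before appending a block
    [ -z "$(tail -c 1 "$bundle")" ] || echo >> "$bundle"
  fi
  cat "$cert" >> "$bundle"
  echo added
}

# check_chain HOST BUNDLE: verify HOST's certificate chain using BUNDLE as the
# only trust source. With -CAfile given, s_client does not load the system
# store, which reproduces the "unable to get issuer certificate" situation a
# CA-file-pinned client is in. Needs network access and openssl, so the offline
# demo below does not call it.
check_chain() {
  openssl s_client -connect "$1:443" -servername "$1" -CAfile "$2" </dev/null 2>/dev/null |
    grep -q 'Verify return code: 0 (ok)'
}

# demo: exercise the offline part on constructed PEM data (placeholder bodies,
# not real certificates) in a temporary directory and print both results plus
# the number of certificates left in the bundle.
demo() {
  dir=$(mktemp -d) || return 1
  printf -- '-----BEGIN CERTIFICATE-----\nEXISTINGPUBLICCA\n-----END CERTIFICATE-----\n' > "$dir/bundle.pem"
  printf -- '-----BEGIN CERTIFICATE-----\nINTERNALSTEPCA\n-----END CERTIFICATE-----\n' > "$dir/step-ca.pem"
  first=$(add_ca_to_bundle "$dir/bundle.pem" "$dir/step-ca.pem")
  second=$(add_ca_to_bundle "$dir/bundle.pem" "$dir/step-ca.pem")
  count=$(pem_bodies "$dir/bundle.pem" | wc -l | tr -d ' ')
  rm -rf "$dir"
  echo "$first $second $count"   # expected: "added present 2"
}

if [ "${1:-}" = "--demo" ]; then
  demo
fi
```

Run `sh merge_ca.sh --demo` to see the idempotent append on the constructed data; on a real host, `add_ca_to_bundle /path/to/foreman-ca-bundle.pem /path/to/step-ca-root.pem` followed by `check_chain puppet.domain.internal /path/to/foreman-ca-bundle.pem` tells you whether the bundle the client actually reads can now build the chain, independently of what curl sees through the system store.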