Foreman with letsencrypt

This is for Foreman without Katello. What I’ve done is keep the Puppet CA for internal traffic and use Let’s Encrypt only for the UI.

You’d do something like:

# certbot certonly -d $HOSTNAME --webroot /var/lib/foreman/public
# foreman-installer \
  --foreman-server-ssl-cert /etc/letsencrypt/live/$HOSTNAME/cert.pem \
  --foreman-server-ssl-chain /etc/letsencrypt/live/$HOSTNAME/chain.pem \
  --foreman-server-ssl-key /etc/letsencrypt/live/$HOSTNAME/privkey.pem \
  --foreman-proxy-foreman-ssl-ca /etc/ssl/certs/ca-bundle.crt \
  --puppet-server-foreman-ssl-ca /etc/ssl/certs/ca-bundle.crt

This trusts the entire CA bundle to verify the CA. It would be more secure to only trust the Let’s Encrypt root, but I considered it good enough for my setup.

If you don’t have Puppet, you’d leave off the last argument. Same if you don’t have a foreman-proxy.

Then I also have a deploy hook (cat /etc/letsencrypt/renewal-hooks/deploy/foreman):

#!/bin/bash -e

for domain in $RENEWED_DOMAINS; do
        case $domain in
        my-hostname.example.com)
                systemctl reload httpd
                ;;
        esac
done

On Debian you’d reload apache2 instead of httpd. The CA bundle is also in a different location: /etc/ssl/certs/ca-certificates.crt.

Note my install is a bit older. I’m not sure if certbot still installs certs to /etc/letsencrypt.

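A fuller deploy hook in the same spirit, added here as an example and not taken from the post above: it reloads Apache only when the Foreman host is among the renewed domains, picks httpd or apache2 for the distribution, and before reloading checks that privkey.pem belongs to cert.pem and that the chain validates against a file holding only the Let’s Encrypt root rather than the whole system bundle. FOREMAN_FQDN, LE_ROOT and the root file path are assumptions; RENEWED_DOMAINS and RENEWED_LINEAGE are the variables certbot exports to deploy hooks.

```shell
#!/bin/sh
# Deploy hook for certbot: drop in /etc/letsencrypt/renewal-hooks/deploy/.
set -eu

FOREMAN_FQDN="${FOREMAN_FQDN:-my-hostname.example.com}"            # placeholder host
LE_ROOT="${LE_ROOT:-/etc/pki/tls/certs/letsencrypt-root.pem}"      # assumed path: PEM with only the LE root

# Return 0 if the wanted hostname is among the domains certbot just renewed.
domain_renewed() {
    wanted="$1"; shift
    for d in "$@"; do
        [ "$d" = "$wanted" ] && return 0
    done
    return 1
}

# Apache unit name: httpd on EL-based systems, apache2 on Debian/Ubuntu.
httpd_unit() {
    if [ -e /usr/lib/systemd/system/httpd.service ] || [ -e /etc/systemd/system/httpd.service ]; then
        echo httpd
    else
        echo apache2
    fi
}

# Verify the renewed material before Apache picks it up:
#  1. the public key in cert.pem must equal the one derived from privkey.pem
#     (works for RSA and ECDSA, unlike comparing RSA moduli);
#  2. cert.pem must chain, via chain.pem, to the single root in LE_ROOT.
verify_live() {
    live="$1"
    cert_pub=$(openssl x509 -pubkey -noout -in "$live/cert.pem")
    key_pub=$(openssl pkey -pubout -in "$live/privkey.pem")
    [ "$cert_pub" = "$key_pub" ] || { echo "privkey.pem does not match cert.pem in $live" >&2; return 1; }
    openssl verify -CAfile "$LE_ROOT" -untrusted "$live/chain.pem" "$live/cert.pem" >/dev/null
}

# Word-splitting RENEWED_DOMAINS is intended: certbot passes a space-separated list.
if domain_renewed "$FOREMAN_FQDN" ${RENEWED_DOMAINS:-}; then
    verify_live "${RENEWED_LINEAGE:-/etc/letsencrypt/live/$FOREMAN_FQDN}"
    systemctl reload "$(httpd_unit)"
fi
```

If the key/cert check or the chain check fails, the hook exits non-zero before the reload, so Apache keeps serving the previous, still-valid certificate and certbot reports the hook failure.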