Foreman with letsencrypt

Hi all,

I installed letsencrypt on my Ubuntu 20.04 server and it works.
After I installed Foreman 3.0.1 on the server, letsencrypt doesn't work.

Is there anything else I have to do with Foreman?

Thanks in advance

Regards
Neeloj

1 Like

When I change those two SSLCertificateFile and SSLCertificateKeyFile
keys in apache2 to use letsencrypt certificates, the site is encrypted but Foreman cannot read the reports.

Does anyone have any information or helpful tips :slight_smile:

I think the problem is that our report and ENC script does not trust the CA from the system store. I think in many places we hardcode the CA file. When you pass the specific CA file to the openssh library, it does not look at the system truststore. You can try adding the letsencrypt CA cert to /etc/foreman-proxy/foreman_ssl_ca.pem (or the files listed in /etc/puppetlabs/puppet/foreman.yaml); that could help.

There was another user trying to do something similar with another CA, see [Katello] Setting Up New SSL Certificates and this guide

2 Likes

Thank you @Marek_Hulan,

  • you are right, when I change the config in Apache the https works but the reports don't get updated!

I'll test that and come back :slight_smile:

@Marek_Hulan I don't have a CA file

Can you explain that a little bit more please? I tried something but it doesn't work. Can you maybe add more information?

Thank you @Marek_Hulan

Well, the problem is that the report upload looks into the CA file specified at /etc/puppetlabs/puppet/foreman.yaml. And that contains only the self-signed CA (either Candlepin or Puppet, based on whether you deployed Katello or not). CAs like letsencrypt are typically preinstalled in your system somewhere in /etc/pki. Normally when you use e.g. curl, it trusts all certs signed by the CAs you have installed there. The problem comes when you specify a specific CA cert file to use; in such a case all system certificates are ignored. And that’s what I think happens in your case, because we hardcode the CA file in /etc/puppetlabs/puppet/foreman.yaml. Letsencrypt surely has published their root certificates somewhere, or you could find them somewhere in /etc/pki. If you take that certificate and put it in a single file with the self-signed certificate it should work, because OpenSSL trusts all CA certificates it finds in this file; in this case it would be two, the self-signed and the letsencrypt one.

Typically you just add the certificate with something like cat letsencrypt.pem >> another.pem, which appends it to the end of the file.

2 Likes
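The approach described above (one CA file that holds both the self-signed Foreman/Puppet CA and the Let's Encrypt root, because OpenSSL ignores the system store once an explicit CA file is given) as an added shell example. This is not code from the thread or from the Foreman project; the file paths in the usage comment are the ones mentioned in the thread, and the PEM blocks used for demonstration are constructed placeholders, not real certificates. Unlike a plain `cat >>`, the helper skips blocks that are already present, so running it again (for example from a renewal hook) does not keep growing the file.

```shell
#!/bin/sh
# Added example (not from the thread): append extra CA certificates, e.g. the
# Let's Encrypt root, to the CA file named under :ssl_ca: in
# /etc/puppetlabs/puppet/foreman.yaml, without creating duplicate entries.
set -eu

nl='
'

# Number of PEM certificate blocks in a file (0 if the file does not exist).
count_certs() {
    [ -f "$1" ] || { echo 0; return 0; }
    grep -c -- '-----BEGIN CERTIFICATE-----' "$1" || true
}

# append_ca_if_missing BUNDLE EXTRA
# Copies each certificate block from EXTRA into BUNDLE unless BUNDLE already
# contains a byte-identical block. Prints the number of blocks appended.
append_ca_if_missing() {
    bundle=$1; extra=$2; added=0; block=''; inblock=0
    # Newline-free copy of the bundle so a multi-line block can be matched as one string.
    bundle_flat=$( [ -f "$bundle" ] && tr -d '\n' < "$bundle" || true )
    # Make sure an existing bundle ends with a newline before appending to it,
    # otherwise the last END line and the new BEGIN line would be glued together.
    if [ -s "$bundle" ] && [ -n "$(tail -c 1 "$bundle")" ]; then
        echo >> "$bundle"
    fi
    while IFS= read -r line || [ -n "$line" ]; do
        case $line in
            *"-----BEGIN CERTIFICATE-----"*) inblock=1; block='' ;;
        esac
        [ "$inblock" -eq 1 ] || continue
        block="$block$line$nl"
        case $line in
            *"-----END CERTIFICATE-----"*)
                inblock=0
                flat=$(printf '%s' "$block" | tr -d '\n')
                case $bundle_flat in
                    *"$flat"*) ;;                          # already in the bundle, skip
                    *) printf '%s' "$block" >> "$bundle"
                       bundle_flat="$bundle_flat$flat"
                       added=$((added + 1)) ;;
                esac
                ;;
        esac
    done < "$extra"
    echo "$added"
}

# Usage (paths from the thread; letsencrypt-root.pem is whatever file you saved the root to):
#   ./add-ca.sh /etc/puppetlabs/puppet/ssl/ca/ca_crt.pem letsencrypt-root.pem
if [ "$#" -ge 2 ]; then
    n=$(append_ca_if_missing "$1" "$2")
    echo "appended $n certificate(s); $1 now holds $(count_certs "$1") certificate(s)"
fi
```

Back up the original CA file before the first run; as noted later in the thread, reverting is then just copying it back. Keep in mind that every certificate in this file becomes a trust anchor for the report upload, so add only the root you actually need rather than a whole system bundle.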

Thank you so much, I’ll try your suggestion and I’ll test again.

So I don’t need to touch the Apache config files, right? Or restart Apache, right?

Thank you again @Marek_Hulan

No, I don’t think you need to touch Apache anymore if you already have letsencrypt certs there.

1 Like

I replaced those two lines:

from:

SSLCertificateFile      "/etc/puppetlabs/puppet/ssl/certs/foreman.local.pem"
SSLCertificateKeyFile   "/etc/puppetlabs/puppet/ssl/private_keys/foreman.local.pem"

to the Let's Encrypt files below:

SSLCertificateFile /etc/letsencrypt/live/foreman.local/fullchain.pem
SSLCertificateKeyFile /etc/letsencrypt/live/foreman.local/privkey.pem

This works for me when I restart Apache, but the reports are not working.

So I will add the fullchain.pem content with e.g. cat to the file below, which is referenced in /etc/puppetlabs/puppet/foreman.yaml:

:ssl_ca: "/etc/puppetlabs/puppet/ssl/ca/ca_crt.pem"

That's what you mean, right?

Yes, exactly, fingers crossed (well, reverting that is trivial) :slight_smile:

1 Like

Thank you sooooo much @Marek_Hulan it seems it works now :heart_eyes: :crossed_fingers:

2 Likes

I think a lot of people are interested in using Letsencrypt. Would you be up for writing a blog post about what you had to do to make it work? Or some guide in our Tutorials section? I think many people would appreciate that :slight_smile:

2 Likes

Of course @Marek_Hulan, you helped me to achieve that, thank you again.

I’ll try to write the steps clearly in my English (which is not so good), but I want to help too.

1 Like

This is for Foreman without Katello. What I’ve done is keep the Puppet CA for internal traffic and use Let’s Encrypt only for the UI.

You’d do something like:

# certbot certonly -d $HOSTNAME --webroot /var/lib/foreman/public
# foreman-installer \
  --foreman-server-ssl-cert /etc/letsencrypt/live/$HOSTNAME/cert.pem \
  --foreman-server-ssl-chain /etc/letsencrypt/live/$HOSTNAME/chain.pem \
  --foreman-server-ssl-key /etc/letsencrypt/live/$HOSTNAME/privkey.pem \
  --foreman-proxy-foreman-ssl-ca /etc/ssl/certs/ca-bundle.crt \
  --puppet-server-foreman-ssl-ca /etc/ssl/certs/ca-bundle.crt

This trusts the entire CA bundle to verify the CA. It would be more secure to only trust the Let’s Encrypt root, but I considered it good enough for my setup.

If you don’t have Puppet, you’d leave off the last argument. Same if you don’t have a foreman-proxy.

Then I also have a deploy hook (cat /etc/letsencrypt/renewal-hooks/deploy/foreman):

#!/bin/bash -e

for domain in $RENEWED_DOMAINS; do
        case $domain in
        my-hostname.example.com)
                systemctl reload httpd
                ;;
        esac
done

On Debian you’d reload apache2 instead of httpd. The CA bundle is also in a different location: /etc/ssl/certs/ca-certificates.crt.

Note my install is a bit older. I’m not sure if certbot still installs certs to /etc/letsencrypt.

2 Likes

Thanks for your post @ekohl

Yes, certbot still installs the letsencrypt certs there.

Why can't I find the arguments when I search for them?

I run foreman-installer --help | less and then search for the arguments, but I don't find them!

You may need --full-help for them.

2 Likes

@ekohl you are right, --full-help is new for me :smiley: thanks