Problem: We are required to set up 2 Foreman instances behind a load balancer with an external Puppet master and Puppet CA. The Puppet CA should be the certificate provider for all of them, i.e. the Foreman instances and the Puppet masters.
Expected outcome: All proxy status should be in green with SSL communication.
Foreman and Proxy versions: foreman 1.20 , Puppet 5
Foreman and Proxy plugin versions: Discovery
Other relevant data: Could you please share the steps / command options for the items below?
- Generate certificates for the Foreman instances
- External database server
- External Puppet CA
- External Puppet masters
What are the commands / options that need to be run on these individual servers?
We have 18 puppetmasters behind a load balancer, along with 12 Foreman “Front-End” servers behind another. The one item that we didn’t do HA for was the CA, but it is dedicated, due to the trade-offs there. I’m hopeful that Puppet 6, when supported, will make that easier - along with allowing me to integrate my Puppet certs into a private PKI infrastructure.
Check out this guide - we used it and it’s pretty comprehensive: https://blog.dobrev.eu/blog/2016/04/28/the-foreman-the-scalable-way-part-1/
Thanks for your reply. I have followed the given doc, but our scenario is a little different.
We have 2 servers, frm-server01 and frm-server02, that are behind a hardware load balancer with the virtual common name “foreman-poc.example.com”.
I have built the Puppet CA on a separate server by following the document; it is serving certificates for both Foreman instances. Smart proxy is not installed on it.
I have successfully installed the Foreman setup with the options below on “frm-server01”:
foreman-installer --foreman-db-type=mysql --foreman-db-manage=false --foreman-db-host=frm-mysql01.cadence.com --foreman-db-database=foreman --foreman-db-username=foreman --foreman-db-password=XXXXXX --no-enable-puppet --puppet-ca-server=frm-puppetca.cadence.com --foreman-proxy-puppetca=false --enable-foreman-plugin-ansible --enable-foreman-plugin-discovery --enable-foreman-plugin-docker --enable-foreman-plugin-expire-hosts --enable-foreman-plugin-hooks --foreman-admin-password=cadence --foreman-admin-username=admin
But when I try to install Foreman on the second node, “frm-server02”, with the same options, it fails with the error below:
/Stage[main]/Foreman_proxy::Register/Foreman_smartproxy[frm-server02.cadence.com]: Could not evaluate: Exception SSL_connect returned=1 errno=0 state=error: certificate verify failed in get request to: https://frm-server02.cadence.com/api/v2/smart_proxies?search=name="frm-server02.cadence.com"
We are using an external MySQL database for both instances.
I would be really thankful if you could help me with this.
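The error quoted in the post is OpenSSL's generic "certificate verify failed", which the Ruby client raises both when the server certificate's issuer is not in the CA file the proxy trusts and when the certificate's names do not cover the host in the request URL (here the node's own FQDN). The script below is an added example, not code from this thread or from the Foreman installer: it constructs a throwaway test CA and a server certificate whose subjectAltName lists only a hypothetical load-balancer VIP name, then runs the two checks that separate those causes. All names, files and the CA itself are constructed for the example.

```shell
#!/usr/bin/env bash
# Added example (not from the thread or the Foreman project): build a throwaway
# CA and one server certificate, then run the two checks that separate the usual
# causes of OpenSSL's "certificate verify failed": an issuer the client does not
# trust, and a host name the certificate does not cover.
set -eu

WORK="$(mktemp -d)"
trap 'rm -rf "$WORK"' EXIT

# Hypothetical names modelled on the thread: the load-balancer VIP name and one backend node.
VIP_NAME="foreman-poc.example.com"
NODE_NAME="frm-server02.example.com"

# make_test_pki: self-signed test CA plus a server certificate whose SAN lists only VIP_NAME.
# Explicit config files keep the example independent of the system openssl.cnf.
make_test_pki() {
  cat > "$WORK/ca.cnf" <<'EOF'
[ req ]
distinguished_name = dn
x509_extensions = ca_ext
prompt = no
[ dn ]
CN = test-puppet-ca
[ ca_ext ]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
subjectKeyIdentifier = hash
EOF
  openssl req -x509 -config "$WORK/ca.cnf" -newkey rsa:2048 -nodes -days 1 \
    -keyout "$WORK/ca.key" -out "$WORK/ca.crt" 2>/dev/null

  cat > "$WORK/server.cnf" <<EOF
[ req ]
distinguished_name = dn
prompt = no
[ dn ]
CN = $VIP_NAME
EOF
  openssl req -new -config "$WORK/server.cnf" -newkey rsa:2048 -nodes \
    -keyout "$WORK/server.key" -out "$WORK/server.csr" 2>/dev/null

  # Only the VIP name goes into the SAN; the backend node's own FQDN is deliberately absent.
  printf 'subjectAltName=DNS:%s\n' "$VIP_NAME" > "$WORK/san.ext"
  openssl x509 -req -in "$WORK/server.csr" -CA "$WORK/ca.crt" -CAkey "$WORK/ca.key" \
    -CAcreateserial -days 1 -extfile "$WORK/san.ext" -out "$WORK/server.crt" 2>/dev/null
}

# verify_chain CA_FILE CERT_FILE: succeeds only if CERT_FILE chains to a CA in CA_FILE.
verify_chain() {
  openssl verify -CAfile "$1" "$2" >/dev/null 2>&1
}

# cert_covers_host CERT_FILE HOST: succeeds only if the certificate's SAN (or CN, when
# no SAN is present) covers HOST, which is the check a hostname-verifying client performs.
cert_covers_host() {
  openssl x509 -in "$1" -noout -checkhost "$2" 2>/dev/null | grep -q "does match"
}

# diagnose CA_FILE CERT_FILE HOST: report which of the two checks fails for a client
# that trusts CA_FILE and connects to HOST. Returns 1 for issuer, 2 for name, 0 for ok.
diagnose() {
  if ! verify_chain "$1" "$2"; then
    echo "untrusted issuer: $2 does not chain to $1"
    return 1
  fi
  if ! cert_covers_host "$2" "$3"; then
    echo "name mismatch: $2 does not cover $3"
    return 2
  fi
  echo "ok: $2 is trusted and covers $3"
}

make_test_pki
diagnose "$WORK/ca.crt" "$WORK/server.crt" "$VIP_NAME"
diagnose "$WORK/ca.crt" "$WORK/server.crt" "$NODE_NAME" || true
```

Against a live node the same two checks apply to the certificate the Foreman vhost actually serves: `openssl s_client -connect <host>:443 -servername <host> </dev/null | openssl x509 -noout -text` (with `<host>` as a placeholder) prints its issuer and subjectAltName entries, and a hostname-verifying client accepts the connection only if the issuer is in the CA file it trusts and the SAN covers the exact name in the URL it requests.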