How should I configure certificates with Foreman, Foreman Proxy + Puppet on one server?


I have an existing Foreman & Puppet server. The certificates have never worked quite right and I’d like to get it fixed. Our servers have mostly been working for over a year, but I need to add workarounds every time we re-run foreman-installer.

For example, I need to disable `ssl_ca in /etc/puppetlabs/puppet/foreman.yaml and I’ve never understood how to fix this. Starting last week, Puppetserver is unable to contact the Foreman report service. I’m sure I made a mistake when I set this server up 18 months ago, but I don’t really know what a correct configuration of certificates looks like and I don’t know how to fix the problem.

Our Foreman server configuration is fairly standard. It’s a single node, and Foreman & Puppet were installed by foreman-installer. Certificates are used at a few services:

  • The Foreman server which listens at . This webserver has a certificate that requires a intermediate CA. It works fine from my browser and curl. Puppet, however, seems unable to reach certain endpoints.
  • The Foreman Proxy on port 8443
  • The Puppet server on port 8140. The Puppet CA lives on the same host.

foreman-answers.yaml has this:

  server_port: 80
  server_ssl_port: 443
  server_ssl_ca: "/etc/puppetlabs/puppet/ssl/certs/ca.pem"
  server_ssl_chain: "/etc/ssl/certs/intermediate-cert.pem"
  server_ssl_cert: "/etc/ssl/certs/"
  server_ssl_certs_dir: ''
  server_ssl_key: "/etc/ssl/private/"
  server_ssl_crl: "/etc/puppetlabs/puppet/ssl/crl.pem"
  client_ssl_ca: "/etc/puppetlabs/puppet/ssl/certs/ca.pem"
  client_ssl_cert: "/etc/puppetlabs/puppet/ssl/certs/"
  client_ssl_key: "/etc/puppetlabs/puppet/ssl/private_keys/"
  websockets_encrypt: true
  websockets_ssl_key: "/etc/puppetlabs/puppet/ssl/private_keys/"
  websockets_ssl_cert: "/etc/puppetlabs/puppet/ssl/certs/"
  http_port: 8000
  ssl_port: 8443
  ssl_ca: "/etc/puppetlabs/puppet/ssl/certs/ca.pem"
  ssl_cert: "/etc/puppetlabs/puppet/ssl/certs/"
  ssl_key: "/etc/puppetlabs/puppet/ssl/private_keys/"
  puppet_ssl_ca: "/etc/puppetlabs/puppet/ssl/certs/ca.pem"
  puppet_ssl_cert: "/etc/puppetlabs/puppet/ssl/certs/"
  puppet_ssl_key: "/etc/puppetlabs/puppet/ssl/private_keys/"
  port: 8140
  server_port: 8140
  server_ssl_dir: "/etc/puppetlabs/puppet/ssl"
  server_ssl_chain_filepath: "/etc/puppetlabs/puppet/ssl/ca/ca_crt.pem"

Expected outcome:

Foreman and Proxy versions:

  • Foreman 2.5.4
  • Puppetserver 5.3.16 (We will update to Puppet 6 soon)

Foreman and Proxy plugin versions:

Distribution and version:

Ubuntu 18.04.6

Other relevant data:

Unfortunately I’m not able to remember how I fixed this exactly. What I did do was to add our complete CA chain to the CA cert used by Puppet. That allowed all Foreman and Puppet things to work:

root@foreman:~ # cat /etc/ssl/certs/my-intermediate-cert-with-root.pem >> /etc/puppetlabs/puppet/ssl/ca/ca_crt.pem
1 Like