Problem:
I have an existing Foreman & Puppet server. The certificates have never worked quite right and I’d like to get it fixed. Our servers have mostly been working for over a year, but I need to add workarounds every time we re-run foreman-installer.
For example, I need to disable `ssl_ca` in `/etc/puppetlabs/puppet/foreman.yaml` and I’ve never understood how to fix this. Starting last week, Puppetserver is unable to contact the Foreman report service. I’m sure I made a mistake when I set this server up 18 months ago, but I don’t really know what a correct configuration of certificates looks like and I don’t know how to fix the problem.
Our Foreman server configuration is fairly standard. It’s a single node, and Foreman & Puppet were installed by foreman-installer. Certificates are used at a few services:
- The Foreman server which listens at https://foreman.example.org/ . This webserver has a certificate that requires an intermediate CA. It works fine from my browser and curl. Puppet, however, seems unable to reach certain endpoints.
- The Foreman Proxy on port 8443
- The Puppet server on port 8140. The Puppet CA lives on the same host.
`foreman-answers.yaml` has this:

```yaml
foreman:
  server_port: 80
  server_ssl_port: 443
  server_ssl_ca: "/etc/puppetlabs/puppet/ssl/certs/ca.pem"
  server_ssl_chain: "/etc/ssl/certs/intermediate-cert.pem"
  server_ssl_cert: "/etc/ssl/certs/foreman.example.org-cert.pem"
  server_ssl_certs_dir: ''
  server_ssl_key: "/etc/ssl/private/foreman.example.org-key.pem"
  server_ssl_crl: "/etc/puppetlabs/puppet/ssl/crl.pem"
  client_ssl_ca: "/etc/puppetlabs/puppet/ssl/certs/ca.pem"
  client_ssl_cert: "/etc/puppetlabs/puppet/ssl/certs/foreman.example.org.pem"
  client_ssl_key: "/etc/puppetlabs/puppet/ssl/private_keys/foreman.example.org.pem"
  ...
  websockets_encrypt: true
  websockets_ssl_key: "/etc/puppetlabs/puppet/ssl/private_keys/foreman.example.org.pem"
  websockets_ssl_cert: "/etc/puppetlabs/puppet/ssl/certs/foreman.example.org.pem"
  ...
foreman_proxy:
  http_port: 8000
  ssl_port: 8443
  ssl_ca: "/etc/puppetlabs/puppet/ssl/certs/ca.pem"
  ssl_cert: "/etc/puppetlabs/puppet/ssl/certs/foreman.example.org.pem"
  ssl_key: "/etc/puppetlabs/puppet/ssl/private_keys/foreman.example.org.pem"
  puppet_ssl_ca: "/etc/puppetlabs/puppet/ssl/certs/ca.pem"
  puppet_ssl_cert: "/etc/puppetlabs/puppet/ssl/certs/foreman.example.org.pem"
  puppet_ssl_key: "/etc/puppetlabs/puppet/ssl/private_keys/foreman.example.org.pem"
  ...
puppet:
  port: 8140
  server_port: 8140
  server_ssl_dir: "/etc/puppetlabs/puppet/ssl"
  server_ssl_chain_filepath: "/etc/puppetlabs/puppet/ssl/ca/ca_crt.pem"
  server_foreman_ssl_ca:
  server_foreman_ssl_cert:
  server_foreman_ssl_key:
```
Expected outcome:
Foreman and Proxy versions:
- Foreman 2.5.4
- Puppetserver 5.3.16 (We will update to Puppet 6 soon)
Foreman and Proxy plugin versions:
Distribution and version:
Ubuntu 18.04.6
Other relevant data:
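Added example, not part of the original post or of the foreman-installer project: a POSIX shell script that checks whether a server certificate, its private key and the CA file a client trusts actually fit together, which is the relationship the `server_ssl_*`, `client_ssl_*` and `ssl_ca` answers above encode. It builds a constructed throwaway PKI in a temporary directory (a public-style root signing an intermediate signing a leaf for foreman.example.org, plus a separate Puppet CA that never issued that leaf), so every file name in it is an assumption; to check a live installation, point `key_matches_cert` and `chain_verifies` at the real paths from the answers file instead.

```shell
#!/bin/sh
# Added example (not from the original post): check that certificate, key and
# CA files fit together the way a foreman-answers.yaml assumes they do.
# Everything below uses a constructed throwaway PKI built in a temp dir.
set -eu

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# Does private key $2 belong to certificate $1?  Compares the public keys.
key_matches_cert() {
    c=$(openssl x509 -in "$1" -noout -pubkey | openssl dgst -sha256)
    k=$(openssl pkey -in "$2" -pubout | openssl dgst -sha256)
    [ "$c" = "$k" ]
}

# Would a client that trusts only CA file $1 accept certificate $2?
# $3 (optional) is the intermediate bundle the server sends with its leaf,
# i.e. what server_ssl_chain points at in the answers file.
chain_verifies() {
    if [ -n "${3:-}" ]; then
        openssl verify -no-CAfile -no-CApath -CAfile "$1" -untrusted "$3" "$2" >/dev/null 2>&1
    else
        openssl verify -no-CAfile -no-CApath -CAfile "$1" "$2" >/dev/null 2>&1
    fi
}

# Minimal openssl config so the demo does not depend on the system openssl.cnf.
cat > "$WORK/demo.cnf" <<'EOF'
[req]
distinguished_name = dn
prompt = no
[dn]
CN = placeholder
[v3_ca]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
subjectKeyIdentifier = hash
[v3_leaf]
basicConstraints = CA:FALSE
keyUsage = digitalSignature,keyEncipherment
extendedKeyUsage = serverAuth
subjectAltName = DNS:foreman.example.org
EOF

# Constructed PKI mirroring the post: "public" root -> intermediate -> leaf for
# foreman.example.org, plus a separate Puppet CA that never issued that leaf.
make_demo_pki() {
    d=$1; cfg=$d/demo.cnf
    openssl req -x509 -config "$cfg" -extensions v3_ca -newkey rsa:2048 -nodes \
        -subj "/CN=Demo Public Root" -days 2 \
        -keyout "$d/root.key" -out "$d/root.pem" >/dev/null 2>&1
    openssl req -x509 -config "$cfg" -extensions v3_ca -newkey rsa:2048 -nodes \
        -subj "/CN=Demo Puppet CA" -days 2 \
        -keyout "$d/puppet-ca.key" -out "$d/puppet-ca.pem" >/dev/null 2>&1
    openssl req -new -config "$cfg" -newkey rsa:2048 -nodes \
        -subj "/CN=Demo Intermediate" \
        -keyout "$d/inter.key" -out "$d/inter.csr" >/dev/null 2>&1
    openssl x509 -req -in "$d/inter.csr" -CA "$d/root.pem" -CAkey "$d/root.key" \
        -CAcreateserial -days 2 -extfile "$cfg" -extensions v3_ca \
        -out "$d/inter.pem" >/dev/null 2>&1
    openssl req -new -config "$cfg" -newkey rsa:2048 -nodes \
        -subj "/CN=foreman.example.org" \
        -keyout "$d/leaf.key" -out "$d/leaf.csr" >/dev/null 2>&1
    openssl x509 -req -in "$d/leaf.csr" -CA "$d/inter.pem" -CAkey "$d/inter.key" \
        -CAcreateserial -days 2 -extfile "$cfg" -extensions v3_leaf \
        -out "$d/leaf.pem" >/dev/null 2>&1
}

# report <label> <command...>: print PASS/FAIL for one check without aborting.
report() {
    label=$1; shift
    if "$@"; then echo "PASS  $label"; else echo "FAIL  $label"; fi
}

make_demo_pki "$WORK"
report "server_ssl_key belongs to server_ssl_cert" \
    key_matches_cert "$WORK/leaf.pem" "$WORK/leaf.key"
report "client trusting public root, chain file sent" \
    chain_verifies "$WORK/root.pem" "$WORK/leaf.pem" "$WORK/inter.pem"
report "client trusting public root, no chain file (expected FAIL)" \
    chain_verifies "$WORK/root.pem" "$WORK/leaf.pem"
report "client with ssl_ca = Puppet CA (expected FAIL)" \
    chain_verifies "$WORK/puppet-ca.pem" "$WORK/leaf.pem" "$WORK/inter.pem"
```

The three chain checks separate the two ways a setup like this can fail: a client whose CA file is the Puppet CA can never validate a publicly issued certificate no matter what chain the server presents, and a client that does trust the public root still fails when the intermediate named in `server_ssl_chain` is not sent along with the leaf. Running `chain_verifies` with the CA file each client is configured with, against the certificate each listener actually serves, tells you which case you are in before re-running foreman-installer.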