I have an existing Foreman & Puppet server. The certificates have never worked quite right and I’d like to get it fixed. Our servers have mostly been working for over a year, but I need to add workarounds every time we re-run foreman-installer.
For example, I need to disable `ssl_ca` in `/etc/puppetlabs/puppet/foreman.yaml`, and I’ve never understood how to fix this. Starting last week, Puppetserver is unable to contact the Foreman report service. I’m sure I made a mistake when I set this server up 18 months ago, but I don’t really know what a correct configuration of certificates looks like and I don’t know how to fix the problem.
Our Foreman server configuration is fairly standard. It’s a single node, and Foreman & Puppet were installed by foreman-installer. Certificates are used at a few services:
- The Foreman server which listens at https://foreman.example.org/. This webserver has a certificate that requires an intermediate CA. It works fine from my browser and curl. Puppet, however, seems unable to reach certain endpoints.
- The Foreman Proxy on port 8443
- The Puppet server on port 8140. The Puppet CA lives on the same host.
`foreman-answers.yaml` has this:

```yaml
foreman:
  server_port: 80
  server_ssl_port: 443
  server_ssl_ca: "/etc/puppetlabs/puppet/ssl/certs/ca.pem"
  server_ssl_chain: "/etc/ssl/certs/intermediate-cert.pem"
  server_ssl_cert: "/etc/ssl/certs/foreman.example.org-cert.pem"
  server_ssl_certs_dir: ''
  server_ssl_key: "/etc/ssl/private/foreman.example.org-key.pem"
  server_ssl_crl: "/etc/puppetlabs/puppet/ssl/crl.pem"
  client_ssl_ca: "/etc/puppetlabs/puppet/ssl/certs/ca.pem"
  client_ssl_cert: "/etc/puppetlabs/puppet/ssl/certs/foreman.example.org.pem"
  client_ssl_key: "/etc/puppetlabs/puppet/ssl/private_keys/foreman.example.org.pem"
  ...
  websockets_encrypt: true
  websockets_ssl_key: "/etc/puppetlabs/puppet/ssl/private_keys/foreman.example.org.pem"
  websockets_ssl_cert: "/etc/puppetlabs/puppet/ssl/certs/foreman.example.org.pem"
  ...
foreman_proxy:
  http_port: 8000
  ssl_port: 8443
  ssl_ca: "/etc/puppetlabs/puppet/ssl/certs/ca.pem"
  ssl_cert: "/etc/puppetlabs/puppet/ssl/certs/foreman.example.org.pem"
  ssl_key: "/etc/puppetlabs/puppet/ssl/private_keys/foreman.example.org.pem"
  puppet_ssl_ca: "/etc/puppetlabs/puppet/ssl/certs/ca.pem"
  puppet_ssl_cert: "/etc/puppetlabs/puppet/ssl/certs/foreman.example.org.pem"
  puppet_ssl_key: "/etc/puppetlabs/puppet/ssl/private_keys/foreman.example.org.pem"
  ...
puppet:
  port: 8140
  server_port: 8140
  server_ssl_dir: "/etc/puppetlabs/puppet/ssl"
  server_ssl_chain_filepath: "/etc/puppetlabs/puppet/ssl/ca/ca_crt.pem"
  server_foreman_ssl_ca:
  server_foreman_ssl_cert:
  server_foreman_ssl_key:
```
Foreman and Proxy versions:
- Foreman 2.5.4
- Puppetserver 5.3.16 (We will update to Puppet 6 soon)
Foreman and Proxy plugin versions:
Distribution and version:
Other relevant data: