How to install with own CA/Certs?

Christoph · February 11, 2022, 3:57pm

Ho to install foreman with own CA/Cert. I’ve generated the certs with FreeIPA and veryfied it with openssl verify.
If I do this:

foreman-installer --foreman-server-ssl-cert /etc/pki/tls/certs/HTTP_amon.home.chao5.net.crt --foreman-server-ssl-ca /etc/ipa/ca.crt --foreman-server-ssl-key /etc/pki/tls/private/HTTP_amon.home.chao5.net.key --foreman-proxy-foreman-ssl-ca /etc/ipa/ca.crt --puppet-server-foreman-ssl-ca /etc/ipa/ca.crt

I get this error:

2022-02-11 16:22:20 [ERROR ] [configure] /Stage[main]/Foreman::Register/Foreman_host[foreman-amon.home.chao5.net]: Could not evaluate: Exception SSL_connect returned=1 errno=0 state=error: certificate verify failed (unable to get local issuer certificate) in get request to: https://amon.home.chao5.net/api/v2/hosts?search=name%3D"amon.home.chao5.net"
2022-02-11 16:22:20 [ERROR ] [configure] Wrapped exception:
2022-02-11 16:22:20 [ERROR ] [configure] SSL_connect returned=1 errno=0 state=error: certificate verify failed (unable to get local issuer certificate)

The certificates/key are 100% ok. What I’m doing wrong?

TiA
Greetz

ekohl · February 11, 2022, 5:41pm

This should be --foreman-server-ssl-chain. The CA file is which client certificates are allows for authentication, chain is what signed the certificate. Then I suspect it’ll work.

Christoph · February 11, 2022, 6:14pm

yep that was the right hint… installation worked.
But something doesnt work with puppet:

Fehler: ERF50-5345 [Foreman::WrappedException]: Verbindung kann nicht hergestellt werden ([ProxyAPI::ProxyException]: ERF12-7885 [ProxyAPI::ProxyException]: Logs konnten nicht abgerufen werden ([OpenSSL::SSL::SSLError]: SSL_read: tlsv1 alert unknown ca) für Proxy https://amon.home.chao5.net:8443/logs)

I’ve user the parameter --puppet-server-foreman-ssl-ca /etc/ipa/ca.crt for puppet, do I need any other parameters?

ekohl · February 11, 2022, 6:24pm

That looks like the Foreman → Foreman Proxy communication somehow doesn’t work. Did you also replace the server certs on the Foreman Proxy but not Foreman’s client certificates, or vice versa?

Christoph · February 11, 2022, 6:32pm

that was my line for install:

foreman-installer
–foreman-server-ssl-cert /etc/pki/tls/certs/HTTP_amon.home.chao5.net.crt
–foreman-server-ssl-chain /etc/ipa/ca.crt
–foreman-server-ssl-key /etc/pki/tls/private/HTTP_amon.home.chao5.net.key
–foreman-proxy-foreman-ssl-ca /etc/ipa/ca.crt
–puppet-server-foreman-ssl-ca /etc/ipa/ca.crt

do I missed something?

Christoph · February 11, 2022, 8:01pm

found it:

foreman-installer
–foreman-client-ssl-cert /etc/pki/tls/certs/HTTP_amon.home.chao5.net.crt
–foreman-client-ssl-key /etc/pki/tls/private/HTTP_amon.home.chao5.net.key
–puppet-server-foreman-ssl-cert /etc/pki/tls/certs/HTTP_amon.home.chao5.net.crt
–puppet-server-foreman-ssl-key /etc/pki/tls/private/HTTP_amon.home.chao5.net.key

and now all works as expected…

Should I make a howto with it?

ekohl · February 11, 2022, 8:31pm

I’ve been wanting to finish a blog post about this, but I’m not sure I will so for now I’ll only share the draft:

As you can see by the dates, it’s been a draft for a long time. Last time I checked it worked with Foreman 2.1. I just updated it to 3.1 but not sure if it actually works since I didn’t copy-paste to see if they work. It also ends abruptly.