How to install with own CA/Certs?

How to install Foreman with own CA/Cert? I’ve generated the certs with FreeIPA and verified them with openssl verify.
If I do this:

foreman-installer --foreman-server-ssl-cert /etc/pki/tls/certs/HTTP_amon.home.chao5.net.crt --foreman-server-ssl-ca /etc/ipa/ca.crt --foreman-server-ssl-key /etc/pki/tls/private/HTTP_amon.home.chao5.net.key --foreman-proxy-foreman-ssl-ca /etc/ipa/ca.crt --puppet-server-foreman-ssl-ca /etc/ipa/ca.crt

I get this error:

2022-02-11 16:22:20 [ERROR ] [configure] /Stage[main]/Foreman::Register/Foreman_host[foreman-amon.home.chao5.net]: Could not evaluate: Exception SSL_connect returned=1 errno=0 state=error: certificate verify failed (unable to get local issuer certificate) in get request to: https://amon.home.chao5.net/api/v2/hosts?search=name%3D"amon.home.chao5.net"
2022-02-11 16:22:20 [ERROR ] [configure] Wrapped exception:
2022-02-11 16:22:20 [ERROR ] [configure] SSL_connect returned=1 errno=0 state=error: certificate verify failed (unable to get local issuer certificate)

The certificates/key are 100% ok. What am I doing wrong?

TiA
Greetz

This should be --foreman-server-ssl-chain. The CA file is which client certificates are allowed for authentication, chain is what signed the certificate. Then I suspect it’ll work.


Yep, that was the right hint… installation worked.
But something doesn’t work with puppet:

Fehler: ERF50-5345 [Foreman::WrappedException]: Verbindung kann nicht hergestellt werden ([ProxyAPI::ProxyException]: ERF12-7885 [ProxyAPI::ProxyException]: Logs konnten nicht abgerufen werden ([OpenSSL::SSL::SSLError]: SSL_read: tlsv1 alert unknown ca) für Proxy https://amon.home.chao5.net:8443/logs)

I’ve used the parameter --puppet-server-foreman-ssl-ca /etc/ipa/ca.crt for puppet, do I need any other parameters?

That looks like the Foreman → Foreman Proxy communication somehow doesn’t work. Did you also replace the server certs on the Foreman Proxy but not Foreman’s client certificates, or vice versa?

that was my line for install:

foreman-installer
--foreman-server-ssl-cert /etc/pki/tls/certs/HTTP_amon.home.chao5.net.crt
--foreman-server-ssl-chain /etc/ipa/ca.crt
--foreman-server-ssl-key /etc/pki/tls/private/HTTP_amon.home.chao5.net.key
--foreman-proxy-foreman-ssl-ca /etc/ipa/ca.crt
--puppet-server-foreman-ssl-ca /etc/ipa/ca.crt

Did I miss something?

found it:

foreman-installer
--foreman-client-ssl-cert /etc/pki/tls/certs/HTTP_amon.home.chao5.net.crt
--foreman-client-ssl-key /etc/pki/tls/private/HTTP_amon.home.chao5.net.key
--puppet-server-foreman-ssl-cert /etc/pki/tls/certs/HTTP_amon.home.chao5.net.crt
--puppet-server-foreman-ssl-key /etc/pki/tls/private/HTTP_amon.home.chao5.net.key

and now all works as expected…

Should I make a howto with it?


I’ve been wanting to finish a blog post about this, but I’m not sure I will so for now I’ll only share the draft:

As you can see by the dates, it’s been a draft for a long time. Last time I checked it worked with Foreman 2.1. I just updated it to 3.1 but not sure if it actually works since I didn’t copy-paste to see if they work. It also ends abruptly.
