How to tell foreman-installer to NOT revert the certs to the default

Problem:
Each time I execute foreman-installer it reverts all the certificate settings to the defaults. To use my custom self-signed certs, after the Foreman installation I made some changes to read different certs in:

foreman/settings.yaml
foreman-proxy/settings.yml

Everything works fine… Until I execute foreman-installer.
I can’t install any new plugin because I think by default it tries to revert all the certificates to the default ones.
I even found 2 parameters which can be responsible for this behaviour:

  --reset-foreman-ssl              Reset ssl to the default value (true)
  --reset-foreman-proxy-ssl        Reset ssl to the default value (true)

Default values of both are true.
Is it possible to change it to false?
I tried to set both values to false but even with just 1 argument provided I am getting… :melting_face:

foreman-installer --reset-foreman-ssl=false
2024-02-28 09:45:36 [NOTICE] [root] Loading installer configuration. This will take some time.
2024-02-28 09:45:39 [NOTICE] [root] Running installer with log based terminal output at level NOTICE.
2024-02-28 09:45:39 [NOTICE] [root] Use -l to set the terminal output log level to ERROR, WARN, NOTICE, INFO, or DEBUG. See --full-help for definitions.
ERROR: too many arguments

Expected outcome:
I do not want to regenerate certs each time foreman-installer is executed.

Foreman and Proxy versions:
3.9.1

Distribution and version:
Alma Linux 8

In general, the --reset-XY options of the installer are there to reset any XY option to its default value. Those parameters don’t do anything specific other than that and do not accept parameters.

For your actual problem at hand: You have to tell foreman-installer which certs to use instead of the default ones. You can take a look at the docs here for the required options, also here for smart-proxies.
These docs are written for Katello (which I’m not sure if you are using), but the general idea should work the same for plain Foreman.

Thanks for the clarity on reset options.

Yeah, someone else provided me this link in another post.
Nope, I am not using katello :frowning:

I tried with these parameters as well, but there are so many of them that perhaps I missed one, as it still didn’t work:

--foreman-websockets-ssl-cert=
--foreman-websockets-ssl-key=
--foreman-server-ssl-ca=
--foreman-server-ssl-cert=
--foreman-server-ssl-key=
--foreman-proxy-foreman-ssl-ca= 
--foreman-proxy-foreman-ssl-cert=
--foreman-proxy-foreman-ssl-key=

Is there something else?

The foreman-installer replaces the configs every time you run it, which has to be done on every update/patch of Foreman. So, if you do any custom configs outside of the installer, you will constantly be fighting with it.

Really, the only way to keep it from redoing what IT wants to do is for you to provide your certs as part of ITS config so it does what you want it to do every time.

In your case, I think instead of just replacing the files yourself outside of the installer, you should provide it the options to use your certs you want via the --foreman-server-ssl… options.

I don’t think it is covered in the base Foreman docs, but in the Katello docs there is a section on running Foreman with custom certificates.

https://docs.theforeman.org/nightly/Installing_Server/index-katello.html#Configuring_Server_with_a_Custom_SSL_Certificate_foreman

Yes I know, @areyus provided a link to the same website… I am not using katello.

Yes but the information in the katello docs applies all the same to a stand alone Foreman install

No it’s not.
It seems that cert-related parameter names are different.

KATELLO:

foreman-installer --scenario katello \
   --certs-server-cert "/root/foreman_cert/foreman_cert.pem" \
   --certs-server-key "/root/foreman_cert/foreman_cert_key.pem" \
   --certs-server-ca-cert "/root/foreman_cert/ca_cert_bundle.pem"

FOREMAN:

> foreman-installer --full-help | grep -i certs-server | wc -l
0

That’s why I previously asked if I am missing some parameters, as the params below are not enough:

--foreman-websockets-ssl-cert=
--foreman-websockets-ssl-key=
--foreman-server-ssl-ca=
--foreman-server-ssl-cert=
--foreman-server-ssl-key=
--foreman-proxy-foreman-ssl-ca= 
--foreman-proxy-foreman-ssl-cert=
--foreman-proxy-foreman-ssl-key=

OK, I think I’ve figured it out. I’ve provided the following parameters on 2 Foreman servers:

 --foreman-websockets-ssl-cert /etc/foreman/TestCerts/Foreman_Proxy_Server.crt 
 --foreman-websockets-ssl-key /etc/foreman/TestCerts/Foreman_Proxy_Server.key 

 --foreman-server-ssl-ca /etc/foreman/TestCerts/Foreman_CA.crt 
 --foreman-server-ssl-cert /etc/foreman/TestCerts/Foreman_Proxy_Server.crt 
 --foreman-server-ssl-key /etc/foreman/TestCerts/Foreman_Proxy_Server.key

 --foreman-proxy-ssl-ca /etc/foreman/TestCerts/Foreman_CA.crt 
 --foreman-proxy-ssl-cert /etc/foreman/TestCerts/Foreman_Proxy_Server.crt 
 --foreman-proxy-ssl-key /etc/foreman/TestCerts/Foreman_Proxy_Server.key 

 --foreman-client-ssl-ca /etc/foreman/TestCerts/Foreman_CA.crt 
 --foreman-client-ssl-cert /etc/foreman/TestCerts/Foreman_Proxy_Client.crt 
 --foreman-client-ssl-key /etc/foreman/TestCerts/Foreman_Proxy_Client.key  

 --foreman-proxy-foreman-ssl-ca /etc/foreman/TestCerts/Foreman_CA.crt 
 --foreman-proxy-foreman-ssl-cert /etc/foreman/TestCerts/Foreman_Proxy_Server.crt 
 --foreman-proxy-foreman-ssl-key /etc/foreman/TestCerts/Foreman_Proxy_Server.key 

 --foreman-proxy-trusted-hosts myForemanServer1.com
 --foreman-proxy-trusted-hosts myForemanServer2.com

I don’t have any ssl errors and I can see both smart proxies on the Foreman Website. It works just fine.
However, I am not sure if it’s the correct way, perhaps some parameters are not required, some are missing. If it’s the case please let me know.

1 Like
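Added example, not code from the thread or from the Foreman project: a POSIX shell pre-flight script for the option set in the final post above. It checks each file before the installer ever sees it (readable PEM of the expected type, private key actually belongs to the certificate, certificate verifies against the CA file) and then prints the installer options with the same role mapping that post used: the server pair for the websockets, server, proxy and proxy-to-Foreman roles, the client pair for the client role. It assumes the openssl CLI is installed and that the installer accepts the `--option=value` form; the paths and hostnames in the usage comment are placeholders taken from the post, and the helper names are the example's own.

```shell
#!/bin/sh
# Added example (not from the thread or the Foreman project): pre-flight checks
# for the custom-certificate options the last post passed to foreman-installer.
# Assumes the openssl CLI is installed; paths and hostnames are placeholders.

# pem_has_block FILE KIND: FILE is readable and contains a "-----BEGIN ...KIND-----" line.
pem_has_block() {
  [ -r "$1" ] && grep -q "^-----BEGIN .*$2-----" "$1"
}

# cert_matches_key CERT KEY: the public key inside CERT equals the one derived from KEY.
cert_matches_key() {
  cmk_c=$(openssl x509 -in "$1" -noout -pubkey 2>/dev/null) || return 1
  cmk_k=$(openssl pkey -in "$2" -pubout 2>/dev/null) || return 1
  [ -n "$cmk_c" ] && [ "$cmk_c" = "$cmk_k" ]
}

# cert_signed_by CERT CA: CERT verifies against the CA bundle in CA only
# (the system trust store is deliberately ignored).
cert_signed_by() {
  openssl verify -no-CAfile -no-CApath -CAfile "$2" "$1" >/dev/null 2>&1
}

# check_pair LABEL CA CERT KEY: structural and cryptographic checks for one pair;
# reports the first failure on stderr and returns 1.
check_pair() {
  cp_label=$1 cp_ca=$2 cp_cert=$3 cp_key=$4
  pem_has_block "$cp_ca" CERTIFICATE \
    || { echo "$cp_label: CA is not a readable PEM certificate: $cp_ca" >&2; return 1; }
  pem_has_block "$cp_cert" CERTIFICATE \
    || { echo "$cp_label: not a readable PEM certificate: $cp_cert" >&2; return 1; }
  pem_has_block "$cp_key" "PRIVATE KEY" \
    || { echo "$cp_label: not a readable PEM private key: $cp_key" >&2; return 1; }
  cert_matches_key "$cp_cert" "$cp_key" \
    || { echo "$cp_label: private key $cp_key does not match $cp_cert" >&2; return 1; }
  cert_signed_by "$cp_cert" "$cp_ca" \
    || { echo "$cp_label: $cp_cert does not verify against CA $cp_ca" >&2; return 1; }
}

# build_installer_args CA SERVER_CERT SERVER_KEY CLIENT_CERT CLIENT_KEY [TRUSTED_HOST...]
# Prints one installer option per line, using the server pair for the
# websockets, server, proxy and proxy->foreman roles and the client pair for
# foreman-client, as in the thread's final post. Prints nothing and returns 1
# when any check fails, so a bad file never reaches the installer.
build_installer_args() {
  bi_ca=$1 bi_scert=$2 bi_skey=$3 bi_ccert=$4 bi_ckey=$5
  shift 5
  check_pair server "$bi_ca" "$bi_scert" "$bi_skey" || return 1
  check_pair client "$bi_ca" "$bi_ccert" "$bi_ckey" || return 1
  printf '%s\n' \
    "--foreman-websockets-ssl-cert=$bi_scert" \
    "--foreman-websockets-ssl-key=$bi_skey" \
    "--foreman-server-ssl-ca=$bi_ca" \
    "--foreman-server-ssl-cert=$bi_scert" \
    "--foreman-server-ssl-key=$bi_skey" \
    "--foreman-proxy-ssl-ca=$bi_ca" \
    "--foreman-proxy-ssl-cert=$bi_scert" \
    "--foreman-proxy-ssl-key=$bi_skey" \
    "--foreman-client-ssl-ca=$bi_ca" \
    "--foreman-client-ssl-cert=$bi_ccert" \
    "--foreman-client-ssl-key=$bi_ckey" \
    "--foreman-proxy-foreman-ssl-ca=$bi_ca" \
    "--foreman-proxy-foreman-ssl-cert=$bi_scert" \
    "--foreman-proxy-foreman-ssl-key=$bi_skey"
  for bi_host in "$@"; do
    printf '%s\n' "--foreman-proxy-trusted-hosts=$bi_host"
  done
}

# Typical use (placeholder paths from the post; paths must not contain whitespace):
#   build_installer_args /etc/foreman/TestCerts/Foreman_CA.crt \
#       /etc/foreman/TestCerts/Foreman_Proxy_Server.crt /etc/foreman/TestCerts/Foreman_Proxy_Server.key \
#       /etc/foreman/TestCerts/Foreman_Proxy_Client.crt /etc/foreman/TestCerts/Foreman_Proxy_Client.key \
#       myForemanServer1.com myForemanServer2.com > /tmp/installer.args \
#     && xargs foreman-installer < /tmp/installer.args
```

Because the installer rewrites its managed config on every run, the same argument file can be reused for every later run (plugin installs, upgrades), which is the point the replies above make: the certificate paths become part of the installer's own configuration rather than a hand edit it will undo.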