Neeloj
September 17, 2021, 8:50am
1
First of all:
Sorry for my English, but I try to help one or another. Big thanks to @ekohl and @Marek_Hulan.
Situation:
Some of us want to use Let's Encrypt with Foreman 3.0.1 (in my case).
Let's Encrypt was installed on my Ubuntu 20.02 LTS server.
Now I installed Foreman 3.0.1 and I want Foreman to use Let's Encrypt.
# foreman-installer \
--foreman-server-ssl-cert /etc/letsencrypt/live/foreman.local/cert.pem \
--foreman-server-ssl-chain /etc/letsencrypt/live/foreman.local/chain.pem \
--foreman-server-ssl-key /etc/letsencrypt/live/foreman.local/privkey.pem \
--foreman-proxy-foreman-ssl-ca /etc/ssl/certs/ca-certificates.crt \
--puppet-server-foreman-ssl-ca /etc/ssl/certs/ca-certificates.crt
*foreman.local should be different on your server.
Now Foreman uses Let's Encrypt.
Neeloj
I hope I could help you.
4 Likes
ekohl
September 20, 2021, 10:33am
2
I don’t think this is correct because you should not modify /etc/puppetlabs/puppet/ssl/ca/ca_crt.pem. The correct solution is to point it at the actual CA file.
I posted the correct solution here:
This is for Foreman without Katello. What I’ve done is keep the Puppet CA for internal traffic and use Let’s Encrypt only for the UI.
You’d do something like:
# certbot certonly -d $HOSTNAME --webroot -w /var/lib/foreman/public
# foreman-installer \
--foreman-server-ssl-cert /etc/letsencrypt/live/$HOSTNAME/cert.pem \
--foreman-server-ssl-chain /etc/letsencrypt/live/$HOSTNAME/chain.pem \
--foreman-server-ssl-key /etc/letsencrypt/live/$HOSTNAME/privkey.pem \
--foreman-proxy-foreman-ssl-ca /…
The benefit of that is also that you can continue using the installer for upgrades.
1 Like
Neeloj
September 20, 2021, 10:36am
3
Thanks for your answer @ekohl, what you posted doesn't matter if I use Puppet/Katello, right?
Neeloj
September 20, 2021, 10:48am
4
Is there an argument to show/get all current configuration of foreman-installer? @ekohl because I'll recover all, and test your solution.
ekohl
September 20, 2021, 10:52am
5
The instructions for Katello are slightly different since it uses a different design for certificates (we’re working on unification, but that’s a long process). I think this should work:
foreman-installer \
--scenario katello \
--certs-server-ca-cert /etc/letsencrypt/live/$HOSTNAME/chain.pem \
--certs-server-cert /etc/letsencrypt/live/$HOSTNAME/cert.pem \
--certs-server-key /etc/letsencrypt/live/$HOSTNAME/privkey.pem
You can use --full-help to see all options and the defaults it shows are what it uses. If you’re unsure, I’d recommend using the installer with --noop to see what would be changed.
Neeloj
September 20, 2021, 10:58am
6
Thanks @ekohl, I’ll test for Puppet, so the first one with --noop, and I saw that I can reset those fields too.
Neeloj
September 20, 2021, 11:27am
7
@ekohl when I use that with:
# foreman-installer \
--foreman-server-ssl-cert /etc/letsencrypt/live/$HOSTNAME/cert.pem \
--foreman-server-ssl-chain /etc/letsencrypt/live/$HOSTNAME/chain.pem \
--foreman-server-ssl-key /etc/letsencrypt/live/$HOSTNAME/privkey.pem \
--foreman-proxy-foreman-ssl-ca /etc/ssl/certs/ca-certificates.crt \
--puppet-server-foreman-ssl-ca /etc/ssl/certs/ca-certificates.crt
I get below error:
2021-09-20 13:22:11 [DEBUG ] [configure] Foreman_smartproxy[foreman.local](provider=rest_v3): Making get request to https://foreman.local/api/v2/smart_proxies?search=name%3D%22foreman.local%22
2021-09-20 13:22:11 [ERROR ] [configure] /Stage[main]/Foreman_proxy::Register/Foreman_smartproxy[foreman.local]: Could not evaluate: Exception SSL_connect returned=1 errno=0 state=error: certificate verify failed (self signed certificate in certificate chain) in get request to: https://foreman.local/api/v2/smart_proxies?search=name%3D%22foreman.local%22
2021-09-20 13:22:11 [ERROR ] [configure] Wrapped exception:
2021-09-20 13:22:11 [ERROR ] [configure] SSL_connect returned=1 errno=0 state=error: certificate verify failed (self signed certificate in certificate chain)
ekohl
September 20, 2021, 12:44pm
8
That’s a problem with noop: some actions can’t really be determined. In this case it uses the new CA certificate to verify the connection, but the actual server hasn’t been changed to use the new certificate. You can ignore that.
1 Like
Neeloj
September 20, 2021, 1:15pm
9
Thanks @ekohl, I’ll run it without --noop and I hope it will work.
Neeloj
September 27, 2021, 6:28am
10
This works for me without any problems; the above steps don't work correctly, so below is the right & tested solution:
# foreman-installer \
--foreman-server-ssl-cert /etc/letsencrypt/live/$HOSTNAME/cert.pem \
--foreman-server-ssl-chain /etc/letsencrypt/live/$HOSTNAME/chain.pem \
--foreman-server-ssl-key /etc/letsencrypt/live/$HOSTNAME/privkey.pem \
--foreman-proxy-foreman-ssl-ca /etc/ssl/certs/ca-certificates.crt \
--puppet-server-foreman-ssl-ca /etc/ssl/certs/ca-certificates.crt
2 Likes
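Before running the installer command above, it is worth checking that the three Let's Encrypt files belong together and that the CA bundle handed to --foreman-proxy-foreman-ssl-ca / --puppet-server-foreman-ssl-ca actually contains the root that issued them; a bundle without that root is the kind of mismatch behind the "certificate verify failed" error seen earlier in the thread. The script below is an added example, not code from the thread or from the Foreman project; it assumes only the openssl CLI, and the test PKI it builds (root, intermediate, leaf, plus an unrelated root) is constructed to stand in for the real /etc/letsencrypt/live files.

```shell
#!/bin/sh
# Pre-flight check for the files passed to foreman-installer's
# --foreman-server-ssl-cert / -chain / -key and the CA bundle passed to
# --foreman-proxy-foreman-ssl-ca. Added example; assumes the openssl CLI.

# check_cert_files CERT CHAIN KEY CA_BUNDLE
# Returns 0 when KEY belongs to CERT and CERT verifies against a root in
# CA_BUNDLE through the intermediates in CHAIN; non-zero otherwise.
check_cert_files() {
  cert=$1
  chain=$2
  key=$3
  bundle=$4
  # 1. The private key must match the public key in the leaf certificate.
  cert_pub=$(openssl x509 -in "$cert" -noout -pubkey 2>/dev/null) || return 2
  key_pub=$(openssl pkey -in "$key" -pubout 2>/dev/null) || return 2
  if [ "$cert_pub" != "$key_pub" ]; then
    echo "check: $key does not match $cert" >&2
    return 3
  fi
  # 2. The leaf must chain up to a root in CA_BUNDLE via CHAIN. A bundle
  #    that lacks the issuing root fails here, which is the situation the
  #    installer reports as "certificate verify failed".
  out=$(openssl verify -CAfile "$bundle" -untrusted "$chain" "$cert" 2>&1)
  case $out in
    *": OK") return 0 ;;
    *) echo "check: $out" >&2; return 4 ;;
  esac
}

# make_test_pki DIR: constructed stand-in for the Let's Encrypt layout
# (root -> intermediate -> leaf) plus an unrelated root, other.pem.
make_test_pki() {
  dir=$1
  mkdir -p "$dir"
  printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' > "$dir/ca.ext"
  printf 'basicConstraints=CA:FALSE\nsubjectAltName=DNS:foreman.example.test\n' > "$dir/leaf.ext"
  # Root CA: what a real bundle such as /etc/ssl/certs/ca-certificates.crt holds.
  openssl req -x509 -newkey rsa:2048 -nodes -days 2 -subj "/CN=Test Root CA" \
    -keyout "$dir/root.key" -out "$dir/root.pem" 2>/dev/null
  # Intermediate CA: plays the role of chain.pem.
  openssl req -newkey rsa:2048 -nodes -subj "/CN=Test Intermediate CA" \
    -keyout "$dir/int.key" -out "$dir/int.csr" 2>/dev/null
  openssl x509 -req -days 2 -in "$dir/int.csr" -CA "$dir/root.pem" -CAkey "$dir/root.key" \
    -CAcreateserial -extfile "$dir/ca.ext" -out "$dir/chain.pem" 2>/dev/null
  # Leaf: plays the role of cert.pem / privkey.pem.
  openssl req -newkey rsa:2048 -nodes -subj "/CN=foreman.example.test" \
    -keyout "$dir/privkey.pem" -out "$dir/leaf.csr" 2>/dev/null
  openssl x509 -req -days 2 -in "$dir/leaf.csr" -CA "$dir/chain.pem" -CAkey "$dir/int.key" \
    -CAcreateserial -extfile "$dir/leaf.ext" -out "$dir/cert.pem" 2>/dev/null
  # Unrelated self-signed root: a bundle that does not contain our issuer.
  openssl req -x509 -newkey rsa:2048 -nodes -days 2 -subj "/CN=Other Root CA" \
    -keyout "$dir/other.key" -out "$dir/other.pem" 2>/dev/null
}

# Stand-alone demonstration on the constructed PKI.
demo() {
  d=$(mktemp -d)
  make_test_pki "$d"
  if check_cert_files "$d/cert.pem" "$d/chain.pem" "$d/privkey.pem" "$d/root.pem"; then
    echo "certificate files are consistent"
  fi
  rm -rf "$d"
}
demo
```

On a real host, call it with the installer's paths, e.g. `check_cert_files /etc/letsencrypt/live/$HOSTNAME/cert.pem /etc/letsencrypt/live/$HOSTNAME/chain.pem /etc/letsencrypt/live/$HOSTNAME/privkey.pem /etc/ssl/certs/ca-certificates.crt`; a non-zero exit means the installer run would end with the smart proxy or Puppet server unable to verify Foreman's certificate.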
ekohl
September 27, 2021, 8:26am
11
Should I convert the tutorial to a wiki so you can modify the instructions?
Neeloj
September 27, 2021, 8:36am
12
Yes @ekohl, it's a good idea, the users should not read that first and try!!!
Because all will do that and don't read the page/answers until the end!
ekohl
September 27, 2021, 8:47am
13
You should be able to edit the first post now.
2 Likes
Neeloj
September 27, 2021, 9:24am
14
It's changed, thank you so much.
2 Likes