How-To use Foreman with Let's Encrypt

First of all:
Sorry for my English, but I'll try to help one or another. Big thanks to @ekohl and @Marek_Hulan

Situation:
Some of us want to use Let's Encrypt with Foreman 3.0.1 (in my case).

Let's Encrypt was installed on my Ubuntu 20.02 LTS server.

Now I have installed Foreman 3.0.1 and I want Foreman to use Let's Encrypt.

# foreman-installer \
  --foreman-server-ssl-cert /etc/letsencrypt/live/foreman.local/cert.pem \
  --foreman-server-ssl-chain /etc/letsencrypt/live/foreman.local/chain.pem \
  --foreman-server-ssl-key /etc/letsencrypt/live/foreman.local/privkey.pem \
  --foreman-proxy-foreman-ssl-ca  /etc/ssl/certs/ca-certificates.crt \
  --puppet-server-foreman-ssl-ca  /etc/ssl/certs/ca-certificates.crt

* foreman.local will be different on your server.

Now Foreman uses Let's Encrypt.

Neeloj

I hope I could help you.

4 Likes

I don’t think this is correct because you should not modify /etc/puppetlabs/puppet/ssl/ca/ca_crt.pem. The correct solution is to point it at the actual CA file.

I posted the correct solution here:

The benefit of that is also that you can continue using the installer for upgrades.

1 Like

Thanks for your answer @ekohl. What you posted doesn't matter whether I use Puppet or Katello, right?

Is there an argument to show/get all the current configuration of foreman-installer, @ekohl? Because I'll recover everything and test your solution.

The instructions for Katello are slightly different since it uses a different design for certificates (we’re working on unification, but that’s a long process). I think this should work:

foreman-installer \
  --scenario katello \
  --certs-server-ca-cert /etc/letsencrypt/live/$HOSTNAME/chain.pem \
  --certs-server-cert /etc/letsencrypt/live/$HOSTNAME/cert.pem \
  --certs-server-key /etc/letsencrypt/live/$HOSTNAME/privkey.pem

You can use --full-help to see all options and the defaults it shows are what it uses. If you’re unsure, I’d recommend using the installer with --noop to see what would be changed.

Thanks @ekohl, I'll test for Puppet, so the first one, with --noop, and I saw that I can reset those fields too :slight_smile:

@ekohl when I use that with:

# foreman-installer \
  --foreman-server-ssl-cert /etc/letsencrypt/live/$HOSTNAME/cert.pem \
  --foreman-server-ssl-chain /etc/letsencrypt/live/$HOSTNAME/chain.pem \
  --foreman-server-ssl-key /etc/letsencrypt/live/$HOSTNAME/privkey.pem \
  --foreman-proxy-foreman-ssl-ca  /etc/ssl/certs/ca-certificates.crt \
  --puppet-server-foreman-ssl-ca  /etc/ssl/certs/ca-certificates.crt

I get the error below:

2021-09-20 13:22:11 [DEBUG ] [configure] Foreman_smartproxy[foreman.local](provider=rest_v3): Making get request to https://foreman.local/api/v2/smart_proxies?search=name%3D%22foreman.local%22
2021-09-20 13:22:11 [ERROR ] [configure] /Stage[main]/Foreman_proxy::Register/Foreman_smartproxy[foreman.local]: Could not evaluate: Exception SSL_connect returned=1 errno=0 state=error: certificate verify failed (self signed certificate in certificate chain) in get request to: https://foreman.local/api/v2/smart_proxies?search=name%3D%22foreman.local%22
2021-09-20 13:22:11 [ERROR ] [configure] Wrapped exception:
2021-09-20 13:22:11 [ERROR ] [configure] SSL_connect returned=1 errno=0 state=error: certificate verify failed (self signed certificate in certificate chain)

That’s a problem with noop: some actions can’t really be determined. In this case it uses the new CA certificate to verify the connection, but the actual server hasn’t been changed to use the new certificate. You can ignore that.

1 Like

Thanks @ekohl, I'll run it without --noop :slight_smile: and I hope it will work :crossed_fingers:

This works for me without any problems; the above steps don't work correctly, so below is the right and tested solution:

# foreman-installer \
  --foreman-server-ssl-cert /etc/letsencrypt/live/$HOSTNAME/cert.pem \
  --foreman-server-ssl-chain /etc/letsencrypt/live/$HOSTNAME/chain.pem \
  --foreman-server-ssl-key /etc/letsencrypt/live/$HOSTNAME/privkey.pem \
  --foreman-proxy-foreman-ssl-ca  /etc/ssl/certs/ca-certificates.crt \
  --puppet-server-foreman-ssl-ca  /etc/ssl/certs/ca-certificates.crt

2 Likes

Should I convert the tutorial to a wiki so you can modify the instructions?

Yes @ekohl, it's a good idea; users should not read that first and try it!!!
Because everyone will do that and not read the page/answers until the end!

You should be able to edit the first post now.

2 Likes

It's changed, thank you so much :slight_smile:

2 Likes