How to use Let's Encrypt cert & different hostname for Foreman 3.5 webserver?

Problem: While setting up a new Foreman 3.5 instance we are unable to configure the installer to use our Let’s Encrypt certificates for the webserver only. We want to do this to avoid any warnings because of self-signed certificates. The server’s local hostname is foreman.example.loc - this should be used for the Puppet clients. For actually browsing the web UI we want to use foreman.example.com with our LE certificate.
I read the setup guide multiple times and tried different configs, but there are so many SSL sections and I have no idea how the different components are interacting.

Expected outcome: We tried to copy our setup Foreman 1.24 setup and set foreman_url, server_ssl_chain, server_ssl_cert, server_ssl_key & server_foreman_url to the new values. But when I try to run the installer afterwards I get

2023-02-06 17:30:44 [NOTICE] [configure] Starting system configuration.
2023-02-06 17:30:50 [NOTICE] [configure] 250 configuration steps out of 1219 steps complete.
2023-02-06 17:30:50 [NOTICE] [configure] 500 configuration steps out of 1224 steps complete.
2023-02-06 17:30:50 [NOTICE] [configure] 750 configuration steps out of 1228 steps complete.
2023-02-06 17:31:00 [NOTICE] [configure] 1000 configuration steps out of 1228 steps complete.
2023-02-06 17:31:14 [ERROR ] [configure] /Stage[main]/Foreman_proxy::Register/Foreman_smartproxy[foreman.example.loc]: Could not evaluate: Exception SSL_connect returned=1 errno=0 state=error: certificate verify failed (Hostname mismatch) in get request to: https://foreman.example.loc/api/v2/smart_proxies?search=name%3D%22foreman.example.loc%22
2023-02-06 17:31:14 [ERROR ] [configure] Wrapped exception:
2023-02-06 17:31:14 [ERROR ] [configure] SSL_connect returned=1 errno=0 state=error: certificate verify failed (Hostname mismatch)
2023-02-06 17:31:14 [ERROR ] [configure] /Stage[main]/Foreman_proxy::Register/Foreman_smartproxy[foreman.example.loc]: Failed to call refresh: Exception SSL_connect returned=1 errno=0 state=error: certificate verify failed (Hostname mismatch) in get request to: https://foreman.example.loc/api/v2/smart_proxies?search=name%3D%22foreman.example.loc%22
2023-02-06 17:31:14 [ERROR ] [configure] /Stage[main]/Foreman_proxy::Register/Foreman_smartproxy[foreman.example.loc]: Exception SSL_connect returned=1 errno=0 state=error: certificate verify failed (Hostname mismatch) in get request to: https://foreman.example.loc/api/v2/smart_proxies?search=name%3D%22foreman.example.loc%22
2023-02-06 17:31:14 [ERROR ] [configure] Wrapped exception:
2023-02-06 17:31:14 [ERROR ] [configure] SSL_connect returned=1 errno=0 state=error: certificate verify failed (Hostname mismatch)
2023-02-06 17:31:14 [ERROR ] [configure] /Stage[main]/Foreman_proxy::Register/Foreman_host[foreman-proxy-foreman.example.loc]: Could not evaluate: Exception SSL_connect returned=1 errno=0 state=error: certificate verify failed (Hostname mismatch) in get request to: https://foreman.example.loc/api/v2/hosts?search=name%3D%22foreman.example.loc%22
2023-02-06 17:31:14 [ERROR ] [configure] Wrapped exception:
2023-02-06 17:31:14 [ERROR ] [configure] SSL_connect returned=1 errno=0 state=error: certificate verify failed (Hostname mismatch)
2023-02-06 17:31:16 [NOTICE] [configure] System configuration has finished.

Foreman and Proxy versions: 3.5.1

Foreman and Proxy plugin versions: ?

Distribution and version: AlmaLinux 8.7

Other relevant data:

I now set foreman_base_url as well and the foreman-installer completes, but now puppet is complaining about an incorrect certificate:

(on remote host)
# puppet agent -t
Error: Could not retrieve catalog from remote server: Error 500 on SERVER: Server Error: Failed when searching for node hostname.example.loc: Failed to find hostname.example.loc via exec: Execution of '/etc/puppetlabs/puppet/node.rb hostname.example.loc' returned 1:
(on foreman host)
# /etc/puppetlabs/puppet/node.rb hostname.example.loc
During fact upload occured an exception: SSL_connect returned=1 errno=0 state=error: certificate verify failed (unable to get local issuer certificate)
Serving cached ENC: Could not send facts to Foreman: SSL_connect returned=1 errno=0 state=error: certificate verify failed (unable to get local issuer certificate)
Unable to read from Cache file: No such file or directory @ rb_sysopen - /opt/puppetlabs/server/data/puppetserver/yaml/foreman/hostname.example.loc.yaml

Since I can’t edit my old posts: I tried what @ekohl suggested here, however I get the same error as in the first post with these options, so I guess something has changed in the last 1,5 years.

Okay, after trying for several hours I finally gave up and took the easy way - I used the default foreman-answers.yaml and simply created a copy of the /etc/httpd/conf.d/05-foreman-ssl.conf file and adjusted server name & certificates. Works for now, but it would be nice if the setup would be a bit easier.

1 Like

Have you seen How-To use Foreman with Let'sEncrypt - #14 by Neeloj? Does that work well?

Hey Marek, thanks for answering! I saw the same commands in this post, unfortunately it didn’t help and I got the same errors as mentioned in the first post. However our system is running now with my workaround and I don’t really want to break it again.

What exactly did you change in 05-foreman-ssl.conf? With the exact change it should be possible to identify the correct foreman-installer options to use…

I didn’t touch it, I just created a second vhost with the correct different hostname & certificate.

From what I found I think puppet used a wrong CA certificate (debugged /etc/puppetlabs/puppet/node.rb a bit), in /etc/puppetlabs/puppet/foreman.yaml there is a CA certificate mentioned that I couldn’t find in the code anywhere (/etc/puppetlabs/puppetserver/ca/ca_crt.pem).

If you don’t want to post it, then you’ll have to figure it out yourself. You can check the answers file in /etc/foreman-installer/scenario.d/' for the installation scenario you have used (usually foreman-answers or katello-answers) and also check the installer –full-help` output. You’ll find the server name and certificates paths used somewhere there. It’s all configurable…