Hi, I’m a bit confused with the SSL certificates in foreman.
By default the repository are published using https, and I’m not able to use them in this configuration. If I change the URL for http, it works fine.
I understand the certificate mechanism, but not really well how it works during the deployment of a new host.
Can someone help me ?
to use repos from Katello via HTTPS, your hosts need to be registered and subscribed to the correct products through subscription-manager. The docs should have all the infos you need to set everything up, but here is the short version of what is required:
In short:
HTTPS repos are protected through client SSL certificates and cannot be accessed without. You need to use subscription-manager to access repos through HTTPS.
Somewhat longer:
Your hosts need to have the “consumer” RPM installed for the content-smart-proxy they are connected to (the main Foreman server also acts as a smart-proxy if you are connecting hosts directly). This RPM can by default be found at http://<smart-proxy fqdn>/pub/katello-ca-consumer-latest.noarch.rpm. This is for general SSL/TLS certificates, so that the hosts trust Foreman’s/Smart-Proxy’s CA and certificates.
Then your hosts will need to register via subscription-manager, either manually with username/password, or better automatically through an activation key. This will download client certificates that allow access to the HTTPS repos (and also configures the repos automatically, according to how everything was set up in Foreman)
Your hosts will now have access to the HTTPS repos, and changes to the repos need to be made via subscription-manager
Thanks for your answer.
And for a complete new host built by pxe ? How does this work ?
And why this messages in the Activation key section : " This organization has Simple Content Access enabled. Hosts are not required to have subscriptions attached to access repositories. " ?
Regards,
JF
For new hosts, you should run subscription-manager register somewhere during provisioning (usually in the post section).
The message you receive in the activation key page is simply a hint. SCA (Simple Content Access) is enabled in your organization (which is the default for new organizations since a few versions ago), which means you do not need to assign any products/subscriptions to activation keys anymore. Lifecycle Environment and Content View should be enough.
If you follow the docs I linked, everything you need to do should be explained there.
Thanks a lot.
It works… except I need packages from Codeready-buiders repo, and the one I mirrored in foreman is not accessible during install process :-(…
It was not so complicated with our previous method (script/templates/repo with dnf reposync). Hoped centralization of all in foreman will simplify the management, but i’m not really sure today.
JF
