Install Options for (1) Foreman Server + (2) Puppet Master and CA

Problem:
My lack of acquired knowledge!!
Everything works for a period, then I get SSL errors.

Expected outcome:

Foreman to receive logs, reports, facts.
Also to be capable of ENC.
Not to be a (CA) Certificate Authority.
Does not necessarily need to be a Puppet Server (if it is not required).

Existing Puppet Master to maintain this role.
Maintain being the CA.
Install foreman-proxy and send reports, logs, facts to Foreman.
Continue to accept new host requests as it currently does.

Foreman and Proxy versions:
1.23.0 -> I have noticed 1.23.1 is out.

Distribution and version:
Centos 7

What I would dearly love:
I have tried this setup 7-8 times now with varying levels of success. Just when I think I have nailed it - something messes with SSL and reports stop making it to Foreman, all nodes go out of sync. Each time I am adjusting my install options on both the Foreman Server and the Puppet Master.

Could someone please give me a set of options for both installs and point me in the right direction?

Anyone have this setup in production? …and wants to share some configs?

I’ve never set it up like you describe. And I’m really just hypothesizing, BUT:

/etc/foreman/settings.yml
/etc/foreman-proxy/settings.yaml
/etc/httpd/conf.d/05-foreman-ssl.conf

All contain various settings related to ssl.

I know it’s totally possible to run foreman installer and “not” install any proxy or puppet roles, so it should also work as a complete standalone.

Generally it’d be puppet=false and proxy=false

Be sure to explicitly set ALL ssl options for “foreman” to your existing puppet agent’s cert location (should be like /etc/puppetlabs/puppet/ssl, which should already exist on your server).

You will then need to manually configure ENC on your puppetmasters to utilize foreman using the rb script.

From there your existing puppetmaster “should” reach out to your New ENC which “should” implicitly trust and allow the connection??

I might be missing something, but give it a try and see where it blows up (short of a Dev coming along and telling me all the reasons this can never work).
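A quick consistency check for the certificate set the reply above says to point Foreman at (CA file, host certificate, private key): it confirms the certificate chains to that CA and that the key belongs to the certificate, which are the two mismatches that surface as the SSL errors described in the question. This is an added example, not code from the thread or from the Foreman project; it assumes the `openssl` CLI is installed and builds throwaway demo certificates instead of using the real ones under /etc/puppetlabs/puppet/ssl.

```shell
#!/usr/bin/env bash
# Added example: verify that a CA / certificate / key triple is consistent before
# handing the paths to foreman-installer or writing them into settings.yml.
# Real paths on a Puppet master would look like (assumption, not from the thread):
#   /etc/puppetlabs/puppet/ssl/certs/ca.pem
#   /etc/puppetlabs/puppet/ssl/certs/<fqdn>.pem
#   /etc/puppetlabs/puppet/ssl/private_keys/<fqdn>.pem
set -u

# check_ssl_set CA CERT KEY -> 0 if consistent, 1 with a reason on stderr otherwise
check_ssl_set() {
  local ca="$1" cert="$2" key="$3"
  for f in "$ca" "$cert" "$key"; do
    [ -r "$f" ] || { echo "missing or unreadable: $f" >&2; return 1; }
  done
  # 1. the host certificate must chain to the CA Foreman and the proxy trust
  if ! openssl verify -CAfile "$ca" "$cert" >/dev/null 2>&1; then
    echo "cert $cert does not verify against CA $ca" >&2; return 1
  fi
  # 2. the private key must belong to the certificate (compare public keys)
  local cpub kpub
  cpub=$(openssl x509 -in "$cert" -noout -pubkey | openssl sha256)
  kpub=$(openssl pkey -in "$key" -pubout 2>/dev/null | openssl sha256)
  if [ "$cpub" != "$kpub" ]; then
    echo "key $key does not match cert $cert" >&2; return 1
  fi
  return 0
}

# Constructed demo material: one CA, a host cert signed by it, and an unrelated
# second CA standing in for "the other side was issued by a different CA".
make_demo() {
  local d="$1"
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=demo-ca" \
    -keyout "$d/ca.key" -out "$d/ca.pem" 2>/dev/null
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=other-ca" \
    -keyout "$d/other.key" -out "$d/other.pem" 2>/dev/null
  openssl req -newkey rsa:2048 -nodes -subj "/CN=foreman.example" \
    -keyout "$d/host.key" -out "$d/host.csr" 2>/dev/null
  openssl x509 -req -in "$d/host.csr" -CA "$d/ca.pem" -CAkey "$d/ca.key" \
    -CAcreateserial -days 1 -out "$d/host.pem" 2>/dev/null
}
```

Run `check_ssl_set` once with the paths from /etc/foreman/settings.yml and once with those from /etc/foreman-proxy/settings.yaml; both sets must pass against the same CA file for Foreman and the Puppet master to trust each other.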

I’d start off with reading Foreman :: Manual.

Then I’d have a look at a test scenario:

Note that still has some issues and goes further than what you usually want. If you run Foreman Proxy and Puppetserver on the same machine then reporting will just work.