Installing a puppet smart proxy against a katello main server

This is a summary of a foreman-installer scenario for installing foreman-proxy.

Setup: already running a katello 4.5 server (foreman8.example.com), adding a smart proxy foreman8-puppet.dkrz.de for a puppet master only (puppet ca is on katello server) without using the foreman-proxy-content scenario and installing the whole pulpcore/content stuff. The closest docs I have found are these but they don’t work like that if you are using katello.

We are also using certificates from an external CA in our setup.

  • foreman8-puppet.cer is the certificate from the external ca
  • foreman8-puppet.key is the private key
  • foreman8-puppet_interm.cer is the chain including the root of the external ca

Step 1: check certs (as usual) on katello server:

[root@foreman8 ~]# katello-certs-check -t foreman-proxy \
   -c /root/certs/foreman8-puppet/foreman8-puppet.cer \
   -k /root/certs/foreman8-puppet/foreman8-puppet.key \
   -b /root/certs/foreman8-puppet/foreman8-puppet_interm.cer
...
Validation succeeded
...

Step 2: create certs tar on your katello server:

[root@foreman8 ~]# foreman-proxy-certs-generate \
    --foreman-proxy-fqdn "foreman8-puppet.example.com" \
    --certs-tar  "$HOME/foreman8-puppet.example.com-certs.tar" \
    --server-cert "/root/certs/foreman8-puppet/foreman8-puppet.cer" \
    --server-key "/root/certs/foreman8-puppet/foreman8-puppet.key" \
    --server-ca-cert "/root/certs/foreman8-puppet/foreman8-puppet_interm.cer"
...

Step 3: copy certs tar to smart proxy:

[root@foreman8 ~]# scp ~/foreman8-puppet.example.com-certs.tar foreman8-puppet:

Step 4: Unpack tar as root into root home (i.e. everything will be in /root/ssl-build/)

[root@foreman8-puppet ~]# tar xvf foreman8-puppet.example.com-certs.tar

Step 5: The katello server is running a puppet master with puppet CA. We are using only the puppet CA on the katello server. For this to work, the smart proxy must already have a certificate from the puppet ca (e.g. puppet agent is already running and working against the main server), or you can bootstrap the smart proxy:

on smart proxy

[root@foreman8-puppet ~]# cat >> /etc/puppetlabs/puppet/puppet.conf <<EOF
[main]
server = foreman8.example.com

EOF
[root@foreman8-puppet ~]# /opt/puppetlabs/bin/puppet ssl bootstrap
Info: Creating a new RSA SSL key for foreman8-puppet.example.com
Info: csr_attributes file loading from /etc/puppetlabs/puppet/csr_attributes.yaml
Info: Creating a new SSL certificate request for foreman8-puppet.example.com
Info: Certificate Request fingerprint (SHA256): E0:E5:DD:7E:26:35:CE:13:9C:C5:01:4B:28:C3:77:22:BD:E4:0F:9C:CF:0D:BC:5D:CB:37:F7:B9:65:D2:14:F1
Info: Certificate for foreman8-puppet.example.com has not been signed yet
Couldn't fetch certificate from CA server; you might still need to sign this agent's certificate (foreman8-puppet.example.com).
Info: Will try again in 120 seconds.
...

Sign cert in puppetserver on main server.

[root@foreman8 ~]# puppetserver ca sign --certname foreman8-puppet.example.com

on smart proxy: continues

...
Info: csr_attributes file loading from /etc/puppetlabs/puppet/csr_attributes.yaml
Info: Creating a new SSL certificate request for foreman8-puppet.example.com
Info: Certificate Request fingerprint (SHA256): E0:E5:DD:7E:26:35:CE:13:9C:C5:01:4B:28:C3:77:22:BD:E4:0F:9C:CF:0D:BC:5D:CB:37:F7:B9:65:D2:14:F1
Info: Downloaded certificate for foreman8-puppet.example.com from https://foreman8.example.com:8140/puppet-ca/v1
Notice: Completed SSL initialization

Step 6: set up the necessary repositories for foreman and puppet and install foreman-installer and foreman-proxy (as per foreman docs):

[root@foreman8-puppet ~]# dnf localinstall https://yum.theforeman.org/releases/3.3/el8/x86_64/foreman-release.rpm
[root@foreman8-puppet ~]# dnf localinstall https://yum.puppet.com/puppet7-release-el-8.noarch.rpm
[root@foreman8-puppet ~]# dnf module enable foreman:el8
[root@foreman8-puppet ~]# dnf -y install foreman-installer foreman-proxy
...

Step 7: Installing foreman-proxy rpm created /etc/foreman-proxy. Now copy certificates from certs tar (just like katello/foreman-proxy-content would do):

[root@foreman8-puppet ~]# cd /etc/foreman-proxy/
[root@foreman8-puppet foreman-proxy]# cp ~/ssl-build/katello-default-ca.crt ssl_ca.pem
[root@foreman8-puppet foreman-proxy]# cp ~/ssl-build/foreman8-puppet.example.com/foreman8-puppet.example.com-foreman-proxy.crt ssl_cert.pem
[root@foreman8-puppet foreman-proxy]# cp ~/ssl-build/foreman8-puppet.example.com/foreman8-puppet.example.com-foreman-proxy.key ssl_key.pem
[root@foreman8-puppet foreman-proxy]# cp ~/ssl-build/katello-server-ca.crt foreman_ssl_ca.pem
[root@foreman8-puppet foreman-proxy]# cp ~/ssl-build/foreman8-puppet.example.com/foreman8-puppet.example.com-foreman-proxy-client.crt foreman_ssl_cert.pem
[root@foreman8-puppet foreman-proxy]# cp ~/ssl-build/foreman8-puppet.example.com/foreman8-puppet.example.com-foreman-proxy-client.key foreman_ssl_key.pem
[root@foreman8-puppet foreman-proxy]# chmod 440 {foreman_,}ssl_{ca,key}.pem
[root@foreman8-puppet foreman-proxy]# chmod 444 {foreman_,}ssl_cert.pem
[root@foreman8-puppet foreman-proxy]# chgrp foreman-proxy {foreman_,}ssl_{ca,key,cert}.pem
[root@foreman8-puppet foreman-proxy]# ls -al
total 56
drwxr-xr-x.   3 root root           205 Jul 19 10:48 .
drwxr-xr-x. 104 root root          8192 Jul 14 18:38 ..
-r--r-----.   1 root foreman-proxy 6189 Jul 19 10:48 foreman_ssl_ca.pem
-r--r--r--.   1 root foreman-proxy 8371 Jul 19 10:48 foreman_ssl_cert.pem
-r--r-----.   1 root foreman-proxy 3272 Jul 19 10:48 foreman_ssl_key.pem
-rw-r--r--.   1 root root             0 Jun  9 16:46 migration_state
drwxr-xr-x.   2 root root          4096 Jul 14 15:57 settings.d
-rw-r-----.   1 root foreman-proxy 3353 Jul 14 16:34 settings.yml
-r--r-----.   1 root foreman-proxy 2524 Jul 14 12:53 ssl_ca.pem
-r--r--r--.   1 root foreman-proxy 3004 Jul 14 12:09 ssl_cert.pem
-r--r-----.   1 root foreman-proxy 3272 Jul 14 12:10 ssl_key.pem

Step 8: Set up certificates for puppet proxy:

[root@foreman8-puppet ~]# mkdir -p /etc/pki/katello/puppet
[root@foreman8-puppet ~]# chmod 750 /etc/pki/katello/puppet/
[root@foreman8-puppet ~]# cd /etc/pki/katello/puppet/
[root@foreman8-puppet puppet]# cp ~/ssl-build/katello-server-ca.crt puppet_client_ca.crt
[root@foreman8-puppet puppet]# cp ~/ssl-build/foreman8-puppet.example.com/foreman8-puppet.example.com-puppet-client.crt puppet_client.crt
[root@foreman8-puppet puppet]# cp ~/ssl-build/foreman8-puppet.example.com/foreman8-puppet.example.com-puppet-client.key puppet_client.key
[root@foreman8-puppet puppet]# chmod 440 puppet_client*
[root@foreman8-puppet puppet]# chgrp -R puppet .
[root@foreman8-puppet puppet]# ls -al
total 24
drwxr-x---. 2 root puppet   84 Jul 14 18:22 .
drwxr-xr-x. 3 root root     20 Jul 14 18:17 ..
-r--r-----. 1 root puppet 6189 Jul 14 18:21 puppet_client_ca.crt
-r--r-----. 1 root puppet 8355 Jul 14 18:22 puppet_client.crt
-r--r-----. 1 root puppet 3272 Jul 14 18:22 puppet_client.key

Step 9: configure the firewall on the proxy to allow necessary connections:

[root@foreman8-puppet ~]# firewall-cmd --add-service=puppetmaster --add-service=foreman-proxy
success
[root@foreman8-puppet ~]# firewall-cmd --add-port="8088/tcp"
success
[root@foreman8-puppet ~]# firewall-cmd --runtime-to-permanent
success

Step 10: finally run foreman-installer to set it up. Make sure to fill in foreman-proxy-oauth-consumer info as printed out on the main server during the foreman-proxy-certs-generate run:

[root@foreman8-puppet ~]# foreman-installer \
  --no-enable-foreman \
  --no-enable-foreman-cli \
  --no-enable-foreman-plugin-puppet \
  --no-enable-foreman-cli-puppet \
  --enable-puppet \
  --puppet-ca-server=foreman8.example.com \
  --puppet-server-ca=false \
  --puppet-server-foreman-url=https://foreman8.example.com/ \
  --enable-foreman-proxy \
  --foreman-proxy-ssl-ca=/etc/foreman-proxy/ssl_ca.pem \
  --foreman-proxy-ssl-cert=/etc/foreman-proxy/ssl_cert.pem \
  --foreman-proxy-ssl-key=/etc/foreman-proxy/ssl_key.pem \
  --foreman-proxy-foreman-ssl-ca=/etc/foreman-proxy/foreman_ssl_ca.pem \
  --foreman-proxy-foreman-ssl-cert=/etc/foreman-proxy/foreman_ssl_cert.pem \
  --foreman-proxy-foreman-ssl-key=/etc/foreman-proxy/foreman_ssl_key.pem \
  --puppet-server-foreman-ssl-ca=/etc/pki/katello/puppet/puppet_client_ca.crt \
  --puppet-server-foreman-ssl-cert=/etc/pki/katello/puppet/puppet_client.crt \
  --puppet-server-foreman-ssl-key=/etc/pki/katello/puppet/puppet_client.key \
  --foreman-proxy-puppetca=false \
  --foreman-proxy-tftp=false \
  --foreman-proxy-foreman-base-url=https://foreman8.example.com/ \
  --foreman-proxy-trusted-hosts=foreman8.example.com \
  --foreman-proxy-oauth-consumer-key=oAuth_Consumer_Key \
  --foreman-proxy-oauth-consumer-secret=oAuth_Consumer_Secret

That should do it. The proxy should be automatically registered on the katello server. You should have an empty puppet server running on the proxy, which should forward puppet reports to the katello server.
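As an added pre-flight check (not part of the original post), the POSIX shell function below verifies a certificate directory laid out as in Steps 7 and 8 the way the installer and foreman-proxy will use it: the key belongs to the certificate, the certificate chains to the CA bundle copied from ssl-build, the subject CN is the proxy FQDN, the key is not world-readable and all files are group-owned by the service account. The make_demo_dir fixture is constructed here with a throwaway CA so the check runs offline; on the real proxy you would point check_proxy_certs at /etc/foreman-proxy (group foreman-proxy) and /etc/pki/katello/puppet (group puppet) instead.

```shell
#!/bin/sh
# Added example, not from the original post: pre-flight check for the
# foreman-proxy / puppet client certificate files before foreman-installer runs.
# check_proxy_certs DIR CA CERT KEY FQDN GROUP  ->  0 if all checks pass, 1 otherwise
check_proxy_certs() {
  dir=$1 ca=$2 cert=$3 key=$4 fqdn=$5 group=$6
  rc=0
  # The private key must be the one the certificate was issued for.
  if [ "$(openssl x509 -in "$dir/$cert" -noout -pubkey 2>/dev/null)" != \
       "$(openssl pkey -in "$dir/$key" -pubout 2>/dev/null)" ]; then
    echo "FAIL: $key does not belong to $cert"; rc=1
  fi
  # The certificate must chain to the CA bundle copied from ssl-build.
  if ! openssl verify -CAfile "$dir/$ca" "$dir/$cert" >/dev/null 2>&1; then
    echo "FAIL: $cert does not verify against $ca"; rc=1
  fi
  # The subject CN must be the proxy FQDN that the main server knows.
  case "$(openssl x509 -in "$dir/$cert" -noout -subject -nameopt RFC2253 2>/dev/null)" in
    *"CN=$fqdn"|*"CN=$fqdn,"*) ;;
    *) echo "FAIL: $cert subject CN is not $fqdn"; rc=1 ;;
  esac
  # The key must not be readable by others (chmod 440 in the post) and every
  # file must be group-owned by the account that reads it (chgrp in the post).
  if find "$dir/$key" -perm -004 -print | grep -q .; then
    echo "FAIL: $key is world-readable"; rc=1
  fi
  for f in "$ca" "$cert" "$key"; do
    if find "$dir/$f" ! -group "$group" -print | grep -q .; then
      echo "FAIL: $f is not group-owned by $group"; rc=1
    fi
  done
  return $rc
}

# Constructed fixture: a throwaway CA and a proxy certificate signed by it,
# using the same file names and modes as /etc/foreman-proxy in Step 7.
make_demo_dir() {
  d=$(mktemp -d)
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=demo-ca" \
    -keyout "$d/ca.key" -out "$d/ssl_ca.pem" 2>/dev/null
  openssl req -newkey rsa:2048 -nodes -subj "/CN=foreman8-puppet.example.com" \
    -keyout "$d/ssl_key.pem" -out "$d/proxy.csr" 2>/dev/null
  openssl x509 -req -days 1 -in "$d/proxy.csr" -CA "$d/ssl_ca.pem" \
    -CAkey "$d/ca.key" -CAcreateserial -out "$d/ssl_cert.pem" 2>/dev/null
  chmod 440 "$d/ssl_ca.pem" "$d/ssl_key.pem"; chmod 444 "$d/ssl_cert.pem"
  echo "$d"
}
```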