Installing commercial SSL Certificate on existing Katello/Foreman

I have an existing Katello 2.7 server which I'd like to add a wildcard
certificate to. I've generated the key and CSR using openssl. The signed
certificate is from DigiCert. I attempted to update the certificate using:

katello-installer \
  --certs-update-server-ca \
  --certs-update-server \
  --certs-server-cert="/etc/pki/tls/certs/star_myorg_org.crt" \
  --certs-server-cert-req "/etc/pki/tls/certs/foreman-katello.csr" \
  --certs-server-key="/etc/pki/tls/private/foreman-katello.key" \
  --certs-server-ca-cert="/etc/pki/tls/certs/DigiCertCA.crt" \
  --foreman-server-ssl-ca="/etc/pki/tls/certs/DigiCertCA.crt" \
  --foreman-server-ssl-key="/etc/pki/tls/private/foreman-katello.key" \
  --foreman-server-ssl-cert="/etc/pki/tls/certs/star_myorg_org.crt" \
  --foreman-server-ssl-chain="/etc/pki/tls/certs/DigiCertCA.crt" \
  --foreman-foreman-url="https://foreman.myorg.org"

The install completed without error, however, the SmartProxy has this error:

ProxyAPI::ProxyException
ERF12-5356 [ProxyAPI::ProxyException]: Unable to get PuppetCA certificates
([OpenSSL::SSL::SSLError]: SSL_connect returned=1 errno=0 state=SSLv3 read
server certificate B: certificate verif…) for proxy
https://hostname.myorg.org:9090/puppet/ca

lib/proxy_api/puppetca.rb:47:in `rescue in all'
lib/proxy_api/puppetca.rb:45:in `all'
app/services/smart_proxies/puppet_ca.rb:21:in `all'
app/services/smart_proxies/puppet_ca.rb:36:in `find_by_state'
app/controllers/puppetca_controller.rb:8:in `index'
app/models/concerns/foreman/thread_session.rb:33:in `clear_thread'
lib/middleware/catch_json_parse_errors.rb:9:in `call'

and my nodes/hosts cannot run - presumably because of the above error. I
have a snapshot of this VM so I can go back to Self-Signed, but I'd prefer
to use a signed cert.

Sorry for not giving a question:

did I miss something in the installation command above?
do I need to do something with capsule?

It appears that I just need to fix the smartProxy - am I right?

The web interface appears to have the correct certificate installed.

I need help with the next step. For my capsule server, which is another
server with a different FQDN, what do I need to do to this machine? From
the linked "Certificates" section of the katello-installer github page, I
am not sure if I need to run 'capsule-certs-generate' or not for the
capsule. Also, what would the $CAPSULE variable be set as: the FQDN of
the capsule server, or the Katello/Foreman server? Or do I not need to
update certs at all since the capsule server is not the one having new
certs installed? Thanks.

Howdy,

It appears you have over-specified the update and likely broken the chain
of certificates based on how Katello generates what it needs. Please take a
look at https://github.com/Katello/katello-installer#certificates

Eric

On Wed, Mar 18, 2015 at 3:23 PM, Eric du Toit wrote:


You received this message because you are subscribed to the Google Groups
"Foreman users" group.
To unsubscribe from this group and stop receiving emails from it, send an
email to foreman-users+unsubscribe@googlegroups.com.
To post to this group, send email to foreman-users@googlegroups.com.
Visit this group at http://groups.google.com/group/foreman-users.
For more options, visit https://groups.google.com/d/optout.

That is true from what I see.

On my install, puppet has already signed keys for 10 hosts so I don't know
that I want to update everything.

The only thing I'm trying to accomplish is to update SSL for the foreman
web interface so that users don't see a self-signed certificate error in
their browsers if it is possible to set one and not affect the others.

On Wednesday, March 18, 2015 at 2:35:44 PM UTC-5, Eric Helms wrote:
> It appears you have over-specified the update and likely broken the chain
> of certificates

Is my assumption correct that I should use:

katello-installer \
  --foreman-server-ssl-ca="/etc/pki/tls/certs/DigiCertCA.crt" \
  --foreman-server-ssl-key="/etc/pki/tls/private/foreman-katello.key" \
  --foreman-server-ssl-cert="/etc/pki/tls/certs/star_myorg_org.crt" \
  --foreman-server-ssl-chain="/etc/pki/tls/certs/DigiCertCA.crt"

Executing that updated /etc/httpd/conf.d/05-foreman-ssl.conf with the
correct SSLCertificate* entries, but after restarting Apache, the web
browsers still show the self-signed
/etc/pki/katello/certs/katello-apache.crt

The only place I can find that cert referenced in Apache is for crane which
runs on :5000

When I update the SSLCertificate* in 03-crane.conf and restart Apache, the
correct self-signed SSL Certificates are in place.

This accomplished what I set out to do - Trusted ssl for the foreman web
gui, but I have a few questions:

  • Shouldn't SSLCertificate* be contained within the <VirtualHost *:5000>
    container of 03-crane.conf and then the SSLCertificate* options in
    05-foreman-ssl.conf contained within the <VirtualHost *:443> container
    being different is ok?

  • This accomplished what I was trying to do, but it's not the right way of
    doing it. Should I be able to do what I was trying to do with
    katello-installer?

On Wednesday, March 18, 2015 at 3:13:12 PM UTC-5, Eric du Toit wrote:
> The only thing I'm trying to accomplish is to update SSL for the foreman
> web interface so that users don't see a self-signed certificate error in
> their browsers if it is possible to set one and not affect the others.

Did you read through
https://github.com/Katello/katello-installer#certificates ? There is also a
section on updating certificates after you have run a standard install. We
only support custom server certificates at the moment. You will want to
remove the foreman-server-ssl entries from your answer file so that they
are reset to the default generated certs and follow the procedure
previously mentioned.

Eric

On Wed, Mar 18, 2015 at 5:09 PM, Eric du Toit wrote:

>
> Did you read through
> https://github.com/Katello/katello-installer#certificates ?
>

Yes I did. It appeared that procedure was going to do more than I wanted
it to. katello-certs-check is missing, may need to be updated.

There is also a section on updating certificates after you have run a
> standard install.
>

Yes, I reverted my VM snapshot, followed that process on an install with 10
hosts already signed by my self-signed cert, and the smart proxy link
stopped working. Puppet runs failed and I assumed it is because of the
smart-proxy failure.

We only support custom server certificates at the moment.
>

I'm not sure what you mean - does this mean that trusted CA certificates do
not work?

I'm sorry if I haven't been clear on what I'm trying to accomplish - it is
fine and desired to use self-signed certificates for everything (puppet,
smart proxy, etc.), however, I want the Foreman web interface to have a
trusted CA signed certificate for those who have to use the interface.

I was able to get that working as I expected by reverting my snapshot
again, running the katello-installer with my --foreman-server-ssl-*
options, and mucking with the /etc/httpd/conf.d/03-crane.conf.

If what I'm trying to do shouldn't be done or isn't something the installer
is capable of, no problem, I'm just trying to figure out the right way of
doing it if it can/should be done.

On Wednesday, March 18, 2015 at 4:14:20 PM UTC-5, Eric Helms wrote:

>
>
>>
>> Did you read through https://github.com/Katello/katello-installer#
>> certificates ?
>>
>
> Yes I did. It appeared that procedure was going to do more than I wanted
> it to. katello-certs-check is missing, may need to be updated.
>

It was added only very recently. We should move these docs to our versioned
website docs to point users at as they evolve.

>
> There is also a section on updating certificates after you have run a
>> standard install.
>>
>
> Yes, I reverted my VM snapshot, followed that process on an install with
> 10 hosts already signed by my self-signed cert, and the smart proxy link
> stopped working. Puppet runs failed and I assumed it is because of the
> smart-proxy failure.
>
> We only support custom server certificates at the moment.
>>
>
> I'm not sure what you mean - does this mean that trusted CA certificates
> do not work?
>

Assuming you have a certificate, key and signing request that you would
like to use for the web server then following the procedure I linked should
accomplish what you describe wanting to accomplish.

>
>
> I'm sorry if I haven't been clear on what I'm trying to accomplish - it is
> fine and desired to use self-signed certificates for everything (puppet,
> smart proxy, etc…) , however, I want the Foreman web interface to have a
> trusted CA signed certificate for those who have to use the interface.
>
> I was able to get that working as I expected by reverting my snapshot
> again, running the katello-installer with my --foreman-server-ssl-*
> options, and mucking with the /etc/httpd/conf.d/03-crane.conf.
>

Crane is a service for serving docker images, nothing related to it should
affect what you are trying to accomplish unless we are deploying it with a
bad configuration.

On Wed, Mar 18, 2015 at 5:45 PM, Eric du Toit wrote:
> On Wednesday, March 18, 2015 at 4:14:20 PM UTC-5, Eric Helms wrote:
>
> If what I'm trying to do shouldn't be done or isn't something the
> installer is capable of, no problem, I'm just trying to figure out the
> right way of doing it if it can/should be done.



>
> It was added only very recently. We should move these docs to our
> versioned website docs to point users at as they evolve.
>

No problem, I didn't think that was a necessary step.

> Assuming you have a certificate, key and signing request that you would
> like to use for the web server then following the procedure I linked should
> accomplish what you describe wanting to accomplish.
>

I have a key that I generated outside of katello using openssl as I would
have for an Apache server. I created a CSR which I submitted to DigiCert
and now I have a Signed CRT from them (wildcard).

Is that the right process or should I have done something differently in my
CSR generation?

I reverted the VM to a known good config, verified that my answer file
didn't have bad information in it (it was a snapshot from before I started
this whole thing so I was fairly certain it was clean already) and this
was the result:

katello-installer \
  --certs-update-server-ca \
  --certs-update-server \
  --certs-server-cert="/etc/pki/tls/certs/star_myorg_org.crt" \
  --certs-server-cert-req "/etc/pki/tls/certs/foreman-katello.csr" \
  --certs-server-key="/etc/pki/tls/private/foreman-katello.key" \
  --certs-server-ca-cert="/etc/pki/tls/certs/DigiCertCA.crt" \
  --foreman-foreman-url="https://foreman.myorg.org"

Marking certificate
/root/ssl-build/mylonghostname.myorg.org/mylonghostname.myorg.org-apache
for update
Marking certificate /root/ssl-build/mylonghostname.myorg.org-foreman-proxy
for update
Marking certificate /root/ssl-build/katello-server-ca for update
/Stage[main]/Foreman_proxy::Register/Foreman_smartproxy[mylonghostname.myorg.org]:
Failed to call refresh: 422 Unprocessable Entity
/Stage[main]/Foreman_proxy::Register/Foreman_smartproxy[mylonghostname.myorg.org]:
422 Unprocessable Entity

ProxyAPI::ProxyException
ERF12-5356 [ProxyAPI::ProxyException]: Unable to get PuppetCA certificates
([OpenSSL::SSL::SSLError]: SSL_connect returned=1 errno=0 state=SSLv3 read
server certificate B: certificate verif…) for proxy
https://mylonghostname.myorg.org:9090/puppet/ca

lib/proxy_api/puppetca.rb:47:in `rescue in all'
lib/proxy_api/puppetca.rb:45:in `all'
app/services/smart_proxies/puppet_ca.rb:21:in `all'
app/services/smart_proxies/puppet_ca.rb:36:in `find_by_state'
app/controllers/puppetca_controller.rb:8:in `index'
app/models/concerns/foreman/thread_session.rb:33:in `clear_thread'
lib/middleware/catch_json_parse_errors.rb:9:in `call'

On a new unregistered host:

puppet agent -t

Info: Creating a new SSL key for mynewhost.myorg.org
Info: Caching certificate for ca
Info: Caching certificate for mynewhost.myorg.org
Error: Could not request certificate: The certificate retrieved from the
master does not match the agent's private key.
Certificate fingerprint: <fingerprint>
To fix this, remove the certificate from both the master and the agent and
then start a puppet run, which will automatically regenerate a certficate.

On the katello/puppet master:

/etc/puppet/node.rb myexistinghost.myorg.org

Could not send facts to Foreman: SSL_connect returned=1 errno=0 state=SSLv3
read server certificate B: certificate verify failed

It could be that I just failed to start correctly by generating a SSL and
CSR outside katello using openssl?

On Wednesday, March 18, 2015 at 4:53:41 PM UTC-5, Eric Helms wrote:

Hrmm, let's try and verify a few items first. If you don't mind downloading
https://github.com/Katello/katello-installer/blob/master/bin/katello-certs-check
to your box, you can use it to first verify your custom certificates. You
mentioned having a snapshot -- I'd roll back to that snapshot before you
imported custom certs to do the test so that the original Katello
certificates are still intact.

On Thu, Mar 19, 2015 at 12:18 PM, Eric du Toit wrote:

I reverted to the snapshot. Here is what I found when I ran
katello-certs-check on my wildcard/DigiCert certs:

Validating the certificate subject= <trim>
Check private key matches the certificate: [OK]
Check ca bundle verifies the cert file: [FAIL]
The /etc/pki/tls/certs/DigiCertCA.crt does not verify the
/etc/pki/tls/certs/star_myorg_org.crt
/etc/pki/tls/certs/star_myorg_org.crt: C = US, O = DigiCert Inc, CN =
DigiCert SHA2 Secure Server CA error 2 at 1 depth lookup:unable to get
issuer certificate

DigiCertCA.crt is only the intermediate. I added their TrustedRoot.crt to
the top and received Validation succeeded.

I ran the katello-installer on the reverted snapshot with the TrustedRoot &
DigiCertCA intermediate combined and on initial inspection, it looks like
everyone is happy now.

Eric - thanks for taking the time to help.

On Thursday, March 19, 2015 at 1:18:52 PM UTC-5, Eric Helms wrote:
> Hrmm, let's try and verify a few items first. If you don't mind downloading
> https://github.com/Katello/katello-installer/blob/master/bin/katello-certs-check
> to your box, you can use it to first verify your custom certificates. You
> mentioned having a snapshot -- I'd roll back to that snapshot before you
> imported custom certs to do the test so that the original Katello
> certificates are still intact

Running katello-certs-check and the resulting output for katello-installer
worked for me as well… thanks katello team for creating this easy way to
swap out the certs! My only caution is you should feed your certs to the
katello-certs-check program using absolute paths instead of relative paths
(i.e. ./certname). Many .conf files are updated using the path you give it.

On Thursday, March 19, 2015 at 1:45:29 PM UTC-5, Eric du Toit wrote:
> I ran the katello-installer on the reverted snapshot with the TrustedRoot
> & DigiCertCA intermediate combined and on initial inspection, it looks like
> everyone is happy now.
>
> Eric - thanks for taking the time to help.
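Added example, not part of this thread and not the Katello project's katello-certs-check: a POSIX shell script that reproduces the two checks that script reported in the messages above (private key matches the certificate; CA bundle verifies the certificate) and the absolute-path caution from the last reply. It builds a throwaway root CA, intermediate CA and wildcard server certificate in a temp directory with openssl, so the intermediate-only [FAIL] with "unable to get issuer certificate" and the root + intermediate success can be reproduced offline. Every subject, file name and path in it is constructed; the functions key_matches_cert and bundle_verifies_cert are mine, not the installer's, and the key check compares the SPKI public key derived from each file rather than RSA moduli, so it also works for EC keys.

```shell
#!/bin/sh
# Added example: reproduces the key/cert and CA-bundle checks from the thread
# against a constructed three-tier chain. Not Katello's katello-certs-check.
set -eu

WORK="$(mktemp -d)"            # absolute paths throughout, as the last reply advises
trap 'rm -rf "$WORK"' EXIT

# Build a throwaway PKI: root CA -> intermediate CA -> wildcard server cert.
# root.crt stands in for the vendor's TrustedRoot.crt, inter.crt for the
# intermediate (DigiCertCA.crt in the thread), server.key/server.crt for a
# wildcard key and certificate generated outside the installer with openssl.
make_chain() {
  openssl req -new -newkey rsa:2048 -nodes -sha256 \
    -subj "/O=Example Corp/CN=Example Root CA" \
    -keyout "$WORK/root.key" -out "$WORK/root.csr" 2>/dev/null
  printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' >"$WORK/ca.ext"
  openssl x509 -req -sha256 -days 365 -in "$WORK/root.csr" \
    -signkey "$WORK/root.key" -extfile "$WORK/ca.ext" -out "$WORK/root.crt" 2>/dev/null

  openssl req -new -newkey rsa:2048 -nodes -sha256 \
    -subj "/O=Example Corp/CN=Example Intermediate CA" \
    -keyout "$WORK/inter.key" -out "$WORK/inter.csr" 2>/dev/null
  openssl x509 -req -sha256 -days 365 -in "$WORK/inter.csr" \
    -CA "$WORK/root.crt" -CAkey "$WORK/root.key" -CAcreateserial \
    -extfile "$WORK/ca.ext" -out "$WORK/inter.crt" 2>/dev/null

  openssl req -new -newkey rsa:2048 -nodes -sha256 \
    -subj "/O=My Org/CN=*.myorg.org" \
    -keyout "$WORK/server.key" -out "$WORK/server.csr" 2>/dev/null
  printf 'basicConstraints=CA:FALSE\nsubjectAltName=DNS:*.myorg.org,DNS:myorg.org\n' >"$WORK/server.ext"
  openssl x509 -req -sha256 -days 365 -in "$WORK/server.csr" \
    -CA "$WORK/inter.crt" -CAkey "$WORK/inter.key" -CAcreateserial \
    -extfile "$WORK/server.ext" -out "$WORK/server.crt" 2>/dev/null

  # An unrelated key, to show what a key/certificate mismatch looks like.
  openssl genrsa -out "$WORK/other.key" 2048 2>/dev/null

  # Two bundles: intermediate only (what the poster first supplied) and
  # root + intermediate (what finally validated).
  cp "$WORK/inter.crt" "$WORK/bundle-intermediate-only.crt"
  cat "$WORK/root.crt" "$WORK/inter.crt" >"$WORK/bundle-full.crt"
}

# Check 1: does the private key belong to the certificate? Derive the public
# key from each side and compare; exit status 0 means they agree.
key_matches_cert() {
  key_pub="$(openssl pkey -in "$1" -pubout 2>/dev/null)" || return 1
  cert_pub="$(openssl x509 -in "$2" -noout -pubkey 2>/dev/null)" || return 1
  [ -n "$key_pub" ] && [ "$key_pub" = "$cert_pub" ]
}

# Check 2: does the bundle build a complete chain up to a self-signed root?
# openssl verify does not accept an intermediate as a trust anchor by default,
# so a bundle holding only the intermediate fails at depth 1.
bundle_verifies_cert() {
  openssl verify -CAfile "$1" "$2" >/dev/null 2>&1
}

report() {  # $1 = label, remaining args = command to run
  label="$1"; shift
  if "$@"; then echo "$label: [OK]"; else echo "$label: [FAIL]"; fi
}

make_chain
report "Check private key matches the certificate" \
  key_matches_cert "$WORK/server.key" "$WORK/server.crt"
report "Check unrelated key matches the certificate" \
  key_matches_cert "$WORK/other.key" "$WORK/server.crt"
report "Check intermediate-only bundle verifies the cert" \
  bundle_verifies_cert "$WORK/bundle-intermediate-only.crt" "$WORK/server.crt"
report "Check root+intermediate bundle verifies the cert" \
  bundle_verifies_cert "$WORK/bundle-full.crt" "$WORK/server.crt"
# Print the same diagnostic the thread quotes for the failing bundle.
openssl verify -CAfile "$WORK/bundle-intermediate-only.crt" "$WORK/server.crt" 2>&1 || true
```

The order of certificates inside a bundle handed to openssl verify -CAfile does not matter, since it is loaded as a trust store; the poster's "root on top" layout is fine. Note that openssl verify also consults the system trust store unless told not to, so a bundle that is missing the root can still appear to pass on a machine whose system store already holds that root; the constructed root here is not in any system store, which is why the intermediate-only case fails as it did for the poster. To confirm which certificate a running service actually presents after a reconfiguration (the thread's browsers kept seeing katello-apache.crt), inspect the live endpoint with openssl s_client -connect host:443 -servername host and pipe it through openssl x509 -noout -subject -issuer, which is independent of whatever the Apache config files say.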