Issues with Not Using Client Auth

Problem:

I’m using the following installation script to install Foreman:

https://gist.github.com/paulcalabro/e7da87617fd277ab83552825fa21c329

I’m running into a weird issue where, if I don’t explicitly set --foreman-server-ssl-ca to a file, it uses “/etc/puppetlabs/puppet/ssl/certs/ca.pem”. How do I omit client auth altogether since I’m not using Puppet (but rather Ansible) or Smart Proxy?

Expected outcome:

By omitting that flag or setting it to an empty string, I would expect the value to not be set.

Foreman and Proxy versions:

1.19.0

Foreman and Proxy plugin versions:

foreman-tasks: 0.13.4
foreman_ansible: 2.2.9
foreman_hooks: 0.3.4
foreman_openscap: 0.10.2
foreman_remote_execution: 1.5.6


Hmm, what do you want to control with Foreman if you don’t want to have a smart proxy at all? Ansible needs remote execution, which runs on a smart proxy (even if that smart proxy runs locally). As you set up Foreman, you’ll quickly see, as you configure your subnet (which in turn gets linked to your host), that remote execution is linked to a smart proxy (if it is not, Foreman would not know who should run the Ansible playbook, as a smart proxy can be in different subnets).
Perhaps I should rephrase the question: what’s the harm of having the file? Client auth can, for the API, be omitted by passing a username and password instead (but as an Auth header); but I’m not sure that’s what you’re really after?

I would suggest reading through the documentation a bit and setting up the wanted setup with the least amount of (premature?) optimizations, then seeing if it works for you. Afterwards you can still remove things that you are sure you don’t need.


Thanks for the great explanation. I’ll give that a try!
