LDAPS + Foreman 1.7.4

Hello All;

Curious if anyone has been able to get LDAPS working successfully. I have
exported the key and CSR, uploaded the CSR to our AD cert
server, generated a .crt file. At this point I am unaware of where / how
to configure this in foreman. I have successfully added it to apache under
05-foreman-ssl.conf in the /etc/httpd/conf.d/ folder, but it seems the
LDAPS keys must be specified somewhere else. Any thoughts? Thank you in
advance!

See section 4.1.1, I think, of the manual at theforeman.org.
Basically you copy the crt file to /etc/pki/tls/certs and run the
following command adapted to your filename conventions:
ln -s example.crt /etc/pki/tls/certs/$(openssl x509 -noout -hash -in /etc/pki/tls/certs/example.crt).0

Joop


Thanks Joop!

I saw that section, but is that all I need to do? Are there any
configuration files to be updated in order to have the LDAPS actually use
that crt?
Also, I tried editing the 05-foreman-ssl.conf with the new crt and key, but
that broke Puppet (presumably I'd need to re-cert all servers if I had to
do that; is that true?).

Anyway thanks again for the reply and let me know if any additional configs
need to be updated other than just linking the files as mentioned below.
thanks!! :)


Here is the error i'm getting upon logging in:

SSL_connect returned=1 errno=0 state=SSLv3 read server certificate B:
certificate verify failed

Yes, that's all you need to do. Getting the .crt might be the hard part;
I don't have MS AD, only Samba4 AD.

Joop


So I did that:

foreman01 ~ $ ls -l /etc/pki/tls/certs/
total 1780
lrwxrwxrwx 1 root root 11 Apr 14 12:04 212b0000.0 -> certnew.crt
-rw-r--r-- 1 root root 1224 Apr 14 09:58 certnew.crt

I restarted foreman, foreman-proxy and httpd, but I'm still getting the
same error. I got the .crt from our AD by generating a CSR on the server
itself, putting that into AD, and it gave me a .crt back.

Could it be the wrong SSL version or something?


For the record, this was fixed (Thanks to sonixblaze) by adding the CA cert
of our authority server to /etc/tls/pki/certs/ca-bundle.crt and restarting
foreman.

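The two trust setups discussed in this thread side by side, as an added example in Ruby (the language Foreman and its LDAP client are written in); this is not code from the original posts or from the Foreman project. It mints a throwaway CA and a domain-controller certificate in memory (constructed stand-ins for the AD certificate authority and the certnew.crt it handed back), then verifies that certificate the way an OpenSSL-backed client does at SSL_connect: first against a hashed certs/ directory holding only the server certificate (the symlink step from section 4.1.1, applied to the wrong certificate), then against the same layout holding the CA certificate, and finally against a bundle file with the CA appended, which is the fix that worked (on RHEL/CentOS the system bundle lives at /etc/pki/tls/certs/ca-bundle.crt). The subject names, the dc01.corp.example host and all paths are made up; temporary directories stand in for /etc/pki/tls/certs.

```ruby
require 'openssl'
require 'tmpdir'
require 'fileutils'

# Mint an X.509v3 certificate in memory (constructed test data). With no
# issuer it is a self-signed CA; otherwise it is signed by issuer_key and
# chains to issuer_cert, like a DC certificate issued by an AD CA.
def mint_cert(subject, key, serial, issuer_cert: nil, issuer_key: nil, ca: false)
  cert = OpenSSL::X509::Certificate.new
  cert.version = 2
  cert.serial = serial
  cert.subject = OpenSSL::X509::Name.parse(subject)
  cert.issuer = issuer_cert ? issuer_cert.subject : cert.subject
  cert.public_key = key.public_key
  cert.not_before = Time.now - 60
  cert.not_after = Time.now + 3600
  ef = OpenSSL::X509::ExtensionFactory.new
  ef.subject_certificate = cert
  ef.issuer_certificate = issuer_cert || cert
  cert.add_extension(ef.create_extension('basicConstraints', ca ? 'CA:TRUE' : 'CA:FALSE', true))
  cert.add_extension(ef.create_extension('keyUsage', ca ? 'keyCertSign,cRLSign' : 'digitalSignature,keyEncipherment', true))
  cert.sign(issuer_key || key, OpenSSL::Digest.new('SHA256'))
  cert
end

# File name the manual's symlink step produces: OpenSSL::X509::Name#hash is
# the same value `openssl x509 -noout -hash` prints for the subject.
def hashed_name(cert)
  format('%08x.0', cert.subject.hash)
end

# Lay out a directory like /etc/pki/tls/certs after `ln -s cert.crt <hash>.0`.
# OpenSSL's by-directory lookup can only find a certificate through that name.
def hashed_trust_dir(certs, dirs)
  dir = Dir.mktmpdir('ldaps-trust-')
  dirs << dir
  certs.each_with_index do |cert, i|
    pem = File.join(dir, "cert#{i}.crt")
    File.write(pem, cert.to_pem)
    File.symlink(pem, File.join(dir, hashed_name(cert)))
  end
  dir
end

# Verify a server certificate the way an OpenSSL-backed client does at
# SSL_connect: build a chain from the leaf up to a trusted anchor in the store.
def verify_with(store, leaf)
  ok = store.verify(leaf)
  [ok, store.error_string]
end

# Returns {scenario => [verified?, openssl error string]} for the three setups.
def demo
  dirs = []
  ca_key = OpenSSL::PKey::RSA.new(2048)
  ca = mint_cert('/DC=example/DC=corp/CN=Example Corp Issuing CA', ca_key, 1, ca: true)
  dc_key = OpenSSL::PKey::RSA.new(2048)
  dc = mint_cert('/CN=dc01.corp.example', dc_key, 2, issuer_cert: ca, issuer_key: ca_key)
  results = {}

  # 1. the thread's first attempt: the server certificate itself, hashed and
  #    symlinked into certs/, with no CA certificate anywhere in the store
  leaf_only = OpenSSL::X509::Store.new
  leaf_only.add_path(hashed_trust_dir([dc], dirs))
  results[:leaf_only_dir] = verify_with(leaf_only, dc)

  # 2. the same hashed-directory layout, but holding the issuing CA
  ca_dir = OpenSSL::X509::Store.new
  ca_dir.add_path(hashed_trust_dir([ca], dirs))
  results[:ca_dir] = verify_with(ca_dir, dc)

  # 3. the fix that worked: the CA certificate appended to a bundle file
  #    (stand-in for /etc/pki/tls/certs/ca-bundle.crt)
  bundle_dir = Dir.mktmpdir('ldaps-bundle-')
  dirs << bundle_dir
  bundle = File.join(bundle_dir, 'ca-bundle.crt')
  File.write(bundle, ca.to_pem)
  from_bundle = OpenSSL::X509::Store.new
  from_bundle.add_file(bundle)
  results[:ca_bundle] = verify_with(from_bundle, dc)
  results
ensure
  dirs.each { |d| FileUtils.remove_entry(d) } if dirs
end

if __FILE__ == $PROGRAM_NAME
  demo.each { |name, (ok, msg)| puts format('%-14s verify=%-5s %s', name, ok, msg) }
end
```

The point the thread turned on: OpenSSL builds a chain from the server's certificate up to a self-signed anchor in the trust store, so a store that contains the server certificate but not its issuer still fails with "certificate verify failed" (the underlying OpenSSL error is "unable to get local issuer certificate"), while a store holding the issuing CA verifies whether it is a hashed directory or a bundle file. A certificate issued to the Foreman host by the AD CA is the wrong object for this problem: it is a server certificate for Foreman's own HTTPS, and it does nothing for the LDAPS client; that also makes it the likely reason swapping it into 05-foreman-ssl.conf upset Puppet, since the installer's default vhost certificate is issued by the Puppet CA and the Puppet side only trusts that CA. Before touching any config, `openssl s_client -connect dc01.corp.example:636 -showcerts -CAfile /etc/pki/tls/certs/ca-bundle.crt` (hostname assumed) shows which CA issued the DC's certificate and whether the bundle already verifies it, so you know which CA certificate to append.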

> For the record, this was fixed (Thanks to sonixblaze) by adding the CA cert
> of our authority server to /etc/tls/pki/certs/ca-bundle.crt and restarting
> foreman.

If you feel like this will be a source of confusion for more users in
the future, please submit a pull request to
https://github.com/theforeman/theforeman.org for the manual. Section 4.1.1
of the Foreman manual is probably where this explanation belongs.

Glad to see it's fixed!

Daniel Lobato Garcia

@eLobatoss
blog.daniellobato.me
daniellobato.me

GPG: http://keys.gnupg.net/pks/lookup?op=get&search=0x7A92D6DD38D6DE30
Keybase: https://keybase.io/elobato