Hi @ekohl - these were brand new installs. I deployed 4 of them in the past month but didn’t notice until I switched from Firefox to Brave (Chromium-based). I even re-built it in my homelab last weekend (was playing around with Katello) to check. It’s the certificate validity length, I believe; it has to be less than 825 days. That’s the only thing I change with my internal CA when I regenerate certs.
Here is the openssl command my script uses to generate valid certs for Catalina:
/usr/bin/openssl x509 -req -SHA256 -extfile $hostname.ext -days 824 -in $hostname.csr -CA ./ca/ca.crt -CAkey ./ca/ca.key -CAcreateserial -out $hostname.crt
Nothing special with that except the expiration length I believe?
Then I re-run this to point to the new certs, and all is well:
foreman-installer --foreman-server-ssl-cert /etc/puppetlabs/puppet/ssl/certs/puppet.crt \
--foreman-server-ssl-key /etc/puppetlabs/puppet/ssl/certs/puppet.key \
--puppet-server-foreman-ssl-ca /etc/puppetlabs/puppet/ssl/certs/ca.crt \