We discovered that the ssl_ca: parameter in /etc/puppetlabs/puppet/foreman.yaml is causing Puppet to fail with SSL errors. One of my coworkers commented it out. Now, when I run foreman-installer, the installer will put that parameter back into the file, which will break Puppet.
I expect Foreman Installer to have an option to manage this file, but it does not. How can I manage this file using Foreman Installer?
root@foreman:~# foreman-installer --help | grep /etc/puppetlabs/puppet/ssl/
Defaults to client_ssl_ca (current: "/etc/puppetlabs/puppet/ssl/certs/ca.pem")
Defaults to client_ssl_cert (current: "/etc/puppetlabs/puppet/ssl/certs/foreman.example.org.pem")
Defaults to client_ssl_key (current: "/etc/puppetlabs/puppet/ssl/private_keys/foreman.example.org.pem")
--foreman-proxy-puppet-ssl-ca SSL CA used to verify connections when accessing the Puppet master API (current: "/etc/puppetlabs/puppet/ssl/certs/ca.pem")
--foreman-proxy-puppet-ssl-cert SSL certificate used when accessing the Puppet master API (current: "/etc/puppetlabs/puppet/ssl/certs/foreman.example.org.pem")
--foreman-proxy-puppet-ssl-key SSL private key used when accessing the Puppet master API (current: "/etc/puppetlabs/puppet/ssl/private_keys/foreman.example.org.pem")
--foreman-proxy-ssl-ca SSL CA to validate the client certificates used to access the proxy (current: "/etc/puppetlabs/puppet/ssl/certs/ca.pem")
--foreman-proxy-ssl-cert SSL certificate to be used to run the foreman proxy via https. (current: "/etc/puppetlabs/puppet/ssl/certs/foreman.example.org.pem")
--foreman-proxy-ssl-key Corresponding key to a ssl_cert certificate (current: "/etc/puppetlabs/puppet/ssl/private_keys/foreman.example.org.pem")
root@foreman:~#
For what it’s worth, once I found the correct certificate for ssl_ca_file, I never had this problem again. Make sure you are using a modern version of Foreman (currently, that’s Foreman 3.6 & 3.7).
I agree that this foreman-installer still doesn’t have a way to disable the ssl_ca parameter. If I try to disable the parameter in /etc/puppetlabs/puppet/foreman.yaml, the installer will re-enable it.
Using the --puppet-server-foreman-ssl-ca option doesn’t seem to update /etc/puppetlabs/puppet/foreman.yaml in my case.
The foreman-installer keeps resetting the value of ssl_ca back to /etc/pki/katello/puppet/puppet_client_ca.crt:
[root@smart-proxy~]# foreman-installer --scenario foreman-proxy-content --puppet-server-foreman-ssl-ca "/etc/foreman-proxy/ssl_ca_combined.pem"
2026-04-15 07:21:40 [WARN ] [boot] ["Unsetting environment variable 'http_proxy' for the duration of the install."]
2026-04-15 07:21:40 [WARN ] [boot] ["Unsetting environment variable 'https_proxy' for the duration of the install."]
2026-04-15 07:21:41 [NOTICE] [root] Loading installer configuration. This will take some time.
2026-04-15 07:21:44 [NOTICE] [root] Running installer with log based terminal output at level NOTICE.
2026-04-15 07:21:44 [NOTICE] [root] Use -l to set the terminal output log level to ERROR, WARN, NOTICE, INFO, or DEBUG. See --full-help for definitions.
2026-04-15 07:21:45 [NOTICE] [checks] System checks passed
2026-04-15 07:21:51 [NOTICE] [configure] Starting system configuration.
2026-04-15 07:21:56 [NOTICE] [configure] 250 configuration steps out of 1567 steps complete.
2026-04-15 07:21:57 [NOTICE] [configure] 500 configuration steps out of 1569 steps complete.
2026-04-15 07:21:57 [NOTICE] [configure] 750 configuration steps out of 1574 steps complete.
2026-04-15 07:21:57 [NOTICE] [configure] 1000 configuration steps out of 1575 steps complete.
2026-04-15 07:21:58 [NOTICE] [configure] 1250 configuration steps out of 1575 steps complete.
2026-04-15 07:22:05 [NOTICE] [configure] 1500 configuration steps out of 1576 steps complete.
2026-04-15 07:22:21 [NOTICE] [configure] System configuration has finished.
Success!
* Foreman Proxy is running at https://smartproxy.foo.com:9090