Managing `ssl_ca:` in /etc/puppetlabs/puppet/foreman.yaml using foreman-installer?

Stefan_Lasiewski · February 7, 2020, 7:05pm

Problem:

We discovered that the ssl_ca: parameter in /etc/puppetlabs/puppet/foreman.yaml is causing Puppet to fail with SSL errors. One of my coworkers commented it out. Now, when I run foreman-installer, the installer to put that parameter back into the file which will break Puppet:

root@foreman:/etc/foreman-installer/scenarios.d# foreman-installer --noop --dont-save-answers --verbose
...
[ WARN 2020-02-06T17:01:15 verbose]  /Stage[main]/Foreman::Puppetmaster/File[/etc/puppetlabs/puppet/foreman.yaml]/content:
[ WARN 2020-02-06T17:01:15 verbose] --- /etc/puppetlabs/puppet/foreman.yaml     2020-01-06 15:32:36.681282894 -0800
[ WARN 2020-02-06T17:01:15 verbose] +++ /tmp/puppet-file20200206-8074-7me5vo    2020-02-06 17:01:15.857371440 -0800
[ WARN 2020-02-06T17:01:15 verbose] @@ -1,6 +1,6 @@
[ WARN 2020-02-06T17:01:15 verbose]  ---
[ WARN 2020-02-06T17:01:15 verbose]  :url: "https://foreman.example.org"
[ WARN 2020-02-06T17:01:15 verbose] -#:ssl_ca: "/etc/puppetlabs/puppet/ssl/ca/ca_crt.pem"
[ WARN 2020-02-06T17:01:15 verbose] +:ssl_ca: "/etc/puppetlabs/puppet/ssl/ca/ca_crt.pem"
[ WARN 2020-02-06T17:01:15 verbose]  :ssl_cert: "/etc/puppetlabs/puppet/ssl/certs/foreman.example.org.pem"
[ WARN 2020-02-06T17:01:15 verbose]  :ssl_key: "/etc/puppetlabs/puppet/ssl/private_keys/foreman.example.org.pem"
[ WARN 2020-02-06T17:01:15 verbose]  :user: ""

We want to remove or manage that parameter using Foreman Installer:

Expected outcome:

I expect Foreman Installer to have an option to manage this file, but it does not. How can I manage this file using Foreman Installer?

oot@foreman:~# foreman-installer --help | grep /etc/puppetlabs/puppet/ssl/
                                  Defaults to client_ssl_ca (current: "/etc/puppetlabs/puppet/ssl/certs/ca.pem")
                                  Defaults to client_ssl_cert (current: "/etc/puppetlabs/puppet/ssl/certs/foreman.example.org.pem")
                                  Defaults to client_ssl_key (current: "/etc/puppetlabs/puppet/ssl/private_keys/foreman.example.org.pem")
    --foreman-proxy-puppet-ssl-ca  SSL CA used to verify connections when accessing the Puppet master API (current: "/etc/puppetlabs/puppet/ssl/certs/ca.pem")
    --foreman-proxy-puppet-ssl-cert  SSL certificate used when accessing the Puppet master API (current: "/etc/puppetlabs/puppet/ssl/certs/foreman.example.org.pem")
    --foreman-proxy-puppet-ssl-key  SSL private key used when accessing the Puppet master API (current: "/etc/puppetlabs/puppet/ssl/private_keys/foreman.example.org.pem")
    --foreman-proxy-ssl-ca        SSL CA to validate the client certificates used to access the proxy (current: "/etc/puppetlabs/puppet/ssl/certs/ca.pem")
    --foreman-proxy-ssl-cert      SSL certificate to be used to run the foreman proxy via https. (current: "/etc/puppetlabs/puppet/ssl/certs/foreman.example.org.pem")
    --foreman-proxy-ssl-key       Corresponding key to a ssl_cert certificate (current: "/etc/puppetlabs/puppet/ssl/private_keys/foreman.example.org.pem")
root@foreman:~#

Foreman and Proxy versions:

Version 1.23.1

Foreman and Proxy plugin versions:

n/a

Distribution and version:

Ubuntu 18.04.3 LTS
Puppetsever version 5.3.10

Other relevant data:

Stefan_Lasiewski · August 21, 2020, 6:50pm

For the record, follow-up for this issue can be found here: