Managing `ssl_ca:` in /etc/puppetlabs/puppet/foreman.yaml using foreman-installer?

Stefan_Lasiewski · February 7, 2020, 7:05pm

Problem:

We discovered that the ssl_ca: parameter in /etc/puppetlabs/puppet/foreman.yaml is causing Puppet to fail with SSL errors. One of my coworkers commented it out. Now, when I run foreman-installer, the installer to put that parameter back into the file which will break Puppet:

root@foreman:/etc/foreman-installer/scenarios.d# foreman-installer --noop --dont-save-answers --verbose
...
[ WARN 2020-02-06T17:01:15 verbose]  /Stage[main]/Foreman::Puppetmaster/File[/etc/puppetlabs/puppet/foreman.yaml]/content:
[ WARN 2020-02-06T17:01:15 verbose] --- /etc/puppetlabs/puppet/foreman.yaml     2020-01-06 15:32:36.681282894 -0800
[ WARN 2020-02-06T17:01:15 verbose] +++ /tmp/puppet-file20200206-8074-7me5vo    2020-02-06 17:01:15.857371440 -0800
[ WARN 2020-02-06T17:01:15 verbose] @@ -1,6 +1,6 @@
[ WARN 2020-02-06T17:01:15 verbose]  ---
[ WARN 2020-02-06T17:01:15 verbose]  :url: "https://foreman.example.org"
[ WARN 2020-02-06T17:01:15 verbose] -#:ssl_ca: "/etc/puppetlabs/puppet/ssl/ca/ca_crt.pem"
[ WARN 2020-02-06T17:01:15 verbose] +:ssl_ca: "/etc/puppetlabs/puppet/ssl/ca/ca_crt.pem"
[ WARN 2020-02-06T17:01:15 verbose]  :ssl_cert: "/etc/puppetlabs/puppet/ssl/certs/foreman.example.org.pem"
[ WARN 2020-02-06T17:01:15 verbose]  :ssl_key: "/etc/puppetlabs/puppet/ssl/private_keys/foreman.example.org.pem"
[ WARN 2020-02-06T17:01:15 verbose]  :user: ""

We want to remove or manage that parameter using Foreman Installer:

Expected outcome:

I expect Foreman Installer to have an option to manage this file, but it does not. How can I manage this file using Foreman Installer?

oot@foreman:~# foreman-installer --help | grep /etc/puppetlabs/puppet/ssl/
                                  Defaults to client_ssl_ca (current: "/etc/puppetlabs/puppet/ssl/certs/ca.pem")
                                  Defaults to client_ssl_cert (current: "/etc/puppetlabs/puppet/ssl/certs/foreman.example.org.pem")
                                  Defaults to client_ssl_key (current: "/etc/puppetlabs/puppet/ssl/private_keys/foreman.example.org.pem")
    --foreman-proxy-puppet-ssl-ca  SSL CA used to verify connections when accessing the Puppet master API (current: "/etc/puppetlabs/puppet/ssl/certs/ca.pem")
    --foreman-proxy-puppet-ssl-cert  SSL certificate used when accessing the Puppet master API (current: "/etc/puppetlabs/puppet/ssl/certs/foreman.example.org.pem")
    --foreman-proxy-puppet-ssl-key  SSL private key used when accessing the Puppet master API (current: "/etc/puppetlabs/puppet/ssl/private_keys/foreman.example.org.pem")
    --foreman-proxy-ssl-ca        SSL CA to validate the client certificates used to access the proxy (current: "/etc/puppetlabs/puppet/ssl/certs/ca.pem")
    --foreman-proxy-ssl-cert      SSL certificate to be used to run the foreman proxy via https. (current: "/etc/puppetlabs/puppet/ssl/certs/foreman.example.org.pem")
    --foreman-proxy-ssl-key       Corresponding key to a ssl_cert certificate (current: "/etc/puppetlabs/puppet/ssl/private_keys/foreman.example.org.pem")
root@foreman:~#

Foreman and Proxy versions:

Version 1.23.1

Foreman and Proxy plugin versions:

n/a

Distribution and version:

Ubuntu 18.04.3 LTS
Puppetsever version 5.3.10

Other relevant data:

Stefan_Lasiewski · August 21, 2020, 6:50pm

For the record, follow-up for this issue can be found here:

parryb · August 1, 2023, 1:05am

OK so thanks for all of the above really helped me sort it out. I think the actual solution seems to be missing. The defaults in the installer are incorrect so if like me you enabled puppet without reading the manual the n find it doesn’t work as above follow this guide which points you at the correct files to use;
https://docs.theforeman.org/3.1/Managing_Configurations_Puppet/index-katello.html#Enabling_Puppet_Integration_managing-configurations-puppet

Stefan_Lasiewski · August 14, 2023, 5:44pm

For what it’s worth, once I found the correct certificate for ssl_ca_file, I never had this problem again. Make sure you are using a modern version of Foreman (Currently, that’s Foreman 3.6 & 3.7).

I agree that this foreman-installer still doesn’t have a way to disable the ssl_ca parameter. If I try to disable the parameter in /etc/puppetlabs/puppet/foreman.yaml, the installer will re-enable it.

2023-08-14 10:35:08 [INFO  ] [configure] --- /etc/puppetlabs/puppet/foreman.yaml        2023-08-14 10:34:25.892114462 -0700
2023-08-14 10:35:08 [INFO  ] [configure] +++ /tmp/puppet-file20230814-1018794-z2kfjp    2023-08-14 10:35:08.527760243 -0700
2023-08-14 10:35:08 [INFO  ] [configure] @@ -1,6 +1,6 @@
2023-08-14 10:35:08 [INFO  ] [configure] ---
2023-08-14 10:35:08 [INFO  ] [configure] :url: "https://foreman .example.org"
2023-08-14 10:35:08 [INFO  ] [configure] -#:ssl_ca: "/etc/puppetlabs/puppet/ssl/ca/ca_crt.pem"
2023-08-14 10:35:08 [INFO  ] [configure] +:ssl_ca: "/etc/puppetlabs/puppet/ssl/ca/ca_crt.pem"