NET::ERR_CERT_AUTHORITY_INVALID for webGUI

Problem: When attempting to access the webGUI for Foreman, I receive the error response in the title of this post.

Expected outcome: Foreman login page

Foreman and Proxy versions: 3.7

Foreman and Proxy plugin versions: 3.7

Distribution and version: Ubuntu 20.04

Other relevant data:
I recently joined a new company and as my first task, I have been given the responsibility of regaining proper functionality of puppet and Foreman for automation/management of VMs we have in our infrastructure. I was able to fix all of the ERRORs received during the foreman-installer process, so I moved on to trying to access Foreman via the webGUI. Unfortunately, I receive NET::ERR_CERT_AUTHORITY_INVALID when attempting to access the page. I have already disabled HSTS. The issuer for the cert it is pulling is Puppet CA: myPuppetNode.dev - is this causing the issue? I assume it is from the error’s naming convention; however, I have googled for the past couple of days trying things to no avail.

I’m hoping to get this up and running sooner than later so we can move forward with establishing proper functionality of Foreman and make things easier on our devs.

Thanks in advance for any input!

I assume this is the error in Chrome when you try to access the WebUI?
From what I found, this is most likely caused by Foreman using a self-signed CA Certificate by default, like you have already discovered (the Puppet CA).
You have two options here:

  1. Distribute the Puppet CA Certificate to everyone who needs to access the Foreman UI and tell them to import it into their browser.
  2. Switch Foreman UI to use a certificate that’s trusted by your corporate devices by default. There is currently only documentation for this for Katello on EL, but you should be able to adjust that to a Foreman installation. Main differences are:
    1. You won’t have katello-cert-check available, so you need to make sure your Certs are good yourself.
    2. You don’t want to specify --scenario katello in the installer command
    3. You should not need to propagate the change to your hosts
    4. If you have external smart-proxies, you will need to figure out the correct command by yourself (foreman-installer --full-help should help)

If you decide to try option 2, remember to take snapshots/full system backups of your Foreman and smart-proxy servers beforehand.

Hope this helps.


Areyus,

Thanks for your response, and sorry it's been a few days.

Yes, the error is in Chrome.

I haven’t tried the first option yet; however, with option 2, I believe that’s already been done/set… when checking both /etc/foreman and /etc/foreman-proxy settings.yml, it shows the ssl_certificates being set as the Puppet ones.

Should I still attempt to export it and load it in my browser to see if that works? I feel it’s redundant, but maybe it will fix it? We only need a few people to have it, I think, but I’d like it to be simpler than exporting it to everyone in the company.

Scenario 2 would be replacing what the WebUI uses, from the default (certificates generated by Puppet) to something your company trusts. If you only need a few people to access the Foreman UI, it’s probably easier to tell people to import the Puppet CA Cert into their browser.

Areyus,

So, say for instance we have stuff running behind nginx, safe to say I could use whatever cert(s) they have in place for that as the certs in the foreman and foreman-proxy settings yamls and that could rectify the issue, too?

You could generate a cert from the same CA as that nginx and use that, yes.
Though you should only replace what the WebUI uses, I would recommend against replacing smart-proxy certs, as that is a different topic. You will need to reconfigure the smart-proxy though to tell it about Foreman using a new cert for the web components.
As already mentioned, this is an advanced configuration and currently not covered by the docs for Foreman without Katello, so you need to expect some fiddling until it works.
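The following is an added example, not code from the thread or from the Foreman project. It builds a throwaway PKI (a stand-in for the Puppet CA that signs the Foreman web certificate, plus an unrelated "corporate" CA that browsers already trust) and runs the two checks that come up above: for option 1, that a client which lacks the issuing CA rejects the web cert and a client which has it accepts it (which is exactly what Chrome's NET::ERR_CERT_AUTHORITY_INVALID is reporting); and for option 2, the consistency checks you have to do by hand without katello-cert-check (key matches cert, hostname in the SAN, cert chains to the CA you intend to configure). The hostname foreman.example.internal, the CA names and the temp-dir layout are assumptions for the demo; it only needs openssl 1.1.1 or later on PATH.

```shell
#!/bin/sh
# Added example, not part of the Foreman thread or project.
# Builds a demo PKI and runs the trust and pre-deployment checks
# discussed in the thread. Assumes openssl >= 1.1.1 on PATH.
set -eu

FOREMAN_HOST=foreman.example.internal   # assumed FQDN, not from the thread

# Self-signed CA key+cert under dir $1, file stem $2, CN $3.
mk_ca() {
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
    -keyout "$1/$2.key" -out "$1/$2.pem" -subj "/CN=$3" 2>/dev/null
}

# Leaf key+cert for $FOREMAN_HOST under dir $1, signed by CA stem $2, with a SAN.
mk_leaf() {
  printf 'subjectAltName=DNS:%s\n' "$FOREMAN_HOST" >"$1/san.ext"
  openssl req -newkey rsa:2048 -nodes -keyout "$1/srv.key" \
    -out "$1/srv.csr" -subj "/CN=$FOREMAN_HOST" 2>/dev/null
  openssl x509 -req -in "$1/srv.csr" -CA "$1/$2.pem" -CAkey "$1/$2.key" \
    -CAcreateserial -days 1 -extfile "$1/san.ext" -out "$1/srv.pem" 2>/dev/null
}

# Constructed demo PKI: prints the directory it was written to.
make_demo_pki() {
  dir=$(mktemp -d)
  mk_ca "$dir" puppet-ca "Puppet CA: demo-puppet"   # what Foreman serves by default
  mk_ca "$dir" corp-ca   "Corp Root CA"            # what the browsers already trust
  mk_leaf "$dir" puppet-ca
  echo "$dir"
}

# The browser's question: does cert $1 chain to a CA in bundle $2? -> ok|untrusted
check_trust() {
  if openssl verify -CAfile "$2" "$1" >/dev/null 2>&1; then echo ok; else echo untrusted; fi
}

# Who signed cert $1 (the "Puppet CA: ..." line Chrome shows).
issuer_of() { openssl x509 -in "$1" -noout -issuer; }

# Option 2 pre-checks, the hand-rolled equivalent of katello-cert-check.
key_matches_cert() {   # $1=key $2=cert -> ok|mismatch (compares public keys)
  k=$(openssl pkey -in "$1" -pubout 2>/dev/null)
  c=$(openssl x509 -in "$2" -pubkey -noout 2>/dev/null)
  [ -n "$k" ] && [ "$k" = "$c" ] && echo ok || echo mismatch
}

cert_has_san() {       # $1=cert $2=hostname -> ok|missing
  if openssl x509 -in "$1" -noout -text | grep -Eq "DNS:$2"'(,|$)'; then echo ok; else echo missing; fi
}

precheck() {           # $1=key $2=cert $3=CA bundle $4=hostname -> ok|fail
  [ "$(key_matches_cert "$1" "$2")" = ok ] &&
  [ "$(cert_has_san "$2" "$4")" = ok ] &&
  [ "$(check_trust "$2" "$3")" = ok ] && echo ok || echo fail
}

# Against a live Foreman host you would inspect the served chain instead of
# a demo file, e.g.:
#   openssl s_client -connect "$FOREMAN_HOST:443" -showcerts </dev/null \
#     | openssl x509 -noout -issuer
# and, on a stock Puppet install, the CA cert to distribute for option 1 is
# /etc/puppetlabs/puppet/ssl/certs/ca.pem (assumed default path).

pki=$(make_demo_pki)
echo "issuer:                   $(issuer_of "$pki/srv.pem")"
echo "client without Puppet CA: $(check_trust "$pki/srv.pem" "$pki/corp-ca.pem")"    # untrusted
echo "client with Puppet CA:    $(check_trust "$pki/srv.pem" "$pki/puppet-ca.pem")"  # ok
echo "bundle sane:              $(precheck "$pki/srv.key" "$pki/srv.pem" "$pki/puppet-ca.pem" "$FOREMAN_HOST")"  # ok
echo "wrong key for cert:       $(precheck "$pki/corp-ca.key" "$pki/srv.pem" "$pki/puppet-ca.pem" "$FOREMAN_HOST")"  # fail
rm -rf "$pki"
```

The first two lines of output are the whole story behind the error: the same certificate is "untrusted" when verified against a store that only holds the corporate root and "ok" once the Puppet CA is in the store, which is why importing the Puppet CA (option 1) fixes Chrome without touching the server. For option 2, run precheck with the key, certificate, and CA bundle you intend to pass to foreman-installer before you run it, since a mismatched key or a missing SAN only shows up after the service is restarted.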

Areyus,

Thanks for the help… I’ll do that! For the time being, I’ve just got the Puppet CA loaded into my browser to keep poking around.
