The foreman server is controlled by the foreman puppet module. So all of the settings listed in the ssl document in apache are there. Here are the settings for reference:
Is this correct? It looks like you’re using a different CA for Foreman than the client certs - if so, it would be unsurprising that the proxy cannot verify the certificate of the Foreman server.
I don’t understand the question. Can you please post which parameters are different?
The foreman server’s apache config uses a verified ca (digicert). The foreman_ca.pem contains the digicert ca and the puppet server’s ca. As I stated before, the foreman server is able to connect with the foreman-proxies and vice versa. The only component that doesn’t work is the node.rb, which is indeed surprising to me.
Could you test changing ssl_cert and ssl_key to the values in the apache conf? Namely “/etc/ssl/certs/WEB.pem” and “/etc/ssl/private/WEB.key”?
I think the problem could be that you’re making a POST request from node.rb without the right certificates, however the proxy could be working because it’s only using GET?
The only way I got this working was to comment out the ssl_ca. It’s a pain because I use theforeman/puppet and theforeman/foreman_proxy puppet modules. I end up having to keep the puppet agent ‘off’ on my puppet masters; otherwise, on the next puppet run, the ssl_ca will be re-enabled.
No. But I am using Ubuntu 16.04 for both the foreman server and puppet servers.
I also use puppet to manage foreman and the foreman proxies (not using the installer method). I use the theforeman puppet modules. This means that my puppet agents on both the foreman server and puppet servers need to be disabled as they will always revert the changes to the CA.