Hi,
We have freeipa attached to Katello/foreman and now I want to use the
certmonger ssl certificates for Katello/foreman/puppet.
After reading several manuals, blog posts and other info (most of it is a
bit outdated), I found a solution that appears to work. The webserver
has a new certificate, but it still fails on candlepin:
qpid-config --ssl-certificate /etc/pki/katello/certs/java-client.crt --ssl-key /etc/pki/katello/private/java-client.key -b 'amqps://<servername>:5671' add exchange topic event --durable returned 1 instead of one of [0]
/Stage[main]/Certs::Candlepin/Exec[create candlepin qpid exchange]/returns: change from notrun to 0 failed: qpid-config --ssl-certificate /etc/pki/katello/certs/java-client.crt --ssl-key /etc/pki/katello/private/java-client.key -b 'amqps://deployen.netbulae.mgmt:5671' add exchange topic event --durable returned 1 instead of one of [0]
Failed: ConnectError: [SSL: TLSV1_ALERT_UNKNOWN_CA] tlsv1 alert unknown ca (_ssl.c:765)
What I did so far:
mkdir /etc/ipa/private
cd /etc/ipa/private
kinit admin
cat << EOF > /etc/ipa/private/passout.txt
****************Password************
EOF
HOSTNAME=`hostname`
openssl genrsa -aes256 -out $HOSTNAME.pem -passout file:/etc/ipa/private/passout.txt 2048
openssl rsa -in $HOSTNAME.pem -out $HOSTNAME.password.key -passin file:/etc/ipa/private/passout.txt
openssl req -new -key $HOSTNAME.password.key -out $HOSTNAME.csr -subj "/C=NL/ST=Enschede/L=Overijssel/O=Netbulae/CN=<servername>"
ipa service-add HTTP/$HOSTNAME
ipa cert-request $HOSTNAME.csr --principal HTTP/$HOSTNAME
# use the serial number output above to provide the SERIALNUMBER below.
ipa cert-show <SERIALNUMBER> --out=$HOSTNAME.crt
openssl rsa -in $HOSTNAME.password.key -out $HOSTNAME.passwordless.key -passin file:/etc/ipa/private/passout.txt
cp $HOSTNAME.passwordless.key $HOSTNAME.key
# this checks to make sure the certs will work with the installer; it
# will provide commands to install the certs
katello-certs-check -c $HOSTNAME.crt -k $HOSTNAME.key -r $HOSTNAME.csr -b /etc/ipa/ca.crt
foreman-installer --scenario katello \
  --certs-server-cert "/etc/ipa/private/deployen.netbulae.mgmt.crt" \
  --certs-server-cert-req "/etc/ipa/private/deployen.netbulae.mgmt.csr" \
  --certs-server-key "/etc/ipa/private/deployen.netbulae.mgmt.key" \
  --certs-server-ca-cert "/etc/ipa/ca.crt" \
  --certs-update-server --certs-update-server-ca
With kind regards,
Jorick Astrego
Netbulae Virtualization Experts
Tel: 053 20 30 270 | Fax: 053 20 30 271
info@netbulae.eu | www.netbulae.eu
Staalsteden 4-3A, 7547 TA Enschede
KvK 08198180 | BTW NL821234584B01
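The `TLSV1_ALERT_UNKNOWN_CA` alert in the post means the peer (here the qpid broker) received a certificate whose issuer is not in its trust store. The script below is an added example, not part of the original post or of the Katello project: it builds two throwaway CAs with openssl, issues a client certificate from one of them, and shows that `openssl verify` accepts the certificate against the CA that issued it and rejects it against the other. The CA names (`ipa-ca`, `other-ca`) and the leaf name (`java-client`) are constructed for the demo; the same `verify_against_ca` check can be run with the real `/etc/pki/katello/certs/java-client.crt` and whichever CA bundle the broker is configured to trust.

```shell
#!/bin/sh
# Added example: reproduce an "unknown ca" trust mismatch offline.
# Not from the original post; all CA and leaf names below are constructed.
set -e

WORK="$(mktemp -d)"
trap 'rm -rf "$WORK"' EXIT

# make_ca NAME: self-signed CA, writes $WORK/NAME.key and $WORK/NAME.crt
make_ca() {
  openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 1 \
    -keyout "$WORK/$1.key" -out "$WORK/$1.crt" -subj "/CN=$1" 2>/dev/null
}

# issue_client_cert CANAME LEAFNAME: CSR plus CA-signed leaf certificate
issue_client_cert() {
  openssl req -new -newkey rsa:2048 -nodes -sha256 \
    -keyout "$WORK/$2.key" -out "$WORK/$2.csr" -subj "/CN=$2" 2>/dev/null
  openssl x509 -req -in "$WORK/$2.csr" -CA "$WORK/$1.crt" -CAkey "$WORK/$1.key" \
    -CAcreateserial -days 1 -sha256 -out "$WORK/$2.crt" 2>/dev/null
}

# verify_against_ca CERT CAFILE: exit 0 when CERT chains to a CA in CAFILE,
# non-zero otherwise. This is the check a TLS peer performs before it would
# send an "unknown ca" alert.
verify_against_ca() {
  openssl verify -CAfile "$2" "$1" >/dev/null 2>&1
}

# run_demo: issue java-client from ipa-ca, then check it against both CAs.
# Returns 0 only if the trusted CA accepts it and the unrelated CA rejects it.
run_demo() {
  make_ca ipa-ca
  make_ca other-ca
  issue_client_cert ipa-ca java-client

  if verify_against_ca "$WORK/java-client.crt" "$WORK/ipa-ca.crt"; then
    echo "java-client.crt chains to ipa-ca.crt: a broker trusting ipa-ca accepts it"
  else
    echo "unexpected: leaf does not verify against its own issuer"
    return 1
  fi

  if verify_against_ca "$WORK/java-client.crt" "$WORK/other-ca.crt"; then
    echo "unexpected: leaf verified against an unrelated CA"
    return 1
  else
    echo "java-client.crt does not chain to other-ca.crt: a broker trusting only other-ca alerts 'unknown ca'"
  fi
}

run_demo
```

On the real host the equivalent check is `openssl verify -CAfile <ca-the-broker-trusts> /etc/pki/katello/certs/java-client.crt`; if that fails, the broker's trust store and the issuer of the client certificate have diverged (for example when the server CA was replaced with the IPA CA but the client certificate is still issued by the previous Katello CA, or the other way round), and `openssl s_client -connect <servername>:5671 -CAfile /etc/ipa/ca.crt` shows which certificate the broker side presents.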