Problem:
I updated the certificates on my foreman machine because the old one had expired. I had some problems with foreman-installer, but after many attempts it finally worked. The working command looked as follows (instead of "domain", the full domain name was entered, and there was an IPv4 address in the last line):
foreman-installer --scenario katello \
  --certs-server-cert "/etc/pki/sig-foreman.domain/sig-foreman.pem" \
  --certs-server-key "/etc/pki/sig-foreman.domain/private.key" \
  --certs-server-ca-cert "/etc/pki/sig-foreman.domain/ca_bundle.pem" \
  --foreman-proxy-ssl-ca "/etc/pki/sig-foreman.domain/ca_bundle.pem" \
  --foreman-proxy-ssl-cert "/etc/pki/sig-foreman.domain/sig-foreman.pem" \
  --foreman-proxy-ssl-key "/etc/pki/sig-foreman.domain/private.key" \
  --foreman-plugin-puppetdb-ssl-ca-file "/etc/pki/sig-foreman.domain/ca_bundle.pem" \
  --foreman-plugin-puppetdb-ssl-certificate "/etc/pki/sig-foreman.domain/sig-foreman.pem" \
  --foreman-plugin-puppetdb-ssl-private-key "/etc/pki/sig-foreman.domain/private.key" \
  --foreman-proxy-foreman-ssl-ca "/etc/pki/sig-foreman.domain/ca_bundle.pem" \
  --foreman-proxy-foreman-ssl-cert "/etc/pki/sig-foreman.domain/sig-foreman.pem" \
  --foreman-proxy-foreman-ssl-key "/etc/pki/sig-foreman.domain/private.key" \
  --foreman-proxy-puppet-ssl-ca "/etc/pki/sig-foreman.domain/ca_bundle.pem" \
  --foreman-proxy-puppet-ssl-cert "/etc/pki/sig-foreman.domain/sig-foreman.pem" \
  --foreman-proxy-puppet-ssl-key "/etc/pki/sig-foreman.domain/private.key" \
  --foreman-client-ssl-ca "/etc/pki/sig-foreman.domain/ca_bundle.pem" \
  --foreman-client-ssl-cert "/etc/pki/sig-foreman.domain/sig-foreman.pem" \
  --foreman-client-ssl-key "/etc/pki/sig-foreman.domain/private.key" \
  --foreman-server-ssl-ca "/etc/pki/sig-foreman.domain/ca_bundle.pem" \
  --foreman-server-ssl-cert "/etc/pki/sig-foreman.domain/sig-foreman.pem" \
  --foreman-server-ssl-key "/etc/pki/sig-foreman.domain/private.key" \
  --foreman-plugin-puppetdb-ssl-ca-file "/etc/pki/sig-foreman.domain/ca_bundle.pem" \
  --foreman-plugin-puppetdb-ssl-certificate "/etc/pki/sig-foreman.domain/sig-foreman.pem" \
  --foreman-plugin-puppetdb-ssl-private-key "/etc/pki/sig-foreman.domain/private.key" \
  --puppet-server-foreman-ssl-ca "/etc/pki/sig-foreman.domain/ca_bundle.pem" \
  --puppet-server-foreman-ssl-cert "/etc/pki/sig-foreman.domain/sig-foreman.pem" \
  --puppet-server-foreman-ssl-key "/etc/pki/sig-foreman.domain/private.key" \
  --certs-update-server --certs-update-server-ca \
  --certs-update-all \
  --foreman-proxy-trusted-hosts sig-foreman.domain \
  --foreman-proxy-trusted-hosts domain \
  --foreman-proxy-trusted-hosts "*.domain" \
  --foreman-proxy-trusted-hosts .domain \
  --foreman-proxy-trusted-hosts (foreman machine IP) --foreman-proxy-trusted-hosts 127.0.0.1
After that, on one client, I updated the package:
yum remove katello-ca-consumer-sig-foreman.domain-1.0-12.noarch
curl --insecure --output katello-ca-consumer-latest.noarch.rpm sig-foreman.domain/pub/katello-ca-consumer-latest.noarch.rpm
yum install katello-ca-consumer-latest.noarch.rpm
However, when I tried to perform: subscription-manager refresh
I received: Unable to verify server's identity: tlsv1 alert unknown ca
Expected outcome:
Ability to upgrade machines
Foreman and Proxy versions:
foreman-release-3.6.1-1.el8.noarch
foreman-proxy-3.6.1-1.el8.noarch
Distribution and version:
Rocky Linux 8.7
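Added example, not part of the original report and not Foreman/Katello code: a TLS unknown_ca alert means the side doing the verification could not chain a presented certificate to any CA it trusts, so the first thing to establish is which certificate failed against which trust store. The script below rebuilds that situation offline with a throwaway "old" CA, a throwaway "new" CA and two server certificates, and wraps the same openssl verify check that a client runs against its CA bundle. CA names, the temp-dir layout and the client paths mentioned in comments (/etc/rhsm/ca/katello-server-ca.pem, /etc/pki/consumer/cert.pem) are assumptions for illustration. One caveat on the report's client steps: fetching the katello-ca-consumer RPM with curl --insecure disables the only check that would have noticed a wrong or unexpected server certificate at that moment; once the new CA bundle is on the client, the same fetch works with --cacert pointing at it.

```shell
#!/usr/bin/env bash
# Added example (not from the original post): reproduce "unknown ca" offline and
# show the check that tells you which trust store is missing which CA.
# Everything is constructed in a temp dir; no real Foreman/Katello files are read.

WORK="$(mktemp -d)"
trap 'rm -rf "$WORK"' EXIT

# make_ca <name>: self-signed CA (key + cert) as $WORK/<name>.key / <name>.pem
make_ca() {
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=$1" \
    -keyout "$WORK/$1.key" -out "$WORK/$1.pem" >/dev/null 2>&1
}

# issue_cert <ca_name> <cn>: leaf certificate for <cn> signed by <ca_name>
issue_cert() {
  openssl req -newkey rsa:2048 -nodes -subj "/CN=$2" \
    -keyout "$WORK/$2.key" -out "$WORK/$2.csr" >/dev/null 2>&1
  openssl x509 -req -days 1 -in "$WORK/$2.csr" \
    -CA "$WORK/$1.pem" -CAkey "$WORK/$1.key" -CAcreateserial \
    -out "$WORK/$2.pem" >/dev/null 2>&1
}

# bundle_of <out> <ca.pem>...: concatenate CA certs into one bundle file
# (the shape of ca_bundle.pem on the server and katello-server-ca.pem on a client)
bundle_of() {
  out="$1"; shift
  cat "$@" > "$out"
}

# chains_to <bundle> <leaf>: exit 0 iff <leaf> verifies against <bundle>.
# This is what the verifying TLS peer does; a failure here is what it reports
# to the other side as an unknown_ca alert.
chains_to() {
  openssl verify -CAfile "$1" "$2" >/dev/null 2>&1
}

# issuer_of <cert>: issuer DN, to compare with the subjects present in a bundle
issuer_of() {
  openssl x509 -in "$1" -noout -issuer | sed 's/^issuer= *//'
}

# explain <bundle> <leaf>: one-line verdict for humans
explain() {
  if chains_to "$1" "$2"; then
    echo "OK:   $(basename "$2") chains to $(basename "$1")"
  else
    echo "FAIL: $(basename "$2") issued by '$(issuer_of "$2")' is not covered by $(basename "$1")"
  fi
}

# --- constructed scenario (assumed names) -----------------------------------
# katello-ca:  the CA whose certificate the client got from the old consumer RPM
# external-ca: the CA that signed the replacement server certificate
make_ca katello-ca
make_ca external-ca
issue_cert katello-ca  old-server
issue_cert external-ca sig-foreman.domain

# What the client trusts (as /etc/rhsm/ca/katello-server-ca.pem would) vs. what is served
explain "$WORK/katello-ca.pem" "$WORK/old-server.pem"
explain "$WORK/katello-ca.pem" "$WORK/sig-foreman.domain.pem"

# A bundle that also contains the new CA makes the new server certificate verify;
# that is what the client-side CA file has to carry after a server CA change.
bundle_of "$WORK/combined-ca.pem" "$WORK/katello-ca.pem" "$WORK/external-ca.pem"
explain "$WORK/combined-ca.pem" "$WORK/sig-foreman.domain.pem"
```

On a real client the equivalent of the last checks is to save the chain the server actually presents (openssl s_client -showcerts -connect sig-foreman.domain:443 </dev/null) and run openssl verify -CAfile against the CA file the client trusts; if that passes, run the same check in the other direction, the consumer certificate the client presents (/etc/pki/consumer/cert.pem, path assumed) against the CA bundle the server was given, since the alert can come from either side of the handshake.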