Problem:
I installed a Foreman 3.5 Katello 4.7 with custom certificates signed by our internal CA.
At the end of the installation, these errors appeared:
2023-03-20 14:31:27 [NOTICE] [configure] 1750 configuration steps out of 1850 steps complete.
2023-03-20 14:31:58 [ERROR ] [configure] Error making POST request to Foreman at https://foreman.example.com/api/v2/smart_proxies: Unable to communicate with the proxy: ERF12-2530 [ProxyAPI::ProxyException]: Unable to detect features ([RestClient::SSLCertificateNotVerified]: SSL_connect returned=1 errno=0 state=error: certificate verify failed (self signed certificate in certificate chain)) for proxy https://foreman.example.com:9090/v2/features Please check the proxy is configured and running on the host.
2023-03-20 14:31:58 [ERROR ] [configure] /Stage[main]/Foreman_proxy::Register/Foreman_smartproxy[foreman.example.com]/ensure: change from 'absent' to 'present' failed: Error making POST request to Foreman at https://foreman.example.com/api/v2/smart_proxies: Unable to communicate with the proxy: ERF12-2530 [ProxyAPI::ProxyException]: Unable to detect features ([RestClient::SSLCertificateNotVerified]: SSL_connect returned=1 errno=0 state=error: certificate verify failed (self signed certificate in certificate chain)) for proxy https://foreman.example.com:9090/v2/features Please check the proxy is configured and running on the host.
2023-03-20 14:32:02 [NOTICE] [configure] System configuration has finished.
Services are up and running, the GUI seems ok. The Foreman is installed with an integrated puppet server. The installation command:
foreman-installer --scenario katello \
> --certs-server-cert "/root/certs/server_cert.pem" \
> --certs-server-key "/root/certs/server_cert_key.pem" \
> --certs-server-ca-cert "/root/certs/CA_bundle.pem" \
> --enable-foreman-plugin-puppet \
> --enable-foreman-cli-puppet \
> --foreman-proxy-puppet true \
> --foreman-proxy-puppetca true \
> --foreman-proxy-content-puppet true \
> --enable-puppet \
> --puppet-server true \
> --puppet-server-foreman-ssl-ca /etc/pki/katello/puppet/puppet_client_ca.crt \
> --puppet-server-foreman-ssl-cert /etc/pki/katello/puppet/puppet_client.crt \
> --puppet-server-foreman-ssl-key /etc/pki/katello/puppet/puppet_client.key \
> --enable-foreman-plugin-column-view \
> --enable-foreman-plugin-monitoring \
> --foreman-initial-organization 'Test'
Now I've got an issue with the puppet agent:
Info: Using environment 'production'
Debug: Resolving service 'fileserver' using Puppet::HTTP::Resolver::Settings
Debug: Creating new connection for https://foreman.example.com:8140
Debug: Starting connection for https://foreman.example.com:8140
Error: certificate verify failed [self signed certificate in certificate chain for CN=<our internal CA>]
Indeed when trying with openssl s_client -connect foreman.example.com:8140, the same error is displayed.
CONNECTED(00000003)
depth=2 CN = Puppet Root CA: 7f5d08af7c925e
verify error:num=19:self signed certificate in certificate chain
verify return:1
If I add the puppet CA to this command it's ok: openssl s_client -CAfile /etc/puppetlabs/puppet/ssl/certs/ca.pem -connect foreman.example.com:8140
SSL handshake has read 5601 bytes and written 652 bytes
Verification: OK
But with the CA trust store, error again:
openssl s_client -CAfile /etc/pki/ca-trust/extracted/openssl/ca-bundle.trust.crt -connect foreman.example.com.ch:8140
CONNECTED(00000003)
depth=2 CN = Puppet Root CA: 7f5d08af7c925e
verify error:num=19:self signed certificate in certificate chain
I managed to create a link to the puppet CA cert in /etc/pki/ca-trust/source/anchors, and ran update-ca-trust. Then the openssl check is always ok, but I couldn't find the correct settings for the puppet server to make it work.
I tried to point the ssl_trust_store setting to the ca-bundle-trust.crt file, but the issue is still present.
Any idea how to fix this? Did I miss an option in the installer?
Expected outcome:
Puppet server should work with custom certificates
Foreman and Proxy versions:
Foreman 3.5
Katello 4.7
Foreman and Proxy plugin versions:
Distribution and version:
RHEL 8.7
Other relevant data: