I'm just starting to investigate using Foreman. We set up a test system
using the foreman-installer which worked well, but now I'm at the stage
where I want to integrate our live puppet servers.
I want to start by just sending the reports to foreman, so I've added the
foreman.rb script, modified the /etc/puppet/puppet.conf by adding the lines
in the sections below:
[main]
…
show_diff = true
report=true
[master]
…
reports = log,foreman
and I've added a /etc/puppet/foreman.yaml file as below:
---
# Update for your Foreman and Puppet master hostname(s)
:url: "https://foremanserver.somedomain.com"
:ssl_ca: "/var/lib/puppet/ssl/certs/ca.pem"
:ssl_cert: "/var/lib/puppet/ssl/certs/puppetserver.somedomain.com.pem"
:ssl_key: "/var/lib/puppet/ssl/private_keys/puppetserver.somedomain.com.pem"
# Advanced settings
:puppetdir: "/var/lib/puppet"
:puppetuser: "puppet"
:facts: true
:timeout: 10
:threads: null
When I check the puppet master, the reports are not being sent to the
foreman server - checking the logs I can see:
Error: Report processor failed: Could not send report to Foreman at https://cisvirfmn.int.dur.ac.uk/api/reports:
SSL_connect returned=1 errno=0 state=SSLv3 read server certificate B:
certificate verify failed
Foreman is version 1.9.1 and puppet is 3.6.2 - can anyone suggest what’s
wrong here?
Thanks
It looks like to me that the CA could be different between your live
Puppet servers and the Foreman server. The SSL verification may be
failing because of that.
Foreman's installer, when using a standalone, clean server will generate
a new Puppet CA. If you have a simple, single CA Puppet infrastructure
then you may simply want to generate a new set for the Foreman server
from that (puppet cert generate) and copy them to the Foreman server
replacing the ones it generated. Or vice-versa, swap the existing
Puppet environment's certs for the CA on the Foreman host - depending on
how you want it.
--
Dominic Cleal
dominic@cleal.org
Dominic, thanks for the response - would this just be the ca.pem or would I
need to regenerate the private key and cert for the puppet server?
Thanks, Simon
The key and cert would need to be regenerated, since it's signed by the
CA. I'd simply move /var/lib/puppet/ssl out of the way, keeping a backup.
You'll find you need to restart everything (httpd, foreman-proxy etc) to
read the new certs.
--
Dominic Cleal
dominic@cleal.org
Dominic, apologies - I'm used to getting puppet servers to generate their
own certs, but not sure how to take the certs from an existing server and
move them to the foreman server. I've had a google but can't find anything
obvious to explain the process.
Are you aware of any documents or breakdown of the steps required to allow
foreman to speak to an existing puppet server?
Thanks
The "SSL certificate authority setup" part here shows it reasonably
well:
http://theforeman.org/manuals/1.9/index.html#3.2.3InstallationScenarios
You'd run the `puppet cert generate` command on your Puppet CA *for*
your Foreman server, which'll generate a new key and certificate,
storing them on the CA.
Once you've got those two files, plus ca.pem from the CA server, copy
them over to the Foreman server to the same paths. You may also need to
copy over the CRL from /var/lib/puppet/ssl/ca/ as httpd is configured to
read this by default.
Restarting httpd and foreman-proxy should ensure Foreman uses the certs
from your Puppet CA, which should ensure everything can easily talk to
each other.
--
Dominic Cleal
dominic@cleal.org
--
You received this message because you are subscribed to the Google
Groups "Foreman users" group.
To unsubscribe from this group and stop receiving emails from it, send
an email to foreman-users+unsubscribe@googlegroups.com.
To post to this group, send email to foreman-users@googlegroups.com.
Visit this group at http://groups.google.com/group/foreman-users.
For more options, visit https://groups.google.com/d/optout.
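The CA mismatch Dominic diagnoses earlier in the thread, and the copy-the-certs procedure he describes in the message above, can both be checked before anything is restarted. The Ruby script below is an added example; it is not part of this thread and not Foreman's own foreman.rb. It builds throwaway CAs and certificates in memory (constructed fixtures, using the hostnames from Simon's foreman.yaml), writes the master's side to a temporary directory, and then runs the check a practitioner would run against a real foreman.yaml: that :ssl_key matches :ssl_cert, that :ssl_cert chains to :ssl_ca, that the certificate the Foreman host's httpd presents chains to that same :ssl_ca (the check that fails with "certificate verify failed" in Simon's log), and that it matches the host in :url. The function names make_ca, issue_cert, check_foreman_ssl and build_fixture are mine, not Foreman's or Puppet's.

```ruby
require "openssl"
require "yaml"
require "tmpdir"
require "uri"

# Self-signed CA (stands in for the Puppet CA on the master, or for the one
# foreman-installer generated on the Foreman host). Throwaway key, 1-hour validity.
def make_ca(cn)
  key  = OpenSSL::PKey::RSA.new(2048)
  cert = OpenSSL::X509::Certificate.new
  cert.version    = 2
  cert.serial     = 1
  cert.subject    = OpenSSL::X509::Name.parse("/CN=#{cn}")
  cert.issuer     = cert.subject
  cert.public_key = key.public_key
  cert.not_before = Time.now - 60
  cert.not_after  = Time.now + 3600
  ef = OpenSSL::X509::ExtensionFactory.new(cert, cert)
  cert.add_extension(ef.create_extension("basicConstraints", "CA:TRUE", true))
  cert.add_extension(ef.create_extension("keyUsage", "keyCertSign,cRLSign", true))
  cert.sign(key, OpenSSL::Digest.new("SHA256"))
  [key, cert]
end

# Host certificate signed by the given CA (the effect of `puppet cert generate`).
def issue_cert(cn, ca_key, ca_cert, serial)
  key  = OpenSSL::PKey::RSA.new(2048)
  cert = OpenSSL::X509::Certificate.new
  cert.version    = 2
  cert.serial     = serial
  cert.subject    = OpenSSL::X509::Name.parse("/CN=#{cn}")
  cert.issuer     = ca_cert.subject
  cert.public_key = key.public_key
  cert.not_before = Time.now - 60
  cert.not_after  = Time.now + 3600
  cert.sign(ca_key, OpenSSL::Digest.new("SHA256"))
  [key, cert]
end

# The check. config_yaml is the text of foreman.yaml on the master; server_cert_pem is
# the certificate the Foreman host's httpd presents. Returns a list of problems; an
# empty list means the report processor's TLS handshake has everything it needs.
def check_foreman_ssl(config_yaml, server_cert_pem)
  cfg  = YAML.load(config_yaml)
  ca   = OpenSSL::X509::Certificate.new(File.read(cfg[:ssl_ca]))
  cert = OpenSSL::X509::Certificate.new(File.read(cfg[:ssl_cert]))
  key  = OpenSSL::PKey::RSA.new(File.read(cfg[:ssl_key]))
  server_cert = OpenSSL::X509::Certificate.new(server_cert_pem)
  host = URI(cfg[:url]).host

  store = OpenSSL::X509::Store.new
  store.add_cert(ca)
  problems = []
  problems << "ssl_key does not match ssl_cert" unless cert.check_private_key(key)
  problems << "ssl_cert not issued by ssl_ca: #{store.error_string}" unless store.verify(cert)
  # The thread's failure: Foreman's server cert was issued by a different CA, so the
  # CA named in :ssl_ca on the master cannot verify it.
  unless store.verify(server_cert)
    problems << "Foreman server cert not issued by ssl_ca (issuer #{server_cert.issuer}, " \
                "ssl_ca subject #{ca.subject}): #{store.error_string}"
  end
  unless OpenSSL::SSL.verify_certificate_identity(server_cert, host)
    problems << "Foreman server cert does not match host #{host}"
  end
  problems
end

# Constructed fixture: the master's CA, cert and key on disk in a temp dir, plus a
# Foreman server cert issued either by that same CA (after the fix) or by a separate
# installer-generated CA (the thread's starting state). Returns [config_yaml, server_pem].
def build_fixture(same_ca:)
  puppet_ca_key, puppet_ca = make_ca("Puppet CA: puppetserver.somedomain.com")
  master_key, master_cert  = issue_cert("puppetserver.somedomain.com", puppet_ca_key, puppet_ca, 2)
  issuer_key, issuer_cert  = same_ca ? [puppet_ca_key, puppet_ca] : make_ca("Puppet CA: foremanserver.somedomain.com")
  _, server_cert = issue_cert("foremanserver.somedomain.com", issuer_key, issuer_cert, 3)

  dir = Dir.mktmpdir("puppet-ssl")
  File.write("#{dir}/ca.pem", puppet_ca.to_pem)
  File.write("#{dir}/cert.pem", master_cert.to_pem)
  File.write("#{dir}/key.pem", master_key.to_pem)
  yaml = <<~YAML
    ---
    :url: "https://foremanserver.somedomain.com"
    :ssl_ca: "#{dir}/ca.pem"
    :ssl_cert: "#{dir}/cert.pem"
    :ssl_key: "#{dir}/key.pem"
  YAML
  [yaml, server_cert.to_pem]
end

if $PROGRAM_NAME == __FILE__
  [false, true].each do |same|
    yaml, server_pem = build_fixture(same_ca: same)
    puts "same CA: #{same} -> #{check_foreman_ssl(yaml, server_pem).inspect}"
  end
end
```

Against a real deployment you would pass check_foreman_ssl the text of /etc/puppet/foreman.yaml and the PEM of the Foreman host's certificate (taken from its /var/lib/puppet/ssl/certs/ directory, or saved from an `openssl s_client` session). A non-empty result means the report processor's handshake will fail the way Simon's log shows, and the "not issued by ssl_ca" message is the one you get while the Foreman host still uses the CA that foreman-installer generated; once the certs from the Puppet CA are in place and httpd and foreman-proxy have been restarted, the same check returns an empty list.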
Dominic,
thanks for your help - have it all up and running now 
Have a good weekend!