Hi all,
Trying to deploy Foreman 1.9.1 (foreman + proxy + master all on the same
server) with a third-party certificate (from Comodo in our case) for the
webserver. Followed the instructions on
http://www.zem.org.uk/2015/05/11/foreman-ssl/ but puppet won't run!
I put the third-party certificate files in /etc/foreman/tls/. The Apache
vhost is configured as instructed:
SSL directives:
> SSLEngine on
> SSLCertificateFile "/etc/foreman/tls/certificate.crt"
> SSLCertificateKeyFile "/etc/foreman/tls/private.key"
> SSLCertificateChainFile "/etc/foreman/tls/ca_chain.pem"
> SSLCACertificatePath "/etc/ssl/certs"
> SSLCACertificateFile "/var/lib/puppet/ssl/certs/ca.pem"
> SSLCARevocationFile "/var/lib/puppet/ssl/ca/ca_crl.pem"
> SSLCARevocationCheck "chain"
> SSLVerifyClient optional
> SSLVerifyDepth 3
> SSLOptions +StdEnvVars
OpenSSL s_client without a CAfile fails of course, but remarkably both of these
do result in a "Verify return code: 0 (ok)":
> openssl s_client -connect <hostname>:443 -CAfile /var/lib/puppet/ssl/certs/ca.pem
> openssl s_client -connect <hostname>:443 -CAfile /etc/foreman/tls/ca_chain.pem
Foreman runs just fine but puppet won't run. If I set :ssl_ca in
/etc/puppet/foreman.yaml to either puppet's ca.pem or my third-party CA
chain file I get:
> /etc/puppet/node.rb <hostname>
> SSL_connect returned=1 errno=0 state=SSLv3 read server certificate B:
> certificate verify failed
If I unset :ssl_ca then puppet will run. If I concatenate puppet's ca.pem
and my third-party ca_chain.pem and point :ssl_ca to the concatenated CA
file, then puppet will also run. I don't think that's supposed to be done
to get this to work.
So how am I supposed to get this to work?
Thanks for the help!
Tom
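A small check of the trust relationship the post is stumbling over, added here as an example (it is not Tom's configuration or Foreman's code, and it assumes the `cryptography` package is installed): it builds a constructed in-memory PKI with a Puppet-style CA, a separate third-party CA and a server certificate issued by the third-party CA (the name foreman.example.com is made up), then tests which candidate :ssl_ca bundle actually contains the issuer of the certificate that Apache would serve.

```python
import datetime
from cryptography import x509
from cryptography.exceptions import InvalidSignature
from cryptography.hazmat.primitives import hashes, serialization
from cryptography.hazmat.primitives.asymmetric import ec
from cryptography.x509.oid import NameOID

PEM_BEGIN, PEM_END = b"-----BEGIN CERTIFICATE-----", b"-----END CERTIFICATE-----"

def _name(cn): return x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, cn)])

def _cert(subject, issuer, public_key, signer_key, is_ca):
    # Issue a minimal certificate (PEM bytes) for the constructed test PKI.
    start = datetime.datetime(2024, 1, 1)
    builder = (x509.CertificateBuilder().subject_name(_name(subject)).issuer_name(_name(issuer))
               .public_key(public_key).serial_number(x509.random_serial_number())
               .not_valid_before(start).not_valid_after(start + datetime.timedelta(days=365))
               .add_extension(x509.BasicConstraints(ca=is_ca, path_length=None), critical=True))
    return builder.sign(signer_key, hashes.SHA256()).public_bytes(serialization.Encoding.PEM)

def make_test_pki():
    # Constructed stand-in for the post's setup: Puppet's own CA, a separate
    # third-party CA, and a web server certificate issued by the third-party CA.
    puppet_key, vendor_key, server_key = (ec.generate_private_key(ec.SECP256R1()) for _ in range(3))
    puppet_ca = _cert("Puppet CA", "Puppet CA", puppet_key.public_key(), puppet_key, True)
    vendor_ca = _cert("Third-Party CA", "Third-Party CA", vendor_key.public_key(), vendor_key, True)
    server = _cert("foreman.example.com", "Third-Party CA", server_key.public_key(), vendor_key, False)
    return puppet_ca, vendor_ca, server

def _load_bundle(bundle_pem):
    # Split a PEM bundle (e.g. a concatenated :ssl_ca file) into certificate objects.
    chunks = [c[c.index(PEM_BEGIN):] + PEM_END + b"\n" for c in bundle_pem.split(PEM_END) if PEM_BEGIN in c]
    return [x509.load_pem_x509_certificate(c) for c in chunks]

def issuer_in_bundle(server_pem, bundle_pem):
    # True when a CA in the bundle names the server cert's issuer and its key verifies
    # the signature: that is the trust relationship the :ssl_ca file has to provide.
    server = x509.load_pem_x509_certificate(server_pem)
    for ca in _load_bundle(bundle_pem):
        if ca.subject != server.issuer:
            continue
        try:
            ca.public_key().verify(server.signature, server.tbs_certificate_bytes,
                                   ec.ECDSA(server.signature_hash_algorithm))
            return True
        except InvalidSignature:
            pass  # same name, different key: not the real issuer, keep looking
    return False
```

Only bundles that contain the third-party CA return True; for the real files, `openssl verify -CAfile <candidate CA file> /etc/foreman/tls/certificate.crt` performs the equivalent check before :ssl_ca is pointed at them.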