Hi,
to practice an upgrade operation of a rather unkempt installation of
Foreman 1.12, I have copied the entire host over to a new machine, with
a new host name and a new IP. To be able to log in, I replaced the
certificate with a self-signed one which makes the browser happy.
However, this does not make Foreman happy. Configuring the new host name
as a smart proxy failed:
Unable to communicate with the proxy: ERF12-2530
[ProxyAPI::ProxyException]: Unable to detect features
Judging from searching for this error message, Foreman does not like the
certificate presented by the smart proxy. Dual-checking the Certificate
with openssl s_client -connect=my.new.hostname.example:8443 shows that
it actually returns the new self-signed cert.
My guess is that Foreman wants to see a certificate from the Puppet CA.
How do I generate one manually? I know about puppet cert list and puppet
cert sign, but I am at a loss about how to make my certificate request
show up in the list. Do I only need to dump the certificate request in a
certain directory (which one?) with a file name matching a certain
pattern (which one?), or do I also need to call a certain command (which
one?)?
Or is the recommended way to create the certificate just calling puppet
ca generate? Never having done this, I wonder: who creates the private key and
the certificate request with puppet ca generate? The man page for puppet
ca generate is a bit terse.
I'd appreciate any help with this. I know that what I am trying to do is
really dirty, but I am actually doing this so as not to have to do
unpracticed things in production.
Greetings
Marc
--
-----------------------------------------------------------------------------
Marc Haber | "I don't trust Computers. They | Mailadresse im Header
Leimen, Germany | lose things." Winona Ryder | Fon: *49 6224 1600402
Nordisch by Nature | How to make an American Quilt | Fax: *49 6224 1600421
> Judging from searching for this error message, Foreman does not like the
> certificate presented by the smart proxy. Dual-checking the Certificate
> with openssl s_client -connect=my.new.hostname.example:8443 shows that
> it actually returns the new self-signed cert.
Turned out that I did the dual-checking from my own workstation, which
was cause for some confusion, see below.
> My guess is that Foreman wants to see a certificate from the Puppet CA.
> How do I generate one manually? I know about puppet cert list and puppet
> cert sign, but I am at a loss about how to make my certificate request
> show up in the list. Do I only need to dump the certificate request in a
> certain directory (which one?) with a file name matching a certain
> pattern (which one?), or do I also need to call a certain command (which
> one?)?
You just dump the certificate request, named
full.qualified.host.name.pem, in /var/lib/puppet/ssl/ca/requests, and
it'll automatically show up in puppet cert list, and can therefore be
signed with puppet cert sign. The puppet CA only signs requests that
don't have some of the extensions made by openssl in the default, but
gives quite clear error messages, so tailoring the openssl.cnf to
puppet's needs was rather easy.
The signed certificate can then be picked up from
/var/lib/puppet/ssl/ca/signed.
After I put the new certificate on the new host, the error message
changed. But that was PEBCAK.
Admin tip of the day: If you rename a copy of a system by means of find
/etc | xargs sed -i s/old/new/g, make sure to run the same replacement
for the IP address as well, or you'll find your system talking to the
old box instead of to itself.
Greetings
Marc
On Tue, Jun 06, 2017 at 02:16:10PM +0200, Marc Haber wrote:
--
Marc Haber | "I don't trust Computers. They | Mailadresse im Header
Leimen, Germany | lose things." Winona Ryder | Fon: *49 6224 1600402
Nordisch by Nature | How to make an American Quilt | Fax: *49 6224 1600421
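The procedure Marc describes, written out as a POSIX shell script. This is an added example, not code from the thread or from Puppet: it generates a key and a CSR with an openssl config that deliberately requests no extensions, checks the CSR before submitting it, drops it into the CA's requests directory as fqdn.pem, and signs it with puppet cert. The ssldir /var/lib/puppet/ssl and the puppet cert commands come from the post; openssl on the host, the config keys, the variable and function names, and the X509v3 check are my assumptions.

```shell
#!/bin/sh
# Added example, not code from the thread. Assumes a Puppet 3-era layout with
# ssldir /var/lib/puppet/ssl (the paths quoted in the post), openssl on the
# host and `puppet cert` on the CA host. Function names and config keys are
# this example's own choices.
set -eu

CA_REQUESTS=/var/lib/puppet/ssl/ca/requests   # path from the post
CA_SIGNED=/var/lib/puppet/ssl/ca/signed       # path from the post

# Write a minimal openssl req config: CN = certname (the FQDN Foreman will
# talk to) and no extension requests at all, so the CA has nothing to object to.
write_csr_config() {            # $1 = config path, $2 = FQDN
    cat > "$1" <<EOF
[ req ]
prompt             = no
default_md         = sha256
distinguished_name = req_dn
[ req_dn ]
CN = $2
EOF
}

# Create a 2048-bit RSA key and a CSR named <fqdn>.pem in work directory $1.
gen_key_and_csr() {             # $1 = work dir, $2 = FQDN
    write_csr_config "$1/csr.cnf" "$2"
    # umask in a subshell so only the private key gets mode 0600
    ( umask 077; openssl genrsa -out "$1/$2.key" 2048 2>/dev/null )
    openssl req -new -config "$1/csr.cnf" -key "$1/$2.key" -out "$1/$2.pem"
}

# Exit 0 if the CSR carries X509v3 extension requests (the kind of thing the
# Puppet CA may refuse), 1 if it is clean.
csr_requests_extensions() {     # $1 = CSR path
    openssl req -in "$1" -noout -text | grep -q 'X509v3'
}

# Print the CN of the CSR; it must equal the certname you are going to sign.
csr_cn() {                      # $1 = CSR path
    openssl req -in "$1" -noout -subject -nameopt RFC2253 | sed 's/.*CN=//'
}

# Drop the CSR into the CA's requests directory as <fqdn>.pem, where
# `puppet cert list` picks it up, sign it, and show where the cert landed.
submit_and_sign() {             # $1 = FQDN, $2 = CSR path
    if csr_requests_extensions "$2"; then
        echo "refusing: $2 requests extensions; regenerate without them" >&2
        return 1
    fi
    if [ "$(csr_cn "$2")" != "$1" ]; then
        echo "refusing: CSR CN does not match certname $1" >&2
        return 1
    fi
    install -m 0644 "$2" "$CA_REQUESTS/$1.pem"
    puppet cert list                 # the request now appears as pending
    puppet cert sign "$1"
    ls -l "$CA_SIGNED/$1.pem"        # copy this, plus the key, to the new host
}

# Usage on the CA host: sh puppet_manual_cert.sh my.new.hostname.example /tmp/work
if [ "$#" -eq 2 ]; then
    mkdir -p "$2"
    gen_key_and_csr "$2" "$1"
    submit_and_sign "$1" "$2/$1.pem"
fi
```

The two pre-checks in submit_and_sign are the point: a CSR whose CN is not the certname, or that carries extension requests from a stock openssl.cnf, is what produces the CA's refusals, so the script rejects those before anything lands in the requests directory.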