We have replaced the foreman web ssl certificate with a "trusted" certificate following this guide :-
https://theforeman.org/2015/11/foreman-ssl.html
Access to the foreman admin web page is now using a trusted cert and working fine but this creates two issues :-
- Stopping the ability to rollout new manifests to the puppet clients ( The manifest is assigned ok in the foreman web pages but the puppet client doesn’t pick it up )
- Stopping all puppet clients from sending reports to foreman when they have run.
The errors we are getting in /var/log/puppetlabs/puppetserver/puppetserver.log are :-
WARN [qtp1707921485-64] [c.p.p.ShellUtils] Executed an external process which logged to STDERR: During fact upload occurred an exception: SSL_connect returned=1 errno=0 state=error: certificate verify failed.
ERROR [qtp1707921485-68] [puppetserver] Puppet Report processor failed: Could not send report to Foreman at https://FQDN/api/config_reports: No message available
The version of foreman we are running is 1.15.4
The version of puppet we are running is 4.10.8
Files we have changed to point to the New Trusted cert key and chain which is held in /opt/CDT/foreman-certs.
File :- /etc/httpd/conf.d/05-foreman-ssl.conf
SSLCertificateFile - /opt/CDT/foreman-certs/FQDN-Our-Puppet-Server.crt - was - /etc/puppetlabs/puppet/ssl/certs/FQDN-Our-Puppet-Server.pem
SSLCertificateKeyFile - /opt/CDT/foreman-certs/FQDN-Our-Puppet-Server.key - was - /etc/puppetlabs/puppet/ssl/private_keys/FQDN-Our-Puppet-Server.pem
SSLCertificateChainFile - /opt/CDT/foreman-certs/pre-chain.crt - was - /etc/puppetlabs/puppet/ssl/certs/ca.pem
File :- /etc/puppetlabs/puppet/foreman.yaml
ssl_ca - /opt/CDT/foreman-certs/pre-chain.crt - was - /etc/puppetlabs/puppet/ssl/ca/ca_crt.pem
Other existing ssl_CA settings.
/etc/foreman/settings.yaml - ssl_ca_file - /etc/puppetlabs/puppet/ssl/certs/ca.pem
/etc/foreman-proxy/settings.yml - ssl_ca_file - /etc/puppetlabs/puppet/ssl/certs/ca.pem
/etc/foreman-proxy/settings.d/puppet_proxy_legacy.yml - puppet_ssl_ca - /etc/puppetlabs/puppet/ssl/certs/ca.pem
/etc/foreman-proxy/settings.d/puppet_proxy_puppet_api.yml - puppet_ssl_ca - /etc/puppetlabs/puppet/ssl/certs/ca.pem
/etc/hammer/cli.modules.d/foreman.yml - ssl_ca_file - /etc/puppetlabs/puppet/ssl/certs/ca.pem
/etc/smart_proxy_dynflow_core/settings.yml - ssl_ca_file - /etc/puppetlabs/puppet/ssl/certs/ca.pem
Other existing ssl_cert settings.
/etc/foreman/settings.yaml - websockets_ssl_cert - /etc/puppetlabs/puppet/ssl/certs/FQDN-Our-Puppet-Server.pem
/etc/foreman/settings.yaml - ssl_certificate - /etc/puppetlabs/puppet/ssl/certs/FQDN-Our-Puppet-Server.pem
/etc/foreman-proxy/settings.d/puppet_proxy_legacy.yml - puppet_ssl_cert - /etc/puppetlabs/puppet/ssl/certs/FQDN-Our-Puppet-Server.pem
/etc/foreman-proxy/settings.d/puppet_proxy_puppet_api.yml - puppet_ssl_cert - /etc/puppetlabs/puppet/ssl/certs/FQDN-Our-Puppet-Server.pem
/etc/foreman-proxy/settings.yml - ssl_certificate - /etc/puppetlabs/puppet/ssl/certs/FQDN-Our-Puppet-Server.pem
/etc/puppetlabs/puppet/foreman.yaml - ssl_cert - /etc/puppetlabs/puppet/ssl/certs/FQDN-Our-Puppet-Server.pem
/etc/puppetlabs/puppetserver/conf.d/webserver.conf - ssl_cert - /etc/puppetlabs/puppet/ssl/certs/FQDN-Our-Puppet-Server.pem
/etc/smart_proxy_dynflow_core/settings.yml - ssl_certificate - /etc/puppetlabs/puppet/ssl/certs/FQDN-Our-Puppet-Server.pem
Another slightly weird thing we have noticed when trying to resolve this issue is that if we run puppetserver as “root” then it all works - but when running it as “puppet” we have the issue described above.
Any pointers gladly received.
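An offline pre-flight for the settings listed in the post, written here as an added example (it is not part of the original post and not Foreman's or Puppet's own tooling). It loads the same files the report processor hands to its HTTPS client and reports whether they are readable by the current uid, whether the bundle in foreman.yaml's ssl_ca chains the certificate Apache now serves, whether that certificate is valid for the host in the report URL, and whether ssl_key belongs to ssl_cert. It assumes foreman.yaml uses the symbol keys :url, :ssl_ca, :ssl_cert and :ssl_key, and takes the Apache SSLCertificateFile path as an argument.

```ruby
require 'openssl'
require 'yaml'
require 'uri'
require 'etc'

# Mirrors what the report processor's HTTPS client must get past before a report can
# be sent. Run it as the daemon user (`sudo -u puppet ruby ...`) to see that user's
# view of the files rather than root's. Returns a hash of check => true, false, or
# the OpenSSL error string explaining a failed chain verification.
def foreman_ssl_preflight(ssl_ca:, ssl_cert:, ssl_key:, server_cert:, fqdn:)
  results = {}
  who = (Etc.getpwuid.name rescue Process.uid.to_s)
  { ssl_ca: ssl_ca, ssl_cert: ssl_cert, ssl_key: ssl_key,
    server_cert: server_cert }.each do |name, path|
    results[:"#{name}_readable_by_#{who}"] = File.readable?(path)
  end
  return results unless results.values.all? # remaining checks need every file

  # Does the bundle in ssl_ca chain the certificate Apache presents? A false here
  # with "unable to get local issuer certificate" means the bundle lacks the root
  # (or an intermediate) that issued the server certificate.
  store = OpenSSL::X509::Store.new
  store.add_file(ssl_ca)                    # accepts a multi-certificate PEM bundle
  srv = OpenSSL::X509::Certificate.new(File.read(server_cert))
  results[:server_cert_verifies_with_ssl_ca] = store.verify(srv) ? true : store.error_string

  # Is the server certificate issued for the host the report URL targets?
  results[:server_cert_matches_fqdn] = OpenSSL::SSL.verify_certificate_identity(srv, fqdn)

  # Does the client key actually belong to the client certificate sent to Foreman?
  cli = OpenSSL::X509::Certificate.new(File.read(ssl_cert))
  key = OpenSSL::PKey.read(File.read(ssl_key))
  results[:client_key_matches_ssl_cert] = cli.check_private_key(key)
  results
end

# Same checks driven from foreman.yaml; server_cert is Apache's SSLCertificateFile.
def preflight_from_foreman_yaml(yaml_path, server_cert:)
  cfg = YAML.safe_load(File.read(yaml_path), permitted_classes: [Symbol])
  foreman_ssl_preflight(ssl_ca: cfg[:ssl_ca], ssl_cert: cfg[:ssl_cert],
                        ssl_key: cfg[:ssl_key], server_cert: server_cert,
                        fqdn: URI(cfg[:url]).host)
end
```

On the host in the post this would be invoked as `preflight_from_foreman_yaml('/etc/puppetlabs/puppet/foreman.yaml', server_cert: '/opt/CDT/foreman-certs/FQDN-Our-Puppet-Server.crt')`, once under `sudo -u puppet` and once as root, and the two result hashes compared.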