Replacing foreman's web ssl certificate - stops reports and new manifests being deployed

Support
1

We have replaced the foreman web ssl certificate to a "trusted certificate following this guide :-
https://theforeman.org/2015/11/foreman-ssl.html

Access to the foreman admin web page is now using a trusted cert and working fine but this creates two issues :-

  1. Stopping the ability to rollout new manifests to the puppet clients ( The manifest is assigned ok in the foreman web pages but the puppet client doesn’t pick it up )
  2. Stopping all puppet clients from sending reports to foreman when they have run.

The errors we are getting in /var/log/puppetlabs/puppetserver/puppetsever.log are :-
WARN [qtp1707921485-64] [c.p.p.ShellUtils] Executed an external process which logged to STDERR: During fact upload occurred an exception: SSL_connect returned=1 errno=0 state=error: certificate verify failed.
ERROR [qtp1707921485-68] [puppetserver] Puppet Report processor failed: Could not send report to Foreman at https://FQDN/api/config_reports: No message available

The version of foreman we are running is 1.15.4
The version of puppet we are running is 4.10.8

Files we have changed to point to the New Trusted cert key and chain which is held in /opt/CDT/foreman-certs.

File :- /etc/httpd/conf.d/05-foreman-ssl.conf

SSLCertificateFile - /opt/CDT/foreman-certs/FQDN-Our-Puppet-Server.crt - was - /etc/puppetlabs/puppet/ssl/certs/FQDN-Our-Puppet-Server.pem

SSLCertificateKeyFile - /opt/CDT/foreman-certs/FQDN-Our-Puppet-Server.key - was - /etc/puppetlabs/puppet/ssl/private_keys/FQDN-Our-Puppet-Server.pem

SSLCertificateChainFile - /opt/CDT/foreman-certs/pre-chain.crt - was - /etc/puppetlabs/puppet/ssl/certs/ca.pem

File :- /etc/puppetlabs/puppet/foreman.yaml

ssl_ca - /opt/CDT/foreman-certs/pre-chain.crt - was - /etc/puppetlabs/puppet/ssl/ca/ca_crt.pem

Other existing ssl_CA settings.

/etc/foreman/settings.yaml - ssl_ca_file - /etc/puppetlabs/puppet/ssl/certs/ca.pem

/etc/foreman-proxy/settings.yml - ssl_ca_file - /etc/puppetlabs/puppet/ssl/certs/ca.pem

/etc/foreman-proxy/settings.d/puppet_proxy_legacy.yml - puppet_ssl_ca - /etc/puppetlabs/puppet/ssl/certs/ca.pem

/etc/foreman-proxy/settings.d/puppet_proxy_puppet_api.yml - puppet_ssl_ca - /etc/puppetlabs/puppet/ssl/certs/ca.pem

/etc/hammer/cli.modules.d/foreman.yml - ssl_ca_file - /etc/puppetlabs/puppet/ssl/certs/ca.pem

/etc/smart_proxy_dynflow_core/settings.yml - ssl_ca_file - /etc/puppetlabs/puppet/ssl/certs/ca.pem

Other existing ssl_cert settings.

/etc/foreman/settings.yaml - websockets_ssl_cert - /etc/puppetlabs/puppet/ssl/certs/FQDN-Our-Puppet-Server.pem

/etc/foreman/settings.yaml - ssl_certificate - /etc/puppetlabs/puppet/ssl/certs/FQDN-Our-Puppet-Server.pem

/etc/foreman-proxy/settings.d/puppet_proxy_legacy.yml - puppet_ssl_cert - /etc/puppetlabs/puppet/ssl/certs/FQDN-Our-Puppet-Server.pem

/etc/foreman-proxy/settings.d/puppet_proxy_puppet_api.yml - puppet_ssl_cert - /etc/puppetlabs/puppet/ssl/certs/FQDN-Our-Puppet-Server.pem

/etc/foreman-proxy/settings.yml - ssl_certificate - /etc/puppetlabs/puppet/ssl/certs/FQDN-Our-Puppet-Server.pem

/etc/puppetlabs/puppet/foreman.yaml - ssl_cert - /etc/puppetlabs/puppet/ssl/certs/FQDN-Our-Puppet-Server.pem

/etc/puppetlabs/puppetserver/conf.d/webserver.conf - ssl_cert - /etc/puppetlabs/puppet/ssl/certs/FQDN-Our-Puppet-Server.pem

/etc/smart_proxy_dynflow_core/settings.yml - ssl_certificate - /etc/puppetlabs/puppet/ssl/certs/FQDN-Our-Puppet-Server.pem

Another slightly wierd thing we have noticed when trying to resolve this issue is that if we run puppetserver as “root” then it all works - but when running it as “puppet” we have the issue described above.

Any pointers gladly received.