This is an authorized repost of http://www.zem.org.uk/2015/05/11/foreman-ssl
This is a companion discussion topic for the original entry at https://theforeman.org/2015/11/foreman-ssl.html
This is an authorized repost of http://www.zem.org.uk/2015/05/11/foreman-ssl
Paths have changed or are different when installed with recent version of foreman-installer:
/etc/foreman-proxy/settings.yaml
-> /etc/foreman-proxy/settings.yml
/etc/puppet/foreman.yaml
-> /etc/puppetlabs/puppet/foreman.yaml
Also, I’m missing a hint about if changes like these are “foreman-installer” - stable if changed manually and installer gets re-executed to enable/change plugins.
At first it seems to have a bug related to “smart-proxy” if you have the “remote execution” plugin enabled. I did all the configuration via “foreman-installer” and installed it correctly.
When executing a remote command, everything happens correctly, but the task is always waiting.
I’m using the latest version of foreman.
Hey @infomatico, did you manage to resolve the issue with regards to the task hanging? I actually have the same issue after I changed my certificates to a custom variant. (I only changed them for the foreman core, not the smart-proxies though)
Hey @UXabre,
Unfortunately not!! From what I have been accompanying the staff of the foreman is in contact with the people of ruby-concurrent, because there are some bug is giving a headache to solve.
Here are all the files you need to update
look for where I’ve placed NEWCERT, NEWKEY and NEWCHAIN for the CERT/KEY/CHAIN of your publicly trusted cert from a CA
/etc/httpd/conf.d/05-foreman-ssl.conf
This is the foreman website listening on 443 under apache/passenger
Change apache to hand out a new cert/key, (and chain)
#OLD SSLCertificateFile “/etc/puppetlabs/puppet/ssl/certs/foreman.example.com.pem”
#OLD SSLCertificateKeyFile “/etc/puppetlabs/puppet/ssl/private_keys/foreman.example.com.pem”
#OLD SSLCertificateChainFile “/etc/puppetlabs/puppet/ssl/certs/ca.pem”
SSLCertificateFile “/etc/puppetlabs/puppet/ssl/certs/NEWCERT.pem”
SSLCertificateKeyFile “/etc/puppetlabs/puppet/ssl/private_keys/NEWKEY.pem”
SSLCertificateChainFile “/etc/puppetlabs/puppet/ssl/certs/NEWCHAIN.pem”
/etc/foreman/settings.yaml
For the console feature to work (via websockets)
#OLD:websockets_ssl_key: /etc/puppetlabs/puppet/ssl/private_keys/foreman.example.com.pem
#OLD:websockets_ssl_cert: /etc/puppetlabs/puppet/ssl/certs/foreman.example.com.pem
:websockets_ssl_key: /etc/puppetlabs/puppet/ssl/private_keys/NEWKEY.pem
:websockets_ssl_cert: /etc/puppetlabs/puppet/ssl/certs/NEWCERT.pem
/etc/foreman-proxy/settings.yml
Foreman smart proxy, listening on 8443
You need to ensure it trusts the new CA when it connects back to the webUI
This section is for other things talking to the foreman proxy, no change
:ssl_ca_file: /etc/puppetlabs/puppet/ssl/certs/ca.pem
:ssl_certificate: /etc/puppetlabs/puppet/ssl/certs/foreman.example.com.pem
:ssl_private_key: /etc/puppetlabs/puppet/ssl/private_keys/foreman.example.com.pem
This is for the proxy talking back to foreman webUI; the ca needs to be the system CA, + new key & new cert. Normally these are commented out, uncomment and update
:foreman_ssl_ca: /etc/pki/tls/certs/ca-bundle.crt
:foreman_ssl_cert: /etc/puppetlabs/puppet/ssl/certs/NEWCERT.pem
:foreman_ssl_key: /etc/puppetlabs/puppet/ssl/private_keys/NEWKEY.pem
/etc/puppetlabs/puppet/foreman.yaml
This is for when puppet talks back to foreman; it needs to trust the new cert on the webui (ie it needs to trust public certs)
#OLD:ssl_ca: “/etc/puppetlabs/puppet/ssl/ca/ca_crt.pem”
:ssl_ca: “/etc/pki/tls/certs/ca-bundle.crt”
hello @boffin
Where did you get the bundle /etc/pki/tls/certs/ca-bundle.crt?