Replacing Foreman's web SSL certificate.

This is an authorized repost of http://www.zem.org.uk/2015/05/11/foreman-ssl


This is a companion discussion topic for the original entry at https://theforeman.org/2015/11/foreman-ssl.html

Paths have changed or are different when installed with a recent version of foreman-installer:

  1. /etc/foreman-proxy/settings.yaml -> /etc/foreman-proxy/settings.yml
  2. /etc/puppet/foreman.yaml -> /etc/puppetlabs/puppet/foreman.yaml

Also, I’m missing a hint about whether changes like these are “foreman-installer”-stable, i.e. whether they survive if changed manually and the installer gets re-executed to enable/change plugins.

At first glance there seems to be a bug related to “smart-proxy” if you have the “remote execution” plugin enabled. I did all the configuration via “foreman-installer” and installed it correctly.

When executing a remote command, everything happens correctly, but the task is always waiting.

I’m using the latest version of foreman.

Hey @infomatico, did you manage to resolve the issue with regards to the task hanging? I actually have the same issue after I changed my certificates to a custom variant. (I only changed them for the foreman core, not the smart-proxies though)

Hey @UXabre,

Unfortunately not! From what I have been following, the Foreman staff are in contact with the ruby-concurrent people, because there is some bug that is giving them a headache to solve.

In our setup we have 2 foreman servers behind the load balancer. I followed this guide and changed the certificate on both foreman instances, but after that it breaks and the error says as below:

“Failure: ERF50-5345 [Foreman::WrappedException]: Unable to connect ([ProxyAPI::ProxyException]: ERF12-7885 [ProxyAPI::ProxyException]: Unable to fetch logs ([OpenSSL::SSL::SSLError]: SSL_connect SYSCALL returned=5 errno=0 state=SSLv2/v3 read server hello A) for proxy https://frmserver02.cadence.com:8443/logs)”

foreman url : http://foreman-ha.cadence.com
Backend server behind load balancer : frmserver01 and frmserver02

It would be great if you could provide the complete installation flags for foreman-installer.

We have used the following:

foreman-installer --foreman-foreman-url=http://foreman-ha.cadence.com --enable-foreman-plugin-remote-execution --enable-foreman-proxy-plugin-remote-execution-ssh --foreman-db-type=mysql --foreman-db-manage=false --foreman-db-host=frmserverdb.cadence.com --foreman-db-database=foreman --foreman-db-username=foreman --foreman-db-password=C@dence123 --foreman-organizations-enabled=true --foreman-initial-organization=Cadence --foreman-locations-enabled=true --foreman-initial-location=SanJose --enable-foreman-plugin-ansible --enable-foreman-plugin-discovery --enable-foreman-plugin-docker --enable-foreman-plugin-expire-hosts --enable-foreman-plugin-hooks --foreman-admin-password=cadence --foreman-admin-username=admin

Here are all the files you need to update.
Look for where I’ve placed NEWCERT, NEWKEY and NEWCHAIN for the cert/key/chain of your publicly trusted cert from a CA.

/etc/httpd/conf.d/05-foreman-ssl.conf

This is the Foreman website listening on 443 under Apache/Passenger.
Change Apache to hand out the new cert/key (and chain):

#OLD SSLCertificateFile "/etc/puppetlabs/puppet/ssl/certs/foremanrmd01.mda.ca.pem"
#OLD SSLCertificateKeyFile "/etc/puppetlabs/puppet/ssl/private_keys/foremanrmd01.mda.ca.pem"
#OLD SSLCertificateChainFile "/etc/puppetlabs/puppet/ssl/certs/ca.pem"
SSLCertificateFile "/etc/puppetlabs/puppet/ssl/certs/NEWCERT.pem"
SSLCertificateKeyFile "/etc/puppetlabs/puppet/ssl/private_keys/NEWKEY.pem"
SSLCertificateChainFile "/etc/puppetlabs/puppet/ssl/certs/NEWCHAIN.pem"

/etc/foreman/settings.yaml

For the console feature to work (via websockets):

#OLD:websockets_ssl_key: /etc/puppetlabs/puppet/ssl/private_keys/foremanrmd01.mda.ca.pem
#OLD:websockets_ssl_cert: /etc/puppetlabs/puppet/ssl/certs/foremanrmd01.mda.ca.pem
:websockets_ssl_key: /etc/puppetlabs/puppet/ssl/private_keys/NEWKEY.pem
:websockets_ssl_cert: /etc/puppetlabs/puppet/ssl/certs/NEWCERT.pem

/etc/foreman-proxy/settings.yml

Foreman smart proxy, listening on 8443.
You need to ensure it trusts the new CA when it connects back to the web UI.

This section is for other things talking to the Foreman proxy; no change:

:ssl_ca_file: /etc/puppetlabs/puppet/ssl/certs/ca.pem
:ssl_certificate: /etc/puppetlabs/puppet/ssl/certs/foremanrmd01.mda.ca.pem
:ssl_private_key: /etc/puppetlabs/puppet/ssl/private_keys/foremanrmd01.mda.ca.pem

This is for the proxy talking back to the Foreman web UI.

The CA needs to be the system CA, plus the new key and new cert.

Normally these are commented out:

:foreman_ssl_ca: /etc/pki/tls/certs/ca-bundle.crt
:foreman_ssl_cert: /etc/puppetlabs/puppet/ssl/certs/NEWCERT.pem
:foreman_ssl_key: /etc/puppetlabs/puppet/ssl/private_keys/NEWKEY.pem

/etc/puppetlabs/puppet/foreman.yaml

This is for when Puppet talks back to Foreman;
it needs to trust the new cert on the web UI (i.e. it needs to trust public certs):

#OLD:ssl_ca: "/etc/puppetlabs/puppet/ssl/ca/ca_crt.pem"
:ssl_ca: "/etc/pki/tls/certs/ca-bundle.crt"
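As an added example (not part of the post or of Foreman itself), a stdlib-only Python checker that parses constructed fragments of the four files above and reports cross-file mismatches: the cert/key Apache serves on 443 must match the websockets and proxy foreman_ssl_* entries, the proxy's foreman_ssl_ca and Puppet's ssl_ca must be the system bundle, and the proxy's own 8443 listener stays on the Puppet CA. File contents and the system-bundle path are assumptions; it checks configuration agreement only, not that the key on disk matches the cert.

```python
import re

# Constructed sample fragments of the four files from the post (not real files).
APACHE_SSL_CONF = """\
SSLCertificateFile "/etc/puppetlabs/puppet/ssl/certs/NEWCERT.pem"
SSLCertificateKeyFile "/etc/puppetlabs/puppet/ssl/private_keys/NEWKEY.pem"
SSLCertificateChainFile "/etc/puppetlabs/puppet/ssl/certs/NEWCHAIN.pem"
"""
FOREMAN_SETTINGS = """\
:websockets_ssl_key: /etc/puppetlabs/puppet/ssl/private_keys/NEWKEY.pem
:websockets_ssl_cert: /etc/puppetlabs/puppet/ssl/certs/NEWCERT.pem
"""
PROXY_SETTINGS = """\
:ssl_ca_file: /etc/puppetlabs/puppet/ssl/certs/ca.pem
:foreman_ssl_ca: /etc/pki/tls/certs/ca-bundle.crt
:foreman_ssl_cert: /etc/puppetlabs/puppet/ssl/certs/NEWCERT.pem
:foreman_ssl_key: /etc/puppetlabs/puppet/ssl/private_keys/NEWKEY.pem
"""
PUPPET_FOREMAN_YAML = ':ssl_ca: "/etc/pki/tls/certs/ca-bundle.crt"\n'
SYSTEM_CA = "/etc/pki/tls/certs/ca-bundle.crt"  # assumed system bundle path (RHEL-style)

def parse_apache(text):
    """Active (uncommented) 'SSLxxx "path"' directives -> {directive: path}."""
    pat = re.compile(r'^\s*(SSL\w+)\s+"?([^"\s]+)"?\s*$')
    return {m.group(1): m.group(2) for m in map(pat.match, text.splitlines()) if m}

def parse_flat_yaml(text):
    """Minimal parser for the flat ':key: value' lines Foreman's YAML files use."""
    pat = re.compile(r'^\s*:(\w+):\s*"?([^"\s]+)"?\s*$')
    return {m.group(1): m.group(2) for m in map(pat.match, text.splitlines()) if m}

def check_consistency(apache, foreman, proxy, puppet):
    """Return the list of cross-file mismatches; an empty list means the swap is coherent."""
    cert, key = apache.get("SSLCertificateFile"), apache.get("SSLCertificateKeyFile")
    problems = []
    if (foreman.get("websockets_ssl_cert"), foreman.get("websockets_ssl_key")) != (cert, key):
        problems.append("websockets cert/key differ from what Apache serves on 443")
    if (proxy.get("foreman_ssl_cert"), proxy.get("foreman_ssl_key")) != (cert, key):
        problems.append("proxy foreman_ssl_cert/key differ from what Apache serves on 443")
    if proxy.get("foreman_ssl_ca") != SYSTEM_CA:
        problems.append("proxy foreman_ssl_ca must be the system bundle to trust a public cert")
    if puppet.get("ssl_ca") != SYSTEM_CA:
        problems.append("puppet foreman.yaml ssl_ca must be the system bundle")
    if not proxy.get("ssl_ca_file", "").startswith("/etc/puppetlabs/puppet/ssl/"):
        problems.append("proxy ssl_ca_file (8443 listener) should stay on the Puppet CA")
    return problems

if __name__ == "__main__":
    print(check_consistency(parse_apache(APACHE_SSL_CONF), parse_flat_yaml(FOREMAN_SETTINGS),
                            parse_flat_yaml(PROXY_SETTINGS), parse_flat_yaml(PUPPET_FOREMAN_YAML)))
```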