Replacing Foreman's web SSL certificate.

This is an authorized repost of

This is a companion discussion topic for the original entry at

Paths have changed or are different when installed with recent version of foreman-installer:

  1. /etc/foreman-proxy/settings.yaml -> /etc/foreman-proxy/settings.yml
  2. /etc/puppet/foreman.yaml-> /etc/puppetlabs/puppet/foreman.yaml

Also, I’m missing a hint about if changes like these are “foreman-installer” - stable if changed manually and installer gets re-executed to enable/change plugins.

At first it seems to have a bug related to “smart-proxy” if you have the “remote execution” plugin enabled. I did all the configuration via “foreman-installer” and installed it correctly.

When executing a remote command, everything happens correctly, but the task is always waiting.

I’m using the latest version of foreman.

Hey @infomatico, did you manage to resolve the issue with regards to the task hanging? I actually have the same issue after I changed my certificates to a custom variant. (I only changed them for the foreman core, not the smart-proxies though)

Hey @UXabre,

Unfortunately not!! From what I have been accompanying the staff of the foreman is in contact with the people of ruby-concurrent, because there are some bug is giving a headache to solve.

Here are all the files you need to update
look for where I’ve placed NEWCERT, NEWKEY and NEWCHAIN for the CERT/KEY/CHAIN of your publicly trusted cert from a CA

This is the foreman website listening on 443 under apache/passenger
Change apache to hand out a new cert/key, (and chain)

#OLD SSLCertificateFile “/etc/puppetlabs/puppet/ssl/certs/”
#OLD SSLCertificateKeyFile “/etc/puppetlabs/puppet/ssl/private_keys/”
#OLD SSLCertificateChainFile “/etc/puppetlabs/puppet/ssl/certs/ca.pem”
SSLCertificateFile “/etc/puppetlabs/puppet/ssl/certs/NEWCERT.pem”
SSLCertificateKeyFile “/etc/puppetlabs/puppet/ssl/private_keys/NEWKEY.pem”
SSLCertificateChainFile “/etc/puppetlabs/puppet/ssl/certs/NEWCHAIN.pem”

For the console feature to work (via websockets)

#OLD:websockets_ssl_key: /etc/puppetlabs/puppet/ssl/private_keys/
#OLD:websockets_ssl_cert: /etc/puppetlabs/puppet/ssl/certs/
:websockets_ssl_key: /etc/puppetlabs/puppet/ssl/private_keys/NEWKEY.pem
:websockets_ssl_cert: /etc/puppetlabs/puppet/ssl/certs/NEWCERT.pem

Foreman smart proxy, listening on 8443
You need to ensure it trusts the new CA when it connects back to the webUI
This section is for other things talking to the foreman proxy, no change

:ssl_ca_file: /etc/puppetlabs/puppet/ssl/certs/ca.pem
:ssl_certificate: /etc/puppetlabs/puppet/ssl/certs/
:ssl_private_key: /etc/puppetlabs/puppet/ssl/private_keys/

This is for the proxy talking back to foreman webUI; the ca needs to be the system CA, + new key & new cert. Normally these are commented out, uncomment and update

:foreman_ssl_ca: /etc/pki/tls/certs/ca-bundle.crt
:foreman_ssl_cert: /etc/puppetlabs/puppet/ssl/certs/NEWCERT.pem
:foreman_ssl_key: /etc/puppetlabs/puppet/ssl/private_keys/NEWKEY.pem

This is for when puppet talks back to foreman; it needs to trust the new cert on the webui (ie it needs to trust public certs)

#OLD:ssl_ca: “/etc/puppetlabs/puppet/ssl/ca/ca_crt.pem”
:ssl_ca: “/etc/pki/tls/certs/ca-bundle.crt”

hello @boffin

Where did you get the bundle /etc/pki/tls/certs/ca-bundle.crt?