Is there a way to replace the self-signed certificate foreman is running on after it is installed? I see that the certificates are linked via Apache configuration. Can I just replace the links to custom ones or do I need to re-run the foreman-installer with the custom certificates specified?
Yes, I’ve been meaning to write a blog about this. I’ll leave placing the certificates in the right place as a users exercise (I used LetsEncrypt). You want to change the CA that’s used to verify as well. I was lazy and used the system CA bundle. You gain additional security against another CA issuing a cert by using the the exact certificate but IMHO that’s a very small chance and not a relevant attack vector for my personal infra.
--foreman-server-ssl-cert /etc/letsencrypt/live/$HOSTNAME/cert.pem
--foreman-server-ssl-chain /etc/letsencrypt/live/$HOSTNAME/chain.pem
--foreman-server-ssl-key /etc/letsencrypt/live/$HOSTNAME/privkey.pem
--puppet-server-foreman-ssl-ca /etc/ssl/certs/ca-bundle.crt
--foreman-proxy-foreman-ssl-ca /etc/ssl/certs/ca-bundle.crt
When using katello the parameters are slightly different and I need to look them up.