Serving Foreman + Smart Proxy on a second Domain with separate SSL Cert

Problem:

I want to deploy a Foreman installation into an OpenStack based private cloud, as detailed in this post:

tl;dr: My environment doesn’t allow me to directly assign IPv4 addresses to a networking interface that belongs to my instance. The CentOS installation, and therefore Foreman, have no knowledge of what public IPv4 is assigned to them. On install, FQDN resolution will fail because of this (see the mentioned post for details).

@gvde mentioned that the correct solution would be to set up the FQDN as a server alias inside Foreman:

Instead, set up the vm with a private, local host name which is bound to your private ip address. Set up the public fqdn as server alias instead, thus your server knows that it serves this host name as well. IMHO that’s the correct way to set this up.

As an addition to the above, I would also like to use Let’s Encrypt SSL certificates to encrypt the traffic to the Foreman web interface.
As I understand, this would involve adding a second Virtual Host with my FQDN as server name under:
/etc/httpd/conf.d/05-foreman.conf.

I’m not sure what the correct process is here:

  1. For starters, can I just clone the existing Virtual Host configuration, modify the ServerName and required SSL attributes and then use that as another virtual host configuration? Surely it is more intricate than that, no?

  2. On the topic of Apache Virtual Hosts, Puppetlabs Hiera is mentioned several times:
    Configuring apache access logging through custom-hiera.yml using foreman-installer
    Manage Apache Vhosts

Indeed, the virtual hosts file seems to be managed by puppet, according to the first few lines under /etc/httpd/conf.d/05-foreman.conf:

# ************************************
# Vhost template in module puppetlabs-apache
# Managed by Puppet
# ************************************
# 

And in one of the mentioned posts, it is said that any modification to the vhosts file will vanish on a server restart. I am assuming, from context, that Puppet will regenerate them from some template somewhere. Unfortunately I have almost no experience with Puppet (I am coming from Ansible and have been able to ignore/circumvent Puppet thus far when dealing with Foreman), so I do not know where I should start for editing and managing the default Foreman vhosts template.

It is probably quite obvious, I’m lacking guidance. Again, I’d just like my Foreman installation to essentially be “mirrored” on a domain alias, i.e. offer the same feature set on this second domain name as would be expected from a Foreman install that has a proper public IP with FQDN configured.

Any guidance is highly, highly appreciated.

Regards

Foreman versions:
3.1
Distribution and version:
CentOS 8 Stream

No. You don’t need that. You can set the certificate paths with foreman-installer. See the certs options, certs-server-ca-cert, certs-server-cert, certs-server-key.

You can also use katello-certs-check (if you are using Katello) to check the three files, and it prints out the command to use to set it up…

Nothing that you wrote requires adding custom settings into Apache…

1 Like
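
The reply above refers to three files (server certificate, key and CA certificate) that are passed to the installer's certs options. The following is an added example, not from the thread and not the project's katello-certs-check, of a pre-flight consistency check on those files with plain openssl. It assumes openssl is on the PATH; foreman.example.com and all file paths are placeholders, and demo uses a constructed throwaway self-signed certificate.

```shell
#!/bin/sh
# Added example: check a server cert, its key and a CA bundle before
# handing them to an installer. Paths and host names are placeholders.

# check_cert_bundle CERT KEY CA_BUNDLE HOSTNAME -> returns 0 if all checks pass
check_cert_bundle() {
    cert=$1 key=$2 ca=$3 host=$4

    # 1. The private key must belong to the certificate: compare public keys.
    cert_pub=$(openssl x509 -in "$cert" -noout -pubkey 2>/dev/null) || return 1
    key_pub=$(openssl pkey -in "$key" -pubout 2>/dev/null) || return 1
    if [ "$cert_pub" != "$key_pub" ]; then
        echo "FAIL: $key does not match $cert" >&2; return 1
    fi

    # 2. The certificate must chain to the CA bundle.
    if ! openssl verify -CAfile "$ca" "$cert" >/dev/null 2>&1; then
        echo "FAIL: $cert does not verify against $ca" >&2; return 1
    fi

    # 3. The certificate must cover the name clients will connect to
    #    (SAN entry, or CN when the certificate has no SAN).
    #    -checkhost reports the result as text, so match on its message.
    if ! openssl x509 -in "$cert" -noout -checkhost "$host" |
            grep -q 'does match certificate'; then
        echo "FAIL: $cert is not valid for $host" >&2; return 1
    fi

    echo "OK: certificate, key and CA bundle are consistent for $host"
}

# demo: run the check on a constructed, throwaway self-signed certificate
# (it acts as its own CA here, which is enough to exercise all three checks).
demo() {
    d=$(mktemp -d) || return 1
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
        -subj "/CN=foreman.example.com" \
        -keyout "$d/server.key" -out "$d/server.crt" >/dev/null 2>&1 || return 1
    check_cert_bundle "$d/server.crt" "$d/server.key" "$d/server.crt" \
        foreman.example.com
    rc=$?
    rm -rf "$d"
    return $rc
}

# Usage: sh check.sh server.crt server.key ca-bundle.crt public.fqdn
if [ "$#" -eq 4 ]; then check_cert_bundle "$@"; fi
```

Run it once per name the server should answer to (the private host name and the public FQDN alias), since a certificate that covers only one of them will fail the third check for the other.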