SSL Certificate

Hi

We're trying to change the webserver SSL certificate to an internally signed
one.
I changed the following settings to replace the certificate.

/etc/puppet/foreman.yaml

---
#:url: "https://hostname.fqdn.local"
#:ssl_ca: "/var/lib/puppet/ssl/certs/ca.pem"
#:ssl_cert: "/var/lib/puppet/ssl/certs/hostname.fqdn.local.pem"
#:ssl_key: "/var/lib/puppet/ssl/private_keys/hostname.fqdn.local.pem"
:url: "https://foreman-test.fqdn.local"
:ssl_ca: "/var/lib/puppet/ssl/certs/fqdn-root-int-ca1.pem"
:ssl_cert: "/var/lib/puppet/ssl/certs/foreman-test.fqdn.local.crt"
:ssl_key: "/var/lib/puppet/ssl/private_keys/foreman-test.fqdn.local.key"

/etc/httpd/conf.d/05-foreman-ssl.conf

<VirtualHost *:443>
ServerName foreman-test.fqdn.local
...
## SSL directives
SSLEngine on
# SSLCertificateFile "/var/lib/puppet/ssl/certs/hostname.fqdn.local.pem"
# SSLCertificateKeyFile "/var/lib/puppet/ssl/private_keys/hostname.fqdn.local.pem"
# SSLCertificateChainFile "/var/lib/puppet/ssl/certs/ca.pem"
SSLCertificateFile "/var/lib/puppet/ssl/certs/foreman-test.fqdn.local.pem"
SSLCertificateKeyFile "/var/lib/puppet/ssl/private_keys/foreman-test.fqdn.local.key"
SSLCertificateChainFile "/var/lib/puppet/ssl/certs/fqdn-root-int-ca1.pem"

Restarted apache and now it works fine in the web browser. But puppet
clients are not able to send reports any more.
I think the problem is this...

# sudo -u puppet /etc/puppet/node.rb hostname.fqdn.local
Could not send facts to Foreman: SSL_connect returned=1 errno=0 state=SSLv3 read server certificate B: certificate verify failed

I have searched through the topics here and googled but nothing seems to
work...
I have also set up a new foreman installation with the installer SSL
parameters but the results are the same.

foreman-installer -v \
  --foreman-foreman-url=foreman-test.fqdn.local \
  --foreman-server-ssl-cert=/etc/pki/tls/certs/foreman-test.fqdn.local.pem \
  --foreman-server-ssl-key=/etc/pki/tls/private/foreman-test.fqdn.local.key

Any ideas would be appreciated!

Thanks
Sandro

Have you seen this?

http://projects.theforeman.org/projects/foreman/wiki/Troubleshooting#How-do-I-change-the-FQDN-of-the-Foreman-host

I did not investigate your problem yet, please read it and confirm.

LZ



Later,
Lukas #lzap Zapletal

Not sure if this really applies to my issue…
We're not trying to rename the foreman server or something like that.

I don't think it's necessary to replace the proxy's certificate?

But I did replace the paths to the new certificate and key file in the ENC
node script, report script and in foreman settings.
Still the same issue.


> > > Restarted apache and now it works fine in the web browser. But puppet
> > > clients are not able to send reports any more.

Hmmm have you re-signed the client certs?

I don't know what is wrong either.

Later,
Lukas #lzap Zapletal

I think I figured it out.

I placed my own cert and key file under /etc/pki and pointed apache to it:

SSLCertificateFile "/etc/pki/tls/certs/foreman-test.fqdn.local.pem"
SSLCertificateKeyFile "/etc/pki/tls/private/foreman-test.fqdn.local.key"

And then added our root cert to puppet's CA:

cat /etc/pki/ca-trust/source/anchors/fqdn-root-int-ca1.pem >> /var/lib/puppet/ssl/certs/ca.pem

Puppet works again:

sudo -u puppet /etc/puppet/node.rb $(hostname)
---
classes: {}
parameters:
  puppetmaster: foreman-test.fqdn.local
  root_pw:
  foreman_env: production
  environment: production

And the web browser is also happy about foreman’s certificate!

Thanks for your help
Sandro

On Monday, September 29, 2014 11:16:15 AM UTC+2, Lukas Zapletal wrote:

> > > > Restarted apache and now it works fine in the web browser. But puppet
> > > > clients are not able to send reports any more.
>
> Hmmm have you re-signed the client certs?
>
> I don't know what is wrong either.
>
> Later,
> Lukas #lzap Zapletal
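As an added illustration (not code from the thread, Foreman or Puppet), this Ruby script reproduces the verification that node.rb's HTTPS client performs and the fix above: the server certificate only validates once the internal root is appended to the bundle named by :ssl_ca, and only when the configured :url matches the certificate's name. All CAs, keys and certificates are constructed in memory; the CN values are taken from the thread.

```ruby
require 'openssl'

# Build a constructed in-memory certificate: self-signed when no issuer is
# given, otherwise signed by issuer_cert/issuer_key.
def make_cert(cn, key, ca: false, issuer_cert: nil, issuer_key: nil)
  cert = OpenSSL::X509::Certificate.new
  cert.version = 2
  cert.serial = OpenSSL::BN.rand(64)
  cert.subject = OpenSSL::X509::Name.parse("/CN=#{cn}")
  cert.issuer = issuer_cert ? issuer_cert.subject : cert.subject
  cert.public_key = key.public_key
  cert.not_before = Time.now - 60
  cert.not_after = Time.now + 3600
  ef = OpenSSL::X509::ExtensionFactory.new(issuer_cert || cert, cert)
  cert.add_extension(ef.create_extension('basicConstraints', ca ? 'CA:TRUE' : 'CA:FALSE', true))
  cert.sign(issuer_key || key, OpenSSL::Digest.new('SHA256'))
end

# Verify server_cert the way the ENC/report scripts' HTTPS client does: the
# trust store holds only the PEM certificates found in the :ssl_ca bundle,
# and the name in :url must match the certificate.
def verify_against_bundle(bundle_pem, server_cert, hostname)
  store = OpenSSL::X509::Store.new
  bundle_pem.scan(/-----BEGIN CERTIFICATE-----.*?-----END CERTIFICATE-----/m)
            .each { |pem| store.add_cert(OpenSSL::X509::Certificate.new(pem)) }
  return store.error_string unless store.verify(server_cert)   # e.g. "unable to get local issuer certificate"
  return 'hostname mismatch' unless OpenSSL::SSL.verify_certificate_identity(server_cert, hostname)
  :ok
end

# Constructed scenario matching the thread: Puppet's own CA, an internal root
# that signed the new Foreman web certificate, and the two states of
# /var/lib/puppet/ssl/certs/ca.pem before and after appending the root.
def demo(hostname = 'foreman-test.fqdn.local')
  puppet_ca_key = OpenSSL::PKey::RSA.new(2048)
  puppet_ca = make_cert('Puppet CA', puppet_ca_key, ca: true)
  root_key = OpenSSL::PKey::RSA.new(2048)
  root = make_cert('fqdn-root-int-ca1', root_key, ca: true)
  srv = make_cert(hostname, OpenSSL::PKey::RSA.new(2048),
                  issuer_cert: root, issuer_key: root_key)
  before = puppet_ca.to_pem          # original ca.pem: Puppet CA only
  after  = before + root.to_pem      # after: cat fqdn-root-int-ca1.pem >> ca.pem
  { before: verify_against_bundle(before, srv, hostname),
    after: verify_against_bundle(after, srv, hostname),
    # what happens if :url still pointed at the old name after the cert swap
    old_url: verify_against_bundle(after, srv, 'hostname.fqdn.local') }
end

puts demo.inspect if $PROGRAM_NAME == __FILE__
```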

Sandro, I am running into the same issue, and I think there may be
something missing in your proposed fix. Can you elaborate on the changes
that got a replacement SSL to work?