Sorry, I messed up. I can’t edit my post, so here is the full message:
Hello,
I am playing with Foreman and I try to set up the following:
one Foreman server with only the GUI
one smart proxy, which is my Puppet server
My OS is Debian 9.
I set up my Foreman GUI with the following options:
foreman-installer -i
[✓] Configure foreman
[✓] Configure foreman_cli
The smart proxy is set up with the Debian package.
When I’m on the web UI, I try to add the proxy but I get an error:
can’t communicate with proxy : ERF12-2530 [ProxyAPI::ProxyException]: can’t detect capabilites :
([OpenSSL::SSL::SSLError]: SSL_connect returned=1 errno=0 state=unknown state: tlsv1 alert unknown ca) pour le proxy https://puppetserver.domain.net:8443/features
I followed the documentation as follows for the SSL parts:
Generate a new certificate on your puppetmaster: puppet cert --generate
Copy the certificates and key from the foreman gui to the smart proxy in /etc/foreman-proxy:
/var/lib/puppet/ssl/certs/ca.pem
/var/lib/puppet/ssl/certs/proxy-FQDN.pem
/var/lib/puppet/ssl/private_keys/proxy-FQDN.pem
So you have a puppet server on your proxy, but not on the Foreman server? What did you use for SSL certificates when creating the Foreman server?
This matters because we need all the communication between Foreman and the proxy to use certs from a common CA. By default that’s done using the CA from the Puppet server on the Foreman host to generate certs for everything else, but you don’t have one (which also means the step about copying from the Foreman host to the proxy doesn’t work). Understanding what certs/CA the web UI is using is necessary to fix this.
Thank you for your feedback.
I think I generated the certificates from my Puppet master and then copied them over to the Foreman server (with the CA). But clearly this is not working.
In this setup the CA is located on the Foreman host, hence new Puppet client certificates will be generated on the Foreman side, right? I guess I should configure my Puppet master to be aware of this?
My Foreman server has a proxy (default setup) with the following services:
Logs
Puppet
Puppet CA
TFTP
My puppet master has :
Logs
Puppet
Can I disable the Puppet function on the Foreman proxy? Because I’m afraid of mixing configuration here.
It doesn’t matter where the CA actually lives - it only matters that all the certs are generated from it, so they can all validate each other.
If there’s definitely no puppetserver there, then yes, I’d recommend that - but check carefully as a new puppetserver co-located with Foreman is the default install. If you haven’t explicitly disabled it, you may still have one (and want to shut it down). If that’s the case, it might also explain the SSL issues, since you’ll have certs from two different CAs in play.
I would expect your Puppetserver proxy to also have the Puppet CA feature, since it has the CA, but if you configured it by hand then it’s probably just been missed, and you can enable that feature in the proxy config files.
Check through that and confirm there was never a puppetserver on the Foreman box, as that seems the most likely cause. If not, we can go through the cert generation process, and make sure everything is where it should be.
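The "two CAs in play" situation described above, reproduced as an added Ruby example (not Foreman's or the proxy's own code): two CAs are constructed in memory, a host cert is issued from each, and the same OpenSSL store verification the proxy applies to the Foreman client cert is run against the Puppet CA. The hostnames are constructed; `foreman.example.invalid` is a placeholder for the Foreman host.

```ruby
require 'openssl'

# Build a certificate for `cn`. With no issuer it is a self-signed CA (standing
# in for the Puppet CA); with an issuer [ca_cert, ca_key] it is a host cert
# signed by that CA. Constructed in memory for illustration only.
def build_cert(cn, issuer: nil)
  key  = OpenSSL::PKey::RSA.new(2048)
  cert = OpenSSL::X509::Certificate.new
  cert.version    = 2
  cert.serial     = rand(2**62)
  cert.subject    = OpenSSL::X509::Name.parse("/CN=#{cn}")
  cert.public_key = key.public_key
  cert.not_before = Time.now - 60
  cert.not_after  = Time.now + 3600
  ca_cert, ca_key = issuer || [cert, key]     # self-signed when no issuer
  cert.issuer = ca_cert.subject
  ef = OpenSSL::X509::ExtensionFactory.new(ca_cert, cert)
  cert.add_extension(ef.create_extension('basicConstraints',
                                         issuer ? 'CA:FALSE' : 'CA:TRUE', true))
  cert.sign(ca_key, OpenSSL::Digest.new('SHA256'))
  [cert, key]
end

# The check the proxy's TLS layer makes with its ssl_ca_file: does the peer
# cert chain to this CA? A false here is what Foreman reports as
# "tlsv1 alert unknown ca" when it calls /features.
def trusted_by?(ca_cert, peer_cert)
  store = OpenSSL::X509::Store.new
  store.add_cert(ca_cert)
  store.verify(peer_cert)
end

# Two CAs in play: the Puppet CA on the puppet master, plus a second CA
# left behind by a default (co-located puppetserver) Foreman install.
def demo
  puppet_ca  = build_cert('Puppet CA: puppetserver.domain.net')
  foreman_ca = build_cert('Puppet CA: foreman.example.invalid')   # assumed name
  foreman_cert, _ = build_cert('foreman.example.invalid', issuer: foreman_ca)
  mismatch = trusted_by?(puppet_ca[0], foreman_cert)   # false: proxy rejects it
  # Fix: issue the Foreman client cert from the same CA the proxy trusts.
  fixed_cert, _ = build_cert('foreman.example.invalid', issuer: puppet_ca)
  fixed = trusted_by?(puppet_ca[0], fixed_cert)        # true: one common CA
  [mismatch, fixed]
end

puts demo.inspect if __FILE__ == $0
```

On a real host the same check is `openssl verify -CAfile /etc/foreman-proxy/ssl_ca.pem <cert>` for each of the proxy's cert and Foreman's client cert; both must pass against the one CA file.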