Sorry, I messed up. I can’t edit my post, so here is the full message:
I am playing with Foreman and I am trying to set up the following:
one Foreman server with only the GUI,
one smart proxy, which is my Puppet server.
My OS is Debian 9.
I set up my Foreman GUI with the following options:
[✓] Configure foreman
[✓] Configure foreman_cli
The smart proxy is set up with the Debian package.
When I’m on the web UI and try to add the proxy, I get an error:
can’t communicate with proxy: ERF12-2530 [ProxyAPI::ProxyException]: can’t detect capabilities:
([OpenSSL::SSL::SSLError]: SSL_connect returned=1 errno=0 state=unknown state: tlsv1 alert unknown ca) for the proxy https://puppetserver.domain.net:8443/features
I followed the documentation as follows for the SSL parts:
Generate a new certificate on your puppetmaster: puppet cert --generate
Copy the certificates and key from the Foreman GUI to the smart proxy in /etc/foreman-proxy:
So you have a puppet server on your proxy, but not on the Foreman server? What did you use for SSL certificates when creating the Foreman server?
This matters because we need all the communication between Foreman and the proxy to use certs from a common CA. By default that’s done using the CA from the Puppet server on the Foreman host to generate certs for everything else, but you don’t have one (which also means the step about copying from the Foreman host to the proxy doesn’t work). Understanding what certs/CA the web UI uses is necessary to fix this.
It doesn’t matter where the CA actually lives - it only matters that all the certs are generated from it, so they can all validate each other.
If there’s definitely no puppetserver there, then yes, I’d recommend that - but check carefully as a new puppetserver co-located with Foreman is the default install. If you haven’t explicitly disabled it, you may still have one (and want to shut it down). If that’s the case, it might also explain the SSL issues, since you’ll have certs from two different CAs in play.
I would expect your Puppetserver proxy to also have the Puppet CA feature, since it has the CA, but if you configured it by hand then it’s probably just been missed, and you can enable that feature in the proxy config files.
Check through that and confirm there was never a puppetserver on the Foreman box, as that seems the most likely cause. If not, we can go through the cert generation process, and make sure everything is where it should be.
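To make the "common CA" point above concrete, here is an added example (not from the thread and not Foreman's or the smart proxy's own code) that reproduces the "tlsv1 alert unknown ca" situation offline and shows the check to run on the real files. It assumes only the openssl command-line tool; the CA names, CNs and the two-CA layout (a forgotten puppetserver CA on the Foreman host, a separate CA on the proxy) are made up for the example. To check the real deployment, point check_common_ca at the CA file Foreman trusts and at the proxy's server cert and Foreman's client cert instead of the generated ones.

```shell
#!/bin/sh
# Added example: reproduce a Foreman/smart-proxy CA mismatch with throw-away
# CAs and show the verification that Foreman's Ruby OpenSSL client performs.
# All names and paths below are assumptions made up for the demonstration.
set -e

WORK="$(mktemp -d)"
trap 'rm -rf "$WORK"' EXIT

# Minimal openssl config so the example does not depend on the system openssl.cnf.
cat > "$WORK/ca.cnf" <<'EOF'
[req]
distinguished_name = dn
x509_extensions = v3_ca
[dn]
[v3_ca]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
EOF

# make_ca <stem> <cn>: create a self-signed CA certificate and key.
make_ca() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -config "$WORK/ca.cnf" \
        -keyout "$WORK/$1.key" -out "$WORK/$1.pem" -subj "/CN=$2" 2>/dev/null
}

# issue_cert <ca_stem> <stem> <cn>: issue a leaf certificate for <cn> signed by <ca_stem>.
issue_cert() {
    openssl req -newkey rsa:2048 -nodes -config "$WORK/ca.cnf" \
        -keyout "$WORK/$2.key" -out "$WORK/$2.csr" -subj "/CN=$3" 2>/dev/null
    printf 'basicConstraints=CA:FALSE\nsubjectAltName=DNS:%s\n' "$3" > "$WORK/$2.ext"
    openssl x509 -req -days 1 -in "$WORK/$2.csr" -CA "$WORK/$1.pem" -CAkey "$WORK/$1.key" \
        -CAcreateserial -extfile "$WORK/$2.ext" -out "$WORK/$2.pem" 2>/dev/null
}

# issuer_of <cert.pem>: print the issuer DN, i.e. which CA signed the cert.
issuer_of() {
    openssl x509 -in "$1" -noout -issuer
}

# check_common_ca <ca.pem> <cert.pem>...: succeed only if every cert chains to
# that one CA. A failure here is what the proxy reports as "unknown ca".
check_common_ca() {
    ca="$1"; shift
    for cert in "$@"; do
        if ! openssl verify -CAfile "$ca" "$cert" >/dev/null 2>&1; then
            echo "MISMATCH: $cert does not chain to $ca" >&2
            return 1
        fi
    done
    return 0
}

# Two CAs in play: the default puppetserver CA on the Foreman host and the CA of
# the puppetserver that is the smart proxy (constructed names).
make_ca foreman_host_ca "Puppet CA: foreman.domain.net"
make_ca proxy_ca        "Puppet CA: puppetserver.domain.net"

# Foreman's client cert came from one CA, the proxy's server cert from the other.
issue_cert foreman_host_ca foreman_client "foreman.domain.net"
issue_cert proxy_ca        proxy_server   "puppetserver.domain.net"

echo "foreman client cert: $(issuer_of "$WORK/foreman_client.pem")"
echo "proxy server cert:   $(issuer_of "$WORK/proxy_server.pem")"

# Foreman trusts foreman_host_ca, so the proxy's cert fails to verify.
if check_common_ca "$WORK/foreman_host_ca.pem" "$WORK/proxy_server.pem"; then
    echo "unexpected: proxy cert validated against the Foreman host CA"
fi

# Fix: issue everything from a single CA (here, reissue Foreman's client cert
# from the proxy CA). The same check now passes for both certs.
issue_cert proxy_ca foreman_client "foreman.domain.net"
check_common_ca "$WORK/proxy_ca.pem" "$WORK/foreman_client.pem" "$WORK/proxy_server.pem" \
    && echo "OK: both certs chain to $WORK/proxy_ca.pem"
```

The mismatch branch prints a MISMATCH line on stderr, which is the condition to look for on a real box: if Foreman's client cert and the proxy's server cert print different issuers, or either one fails openssl verify against the CA file the other side is configured to trust, you have two CAs in play and need to regenerate from one of them.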