I had some odd issues that I believe I have now fixed. This was when I was upgrading Puppet from 7 to 8 on Oracle Linux 9 while upgrading Foreman from 3.11 to 3.12.
SSL validation became a bit of an issue. Puppet agents were receiving “Error 500 no valid config available”. Puppet server log was complaining about CA certs not being trusted.
# Previous steps I used to install from the Foreman manual
foreman-installer \
  --foreman-server-ssl-cert /etc/pki/tls/cert.pem \
  --foreman-server-ssl-key /etc/pki/tls/private.key \
  --foreman-server-ssl-chain /etc/pki/tls/cert.bundle.pem
# Append the cert bundle to the Puppet CA cert so the signing CA chain is known/trusted by Puppet
cat /etc/pki/tls/cert.bundle.pem >> /etc/puppetlabs/puppet/ssl/ca/ca_crt.pem
These rough steps generally worked in the past: SSL validated as expected and config was pushed out. However, something changed in the newer version of Puppet 8, and the steps to make Puppet trust the certs no longer worked. A vanilla install of Foreman/Puppet worked fine, but as soon as custom signed SSL certs were configured, everything stopped working.
The Fix
After some trial and error, and finding the following doc, I managed to get the system working again:
Rather than using the cert bundle that combined the signed cert and the CA trust chain, the following configuration separates the signed cert from the chain, and each is configured in its respective option.
- Update the following file paths in /etc/httpd/conf.d/05-foreman-ssl.conf (no leading space inside the quotes):
SSLCertificateFile "/etc/pki/tls/cert.pem"
SSLCertificateKeyFile "/etc/pki/tls/private.key"
SSLCertificateChainFile "/etc/pki/tls/chain.pem"
- Make sure foreman_ssl_ca is not defined in /etc/foreman-proxy/settings.yml
- Add the chain cert to ssl_ca in /etc/puppetlabs/puppet/foreman.yaml; do not change ssl_cert or ssl_key
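As an added example (not from the original post), here is a small Python script that does the split this fix relies on: it reads the old cert.bundle.pem (leaf cert first, then the CA chain) and writes the leaf to cert.pem and the remaining CA certs to chain.pem. The paths are the ones used above; the PEM bodies in the sample bundle are constructed placeholders, not real certificates.

```python
#!/usr/bin/env python3
"""Split a PEM bundle (leaf cert followed by its CA chain) into the two files
the fixed configuration expects: cert.pem (leaf only) and chain.pem (CA certs only)."""
import re
import sys

# Matches one PEM CERTIFICATE block, including its BEGIN/END lines; text between
# blocks (e.g. "subject=" lines that openssl emits) is skipped.
PEM_CERT = re.compile(
    r"-----BEGIN CERTIFICATE-----\r?\n.*?\r?\n-----END CERTIFICATE-----",
    re.DOTALL,
)

# Constructed sample bundle in the old layout: leaf, intermediate, root.
SAMPLE_BUNDLE = (
    "-----BEGIN CERTIFICATE-----\nLEAFBODY\n-----END CERTIFICATE-----\n"
    "subject=example intermediate\n"
    "-----BEGIN CERTIFICATE-----\nINTERBODY\n-----END CERTIFICATE-----\r\n"
    "-----BEGIN CERTIFICATE-----\nROOTBODY\n-----END CERTIFICATE-----\n"
)


def parse_pem_blocks(text):
    """Return every CERTIFICATE block in text, in order, LF-normalised with a trailing newline."""
    blocks = [m.group(0).replace("\r\n", "\n") + "\n" for m in PEM_CERT.finditer(text)]
    if not blocks:
        raise ValueError("no CERTIFICATE blocks found in bundle")
    return blocks


def split_bundle(text):
    """Return (leaf_pem, chain_pem): the first cert and the concatenation of the rest.
    Assumes leaf-first ordering, which is how cert.bundle.pem was assembled above."""
    blocks = parse_pem_blocks(text)
    leaf, chain = blocks[0], "".join(blocks[1:])
    if not chain:
        raise ValueError("bundle holds only one cert; there is no CA chain to separate")
    return leaf, chain


def write_split(bundle_path, cert_path, chain_path):
    """Read the bundle, write cert.pem and chain.pem, and return the number of chain certs."""
    with open(bundle_path) as f:
        leaf, chain = split_bundle(f.read())
    with open(cert_path, "w") as f:
        f.write(leaf)
    with open(chain_path, "w") as f:
        f.write(chain)
    return chain.count("-----BEGIN CERTIFICATE-----")


if __name__ == "__main__":
    args = sys.argv[1:] or ["/etc/pki/tls/cert.bundle.pem",
                            "/etc/pki/tls/cert.pem", "/etc/pki/tls/chain.pem"]
    print("chain certs written:", write_split(*args))
```

After running it, point SSLCertificateChainFile and ssl_ca at chain.pem as described above, and keep the leaf in cert.pem.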
Hope this helps someone who is suffering with this issue.