Problem:
I am using externally signed certificates on my Foreman server and proxies. I have already updated the certs on my proxies before, and using the instructions I wrote down last time, I tried to do it again, but it doesn’t replace the certificate on port 9090 of my proxy server.
I have received the new certificate (which also requires a new ca-bundle, if that matters) and checked it on the main foreman server:
[root@foreman certs]# katello-certs-check -t foreman-proxy -c foreman-puppet.cer -k foreman-puppet.key -b ca-bundle.crt
then ran the command as suggested:
[root@foreman certs]# foreman-proxy-certs-generate --foreman-proxy-fqdn "foreman-puppet.example.com" \
> --certs-tar "~/foreman-puppet.example.com-certs.tar" \
> --server-cert "/root/certs/foreman-puppet.cer" \
> --server-key "/root/certs/foreman-puppet.key" \
> --server-ca-cert "/root/certs/ca-bundle.crt" \
> --certs-update-server
Then I copied /root/foreman-puppet.example.com-certs.tar to the proxy server “foreman-puppet”. On the proxy server I ran
[root@foreman-puppet ~]# foreman-maintain service stop
[root@foreman-puppet ~]# foreman-installer --certs-tar-file /root/foreman-puppet.dkrz.de-certs.tar --certs-update-all
That runs without errors. However, it doesn’t seem to replace the certs anymore as it did before (with some older katello version a year ago). In particular, on port 9090 it still shows the old certificate.
A year ago the same procedure worked…
I have checked the content of the tar and the content of /root/ssl-build on the proxy server. It contains the new certificate and chain. The configured file in the foreman-proxy settings is /etc/foreman-proxy/ssl_cert.pem and it contains the old certificate.
What do I have to do to get the foreman-installer on the proxy server to update the certificates?
Expected outcome:
foreman-installer reconfiguring the proxy for the new cert and chain.
Foreman and Proxy versions:
Foreman 3.1.2, Katello 4.3.1
Distribution and version:
CentOS 7.9
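
A check for the situation described in the post, as an added example that is not part of the original post or of Foreman's own tooling: it compares the SHA-256 fingerprint of the new certificate with the one in /etc/foreman-proxy/ssl_cert.pem and the one served on port 9090, and reports the first place that still holds the old certificate. The function names and the sample-PEM helper are constructed for illustration.

```python
import base64
import hashlib
import re
import ssl
import sys

PEM_BLOCK = re.compile(
    r"-----BEGIN CERTIFICATE-----(.+?)-----END CERTIFICATE-----", re.S)


def leaf_fingerprint(pem_text):
    """SHA-256 (hex) of the first certificate in a PEM file; any chain
    certificates appended after it are ignored."""
    match = PEM_BLOCK.search(pem_text)
    if match is None:
        raise ValueError("no PEM certificate block found")
    der = base64.b64decode("".join(match.group(1).split()))
    return hashlib.sha256(der).hexdigest()


def served_fingerprint(host, port=9090):
    """Fingerprint of the certificate the listener presents right now.
    The chain is not validated; only the bytes are compared."""
    return leaf_fingerprint(ssl.get_server_certificate((host, port)))


def first_stale_stage(expected, stages):
    """stages is an ordered list of (name, fingerprint) pairs. Returns the
    name of the first stage that differs from the expected fingerprint,
    or None when every stage carries the new certificate."""
    for name, fingerprint in stages:
        if fingerprint != expected:
            return name
    return None


def make_sample_pem(der_bytes):
    """Wrap constructed bytes in PEM armor (sample data, not a real cert)."""
    body = base64.encodebytes(der_bytes).decode()
    return f"-----BEGIN CERTIFICATE-----\n{body}-----END CERTIFICATE-----\n"


if __name__ == "__main__":
    new_cert, host = sys.argv[1], sys.argv[2]  # new cert path, proxy FQDN
    deployed = "/etc/foreman-proxy/ssl_cert.pem"  # path named in the post
    with open(new_cert) as f:
        expected = leaf_fingerprint(f.read())
    with open(deployed) as f:
        stages = [(deployed, leaf_fingerprint(f.read()))]
    stages.append((f"{host}:9090", served_fingerprint(host)))
    print("stale at:", first_stale_stage(expected, stages))
```

If the file is reported stale, the installer run did not deploy the new certificate; if only the listener is stale, the service is still presenting a certificate it loaded earlier.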