Updating certificates on content proxy

O.K. Yes it does work. In a way…

I have run the installer with --enable-foreman-proxy-content. But I don’t really like it, as it installs and enables the whole pulpcore content management, which I don’t need or want on that server. There doesn’t seem to be an option to disable or prevent the pulpcore installation with foreman-proxy-content enabled.

It doesn’t really make sense to me to expect a full content proxy to update the certificate for puppet. And there is no simple foreman-installer scenario to install a proxy without content (see Foreman-installer scenario for foreman-proxy installation).

Worse: now the main server cannot connect to the proxy with the new certificates (using a different CA) anymore. Although katello-certs-check was happy, the main server doesn’t accept the new certificate:

```
2022-05-04 19:02:49 [ERROR ] [configure] Error making PUT request to https://foreman.example.com/api/v2/smart_proxies/6/refresh: Unable to communicate with the proxy: ERF12-2530 [ProxyAPI::ProxyException]: Unable to detect features ([RestClient::SSLCertificateNotVerified]: SSL_connect returned=1 errno=0 state=error: certificate verify failed (unable to get local issuer certificate)) for proxy https://foreman-puppet.example.com:9090/v2/features Please check the proxy is configured and running on the host.
2022-05-04 19:02:49 [ERROR ] [configure] /Stage[main]/Foreman_proxy::Register/Foreman_smartproxy[foreman-puppet.example.com]/features: change from ["Logs", "Puppet"] to ["Logs", "Pulpcore", "Puppet"] failed: Error making PUT request to https://foreman.example.com/api/v2/smart_proxies/6/refresh: Unable to communicate with the proxy: ERF12-2530 [ProxyAPI::ProxyException]: Unable to detect features ([RestClient::SSLCertificateNotVerified]: SSL_connect returned=1 errno=0 state=error: certificate verify failed (unable to get local issuer certificate)) for proxy https://foreman-puppet.example.com:9090/v2/features Please check the proxy is configured and running on the host.
2022-05-04 19:02:49 [ERROR ] [configure] /Stage[main]/Foreman_proxy::Register/Foreman_smartproxy[foreman-puppet.example.com]: Failed to call refresh: Error making PUT request to https://foreman.example.com/api/v2/smart_proxies/6/refresh: Unable to communicate with the proxy: ERF12-2530 [ProxyAPI::ProxyException]: Unable to detect features ([RestClient::SSLCertificateNotVerified]: SSL_connect returned=1 errno=0 state=error: certificate verify failed (unable to get local issuer certificate)) for proxy https://foreman-puppet.example.com:9090/v2/features Please check the proxy is configured and running on the host.
2022-05-04 19:02:49 [ERROR ] [configure] /Stage[main]/Foreman_proxy::Register/Foreman_smartproxy[foreman-puppet.example.com]: Error making PUT request to https://foreman.example.com/api/v2/smart_proxies/6/refresh: Unable to communicate with the proxy: ERF12-2530 [ProxyAPI::ProxyException]: Unable to detect features ([RestClient::SSLCertificateNotVerified]: SSL_connect returned=1 errno=0 state=error: certificate verify failed (unable to get local issuer certificate)) for proxy https://foreman-puppet.example.com:9090/v2/features Please check the proxy is configured and running on the host.
```

So how do I tell the main server which CA chains to accept when connecting to the proxies? Currently, my main server and the two proxies all use a CA with the same CA chain. We have to move to a different CA, and the puppet proxy is the first to move because the old certificate is expiring. Thus, for the transition period I need to tell the main server to accept both CA chains to be able to connect to the proxies with the new or old certificates.

And possibly, I need to do the same on the proxy to be able to connect to the main server?
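The verification failure in the installer log is reproducible outside Foreman, and checking it with openssl is worth doing before touching the installer: the main server's trust store holds only the old chain, so a proxy certificate issued by the new CA fails with exactly "unable to get local issuer certificate". The script below is an added example and is not part of the post above or of the Foreman project; it builds two throw-away CAs and a leaf certificate from each, shows that a bundle containing only the old chain rejects the new proxy certificate, and that a bundle with both chains concatenated accepts certificates from either CA. All CA and host names are constructed, the openssl CLI is assumed to be installed, and the example does not claim to know which installer option points Foreman at such a bundle, since the post does not say.

```bash
#!/bin/sh
# Added example, not from the original post: reproduce the main server's
# "unable to get local issuer certificate" failure with two throw-away CAs,
# then show that a CA bundle holding both chains verifies certificates issued
# by either CA. Needs the openssl CLI; all names and files are constructed.
set -e

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
cd "$WORK"

# Minimal req config so the CA certificates carry basicConstraints CA:TRUE
# (openssl verify rejects a v3 root that lacks it). The DN is overridden
# by -subj below.
cat > ca.cnf <<'EOF'
[req]
distinguished_name = dn
x509_extensions = v3_ca
prompt = no
[dn]
CN = placeholder
[v3_ca]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
EOF

# make_ca NAME: self-signed root CA written to NAME.crt / NAME.key
make_ca() {
  openssl req -x509 -config ca.cnf -newkey rsa:2048 -nodes -days 2 \
    -subj "/CN=$1" -keyout "$1.key" -out "$1.crt" 2>/dev/null
}

# issue_leaf CA HOST OUT: server certificate OUT.crt for HOST, signed by CA
issue_leaf() {
  openssl req -new -config ca.cnf -newkey rsa:2048 -nodes \
    -subj "/CN=$2" -keyout "$3.key" -out "$3.csr" 2>/dev/null
  openssl x509 -req -in "$3.csr" -CA "$1.crt" -CAkey "$1.key" \
    -CAcreateserial -days 2 -out "$3.crt" 2>/dev/null
}

# verify_against BUNDLE CERT: exit 0 only if CERT chains to a CA in BUNDLE
verify_against() {
  openssl verify -CAfile "$1" "$2" >/dev/null 2>&1
}

# verify_error BUNDLE CERT: the reason openssl gives when verification fails
verify_error() {
  openssl verify -CAfile "$1" "$2" 2>&1 | sed -n 's/.*lookup: *//p' | head -n 1
}

make_ca old-ca
make_ca new-ca
issue_leaf old-ca foreman.example.com main         # main server, still on the old CA
issue_leaf new-ca foreman-puppet.example.com proxy # puppet proxy, moved to the new CA

# Trust store with only the old chain: the main server's state in the post.
# This yields the same reason as the installer log.
if ! verify_against old-ca.crt proxy.crt; then
  echo "old bundle, new proxy cert: $(verify_error old-ca.crt proxy.crt)"
fi

# Transition trust store: both chains concatenated into one PEM bundle.
cat old-ca.crt new-ca.crt > both-ca.crt
verify_against both-ca.crt proxy.crt && echo "both bundle, new proxy cert: OK"
verify_against both-ca.crt main.crt  && echo "both bundle, old main cert:  OK"
```

The same bundle serves the reverse direction: the proxy verifies the main server's client certificate against its own trust store, so during the transition both sides need a trust bundle that contains both chains, and the bundle can be cut back to the new chain only once the last old certificate has been replaced.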