One of our requirement is to replace all certs with the custom certificate which includes server certificates, client certificates and Puppet CA with our own CA. We started the process by replacing the certificates already installed instance, this works well for server certificates but failed when we also replaced puppet CA with our own CA. Second attempt was to do that during the initial installation itself, again we used multiple options which disable using puppet CA and uses our own CA and other server certificates, and it failed we are able to troubleshoot and move forward one step at a time and at this time we decided also to reach out community for help because as per our research not many online forums talks about this process.
What we are really looking for is to understand the requirements/installer options that we have to do to complete this setup.
We are currently running everything on the same instance I.e. foreman, proxies, puppet master etc and will continue to run on same instance.
We are using Vault as a certificate provider including server, CA, and intermediate CA.
As an end result we wanted to replace all the certificates including puppet CA, server certificates with our custom vault supplied certificates or by custom certificates in general.
In case if any additional information is required I am happy to provide the same.
This is a difficult topic but I read it very often as an requirement. Best solution I have seen so far was by changing the Puppet CA to be a Sub-CA and then letting run everything in the normal fashion. But this will probably not work for you.
@tbrisker: Reading this requirement more and more often here and being questioned by costumers (and not only for Foreman, but also Katello), may I kindly ask if it is possible to put this on the list for future improvements? (I am not sure if you are the best one to address this. If not please tell me and I will try my luck at the product managers I know) Thanks in advance!
Hi Dirk, thanks for the reply. Based on your comments it seems like it is not something that we can accomplish without trouble and chances of success are very low.
Is it possible to get some brief explanation on why it is difficult at this point of time because my management is looking for reason to make decision if we should solve this problem now or later. It would also be great if you can direct me to some helpful link which can help to solidify my understanding on this specific topic.
The problem is here mainly caused by having one CA infrastructure for multiple use cases. Most only want to change the one facing the Web user, but it is for internal use required that Smart Proxies and Foreman use the same CA. Then you have the Puppet infrastructure which requires also all having the same CA. And if you add Katello another CA infrastructure is required for subscription management. To make it less complicated Foreman uses by default the Puppet CA infrastructure for everything and Katello the one provided by Candlepin.
Pre-generating certificates for the Foreman/Katello infrastructure is possible and works, but requires a good knowledge and is not very easy. But then if you provision systems Puppet wants to create a certificate (and also subscription-manager if using Katello) which must be from the same CA, so pre-generating is not really possible (or at least very hard to solve).
Most of this I know from learning it the hard way, so no good link available. There is an old guide which as far as I know is no longer working but still explains the basic problem at Foreman :: Replacing Foreman's web SSL certificate.. With more components like dynflow/tasks or Katello added it gets even more complicated.
One thing that may come in handy is Puppet 6’s support for being an intermediate CA. https://puppet.com/docs/puppetserver/6.5/intermediate_ca.html describes how to set this up. The installer doesn’t have support for this currently but you can run the installer, wipe all certificates, import the CA and rerun the installer. Note this requires Puppet 6 agents as well.
It would be great if users could contribute their deployments. The what and how are obviously important, but the why is often also a great thing to learn.
I have been looking at solutions for a more generalized CA setup to unify both Foreman and Katello. Vault has shown up on my radar but it would be nice to hear user experiences. If it works well, it would be great to integrate this into the installer.
Thank you team for the reply, really appreciated the efforts. I have updated the team regarding the same, if we make the decision to move forward with the suggestion we will definitely share with the community.