Using Custom SSL Certificate for Foreman

It took me a while to get things working using my own certs. Foreman, for some odd reason, was more difficult than Katello. My intent was just to change the web UI to use my custom cert. It worked fine in Katello... hence there are fewer options/params provided. With the Foreman install, I basically had to substitute anything generating a cert (puppet-ca / smart-proxy / foreman-ui / etc.) with the custom certs before it all worked.

I'd like to share with you the shell script[s] I used to get everything running. For simplicity's sake (on my end) I created separate scripts to install the two variations.

Details are as follows:

Operating System:   AlmaLinux 9
Cert management:    XCA (created CA / CRL / cert / keys)
Foreman:            3.11
Katello:            4.13
CA crt & CA chain:  ESYSTEMS-CA.crt
CA CRL:             ESYSTEMS-CA.crl
Server crt:         katello.ecloud.net.crt
Server key:         ESYSTEMS-PRIVATE-KEY.pem

Please review and provide feedback.
Should you try/adopt this, modify all refs of esystems/ecloud to match the name you'd like.

If you have questions, I'll try my best to respond and help.

install-foreman-server.sh

#!/bin/bash

###############################################################################################
                        # PRE-CONFIGURATIONS 
###############################################################################################
mkdir -p /etc/esystems
cp -r /root/katello-installer/certs /etc/esystems
chmod 755 /etc/esystems
chmod 771 /etc/esystems/certs
chmod 644 /etc/esystems/certs/*
# 52 will eventually become the uid/gid for puppet:puppet
chown -R 52:52 /etc/esystems/certs

# put SELinux in permissive mode for the install (not persistent across reboots)
setenforce 0

systemctl disable firewalld
systemctl stop firewalld

dnf -y install \
https://yum.theforeman.org/releases/3.11/el9/x86_64/foreman-release.rpm \
https://yum.puppet.com/puppet7-release-el-9.noarch.rpm

dnf -y install foreman-installer

###############################################################################################
                        # FOREMAN
###############################################################################################
foreman-installer \
--enable-foreman \
--enable-foreman-cli \
--enable-foreman-cli-puppet \
--enable-foreman-cli-remote-execution \
--enable-foreman-cli-ssh \
--enable-foreman-plugin-puppet \
--enable-foreman-plugin-remote-execution \
--enable-foreman-proxy-plugin-remote-execution-script \
--foreman-initial-admin-password password \
--foreman-initial-organization ecloud.net \
--foreman-proxy-dhcp-interface 'enp0s3' \
--foreman-proxy-dns-interface 'enp0s3' \
--foreman-proxy-puppet true \
--foreman-proxy-puppetca true \
--enable-puppet \
--puppet-server true \
--puppet-autosign-entries='*.ecloud.net' \
--puppet-autosign-entries='*.esystems.net' \
--puppet-autosign-mode='0664' \
--foreman-client-ssl-ca /etc/esystems/certs/ESYSTEMS-CA.crt \
--foreman-client-ssl-cert /etc/esystems/certs/katello.ecloud.net.crt \
--foreman-client-ssl-key /etc/esystems/certs/ESYSTEMS-PRIVATE-KEY.pem \
--foreman-cli-ssl-ca-file /etc/esystems/certs/ESYSTEMS-CA.crt \
--foreman-plugin-puppetdb-ssl-ca-file /etc/esystems/certs/ESYSTEMS-CA.crt \
--foreman-plugin-puppetdb-ssl-certificate /etc/esystems/certs/katello.ecloud.net.crt \
--foreman-plugin-puppetdb-ssl-private-key /etc/esystems/certs/ESYSTEMS-PRIVATE-KEY.pem \
--foreman-proxy-foreman-ssl-cert /etc/esystems/certs/katello.ecloud.net.crt \
--foreman-proxy-foreman-ssl-key /etc/esystems/certs/ESYSTEMS-PRIVATE-KEY.pem \
--foreman-proxy-plugin-remote-execution-script-install-key true \
--foreman-proxy-puppetca-certificate /etc/esystems/certs/ESYSTEMS-CA.crt \
--foreman-proxy-puppet-ssl-ca /etc/esystems/certs/ESYSTEMS-CA.crt \
--foreman-proxy-puppet-ssl-cert /etc/esystems/certs/katello.ecloud.net.crt \
--foreman-proxy-puppet-ssl-key /etc/esystems/certs/ESYSTEMS-PRIVATE-KEY.pem \
--foreman-proxy-ssl-ca /etc/esystems/certs/ESYSTEMS-CA.crt \
--foreman-proxy-ssl-cert /etc/esystems/certs/katello.ecloud.net.crt \
--foreman-proxy-ssldir /etc/esystems/certs \
--foreman-proxy-ssl-key /etc/esystems/certs/ESYSTEMS-PRIVATE-KEY.pem \
--foreman-server-ssl-ca /etc/esystems/certs/ESYSTEMS-CA.crt \
--foreman-server-ssl-cert /etc/esystems/certs/katello.ecloud.net.crt \
--foreman-server-ssl-chain /etc/esystems/certs/ESYSTEMS-CA.crt \
--foreman-server-ssl-crl /etc/esystems/certs/ESYSTEMS-CA.crl \
--foreman-server-ssl-key /etc/esystems/certs/ESYSTEMS-PRIVATE-KEY.pem \
--foreman-websockets-ssl-cert /etc/esystems/certs/katello.ecloud.net.crt \
--foreman-websockets-ssl-key /etc/esystems/certs/ESYSTEMS-PRIVATE-KEY.pem \
--puppet-ca-crl-filepath /etc/esystems/certs/ESYSTEMS-CA.crl \
--puppet-server-ca true \
--puppet-server-foreman-ssl-ca /etc/esystems/certs/ESYSTEMS-CA.crt \
--puppet-server-foreman-ssl-cert /etc/esystems/certs/katello.ecloud.net.crt \
--puppet-server-foreman-ssl-key /etc/esystems/certs/ESYSTEMS-PRIVATE-KEY.pem \
--puppet-server-ssl-chain-filepath /etc/esystems/certs/ESYSTEMS-CA.crt \
--puppet-runinterval 300 # 1800 for 30mins

# force puppet boot after foreman
# (this edits the packaged unit file, which a package update can overwrite;
#  a drop-in under /etc/systemd/system/puppet.service.d/ would survive that)
sed -i '/^After=/ s/$/ foreman-proxy.service foreman.service/' /usr/lib/systemd/system/puppet.service
systemctl daemon-reload

# keep foreman clean of old client reports
# (a shebang is needed so run-parts can execute the script directly)
printf '#!/bin/sh\nforeman-rake reports:expire days=1 status=0\n' > /etc/cron.daily/foremanReportCleaner
chmod +x /etc/cron.daily/foremanReportCleaner


install-katello-server

#!/bin/bash

###############################################################################################
                        # PRE-CONFIGURATIONS 
###############################################################################################
mkdir -p /etc/esystems
cp -r /root/katello-installer/certs /etc/esystems

# put SELinux in permissive mode for the install (not persistent across reboots)
setenforce 0

systemctl disable firewalld
systemctl stop firewalld

dnf -y install \
https://yum.theforeman.org/releases/3.11/el9/x86_64/foreman-release.rpm \
https://yum.theforeman.org/katello/4.13/katello/el9/x86_64/katello-repos-latest.rpm \
https://yum.puppet.com/puppet7-release-el-9.noarch.rpm

dnf -y install foreman-installer-katello



###############################################################################################
                        # FOREMAN
###############################################################################################
foreman-installer --tuning development --scenario katello \
--enable-foreman \
--enable-foreman-cli-puppet \
--enable-foreman-cli-remote-execution \
--enable-foreman-cli-ssh \
--enable-foreman-plugin-puppet \
--enable-foreman-plugin-remote-execution \
--enable-foreman-proxy-plugin-remote-execution-script \
--foreman-initial-admin-password password \
--foreman-initial-organization ecloud.net \
--foreman-proxy-dhcp-interface 'enp0s3' \
--foreman-proxy-dns-interface 'enp0s3' \
--foreman-proxy-plugin-remote-execution-script-install-key true \
--foreman-proxy-puppet true \
--foreman-proxy-puppetca true \
--enable-puppet \
--puppet-server true \
--puppet-autosign-entries='*.ecloud.net' \
--puppet-autosign-entries='*.esystems.net' \
--puppet-autosign-mode='0664' \
--certs-server-cert "/etc/esystems/certs/katello.ecloud.net.crt" \
--certs-server-key "/etc/esystems/certs/ESYSTEMS-PRIVATE-KEY.pem" \
--certs-server-ca-cert "/etc/esystems/certs/ESYSTEMS-CA.crt" \
--puppet-runinterval 300 # 1800 for 30mins


# change the foreman-proxy cert to use ESYSTEMS
# (the original referenced an undefined $FOREMAN_PROXY and a quoted "~", which the shell
#  does not expand; the FQDN is set explicitly here and $HOME is used for the tarball path)
FOREMAN_PROXY=katello.ecloud.net
foreman-proxy-certs-generate --foreman-proxy-fqdn "$FOREMAN_PROXY" \
--certs-tar "$HOME/$FOREMAN_PROXY-certs.tar" \
--server-cert "/etc/esystems/certs/katello.ecloud.net.crt" \
--server-key "/etc/esystems/certs/ESYSTEMS-PRIVATE-KEY.pem" \
--server-ca-cert "/etc/esystems/certs/ESYSTEMS-CA.crt" \
--certs-update-server


# fix puppet-agent cert issue
cat ~/katello-installer/foreman.yaml > /etc/puppetlabs/puppet/foreman.yaml


# force puppet boot after foreman
# (this edits the packaged unit file, which a package update can overwrite;
#  a drop-in under /etc/systemd/system/puppet.service.d/ would survive that)
sed -i '/^After=/ s/$/ foreman-proxy.service foreman.service/' /usr/lib/systemd/system/puppet.service
systemctl daemon-reload


# keep foreman clean of old client reports
# (a shebang is needed so run-parts can execute the script directly)
printf '#!/bin/sh\nforeman-rake reports:expire days=1 status=0\n' > /etc/cron.daily/foremanReportCleaner
chmod +x /etc/cron.daily/foremanReportCleaner



# fix puppet not found in foreman-webUI
if [ ! -f /usr/bin/puppet ]; then
  ln -s /opt/puppetlabs/bin/puppet /usr/bin/puppet
fi