Web interface SSL Cert

What would be considered the proper way to apply my SSL certificate to the
web interface of Foreman? Thanks!

Update the apache config:

SSLCertificateChainFile
SSLCertificateFile
SSLCertificateKeyFile

However ensure you leave SSLCACertificateFile untouched.

Also update the SSL CA settings in /etc/puppet/node.rb and the
foreman.rb report processor (e.g.
/usr/lib/ruby/1.8/puppet/reports/foreman.rb) to refer to your cert's CA.
Leave the cert/key settings alone.

··· On 14/11/13 20:04, gliverma@westga.edu wrote: > What would be considered the proper way to apply my SSL certificate to > the web interface of Foreman? Thanks!

–
Dominic Cleal
Red Hat Engineering

This is how I was able to get it setup. I believe everything is working.
Would still like to figure out how to specify everything via the installer.
This is on foreman 1.13.4

I hope this helps someone. I spent way too much time figuring this out. :frowning:

Thanks Dominic and Gene (for asking the question). I was struggling with
this for days. I kept changing too much, resulting in a trusted web page,
but broken puppet clients :slight_smile:

Here's a summary of the steps I followed based on the post above.
Everything appears to be working. (including the SSL request steps for my
own future reference)

  1. Create the SSL key and csr

sudo su -
mkdir /root/Incommon-cert
cd /root/Incommon-cert

openssl req -out $(hostname)-2048.csr -new -newkey rsa:2048 -nodes -keyout
$(hostname -f)-2048.key

  1. Copy the contents of the csr to the clipboard and use it to request
    an InCommon SSL certificate
  2. Once the cert is approved, download the following files to
    /root/Incommon-cert on the Puppet / Foreman server:
      • as X509 Certificate only, Base64 encoded
      • as X509 Intermediates/root only, Base64 encoded
  3. Copy the files to the appropriate directories
    cp puppet.tld.blah-2048.key /var/lib/puppet/ssl/private_keys/
    cp puppet.tld.blah-2048-incommon-cert.crt /var/lib/puppet/ssl/certs/
    cp puppet.tld.blah-2048-incommon-interm.crt /var/lib/puppet/ssl/certs/
  4. Set the appropriate permissions and SELinux configs for the key
    cd /var/lib/puppet/ssl/private_keys/
    chown puppet:puppet *.key
    chmod 640 *.key
    chcon -u system_u -r object_r -t puppet_var_lib_t *.key
  5. Set perms and SELinux for the certs
    cd /var/lib/puppet/ssl/certs/
    chown puppet:puppet *
    chcon -u system_u -r object_r -t puppet_var_lib_t *.crt
  6. Next edit the various config files
  • /etc/puppet/node.rb
    — /etc/puppet/node.rb.orig 2014-03-24 17:48:09.215000045 -0500
    +++ /etc/puppet/node.rb 2014-06-24 10:24:51.049282905 -0500
    @@ -8,7 +8,8 @@
    :facts => true, # true/false to upload facts
    :timeout => 10,
    # if CA is specified, remote Foreman host will be verified
    • :ssl_ca => "/var/lib/puppet/ssl/certs/ca.pem", # e.g.
      /var/lib/puppet/ssl/certs/ca.pem
    • #:ssl_ca => "/var/lib/puppet/ssl/certs/ca.pem", # e.g.
      /var/lib/puppet/ssl/certs/ca.pem
    • :ssl_ca =>
      "/var/lib/puppet/ssl/certs/puppet.tld.blah-2048-incommon-interm.crt",

    e.g. /var/lib/puppet/ssl/certs/ca.pem

    # ssl_cert and key are required if require_ssl_puppetmasters is 
    
    enabled in Foreman
    :ssl_cert => "/var/lib/puppet/ssl/certs/puppet.tld.blah.pem",
    # e.g. /var/lib/puppet/ssl/certs/FQDN.pem
    :ssl_key =>
    "/var/lib/puppet/ssl/private_keys/puppet.tld.blah.pem" # e.g.
    /var/lib/puppet/ssl/private_keys/FQDN.pem
    • /usr/lib/ruby/site_ruby/1.8/puppet/reports/foreman.rb
      — /usr/lib/ruby/site_ruby/1.8/puppet/reports/foreman.rb.orig 2014-03-24
      17:44:37.494000046 -0500
      +++ /usr/lib/ruby/site_ruby/1.8/puppet/reports/foreman.rb 2014-06-24
      10:28:54.497406986 -0500
      @@ -5,7 +5,8 @@

    URL of your Foreman installation

    $foreman_url='https://puppet.tld.blah'

    if CA is specified, remote Foreman host will be verified

    -$foreman_ssl_ca = "/var/lib/puppet/ssl/certs/ca.pem"
    +#$foreman_ssl_ca = "/var/lib/puppet/ssl/certs/ca.pem"
    +$foreman_ssl_ca =
    "/var/lib/puppet/ssl/certs/puppet.tld.blah-2048-incommon-interm.crt"

    ssl_cert and key are required if require_ssl_puppetmasters is

    enabled in Foreman
    $foreman_ssl_cert = "/var/lib/puppet/ssl/certs/puppet.tld.blah.pem"
    $foreman_ssl_key =
    "/var/lib/puppet/ssl/private_keys/puppet.tld.blah.pem"
    • /etc/httpd/conf.d/05-foreman-ssl.conf
      — /etc/httpd/conf.d/05-foreman-ssl.conf.orig 2014-06-24
      10:30:59.917531640 -0500
      +++ /etc/httpd/conf.d/05-foreman-ssl.conf 2014-06-24
      10:32:36.318164714 -0500
      @@ -35,11 +35,18 @@

      SSL directives

      SSLEngine on

    • SSLCertificateFile
      /var/lib/puppet/ssl/certs/puppet.tld.blah.pem

    • SSLCertificateKeyFile
      /var/lib/puppet/ssl/private_keys/puppet.tld.blah.pem

    • SSLCertificateChainFile /var/lib/puppet/ssl/certs/ca.pem

    • SSLCertificateFile
      "/var/lib/puppet/ssl/certs/puppet.tld.blah-2048-incommon-cert.crt"
    • SSLCertificateKeyFile
      "/var/lib/puppet/ssl/private_keys/puppet.tld.blah-2048.key"
    • SSLCertificateChainFile
      "/var/lib/puppet/ssl/certs/incommon-ssl.ca-bundle"
      SSLCACertificatePath /etc/pki/tls/certs
      SSLCACertificateFile /var/lib/puppet/ssl/certs/ca.pem
··· + +# SSLCertificateFile /var/lib/puppet/ssl/certs/puppet.tld.blah.pem +# SSLCertificateKeyFile /var/lib/puppet/ssl/private_keys/puppet.tld.blah.pem +# SSLCertificateChainFile /var/lib/puppet/ssl/certs/ca.pem +# SSLCACertificatePath /etc/pki/tls/certs +# SSLCACertificateFile /var/lib/puppet/ssl/certs/ca.pem + SSLVerifyClient optional SSLVerifyDepth 3 SSLOptions +StdEnvVars 9. Restart the services (foreman-proxy restart probably isn't necessary but may as well) service httpd restart service foreman-proxy restart

On Friday, November 15, 2013 3:09:05 AM UTC-6, Dominic Cleal wrote:

On 14/11/13 20:04, gliv...@westga.edu <javascript:> wrote:

What would be considered the proper way to apply my SSL certificate to
the web interface of Foreman? Thanks!

Update the apache config:

SSLCertificateChainFile
SSLCertificateFile
SSLCertificateKeyFile

However ensure you leave SSLCACertificateFile untouched.

Also update the SSL CA settings in /etc/puppet/node.rb and the
foreman.rb report processor (e.g.
/usr/lib/ruby/1.8/puppet/reports/foreman.rb) to refer to your cert’s CA.
Leave the cert/key settings alone.

–
Dominic Cleal
Red Hat Engineering

I did eventually get this working.

https://theforeman.org/2015/11/foreman-ssl.html
https://alexshepherd.me/articles/changing-foremans-ssl-certificate
<Weiterleitungshinweis;

The specific problem I had all along was that I was supplied an
intermediate cert chain without the root CA (as mentioned by alex shepherd).
Concatenating their intermediate and the root CA into one pem and
referencing that in /etc/puppetlabs/puppet/foreman.yaml for :ssl_ca: fixed
the problem.

Installing via puppet:

foreman::ssl: true
puppet::server_foreman_ssl_ca: '/etc/pki/tls/certs/cachain_with_root.pem'
puppet::server_foreman_url: 'https://puppet.example.com'
foreman::server_ssl_key: '/etc/pki/tls/private/puppet.example.com.key'
foreman::server_ssl_cert: '/etc/pki/tls/certs/puppet.example.com.crt'
foreman::server_ssl_chain: '/etc/pki/tls/certs/cachain_with_root.pem'
foreman::servername: 'puppet.example.com'
foreman::foreman_url: 'https://puppet.example.com'
foreman::websockets_ssl_key: '/etc/pki/tls/private/puppet.example.key'
foreman::websockets_ssl_cert: '/etc/pki/tls/certs/puppet.example.crt'

or with foreman-installer options

foreman-installer --foreman-ssl
–puppet-server-foreman-ssl-ca '/etc/pki/tls/certs/cachain_with_root.pem'
–puppet-server-foreman-url 'https://puppet.example.com'
–foreman-server-ssl-key '/etc/pki/tls/private/puppet.example.com.key'
–foreman-server-ssl-cert '/etc/pki/tls/certs/puppet.example.com.crt'
–foreman-server-ssl-chain '/etc/pki/tls/certs/cachain_with_root.pem'
–foreman-servername 'puppet.example.com'
–foreman-foreman-url 'https://puppet.example.com'
–foreman-websockets-ssl-key '/etc/pki/tls/private/puppet.example.key'
–foreman-websockets-ssl-cert '/etc/pki/tls/certs/puppet.example.crt'

cheers

Matt

Since the layout has changed, and configs go into different .yaml files
instead of node.rb, someone can give some help on where to change all the
SSLCert references (foreman.yaml, settings.yaml, settings.yml,
puppet.yml,…).
Thanks in advance

··· On Tuesday, June 24, 2014 at 6:19:40 PM UTC+2, Mike Hanby wrote: > > Thanks Dominic and Gene (for asking the question). I was struggling with > this for days. I kept changing too much, resulting in a trusted web page, > but broken puppet clients :-) > > Here's a summary of the steps I followed based on the post above. > Everything appears to be working. (including the SSL request steps for my > own future reference) > > > 1. Create the SSL key and csr > > sudo su - > mkdir /root/Incommon-cert > cd /root/Incommon-cert > > openssl req -out $(hostname)-2048.csr -new -newkey rsa:2048 -nodes -keyout > $(hostname -f)-2048.key > > > > > > > > > > > 1. > 2. > 3. Copy the contents of the csr to the clipboard and use it to request > an InCommon SSL certificate > 4. Once the cert is approved, download the following files to > /root/Incommon-cert on the Puppet / Foreman server: > - * as X509 Certificate only, Base64 encoded > - * as X509 Intermediates/root only, Base64 encoded > 5. Copy the files to the appropriate directories > cp puppet.tld.blah-2048.key /var/lib/puppet/ssl/private_keys/ > cp puppet.tld.blah-2048-incommon-cert.crt /var/lib/puppet/ssl/certs/ > cp puppet.tld.blah-2048-incommon-interm.crt /var/lib/puppet/ssl/certs/ > 6. Set the appropriate permissions and SELinux configs for the key > cd /var/lib/puppet/ssl/private_keys/ > chown puppet:puppet *.key > chmod 640 *.key > chcon -u system_u -r object_r -t puppet_var_lib_t *.key > 7. Set perms and SELinux for the certs > cd /var/lib/puppet/ssl/certs/ > chown puppet:puppet * > chcon -u system_u -r object_r -t puppet_var_lib_t *.crt > 8. Next edit the various config files > - /etc/puppet/node.rb > --- /etc/puppet/node.rb.orig 2014-03-24 17:48:09.215000045 -0500 > +++ /etc/puppet/node.rb 2014-06-24 10:24:51.049282905 -0500 > @@ -8,7 +8,8 @@ > :facts => true, # true/false to upload facts > :timeout => 10, > # if CA is specified, remote Foreman host will be verified > - :ssl_ca => "/var/lib/puppet/ssl/certs/ca.pem", # e.g. > /var/lib/puppet/ssl/certs/ca.pem > + #:ssl_ca => "/var/lib/puppet/ssl/certs/ca.pem", # > e.g. /var/lib/puppet/ssl/certs/ca.pem > + :ssl_ca => > "/var/lib/puppet/ssl/certs/puppet.tld.blah-2048-incommon-interm.crt", > # e.g. /var/lib/puppet/ssl/certs/ca.pem > # ssl_cert and key are required if require_ssl_puppetmasters is > enabled in Foreman > :ssl_cert => > "/var/lib/puppet/ssl/certs/puppet.tld.blah.pem", # e.g. > /var/lib/puppet/ssl/certs/FQDN.pem > :ssl_key => > "/var/lib/puppet/ssl/private_keys/puppet.tld.blah.pem" # e.g. > /var/lib/puppet/ssl/private_keys/FQDN.pem > - /usr/lib/ruby/site_ruby/1.8/puppet/reports/foreman.rb > --- /usr/lib/ruby/site_ruby/1.8/puppet/reports/foreman.rb.orig 2014-03-24 > 17:44:37.494000046 -0500 > +++ /usr/lib/ruby/site_ruby/1.8/puppet/reports/foreman.rb 2014-06-24 > 10:28:54.497406986 -0500 > @@ -5,7 +5,8 @@ > # URL of your Foreman installation > $foreman_url='https://puppet.tld.blah' > # if CA is specified, remote Foreman host will be verified > -$foreman_ssl_ca = "/var/lib/puppet/ssl/certs/ca.pem" > +#$foreman_ssl_ca = "/var/lib/puppet/ssl/certs/ca.pem" > +$foreman_ssl_ca = > "/var/lib/puppet/ssl/certs/puppet.tld.blah-2048-incommon-interm.crt" > # ssl_cert and key are required if require_ssl_puppetmasters is > enabled in Foreman > $foreman_ssl_cert = "/var/lib/puppet/ssl/certs/puppet.tld.blah.pem" > $foreman_ssl_key = > "/var/lib/puppet/ssl/private_keys/puppet.tld.blah.pem" > - /etc/httpd/conf.d/05-foreman-ssl.conf > --- /etc/httpd/conf.d/05-foreman-ssl.conf.orig 2014-06-24 > 10:30:59.917531640 -0500 > +++ /etc/httpd/conf.d/05-foreman-ssl.conf 2014-06-24 > 10:32:36.318164714 -0500 > @@ -35,11 +35,18 @@ > > ## SSL directives > SSLEngine on > - SSLCertificateFile > /var/lib/puppet/ssl/certs/puppet.tld.blah.pem > - SSLCertificateKeyFile > /var/lib/puppet/ssl/private_keys/puppet.tld.blah.pem > - SSLCertificateChainFile /var/lib/puppet/ssl/certs/ca.pem > + SSLCertificateFile > "/var/lib/puppet/ssl/certs/puppet.tld.blah-2048-incommon-cert.crt" > + SSLCertificateKeyFile > "/var/lib/puppet/ssl/private_keys/puppet.tld.blah-2048.key" > + SSLCertificateChainFile > "/var/lib/puppet/ssl/certs/incommon-ssl.ca-bundle" > SSLCACertificatePath /etc/pki/tls/certs > SSLCACertificateFile /var/lib/puppet/ssl/certs/ca.pem > + > +# SSLCertificateFile > /var/lib/puppet/ssl/certs/puppet.tld.blah.pem > +# SSLCertificateKeyFile > /var/lib/puppet/ssl/private_keys/puppet.tld.blah.pem > +# SSLCertificateChainFile /var/lib/puppet/ssl/certs/ca.pem > +# SSLCACertificatePath /etc/pki/tls/certs > +# SSLCACertificateFile /var/lib/puppet/ssl/certs/ca.pem > + > SSLVerifyClient optional > SSLVerifyDepth 3 > SSLOptions +StdEnvVars > 9. Restart the services (foreman-proxy restart probably isn't > necessary but may as well) > service httpd restart > service foreman-proxy restart > > On Friday, November 15, 2013 3:09:05 AM UTC-6, Dominic Cleal wrote: >> >> On 14/11/13 20:04, gliv...@westga.edu wrote: >> > What would be considered the proper way to apply my SSL certificate to >> > the web interface of Foreman? Thanks! >> >> Update the apache config: >> >> SSLCertificateChainFile >> SSLCertificateFile >> SSLCertificateKeyFile >> >> However ensure you leave SSLCACertificateFile untouched. >> >> Also update the SSL CA settings in /etc/puppet/node.rb and the >> foreman.rb report processor (e.g. >> /usr/lib/ruby/1.8/puppet/reports/foreman.rb) to refer to your cert's CA. >> Leave the cert/key settings alone. >> >> -- >> Dominic Cleal >> Red Hat Engineering >> >

Good question, has this been updated/documented anywhere on how to use a
public ssl cert for foreman interface and keep puppet certs for puppet
infra? with foreman 1.7/1.8x?

··· On Wednesday, June 17, 2015 at 2:30:54 AM UTC-5, Yorick P wrote: > > Since the layout has changed, and configs go into different .yaml files > instead of node.rb, someone can give some help on where to change all the > SSLCert references (foreman.yaml, settings.yaml, settings.yml, > puppet.yml,....). > Thanks in advance > > On Tuesday, June 24, 2014 at 6:19:40 PM UTC+2, Mike Hanby wrote: >> >> Thanks Dominic and Gene (for asking the question). I was struggling with >> this for days. I kept changing too much, resulting in a trusted web page, >> but broken puppet clients :-) >> >> Here's a summary of the steps I followed based on the post above. >> Everything appears to be working. (including the SSL request steps for my >> own future reference) >> >> >> 1. Create the SSL key and csr >> >> sudo su - >> mkdir /root/Incommon-cert >> cd /root/Incommon-cert >> >> openssl req -out $(hostname)-2048.csr -new -newkey rsa:2048 -nodes >> -keyout $(hostname -f)-2048.key >> >> >> >> >> >> >> >> >> >> >> 1. >> 2. >> 3. Copy the contents of the csr to the clipboard and use it to >> request an InCommon SSL certificate >> 4. Once the cert is approved, download the following files to >> /root/Incommon-cert on the Puppet / Foreman server: >> - * as X509 Certificate only, Base64 encoded >> - * as X509 Intermediates/root only, Base64 encoded >> 5. Copy the files to the appropriate directories >> cp puppet.tld.blah-2048.key /var/lib/puppet/ssl/private_keys/ >> cp puppet.tld.blah-2048-incommon-cert.crt /var/lib/puppet/ssl/certs/ >> cp puppet.tld.blah-2048-incommon-interm.crt /var/lib/puppet/ssl/certs/ >> 6. Set the appropriate permissions and SELinux configs for the key >> cd /var/lib/puppet/ssl/private_keys/ >> chown puppet:puppet *.key >> chmod 640 *.key >> chcon -u system_u -r object_r -t puppet_var_lib_t *.key >> 7. Set perms and SELinux for the certs >> cd /var/lib/puppet/ssl/certs/ >> chown puppet:puppet * >> chcon -u system_u -r object_r -t puppet_var_lib_t *.crt >> 8. Next edit the various config files >> - /etc/puppet/node.rb >> --- /etc/puppet/node.rb.orig 2014-03-24 17:48:09.215000045 -0500 >> +++ /etc/puppet/node.rb 2014-06-24 10:24:51.049282905 -0500 >> @@ -8,7 +8,8 @@ >> :facts => true, # true/false to upload facts >> :timeout => 10, >> # if CA is specified, remote Foreman host will be verified >> - :ssl_ca => "/var/lib/puppet/ssl/certs/ca.pem", # >> e.g. /var/lib/puppet/ssl/certs/ca.pem >> + #:ssl_ca => "/var/lib/puppet/ssl/certs/ca.pem", # >> e.g. /var/lib/puppet/ssl/certs/ca.pem >> + :ssl_ca => >> "/var/lib/puppet/ssl/certs/puppet.tld.blah-2048-incommon-interm.crt", >> # e.g. /var/lib/puppet/ssl/certs/ca.pem >> # ssl_cert and key are required if require_ssl_puppetmasters is >> enabled in Foreman >> :ssl_cert => >> "/var/lib/puppet/ssl/certs/puppet.tld.blah.pem", # e.g. >> /var/lib/puppet/ssl/certs/FQDN.pem >> :ssl_key => >> "/var/lib/puppet/ssl/private_keys/puppet.tld.blah.pem" # e.g. >> /var/lib/puppet/ssl/private_keys/FQDN.pem >> - /usr/lib/ruby/site_ruby/1.8/puppet/reports/foreman.rb >> --- /usr/lib/ruby/site_ruby/1.8/puppet/reports/foreman.rb.orig 2014-03-24 >> 17:44:37.494000046 -0500 >> +++ /usr/lib/ruby/site_ruby/1.8/puppet/reports/foreman.rb 2014-06-24 >> 10:28:54.497406986 -0500 >> @@ -5,7 +5,8 @@ >> # URL of your Foreman installation >> $foreman_url='https://puppet.tld.blah' >> # if CA is specified, remote Foreman host will be verified >> -$foreman_ssl_ca = "/var/lib/puppet/ssl/certs/ca.pem" >> +#$foreman_ssl_ca = "/var/lib/puppet/ssl/certs/ca.pem" >> +$foreman_ssl_ca = >> "/var/lib/puppet/ssl/certs/puppet.tld.blah-2048-incommon-interm.crt" >> # ssl_cert and key are required if require_ssl_puppetmasters is >> enabled in Foreman >> $foreman_ssl_cert = >> "/var/lib/puppet/ssl/certs/puppet.tld.blah.pem" >> $foreman_ssl_key = >> "/var/lib/puppet/ssl/private_keys/puppet.tld.blah.pem" >> - /etc/httpd/conf.d/05-foreman-ssl.conf >> --- /etc/httpd/conf.d/05-foreman-ssl.conf.orig 2014-06-24 >> 10:30:59.917531640 -0500 >> +++ /etc/httpd/conf.d/05-foreman-ssl.conf 2014-06-24 >> 10:32:36.318164714 -0500 >> @@ -35,11 +35,18 @@ >> >> ## SSL directives >> SSLEngine on >> - SSLCertificateFile >> /var/lib/puppet/ssl/certs/puppet.tld.blah.pem >> - SSLCertificateKeyFile >> /var/lib/puppet/ssl/private_keys/puppet.tld.blah.pem >> - SSLCertificateChainFile /var/lib/puppet/ssl/certs/ca.pem >> + SSLCertificateFile >> "/var/lib/puppet/ssl/certs/puppet.tld.blah-2048-incommon-cert.crt" >> + SSLCertificateKeyFile >> "/var/lib/puppet/ssl/private_keys/puppet.tld.blah-2048.key" >> + SSLCertificateChainFile >> "/var/lib/puppet/ssl/certs/incommon-ssl.ca-bundle" >> SSLCACertificatePath /etc/pki/tls/certs >> SSLCACertificateFile /var/lib/puppet/ssl/certs/ca.pem >> + >> +# SSLCertificateFile >> /var/lib/puppet/ssl/certs/puppet.tld.blah.pem >> +# SSLCertificateKeyFile >> /var/lib/puppet/ssl/private_keys/puppet.tld.blah.pem >> +# SSLCertificateChainFile /var/lib/puppet/ssl/certs/ca.pem >> +# SSLCACertificatePath /etc/pki/tls/certs >> +# SSLCACertificateFile /var/lib/puppet/ssl/certs/ca.pem >> + >> SSLVerifyClient optional >> SSLVerifyDepth 3 >> SSLOptions +StdEnvVars >> 9. Restart the services (foreman-proxy restart probably isn't >> necessary but may as well) >> service httpd restart >> service foreman-proxy restart >> >> On Friday, November 15, 2013 3:09:05 AM UTC-6, Dominic Cleal wrote: >>> >>> On 14/11/13 20:04, gliv...@westga.edu wrote: >>> > What would be considered the proper way to apply my SSL certificate to >>> > the web interface of Foreman? Thanks! >>> >>> Update the apache config: >>> >>> SSLCertificateChainFile >>> SSLCertificateFile >>> SSLCertificateKeyFile >>> >>> However ensure you leave SSLCACertificateFile untouched. >>> >>> Also update the SSL CA settings in /etc/puppet/node.rb and the >>> foreman.rb report processor (e.g. >>> /usr/lib/ruby/1.8/puppet/reports/foreman.rb) to refer to your cert's CA. >>> Leave the cert/key settings alone. >>> >>> -- >>> Dominic Cleal >>> Red Hat Engineering >>> >>

I think the perfect place for documenting this is in the Scenarios section
of the theForeman manual (3.2.3 I believe). I too spent several days
sifting through other people's suggestions and finally running in
flatrack's instructions.

IF, and only if you wish to get NoVNC working, you'll also need to edit the
/etc/foreman/settings.yml file to change the websockets cert and key to
your trusted cert and key,

After some digging through the files, content from the
/usr/lib/ruby/site_ruby/1.8/puppet/reports/foreman.rb file seems to go in
/etc/foreman-proxy/settings.yml (:foreman_ssl_ca:, :foreman_ssl_cert:,
:foreman_ssl_key:).

The adaptions from /etc/puppet/node.rb seems present in
/etc/puppet/foreman.yaml.

Nevertheless, changing the SSLCA, SSLCert and SSLKey in these two files and
in the Apache config file, my problem stays: working https website with
signed cert from Terena, broken puppet nodes (not appearing in Foreman) :s

··· On Tuesday, June 30, 2015 at 4:03:13 PM UTC+2, Byron Miller wrote: > > Good question, has this been updated/documented anywhere on how to use a > public ssl cert for foreman interface and keep puppet certs for puppet > infra? with foreman 1.7/1.8x? > > On Wednesday, June 17, 2015 at 2:30:54 AM UTC-5, Yorick P wrote: >> >> Since the layout has changed, and configs go into different .yaml files >> instead of node.rb, someone can give some help on where to change all the >> SSLCert references (foreman.yaml, settings.yaml, settings.yml, >> puppet.yml,....). >> Thanks in advance >> >> On Tuesday, June 24, 2014 at 6:19:40 PM UTC+2, Mike Hanby wrote: >>> >>> Thanks Dominic and Gene (for asking the question). I was struggling with >>> this for days. I kept changing too much, resulting in a trusted web page, >>> but broken puppet clients :-) >>> >>> Here's a summary of the steps I followed based on the post above. >>> Everything appears to be working. (including the SSL request steps for my >>> own future reference) >>> >>> >>> 1. Create the SSL key and csr >>> >>> sudo su - >>> mkdir /root/Incommon-cert >>> cd /root/Incommon-cert >>> >>> openssl req -out $(hostname)-2048.csr -new -newkey rsa:2048 -nodes >>> -keyout $(hostname -f)-2048.key >>> >>> >>> >>> >>> >>> >>> >>> >>> >>> >>> 1. >>> 2. >>> 3. Copy the contents of the csr to the clipboard and use it to >>> request an InCommon SSL certificate >>> 4. Once the cert is approved, download the following files to >>> /root/Incommon-cert on the Puppet / Foreman server: >>> - * as X509 Certificate only, Base64 encoded >>> - * as X509 Intermediates/root only, Base64 encoded >>> 5. Copy the files to the appropriate directories >>> cp puppet.tld.blah-2048.key /var/lib/puppet/ssl/private_keys/ >>> cp puppet.tld.blah-2048-incommon-cert.crt /var/lib/puppet/ssl/certs/ >>> cp puppet.tld.blah-2048-incommon-interm.crt >>> /var/lib/puppet/ssl/certs/ >>> 6. Set the appropriate permissions and SELinux configs for the key >>> cd /var/lib/puppet/ssl/private_keys/ >>> chown puppet:puppet *.key >>> chmod 640 *.key >>> chcon -u system_u -r object_r -t puppet_var_lib_t *.key >>> 7. Set perms and SELinux for the certs >>> cd /var/lib/puppet/ssl/certs/ >>> chown puppet:puppet * >>> chcon -u system_u -r object_r -t puppet_var_lib_t *.crt >>> 8. Next edit the various config files >>> - /etc/puppet/node.rb >>> --- /etc/puppet/node.rb.orig 2014-03-24 17:48:09.215000045 -0500 >>> +++ /etc/puppet/node.rb 2014-06-24 10:24:51.049282905 -0500 >>> @@ -8,7 +8,8 @@ >>> :facts => true, # true/false to upload facts >>> :timeout => 10, >>> # if CA is specified, remote Foreman host will be verified >>> - :ssl_ca => "/var/lib/puppet/ssl/certs/ca.pem", # >>> e.g. /var/lib/puppet/ssl/certs/ca.pem >>> + #:ssl_ca => "/var/lib/puppet/ssl/certs/ca.pem", # >>> e.g. /var/lib/puppet/ssl/certs/ca.pem >>> + :ssl_ca => >>> "/var/lib/puppet/ssl/certs/puppet.tld.blah-2048-incommon-interm.crt", >>> # e.g. /var/lib/puppet/ssl/certs/ca.pem >>> # ssl_cert and key are required if require_ssl_puppetmasters >>> is enabled in Foreman >>> :ssl_cert => >>> "/var/lib/puppet/ssl/certs/puppet.tld.blah.pem", # e.g. >>> /var/lib/puppet/ssl/certs/FQDN.pem >>> :ssl_key => >>> "/var/lib/puppet/ssl/private_keys/puppet.tld.blah.pem" # e.g. >>> /var/lib/puppet/ssl/private_keys/FQDN.pem >>> - /usr/lib/ruby/site_ruby/1.8/puppet/reports/foreman.rb >>> --- /usr/lib/ruby/site_ruby/1.8/puppet/reports/foreman.rb.orig 2014-03-24 >>> 17:44:37.494000046 -0500 >>> +++ /usr/lib/ruby/site_ruby/1.8/puppet/reports/foreman.rb 2014-06-24 >>> 10:28:54.497406986 -0500 >>> @@ -5,7 +5,8 @@ >>> # URL of your Foreman installation >>> $foreman_url='https://puppet.tld.blah' >>> # if CA is specified, remote Foreman host will be verified >>> -$foreman_ssl_ca = "/var/lib/puppet/ssl/certs/ca.pem" >>> +#$foreman_ssl_ca = "/var/lib/puppet/ssl/certs/ca.pem" >>> +$foreman_ssl_ca = >>> "/var/lib/puppet/ssl/certs/puppet.tld.blah-2048-incommon-interm.crt" >>> # ssl_cert and key are required if require_ssl_puppetmasters is >>> enabled in Foreman >>> $foreman_ssl_cert = >>> "/var/lib/puppet/ssl/certs/puppet.tld.blah.pem" >>> $foreman_ssl_key = >>> "/var/lib/puppet/ssl/private_keys/puppet.tld.blah.pem" >>> - /etc/httpd/conf.d/05-foreman-ssl.conf >>> --- /etc/httpd/conf.d/05-foreman-ssl.conf.orig 2014-06-24 >>> 10:30:59.917531640 -0500 >>> +++ /etc/httpd/conf.d/05-foreman-ssl.conf 2014-06-24 >>> 10:32:36.318164714 -0500 >>> @@ -35,11 +35,18 @@ >>> >>> ## SSL directives >>> SSLEngine on >>> - SSLCertificateFile >>> /var/lib/puppet/ssl/certs/puppet.tld.blah.pem >>> - SSLCertificateKeyFile >>> /var/lib/puppet/ssl/private_keys/puppet.tld.blah.pem >>> - SSLCertificateChainFile /var/lib/puppet/ssl/certs/ca.pem >>> + SSLCertificateFile >>> "/var/lib/puppet/ssl/certs/puppet.tld.blah-2048-incommon-cert.crt" >>> + SSLCertificateKeyFile >>> "/var/lib/puppet/ssl/private_keys/puppet.tld.blah-2048.key" >>> + SSLCertificateChainFile >>> "/var/lib/puppet/ssl/certs/incommon-ssl.ca-bundle" >>> SSLCACertificatePath /etc/pki/tls/certs >>> SSLCACertificateFile /var/lib/puppet/ssl/certs/ca.pem >>> + >>> +# SSLCertificateFile >>> /var/lib/puppet/ssl/certs/puppet.tld.blah.pem >>> +# SSLCertificateKeyFile >>> /var/lib/puppet/ssl/private_keys/puppet.tld.blah.pem >>> +# SSLCertificateChainFile /var/lib/puppet/ssl/certs/ca.pem >>> +# SSLCACertificatePath /etc/pki/tls/certs >>> +# SSLCACertificateFile /var/lib/puppet/ssl/certs/ca.pem >>> + >>> SSLVerifyClient optional >>> SSLVerifyDepth 3 >>> SSLOptions +StdEnvVars >>> 9. Restart the services (foreman-proxy restart probably isn't >>> necessary but may as well) >>> service httpd restart >>> service foreman-proxy restart >>> >>> On Friday, November 15, 2013 3:09:05 AM UTC-6, Dominic Cleal wrote: >>>> >>>> On 14/11/13 20:04, gliv...@westga.edu wrote: >>>> > What would be considered the proper way to apply my SSL certificate >>>> to >>>> > the web interface of Foreman? Thanks! >>>> >>>> Update the apache config: >>>> >>>> SSLCertificateChainFile >>>> SSLCertificateFile >>>> SSLCertificateKeyFile >>>> >>>> However ensure you leave SSLCACertificateFile untouched. >>>> >>>> Also update the SSL CA settings in /etc/puppet/node.rb and the >>>> foreman.rb report processor (e.g. >>>> /usr/lib/ruby/1.8/puppet/reports/foreman.rb) to refer to your cert's >>>> CA. >>>> Leave the cert/key settings alone. >>>> >>>> -- >>>> Dominic Cleal >>>> Red Hat Engineering >>>> >>>

Hi all,

are there any updates on this? Anybody found a usable solution?

Doing some digging in "/etc/puppet/node.rb" I figured one could bypass the
problem by commenting the ":ssl_ca" option in "/etc/puppet/foreman.yaml" as
the .rb would then not try to verify server-side SSL.

However this comes with two issues:

  1. Security? I'm not "smart" enough to figure out the concrete
    implications, but since The Foreman configures httpd to make
    "SSLVerifyClient" optional, it may be tolerable, may it not?
  2. Report uploading still breaks, but I have yet to find out why - node.rb
    deactivates verifying and
    "/usr/lib/ruby/site_ruby/1.8/puppet/reports/foreman.rb" seems to be
    designed to honor this, still "/var/log/messages" fails due to "SSL_connect
    returned=1 errno=0 state=SSLv3 read server certificate B: certificate
    verify failed"

All in all pretty strange behaviour… in case I'm interpreting mod_ssl
options correctly The Foreman ( better: the Apache providiing access to The
Foreman ) presents "SSLCACertificateFile
"/var/lib/puppet/ssl/certs/ca.pem"" to all clients for verification -
leaving "ssl_ca" in "/etc/puppet/foreman.yaml" untouched should work, but
it does not. Am I misinterpreting this option? (
http://httpd.apache.org/docs/2.2/mod/mod_ssl.html#sslcacertificatefile )

gunzl1ng3r

··· Am Donnerstag, 9. Juli 2015 00:17:41 UTC+2 schrieb Yorick P: > > After some digging through the files, content from the > /usr/lib/ruby/site_ruby/1.8/puppet/reports/foreman.rb file seems to go in > /etc/foreman-proxy/settings.yml (:foreman_ssl_ca:, :foreman_ssl_cert:, > :foreman_ssl_key:). > > The adaptions from /etc/puppet/node.rb seems present in > /etc/puppet/foreman.yaml. > > Nevertheless, changing the SSLCA, SSLCert and SSLKey in these two files > and in the Apache config file, my problem stays: working https website with > signed cert from Terena, broken puppet nodes (not appearing in Foreman) :s > > On Tuesday, June 30, 2015 at 4:03:13 PM UTC+2, Byron Miller wrote: >> >> Good question, has this been updated/documented anywhere on how to use a >> public ssl cert for foreman interface and keep puppet certs for puppet >> infra? with foreman 1.7/1.8x? >> >> On Wednesday, June 17, 2015 at 2:30:54 AM UTC-5, Yorick P wrote: >>> >>> Since the layout has changed, and configs go into different .yaml files >>> instead of node.rb, someone can give some help on where to change all the >>> SSLCert references (foreman.yaml, settings.yaml, settings.yml, >>> puppet.yml,....). >>> Thanks in advance >>> >>> On Tuesday, June 24, 2014 at 6:19:40 PM UTC+2, Mike Hanby wrote: >>>> >>>> Thanks Dominic and Gene (for asking the question). I was struggling >>>> with this for days. I kept changing too much, resulting in a trusted web >>>> page, but broken puppet clients :-) >>>> >>>> Here's a summary of the steps I followed based on the post above. >>>> Everything appears to be working. (including the SSL request steps for my >>>> own future reference) >>>> >>>> >>>> 1. Create the SSL key and csr >>>> >>>> sudo su - >>>> mkdir /root/Incommon-cert >>>> cd /root/Incommon-cert >>>> >>>> openssl req -out $(hostname)-2048.csr -new -newkey rsa:2048 -nodes >>>> -keyout $(hostname -f)-2048.key >>>> >>>> >>>> >>>> >>>> >>>> >>>> >>>> >>>> >>>> >>>> 1. >>>> 2. >>>> 3. Copy the contents of the csr to the clipboard and use it to >>>> request an InCommon SSL certificate >>>> 4. Once the cert is approved, download the following files to >>>> /root/Incommon-cert on the Puppet / Foreman server: >>>> - * as X509 Certificate only, Base64 encoded >>>> - * as X509 Intermediates/root only, Base64 encoded >>>> 5. Copy the files to the appropriate directories >>>> cp puppet.tld.blah-2048.key /var/lib/puppet/ssl/private_keys/ >>>> cp puppet.tld.blah-2048-incommon-cert.crt /var/lib/puppet/ssl/certs/ >>>> cp puppet.tld.blah-2048-incommon-interm.crt >>>> /var/lib/puppet/ssl/certs/ >>>> 6. Set the appropriate permissions and SELinux configs for the key >>>> cd /var/lib/puppet/ssl/private_keys/ >>>> chown puppet:puppet *.key >>>> chmod 640 *.key >>>> chcon -u system_u -r object_r -t puppet_var_lib_t *.key >>>> 7. Set perms and SELinux for the certs >>>> cd /var/lib/puppet/ssl/certs/ >>>> chown puppet:puppet * >>>> chcon -u system_u -r object_r -t puppet_var_lib_t *.crt >>>> 8. Next edit the various config files >>>> - /etc/puppet/node.rb >>>> --- /etc/puppet/node.rb.orig 2014-03-24 17:48:09.215000045 -0500 >>>> +++ /etc/puppet/node.rb 2014-06-24 10:24:51.049282905 -0500 >>>> @@ -8,7 +8,8 @@ >>>> :facts => true, # true/false to upload facts >>>> :timeout => 10, >>>> # if CA is specified, remote Foreman host will be verified >>>> - :ssl_ca => "/var/lib/puppet/ssl/certs/ca.pem", # >>>> e.g. /var/lib/puppet/ssl/certs/ca.pem >>>> + #:ssl_ca => "/var/lib/puppet/ssl/certs/ca.pem", # >>>> e.g. /var/lib/puppet/ssl/certs/ca.pem >>>> + :ssl_ca => >>>> "/var/lib/puppet/ssl/certs/puppet.tld.blah-2048-incommon-interm.crt", >>>> # e.g. /var/lib/puppet/ssl/certs/ca.pem >>>> # ssl_cert and key are required if require_ssl_puppetmasters >>>> is enabled in Foreman >>>> :ssl_cert => >>>> "/var/lib/puppet/ssl/certs/puppet.tld.blah.pem", # e.g. >>>> /var/lib/puppet/ssl/certs/FQDN.pem >>>> :ssl_key => >>>> "/var/lib/puppet/ssl/private_keys/puppet.tld.blah.pem" # e.g. >>>> /var/lib/puppet/ssl/private_keys/FQDN.pem >>>> - /usr/lib/ruby/site_ruby/1.8/puppet/reports/foreman.rb >>>> --- /usr/lib/ruby/site_ruby/1.8/puppet/reports/foreman.rb.orig 2014-03-24 >>>> 17:44:37.494000046 -0500 >>>> +++ /usr/lib/ruby/site_ruby/1.8/puppet/reports/foreman.rb 2014-06-24 >>>> 10:28:54.497406986 -0500 >>>> @@ -5,7 +5,8 @@ >>>> # URL of your Foreman installation >>>> $foreman_url='https://puppet.tld.blah' >>>> # if CA is specified, remote Foreman host will be verified >>>> -$foreman_ssl_ca = "/var/lib/puppet/ssl/certs/ca.pem" >>>> +#$foreman_ssl_ca = "/var/lib/puppet/ssl/certs/ca.pem" >>>> +$foreman_ssl_ca = >>>> "/var/lib/puppet/ssl/certs/puppet.tld.blah-2048-incommon-interm.crt" >>>> # ssl_cert and key are required if require_ssl_puppetmasters is >>>> enabled in Foreman >>>> $foreman_ssl_cert = >>>> "/var/lib/puppet/ssl/certs/puppet.tld.blah.pem" >>>> $foreman_ssl_key = >>>> "/var/lib/puppet/ssl/private_keys/puppet.tld.blah.pem" >>>> - /etc/httpd/conf.d/05-foreman-ssl.conf >>>> --- /etc/httpd/conf.d/05-foreman-ssl.conf.orig 2014-06-24 >>>> 10:30:59.917531640 -0500 >>>> +++ /etc/httpd/conf.d/05-foreman-ssl.conf 2014-06-24 >>>> 10:32:36.318164714 -0500 >>>> @@ -35,11 +35,18 @@ >>>> >>>> ## SSL directives >>>> SSLEngine on >>>> - SSLCertificateFile >>>> /var/lib/puppet/ssl/certs/puppet.tld.blah.pem >>>> - SSLCertificateKeyFile >>>> /var/lib/puppet/ssl/private_keys/puppet.tld.blah.pem >>>> - SSLCertificateChainFile /var/lib/puppet/ssl/certs/ca.pem >>>> + SSLCertificateFile >>>> "/var/lib/puppet/ssl/certs/puppet.tld.blah-2048-incommon-cert.crt" >>>> + SSLCertificateKeyFile >>>> "/var/lib/puppet/ssl/private_keys/puppet.tld.blah-2048.key" >>>> + SSLCertificateChainFile >>>> "/var/lib/puppet/ssl/certs/incommon-ssl.ca-bundle" >>>> SSLCACertificatePath /etc/pki/tls/certs >>>> SSLCACertificateFile /var/lib/puppet/ssl/certs/ca.pem >>>> + >>>> +# SSLCertificateFile >>>> /var/lib/puppet/ssl/certs/puppet.tld.blah.pem >>>> +# SSLCertificateKeyFile >>>> /var/lib/puppet/ssl/private_keys/puppet.tld.blah.pem >>>> +# SSLCertificateChainFile /var/lib/puppet/ssl/certs/ca.pem >>>> +# SSLCACertificatePath /etc/pki/tls/certs >>>> +# SSLCACertificateFile /var/lib/puppet/ssl/certs/ca.pem >>>> + >>>> SSLVerifyClient optional >>>> SSLVerifyDepth 3 >>>> SSLOptions +StdEnvVars >>>> 9. Restart the services (foreman-proxy restart probably isn't >>>> necessary but may as well) >>>> service httpd restart >>>> service foreman-proxy restart >>>> >>>> On Friday, November 15, 2013 3:09:05 AM UTC-6, Dominic Cleal wrote: >>>>> >>>>> On 14/11/13 20:04, gliv...@westga.edu wrote: >>>>> > What would be considered the proper way to apply my SSL certificate >>>>> to >>>>> > the web interface of Foreman? Thanks! >>>>> >>>>> Update the apache config: >>>>> >>>>> SSLCertificateChainFile >>>>> SSLCertificateFile >>>>> SSLCertificateKeyFile >>>>> >>>>> However ensure you leave SSLCACertificateFile untouched. >>>>> >>>>> Also update the SSL CA settings in /etc/puppet/node.rb and the >>>>> foreman.rb report processor (e.g. >>>>> /usr/lib/ruby/1.8/puppet/reports/foreman.rb) to refer to your cert's >>>>> CA. >>>>> Leave the cert/key settings alone. >>>>> >>>>> -- >>>>> Dominic Cleal >>>>> Red Hat Engineering >>>>> >>>>

This is driving me nuts, I've gone with gunzl1ng3r's work around for the
time being. For me at least report uploading works though on Foreman 1.10.

I'm building foreman up as a replacement for our ageing puppet-dashboard so
it's not in production yet but i'd like to turn the CA check back on before
going live.

Has anyone found a way of getting this working, or if not is there a bug
report with Foreman?

cheers

Matt

Hello

Maybe this could help Foreman :: Replacing Foreman's web SSL certificate.

··· -- Marek

On Wednesday 17 of February 2016 21:36:56 Matt Cahill wrote:

This is driving me nuts, I’ve gone with gunzl1ng3r’s work around for the
time being. For me at least report uploading works though on Foreman 1.10.

I’m building foreman up as a replacement for our ageing puppet-dashboard so
it’s not in production yet but i’d like to turn the CA check back on before
going live.

Has anyone found a way of getting this working, or if not is there a bug
report with Foreman?

cheers

Matt

Hi Marek,

Thanks for that, it's definitely what I'm looking to do but unfortunately
node.rb still fails after following those instructions. I think I'll open a
ticket and see what happens.

cheers

Matt

I know this is an older and revived thread, but was anyone able to get this
working?
We are using puppetca signed certs, but would like our web browser to be
from our internal AD ca so all our windows machines trust it.
We have followed articles at
https://theforeman.org/2015/11/foreman-ssl.html
https://alexshepherd.me/articles/changing-foremans-ssl-certificate

as well as this post.

We make the changes but once completed we get an error unable to node,
communication is dead in the water to the foreman server but our web gui
works great.

Any help is greatly appreciated. THank you

··· On Wednesday, March 16, 2016 at 10:42:06 PM UTC-5, Matt Cahill wrote:

Hi Marek,

Thanks for that, it’s definitely what I’m looking to do but unfortunately
node.rb still fails after following those instructions. I think I’ll open a
ticket and see what happens.

cheers

Matt

Our solution for this problem is simply to create a new ca.pem file, which
is just a concat of our (internal AD ca) + (puppet ca). We deploy this new
"foreman-web-ca" on both the foreman servers and puppetmasters, then
reference it in foreman's httpd.conf and the puppetmaster's
/etc/puppetlabs/puppet/foreman.yaml :ssl_ca parameter.

··· On Friday, December 2, 2016 at 8:27:53 AM UTC-5, Jason McMahan wrote: > > I know this is an older and revived thread, but was anyone able to get > this working? > We are using puppetca signed certs, but would like our web browser to be > from our internal AD ca so all our windows machines trust it. > We have followed articles at > https://theforeman.org/2015/11/foreman-ssl.html > https://alexshepherd.me/articles/changing-foremans-ssl-certificate > > https://flakrat.blogspot.com/2014/06/replace-foreman-self-signed-certificate.html > as well as this post. > > We make the changes but once completed we get an error unable to node, > communication is dead in the water to the foreman server but our web gui > works great. > > Any help is greatly appreciated. THank you > > > On Wednesday, March 16, 2016 at 10:42:06 PM UTC-5, Matt Cahill wrote: > >> Hi Marek, >> >> Thanks for that, it's definitely what I'm looking to do but unfortunately >> node.rb still fails after following those instructions. I think I'll open a >> ticket and see what happens. >> >> cheers >> >> Matt >> >

Hi Michael,
I'm facing a similar problem, *probably *after adding our internal AD CA to:
/etc/pki/ca-trust/source/
anchors/
and run:
update-ca-trust
(to use LDAPS as authentication source for Web GUI).

Now, from the Capsule server, command:
/etc/puppet/node.rb myclient.mydomain.com
doesn't work anymore:
Error retrieving node myclient.mydomain.com: Net::HTTPPreconditionFailed
(with obvious consequencies on all clients)

I'm not sure if the real cause is that. Any help?

Hi David,

for us it's just simply a plain text PEM encoded certificate file like so:

-----BEGIN CERTIFICATE-----
encoded...
...cert...
...data
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
encoded...
...cert...
...data
-----END CERTIFICATE-----

I just did the following

cat intermediate.pem > foreman_ssl_ca.pem
cat digicert_root_ca.crt > foreman_ssl_ca.pem

cheers

Matt

···

On 14 December 2017 at 07:39, David Childs <david@thetemplateblog.com> wrote:

Hi Matt

Concatenating their intermediate and the root CA into one pem and

referencing that in /etc/puppetlabs/puppet/foreman.yaml for :ssl_ca: fixed
the problem.

Can you explain how you did this? It should be obvious, but I'm not having
any luck making it work.

On Tuesday, July 11, 2017 at 6:27:16 AM UTC-4, Matt Cahill wrote:

I did eventually get this working.

Foreman :: Replacing Foreman's web SSL certificate.
https://alexshepherd.me/articles/changing-foremans-ssl-certificate
<https://www.google.com/url?q=https%3A%2F%2Falexshepherd.me%2Farticles%2Fchanging-foremans-ssl-certificate&sa=D&sntz=1&usg=AFQjCNF-HApeEJhueDE1sOtYBG2JkVVV2A>

The specific problem I had all along was that I was supplied an
intermediate cert chain without the root CA (as mentioned by alex shepherd).
Concatenating their intermediate and the root CA into one pem and
referencing that in /etc/puppetlabs/puppet/foreman.yaml for :ssl_ca:
fixed the problem.

Installing via puppet:

foreman::ssl: true
puppet::server_foreman_ssl_ca: '/etc/pki/tls/certs/cachain_with_root.pem'
puppet::server_foreman_url: 'https://puppet.example.com'
foreman::server_ssl_key: '/etc/pki/tls/private/puppet.example.com.key'
foreman::server_ssl_cert: '/etc/pki/tls/certs/puppet.example.com.crt'
foreman::server_ssl_chain: '/etc/pki/tls/certs/cachain_with_root.pem'
foreman::servername: 'puppet.example.com'
foreman::foreman_url: 'https://puppet.example.com'
foreman::websockets_ssl_key: '/etc/pki/tls/private/puppet.example.key'
foreman::websockets_ssl_cert: '/etc/pki/tls/certs/puppet.example.crt'

or with foreman-installer options

foreman-installer --foreman-ssl \
--puppet-server-foreman-ssl-ca '/etc/pki/tls/certs/cachain_with_root.pem'
\
--puppet-server-foreman-url 'https://puppet.example.com' \
--foreman-server-ssl-key '/etc/pki/tls/private/puppet.example.com.key' \
--foreman-server-ssl-cert '/etc/pki/tls/certs/puppet.example.com.crt' \
--foreman-server-ssl-chain '/etc/pki/tls/certs/cachain_with_root.pem' \
--foreman-servername 'puppet.example.com' \
--foreman-foreman-url 'https://puppet.example.com' \
--foreman-websockets-ssl-key '/etc/pki/tls/private/puppet.example.key' \
--foreman-websockets-ssl-cert '/etc/pki/tls/certs/puppet.example.crt'

cheers

Matt

--
You received this message because you are subscribed to a topic in the
Google Groups "Foreman users" group.
To unsubscribe from this topic, visit https://groups.google.com/d/
topic/foreman-users/MMug-F4hNHg/unsubscribe.
To unsubscribe from this group and all its topics, send an email to
foreman-users+unsubscribe@googlegroups.com.
To post to this group, send email to foreman-users@googlegroups.com.
Visit this group at https://groups.google.com/group/foreman-users.
For more options, visit https://groups.google.com/d/optout.

correction

cat intermediate.pem > foreman_ssl_ca.pem
cat digicert_root_ca.crt >> foreman_ssl_ca.pem

···

On 14 December 2017 at 17:22, Matt Cahill <cahillenator@gmail.com> wrote:

Hi David,

for us it's just simply a plain text PEM encoded certificate file like so:

-----BEGIN CERTIFICATE-----
encoded...
...cert...
...data
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
encoded...
...cert...
...data
-----END CERTIFICATE-----

I just did the following

cat intermediate.pem > foreman_ssl_ca.pem
cat digicert_root_ca.crt > foreman_ssl_ca.pem

cheers

Matt

On 14 December 2017 at 07:39, David Childs <david@thetemplateblog.com> > wrote:

Hi Matt

Concatenating their intermediate and the root CA into one pem and

referencing that in /etc/puppetlabs/puppet/foreman.yaml for :ssl_ca: fixed
the problem.

Can you explain how you did this? It should be obvious, but I'm not
having any luck making it work.

On Tuesday, July 11, 2017 at 6:27:16 AM UTC-4, Matt Cahill wrote:

I did eventually get this working.

Foreman :: Replacing Foreman's web SSL certificate.
https://alexshepherd.me/articles/changing-foremans-ssl-certificate
<https://www.google.com/url?q=https%3A%2F%2Falexshepherd.me%2Farticles%2Fchanging-foremans-ssl-certificate&sa=D&sntz=1&usg=AFQjCNF-HApeEJhueDE1sOtYBG2JkVVV2A>

The specific problem I had all along was that I was supplied an
intermediate cert chain without the root CA (as mentioned by alex shepherd).
Concatenating their intermediate and the root CA into one pem and
referencing that in /etc/puppetlabs/puppet/foreman.yaml for :ssl_ca:
fixed the problem.

Installing via puppet:

foreman::ssl: true
puppet::server_foreman_ssl_ca: '/etc/pki/tls/certs/cachain_wi
th_root.pem'
puppet::server_foreman_url: 'https://puppet.example.com'
foreman::server_ssl_key: '/etc/pki/tls/private/puppet.example.com.key'
foreman::server_ssl_cert: '/etc/pki/tls/certs/puppet.example.com.crt'
foreman::server_ssl_chain: '/etc/pki/tls/certs/cachain_with_root.pem'
foreman::servername: 'puppet.example.com'
foreman::foreman_url: 'https://puppet.example.com'
foreman::websockets_ssl_key: '/etc/pki/tls/private/puppet.example.key'
foreman::websockets_ssl_cert: '/etc/pki/tls/certs/puppet.example.crt'

or with foreman-installer options

foreman-installer --foreman-ssl \
--puppet-server-foreman-ssl-ca '/etc/pki/tls/certs/cachain_wi
th_root.pem' \
--puppet-server-foreman-url 'https://puppet.example.com' \
--foreman-server-ssl-key '/etc/pki/tls/private/puppet.example.com.key' \
--foreman-server-ssl-cert '/etc/pki/tls/certs/puppet.example.com.crt' \
--foreman-server-ssl-chain '/etc/pki/tls/certs/cachain_with_root.pem' \
--foreman-servername 'puppet.example.com' \
--foreman-foreman-url 'https://puppet.example.com' \
--foreman-websockets-ssl-key '/etc/pki/tls/private/puppet.example.key' \
--foreman-websockets-ssl-cert '/etc/pki/tls/certs/puppet.example.crt'

cheers

Matt

--
You received this message because you are subscribed to a topic in the
Google Groups "Foreman users" group.
To unsubscribe from this topic, visit https://groups.google.com/d/to
pic/foreman-users/MMug-F4hNHg/unsubscribe.
To unsubscribe from this group and all its topics, send an email to
foreman-users+unsubscribe@googlegroups.com.
To post to this group, send email to foreman-users@googlegroups.com.
Visit this group at https://groups.google.com/group/foreman-users.
For more options, visit https://groups.google.com/d/optout.

Hi,
I’m trying to change only user interface certificate with a trusted one. I followed this guide linked in a comment in this thread:


This article is very interesting because it’s exactly what i want achieve “…The following steps will replace The Foreman’s SSL certificate for the user web interface, but will leave the Puppet CA and SSL certs in place for Puppet related work.”

Probably this steps are related to an older version of foreman, indeed i cannot find “ssl_ca” under node.rb.

I’ve already replaced certificate, chain and private key but my puppet now is marked as “out of sync”.

Anyone has working configuration?

1 Like

I have concated our digicert CA with the puppet ca as instructed in this thread. Foreman web is correctly SSL’d. The puppet smart proxy is picked up correctly in the web UI. The only problem that I have is with node.rb. I get the following error:

./node.rb:379: warning: constant ::TimeoutError is deprecated
SSL_connect returned=1 errno=0 state=error: certificate verify failed

If I comment out ssl_ca in the foreman.yaml on the puppet server, node.rb works correctly.

Any ideas what might be wrong with my configuration.

Config File Examples:

Foreman Server - settings.yaml

:ssl_certificate:    'foreman.pub.pem'
:ssl_private_key:    'foreman.priv.pem'
:ssl_ca_file:        'combined_ca.pem'
:unattended:         true
:puppetconfdir:      '/etc/puppet/puppet.conf'
:login:              true
:require_ssl:        false
:domain:             'localhost'
:fqdn:               'localhost'
:websockets_encrypt: on
:websockets_ssl_key: 'web.key'
:websockets_ssl_cert: 'web.pem'
:trusted_puppetmaster_hosts: []

Foreman Server - apache.conf

<VirtualHost *:443>
...
SSLEngine on
SSLCertificateFile      "web.pem"
SSLCertificateFile      "web.key"
SSLCertificateChainFile "combined_ca.pem"   

Puppet Server - foreman.yaml

:ssl_ca:   "combined_ca.pem"
:ssl_cert: "puppet-server.pem"
:ssl_key:  "puppet-server.key"

Puppet Server - foreman_proxy.yml

:ssl_ca_file:     "combined_ca.pem"
:ssl_certificate: "puppet-server.pem"
:ssl_private_key: "puppet-server.key"