Web interface SSL Cert

I don't have the puppet CA in ours, just the two parts of the DigiCert CA chain:

the DigiCert SHA2 Secure Server CA and the DigiCert Global Root CA

https://global-root-ca.chain-demos.digicert.com/info/index.html

Ours is a wildcard cert though, so you may need to add the puppet CA one as well if you have a specific SN cert; either way, you definitely need the two DigiCert CA certificates if your Foreman frontend is signed by a DigiCert cert.

So I just tried to provision a VM. It hangs at the build stage. There is an error about signing for PuppetCA.

Failed to cancel pending build for REDACTED with the following errors: 
    Delete PuppetCA autosign entry for REDACTED task failed with the following error: 
        ERF12-4681 [ProxyAPI::ProxyException]:
            Unable to delete PuppetCA autosign for REDACTED ([RestClient::NotAcceptable]: 
                406 Not Acceptable) for proxy PUPPET-SERVER:8443/puppet/ca

I am trying to set up the Apache web page so that it has the padlock in the browser. Some of this seems pretty dated. I am seeing lots of different questions about this, but I haven't really seen anything I would consider great documentation on the subject. I am pretty new to the certificate process. I created the CSR and I have my trusted PEM cert file. The file I have has 4 blocks of:
-----BEGIN CERTIFICATE-----
-----END CERTIFICATE-----

I think the file I need to modify is: /etc/httpd/conf.d/05-foreman-ssl.conf

This block:

  ## SSL directives
  SSLEngine on
  SSLCertificateFile      "/etc/puppetlabs/puppet/ssl/certs/fqdn.pem"
  SSLCertificateKeyFile   "/etc/puppetlabs/puppet/ssl/private_keys/fqdn.pem"
  SSLCertificateChainFile "/etc/puppetlabs/puppet/ssl/certs/ca.pem"
  SSLVerifyClient         optional
  SSLCACertificateFile    "/etc/puppetlabs/puppet/ssl/certs/ca.pem"
  SSLCARevocationFile     "/etc/puppetlabs/puppet/ssl/crl.pem"
  SSLVerifyDepth          3
  SSLCARevocationCheck    "chain"
  SSLOptions +StdEnvVars +ExportCertData

I am thinking I need to take the different blocks and save them, change some of the entries, and restart the httpd service.

Can someone help me understand what I need to do as far as breaking up the pem file and what entries I need to modify?

I am running Foreman 1.16.1 on RHEL 7. It is just a single standalone server and I am not really using Puppet.

Is there some documentation that I should be looking at that I may have missed?

Thanks in advance for any help!

No need to break the certificate file up; Apache will read the right parts by itself. Just change these three to all point at your new certificate and restart httpd:

SSLCertificateFile      "/etc/puppetlabs/puppet/ssl/certs/fqdn.pem"
SSLCertificateKeyFile   "/etc/puppetlabs/puppet/ssl/private_keys/fqdn.pem"
SSLCertificateChainFile "/etc/puppetlabs/puppet/ssl/certs/ca.pem"

That error looks like it's trying to delete an autosign entry that doesn't exist via the API (or some malformed request) after the provisioning was cancelled. I think that's a red herring.

Thanks for your help!

I tried:
SSLCertificateFile      "/etc/puppetlabs/puppet/ssl/certs/example_Foreman.pem"
SSLCertificateKeyFile   "/etc/puppetlabs/puppet/ssl/certs/example_Foreman.pem"
SSLCertificateChainFile "/etc/puppetlabs/puppet/ssl/certs/example_Foreman.pem"

httpd won't start now; if I put the original file /etc/httpd/conf.d/05-foreman-ssl.conf back, it works.

It doesn't like my files. The log file /var/log/httpd/foreman-ssl_error_ssl.log shows:

[Wed Apr 18 16:59:11.627412 2018] [ssl:error] [pid 62325] AH02203: Init: Private key not found
[Wed Apr 18 16:59:11.627437 2018] [ssl:error] [pid 62325] SSL Library Error: error:0D0680A8:asn1 encoding routines:ASN1_CHECK_TLEN:wrong tag
[Wed Apr 18 16:59:11.627448 2018] [ssl:error] [pid 62325] SSL Library Error: error:0D08303A:asn1 encoding routines:ASN1_TEMPLATE_NOEXP_D2I:nested asn1 error
[Wed Apr 18 16:59:11.627454 2018] [ssl:error] [pid 62325] SSL Library Error: error:0D0680A8:asn1 encoding routines:ASN1_CHECK_TLEN:wrong tag
[Wed Apr 18 16:59:11.627460 2018] [ssl:error] [pid 62325] SSL Library Error: error:0D07803A:asn1 encoding routines:ASN1_ITEM_EX_D2I:nested asn1 error (Type=RSA)
[Wed Apr 18 16:59:11.627467 2018] [ssl:error] [pid 62325] SSL Library Error: error:04093004:rsa routines:OLD_RSA_PRIV_DECODE:RSA lib
[Wed Apr 18 16:59:11.627472 2018] [ssl:error] [pid 62325] SSL Library Error: error:0D0680A8:asn1 encoding routines:ASN1_CHECK_TLEN:wrong tag
[Wed Apr 18 16:59:11.627478 2018] [ssl:error] [pid 62325] SSL Library Error: error:0D07803A:asn1 encoding routines:ASN1_ITEM_EX_D2I:nested asn1 error (Type=PKCS8_PRIV_KEY_INFO)

I am using Foreman 1.17 and am unable to set the certificate based on the instructions outlined in:

The web SSL changes correctly; however, we can't list products, and we also can't get any client to connect to the server afterwards.

Are there updated instructions for Foreman 1.17?

Ladies/Gentlemen

I was finally able to find a way to install a custom SSL certificate on my web server. It has to be done ALL manually.

  1. The following commands were issued on the Foreman/Katello server:

cp /etc/pki/katello/my-custom-cert.crt /etc/pki/katello/certs/katello-apache.crt
cp /etc/pki/katello/my-ca-bundle.crt /etc/pki/katello/certs/katello-server-ca.crt
cp /etc/pki/katello/my-private.key /etc/pki/katello/private/katello-apache.key
cp /etc/pki/katello/my-ca-bundle.crt /etc/pki/ca-trust/source/anchors/katello_server-host-cert.crt
update-ca-trust && update-ca-trust extract
katello-service restart

  2. On the client side:

# the source is on the server, so this is a remote copy (scp), not cp
scp my-server.com:/etc/pki/katello/certs/katello-server-ca.crt /etc/rhsm/ca/katello-server-ca.pem

Please note that if you re-run katello-installer on the server, you will need to repeat the above manual changes.

You would have to update the clients if you ever re-register or update the CA cert, via the following command:

rpm -Uvh http://my-server.com/pub/katello-ca-consumer-latest.noarch.rpm

I hope it helps out.