Wildcard certificate supported?

Hi,
I changed the SSL certificate of the Foreman UI to a Let's Encrypt wildcard certificate. Everything works fine except the upload of the Puppet reports.
Are wildcard certificates supported at all?

Best regards
Martin

The problem is not the wildcard, it is the trust and client certificates for authentication, which are required by many things in the Foreman infrastructure. As Foreman does not differentiate between users and systems connecting, I do not recommend changing the certificate to make users happy.

It changes based on if you use Foreman or Katello. Foreman uses by default the certificates from Puppet so you could replace the Puppet CA, Katello uses Candlepin which makes replacing them even harder.

The upload of the reports happens via Puppet’s reporthandler functionality where you would have to also change the certificate.

So there is no (easy) possibility to change only the certificate of the Foreman UI to an official one and use the Puppet certificates internally (e.g. for the smart proxy)?

There is an ongoing discussion on redesigning the way certificates are being handled, your input there would be very valuable.

Hi yes, we use a digicert wildcard certificate for the UI and puppet certs for authentication. It is not hard to set up. How do you configure/deploy foreman?

Hi,

I installed Foreman on CentOS with the RPM packages and then ran foreman-installer. I also tried to change the certificates manually as described here:

https://theforeman.org/2015/11/foreman-ssl.html

but with no luck.

Perhaps you can post or send me your files with the referring ssl parameters:
/etc/httpd/conf.d/05-foreman-ssl.conf
/etc/foreman/settings.yaml
/etc/foreman-proxy/settings.yml
/etc/puppetlabs/puppet/foreman.yaml

Kind regards

Which options did you set exactly?

I have recently installed a new katello/foreman server which uses an official certificate. During installation I have set it like this:

foreman-installer --scenario katello \
   --certs-server-ca-cert=/etc/pki/tls/certs/ca-bundle-g2.crt \
   --certs-server-cert=/etc/pki/tls/certs/foreman.crt \
   --certs-server-key=/etc/pki/tls/private/foreman.key ...

ca-bundle-g2.crt contains the chain CAs for our PKI. A little later I had to replace the certificate because it is expiring and used the --certs-update-server option to update the server certificate. --certs-update-server-ca may be necessary if you want to change the CA certificate(s) as well.

I did not change any settings or conf manually. Only used foreman-installer.

Hope this helps.

We install and manage all settings using the foreman provided puppet modules (on ubuntu 18.04).
Also of note is the fact that our puppet servers are not foreman servers, we have 8 puppet servers and 6 foreman servers that all appear as one behind a load balancer.

The hiera config is like so:

foreman_proxy::foreman_ssl_ca: "/etc/ssl/certs/ca-certificates.crt"
foreman::server_ssl_cert: 'path_to_wildcard_cert'
foreman::server_ssl_chain: 'path_to_FULL_wildcard_cert_ca_trust_chain'
foreman::server_ssl_key: 'path_to_wildcard_private_key'
foreman::websockets_ssl_cert: 'path_to_wildcard_cert'
foreman::websockets_ssl_key: 'path_to_wildcard_private_key'
foreman::client_ssl_cert: '/etc/puppetlabs/puppet/ssl/certs/server_fqdn.pem'
foreman::client_ssl_key: '/etc/puppetlabs/puppet/ssl/private_keys/server_fqdn.pem'

By full trust chain I mean the root CA cert and any intermediates. The clients (in this case puppet node.rb and the foreman proxies) need to trust implicitly the certificate they are provided so foreman needs to provide the full chain on initial SSL negotiation. The trust chain for your cert provider should also be installed into the system PKI on all nodes if it is not there already.

The settings above translate to the settings in the files you requested looking like this:

Foreman Servers
/etc/apache2/sites-enabled/05-foreman-ssl.conf

  ## SSL directives
  SSLEngine on
  SSLCertificateFile      "path_to_wildcard_cert"
  SSLCertificateKeyFile   "path_to_wildcard_private_key"
  SSLCertificateChainFile "path_to_FULL_wildcard_cert_ca_trust_chain"
  SSLVerifyClient         optional
  SSLCACertificateFile    "/etc/puppetlabs/puppet/ssl/certs/ca.pem"
  SSLCARevocationFile     "/etc/puppetlabs/puppet/ssl/crl.pem"
  SSLVerifyDepth          3
  SSLCARevocationCheck    "chain"
  SSLOptions +StdEnvVars +ExportCertData

/etc/foreman/settings.yaml

:require_ssl: true
# Websockets
:websockets_encrypt: true
:websockets_ssl_key: path_to_wildcard_private_key
:websockets_ssl_cert: path_to_wildcard_cert
# SSL-settings
:ssl_certificate: /etc/puppetlabs/puppet/ssl/certs/server_fqdn.pem
:ssl_ca_file: /etc/puppetlabs/puppet/ssl/certs/ca.pem
:ssl_priv_key: /etc/puppetlabs/puppet/ssl/private_keys/server_fqdn.pem

/etc/foreman-proxy/settings.yml

:ssl_ca_file: /etc/puppetlabs/puppet/ssl/certs/ca.pem
:ssl_certificate: /etc/puppetlabs/puppet/ssl/certs/server_fqdn.pem
:ssl_private_key: /etc/puppetlabs/puppet/ssl/private_keys/server_fqdn.pem
:foreman_ssl_ca: /etc/ssl/certs/ca-certificates.crt

Puppet Servers
/etc/foreman-proxy/settings.yml

:ssl_ca_file: /etc/puppetlabs/puppet/ssl/certs/ca.pem
:ssl_certificate: /etc/puppetlabs/puppet/ssl/certs/server_fqdn.pem
:ssl_private_key: /etc/puppetlabs/puppet/ssl/private_keys/server_fqdn.pem
:foreman_ssl_ca: /etc/ssl/certs/ca-certificates.crt

/etc/puppetlabs/puppet/foreman.yaml

:ssl_ca: "/etc/ssl/certs/ca-certificates.crt"
:ssl_cert: "/etc/puppetlabs/puppet/ssl/certs/server_fqdn.pem"
:ssl_key: "/etc/puppetlabs/puppet/ssl/private_keys/server_fqdn.pem"

anyway hope that helps.

cheers

Matt
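
The layout in the post above depends on each CA setting pointing at the right trust anchor: the settings a client uses to verify the Foreman UI certificate need the public CA bundle, while the settings used between Puppet-certified components need the Puppet CA. The lint below is an added example, not part of the original post and not Foreman code; it covers only the YAML settings files, and the function names and sample file contents are constructed for illustration using the paths from the post.

```python
# Added example (not Foreman code): lint the CA settings for the split-trust layout.
PUBLIC_CA = "/etc/ssl/certs/ca-certificates.crt"        # trusts the wildcard cert's issuer
PUPPET_CA = "/etc/puppetlabs/puppet/ssl/certs/ca.pem"   # signs the client certificates

# (file, key) -> the CA that setting has to point at in the layout from the post.
EXPECTED = {
    ("/etc/foreman/settings.yaml", "ssl_ca_file"): PUPPET_CA,
    ("/etc/foreman-proxy/settings.yml", "ssl_ca_file"): PUPPET_CA,
    ("/etc/foreman-proxy/settings.yml", "foreman_ssl_ca"): PUBLIC_CA,
    ("/etc/puppetlabs/puppet/foreman.yaml", "ssl_ca"): PUBLIC_CA,
}

def parse_settings(text):
    """Parse flat ':key: value' lines, enough for these files (not full YAML)."""
    settings = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line.startswith(":"):      # skips blank lines and '#' comments
            continue
        key, _, value = line[1:].partition(":")
        settings[key.strip()] = value.strip().strip("\"'")
    return settings

def lint(files):
    """files maps path -> file content; returns findings, empty when consistent."""
    findings = []
    for (path, key), wanted in EXPECTED.items():
        if path not in files:             # only check the files that were supplied
            continue
        got = parse_settings(files[path]).get(key)
        if got != wanted:
            findings.append(f"{path} :{key}: is {got!r}, expected {wanted!r}")
    return findings

# Constructed sample contents using the values from the post.
GOOD = {
    "/etc/foreman-proxy/settings.yml": (
        ":ssl_ca_file: /etc/puppetlabs/puppet/ssl/certs/ca.pem\n"
        ":foreman_ssl_ca: /etc/ssl/certs/ca-certificates.crt\n"),
    "/etc/puppetlabs/puppet/foreman.yaml": (
        ':ssl_ca: "/etc/ssl/certs/ca-certificates.crt"\n'),
}
# Constructed misconfiguration: node.rb is told to trust only the Puppet CA.
BAD = dict(GOOD, **{"/etc/puppetlabs/puppet/foreman.yaml":
                    ':ssl_ca: "/etc/puppetlabs/puppet/ssl/certs/ca.pem"\n'})

if __name__ == "__main__":
    print(lint(GOOD))
    print("\n".join(lint(BAD)))
```

On a system whose public CA bundle lives elsewhere (the path above is the Ubuntu one from the post), change `PUBLIC_CA` before reading real files into `lint`.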

I only use the installer options to change anything. If you can, you could install a test server/VM with a new foreman-installer using the options and then check the answers file and the settings to compare where the installer puts your Let’s Encrypt certificate and where it puts the Puppet CA certificates.

Otherwise, maybe you find an error message in the logs or someone else here can help you…

Hi Matt,
your information was very, very helpful:
My entries for the ssl_ca in the foreman-proxy and foreman.yaml settings were wrong. After correcting them everything works fine!
Thank you very much for helping.
Kind regards
Martin
