Windows DHCP setup

Anyone got updated steps to add a smart-proxy to a windows machine in order to use MS DHCP? Or a working setup?

Steps on the guide are a bit outdated. I’m stuck at the end where, when trying to connect, it tells me I have invalid certificates, but paths and everything are different now so I am not sure where I’m messing up.

I did generate my certs with

puppet cert generate <new-smart-proxy-FQDN>

and copied what I think are the correct ones.

Anyone done this setup recently?

Thanks in advance.

Hi @Karepi,

Would it be possible to:

  • share which foreman version and smart proxy version you are using, as well as plugins + versions?
  • Share the version of Windows you are running this on
  • What have you tried so far (besides the creation of the puppet cert)?
  • Extract and paste the logs (might be interesting that you also skim these logs and point us towards bits that look strange)

I also deploy my smart proxies manually, including the generation of certificates. If I understand the problem a bit better I can share my steps for this (I’m not doing it straight off the bat as it might lead to a more confusing situation if that isn’t your exact problem).

Kind regards!

1 Like

Foreman is 2.1.3, on the Windows side I’ve got 2.1.4. Managed to make it work without HTTPS. So I am guessing I’m copying the incorrect certificates/keys, but not sure where I am messing up.

Documentation is a bit outdated, so after running: puppet cert generate
it created files under:
/etc/puppetlabs/puppet/ssl/ca/signed
/etc/puppetlabs/puppet/ssl/certs
/etc/puppetlabs/puppet/ssl/private_keys
/etc/puppetlabs/puppet/ssl/public_keys

Install doc mentions I’ll need to copy over:
ssl_certificate
private_key
and ca file

which I did from
/etc/puppetlabs/puppet/ssl/certs
/etc/puppetlabs/puppet/ssl/private_keys
/etc/puppetlabs/puppet/ssl/ca/signed

all named after the smartproxyFQDN.

Is this the right way to go? Again, HTTP seemed to work, but ideally I would like to have it running with HTTPS.

Thanks.

@UXabre this keeps returning over and over again; we are in the process of moving towards asciidoc documentation, feel free to contribute a chapter about this:

Thanks for your constant support of Windows-related questions :wink:

1 Like

Hi @Karepi,

I’ve actually done this via Ansible, and again only on Linux; nevertheless, the steps should be fairly clear to follow:

# Scratch directory on the control node; the certificate material is staged here
# before it is pushed to the proxy.
- name: 'Create local temp directory for syncing certs'
  local_action: command mktemp -d /tmp/foreman-ansible-XXXXXXX
  register: proxy_cert_mktemp
  changed_when: False
  become: no

# Mirror the puppet ssl layout (ca/, certs/, private_keys/) inside the scratch dir.
- name: 'Create puppet ssl path in tmp directory'
  local_action: file path="{{ proxy_cert_mktemp.stdout }}/{{ item }}" state=directory
  with_items:
    - ca
    - certs
    - private_keys

# Pull the CA certificate, CRL and CA key from the Puppet CA host; the CA key is
# needed locally to sign the proxy's CSR in the next task.
- name: 'Retrieve the proxy certificates (ca, crl, public and private cert) from the master'
  fetch:
    src: "/etc/puppetlabs/puppet/ssl/{{ item }}"
    dest: "{{ proxy_cert_mktemp.stdout }}/{{ item }}"
    flat: yes
    fail_on_missing: yes
    validate_checksum: yes
  with_items:
    - "certs/ca.pem"
    - "ca/ca_crt.pem"
    - "ca/ca_key.pem"
    - "crl.pem"
  delegate_to: "{{ foreman_ca_host }}"

# Key, CSR and CA-signed certificate for the proxy, all generated on the control node.
- name: 'Generate the proxy server certificate'
  local_action:
    module: command {{ item }}
  with_items:
    - "openssl genrsa -out {{ proxy_cert_mktemp.stdout }}/private_keys/{{ ansible_fqdn }}.pem 2048"
    - "openssl req -new -subj '/CN={{ inventory_hostname }}' -key {{ proxy_cert_mktemp.stdout }}/private_keys/{{ ansible_fqdn }}.pem -out {{ proxy_cert_mktemp.stdout }}/{{ ansible_fqdn }}.csr"
    - "openssl x509 -req -in {{ proxy_cert_mktemp.stdout }}/{{ ansible_fqdn }}.csr -CA {{ proxy_cert_mktemp.stdout }}/ca/ca_crt.pem -CAkey {{ proxy_cert_mktemp.stdout }}/ca/ca_key.pem -CAcreateserial -out {{ proxy_cert_mktemp.stdout }}/certs/{{ ansible_fqdn }}.pem -days {{ foreman_cert_expiry }} -sha256"

# From here on the tasks run on the proxy itself.
- name: 'Ensure certificate directory exists'
  file:
    path: "/etc/puppetlabs/puppet/ssl/{{ item }}"
    state: directory
  with_items:
    - certs
    - private_keys

# Only the CA cert, the proxy's own cert and key, and the CRL are copied; the CA key stays behind.
- name: 'Copy the certificates to proxy'
  copy:
    src: "{{ proxy_cert_mktemp.stdout }}/{{ item }}"
    dest: "/etc/puppetlabs/puppet/ssl/{{ item }}"
  with_items:
    - "certs/ca.pem"
    - "certs/{{ ansible_fqdn }}.pem"
    - "private_keys/{{ ansible_fqdn }}.pem"
    - "crl.pem"

I don’t take any responsibility for this script, there are probably safer ways to do this and such, but at least I’m sure HTTPS works via this script :slight_smile:

If unclear, I’m willing to simplify this further into a more…human-readable format, but I’m currently a bit in a hurry so this is, for now, the best I can provide :slight_smile:

1 Like
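The question earlier in the thread is really whether the three files copied out of /etc/puppetlabs/puppet/ssl (ssl_certificate, ssl_private_key, ssl_ca_file) belong together, and the playbook above stages exactly those files. The following is an added example, not code from either poster or from Foreman: it checks that in the smart proxy's own language, Ruby, with the same OpenSSL calls the proxy's HTTPS listener relies on. The CA name, the FQDN and the short validity period are constructed for the example.

```ruby
require 'openssl'

# Check that the three files a smart proxy is started with (ssl_certificate,
# ssl_private_key, ssl_ca_file) belong together, using the OpenSSL checks the
# proxy's HTTPS listener applies. Returns nil if consistent, else a reason.
def check_proxy_certs(cert_pem, key_pem, ca_pem)
  cert = OpenSSL::X509::Certificate.new(cert_pem)
  key  = OpenSSL::PKey.read(key_pem)
  ca   = OpenSSL::X509::Certificate.new(ca_pem)

  # 1. private_keys/<fqdn>.pem must be the key certs/<fqdn>.pem was issued for
  return 'private key does not match certificate' unless cert.check_private_key(key)

  # 2. the CA file must be a self-signed anchor that issued the certificate;
  #    a leaf taken from ca/signed is not self-signed and fails this step
  store = OpenSSL::X509::Store.new
  store.add_cert(ca)
  return "certificate does not verify against CA file: #{store.error_string}" unless store.verify(cert)
  nil
end

# Throwaway CA plus a proxy certificate signed by it, standing in for
# ca/ca_crt.pem, certs/<fqdn>.pem and private_keys/<fqdn>.pem (constructed).
def make_fixture(fqdn)
  now = Time.now
  ca_key = OpenSSL::PKey::RSA.new(2048)
  ca = OpenSSL::X509::Certificate.new
  ca.version = 2
  ca.serial = 1
  ca.subject = ca.issuer = OpenSSL::X509::Name.parse('/CN=Example Puppet CA')
  ca.public_key = ca_key.public_key
  ca.not_before = now - 60
  ca.not_after = now + 3600
  ef = OpenSSL::X509::ExtensionFactory.new(ca, ca)
  ca.add_extension(ef.create_extension('basicConstraints', 'CA:TRUE', true))
  ca.sign(ca_key, OpenSSL::Digest.new('SHA256'))

  key = OpenSSL::PKey::RSA.new(2048)
  leaf = OpenSSL::X509::Certificate.new
  leaf.version = 2
  leaf.serial = 2
  leaf.subject = OpenSSL::X509::Name.parse("/CN=#{fqdn}")
  leaf.issuer = ca.subject
  leaf.public_key = key.public_key
  leaf.not_before = now - 60
  leaf.not_after = now + 3600
  leaf.sign(ca_key, OpenSSL::Digest.new('SHA256'))
  { ca: ca.to_pem, cert: leaf.to_pem, key: key.to_pem }
end
```

Point check_proxy_certs at the real files with File.read on the proxy host: a key belonging to another host fails the first check, and a certificate copied from ca/signed and used as the CA file fails the second, which is the "invalid certificate" symptom without a working HTTPS listener to debug.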

Thanks! I will give this a try!