On Monday, June 20, 2016 at 5:55:53 AM UTC-7, johny casanova wrote:
>
> thanks for the info. I just tried it and I still get the same error :(
>
> On Thursday, June 16, 2016 at 9:28:40 AM UTC-4, Sandro Roth wrote:
>>
>> I suggest changing this via foreman-installer. This ensures that updates
>> won't break your configuration.
>>
>> foreman-installer -v \
>> --foreman-foreman-url=puppet.example.com \
>> --foreman-server-ssl-cert=/etc/pki/tls/certs/puppet.example.com.crt \
>> --foreman-server-ssl-key=/etc/pki/tls/private/puppet.example.com.key \
>> --foreman-server-ssl-chain /etc/pki/tls/example.com.root.pem
>>
>> Make sure to include all the intermediate certificates in the root chain.
>>
>> On Wednesday, June 15, 2016 at 11:30:46 PM UTC+2, johny casanova wrote:
>>>
>>> Hello,
>>>
>>> I followed the guide in
>>> https://www.theforeman.org/2015/11/foreman-ssl.html and changed the
>>> certs in SSLCertificateFile "/etc/pki/tls/certs/puppet.example.com.crt"
>>> SSLCertificateKeyFile "/etc/pki/tls/private/puppet.example.com.key" but,
>>> after making this change another puppet host can't connect after running
>>> puppet agent -t
>>>
>>> I get this error: puppet agent unable to fetch my node definition
>>> error 400
>>>

I've implemented public-signed certs for Foreman days back and it worked. My foreman-installer options related to this topic are:
--foreman-server-ssl-key=/etc/pki/tls/private/public_wildcard.key \
--foreman-server-ssl-cert=/etc/pki/tls/certs/public_wildcard.crt \
--foreman-server-ssl-certs-dir=/etc/pki/tls/certs \
--foreman-server-ssl-chain=/etc/pki/tls/certs/ca_combo.crt \
--foreman-server-ssl-ca=/var/lib/puppet/ssl/certs/ca.pem \
--foreman-server-ssl-crl=/var/lib/puppet/ssl/crl.pem \
--foreman-websockets-encrypt=true \
--foreman-websockets-ssl-key=/etc/pki/tls/private/public_wildcard.key \
--foreman-websockets-ssl-cert=/etc/pki/tls/certs/public_wildcard.crt \
--puppet-server-foreman=true \
--puppet-server-foreman-ssl-ca=/etc/pki/tls/certs/ca_combo.crt \
--puppet-server-foreman-url=https://foreman.example.com

To create the ca_combo.crt file, cat all CAs into one file, starting from the intermediate CA (the one that signed your HTTPS cert), one by one up to the root CA. Say your domain cert is signed by intermediate CA ICA1, ICA1 is signed by ICA2, and ICA2 is signed by rootCA; then the following command creates the ca_combo.crt used above:

cat ICA1 ICA2 .... rootCA >ca_combo.crt

To find ICA1, ICA2, ..., rootCA, you can use Firefox to see the CA chain and export them one by one. For me, I just check the ca-bundle on the Linux box. :)

The settings will show up in /etc/httpd/conf.d/05-foreman-ssl.conf and /etc/puppet/foreman.yaml.

The problem here seems to be that foreman.yaml doesn't have the correct :ssl_ca: value. In fact, if you comment out :ssl_ca: from the file, or set an empty value, then it will work as well -- though you need to remember to make the same manual change after the next Foreman upgrade.

Have fun.
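The chain-ordering step described in the post above (ICA1, ICA2, ..., rootCA, leaf-side first), as an added example that is not part of the thread: a POSIX shell script that assembles ca_combo.crt by following each certificate's issuer to the CA whose subject matches, and then checks the result with openssl verify. The openssl CLI, the demo CA names and the file paths are assumptions; the throwaway root/ICA/leaf PKI it generates is constructed for the demo, not a real CA.

```shell
#!/bin/sh
# Added example: build ca_combo.crt in leaf-to-root order and verify it.
# Assumes the openssl CLI is installed; all certificates are constructed here.
set -e

# Print a cert's subject or issuer DN without the "subject=" / "issuer=" prefix.
dn() { openssl x509 -in "$2" -noout "-$1" | sed 's/^[a-z]*= *//'; }

# build_chain LEAF CA_DIR OUT: write ICA1, ICA2, ..., rootCA into OUT in that order,
# picking at each hop the CA in CA_DIR whose subject equals the previous issuer.
build_chain() {
  leaf=$1 cadir=$2 out=$3
  : > "$out"
  want=$(dn issuer "$leaf")        # the CA we need next
  hops=0
  while [ "$hops" -lt 10 ]; do     # guard against a cycle in the supplied CAs
    found=
    for ca in "$cadir"/*.pem; do
      if [ "$(dn subject "$ca")" = "$want" ]; then found=$ca; break; fi
    done
    [ -n "$found" ] || { echo "no CA with subject '$want' in $cadir" >&2; return 1; }
    cat "$found" >> "$out"
    hops=$((hops + 1))
    # A self-signed certificate (issuer == subject) is the root: chain complete.
    [ "$(dn issuer "$found")" != "$want" ] || return 0
    want=$(dn issuer "$found")
  done
  echo "chain longer than 10 hops, giving up" >&2; return 1
}

# verify_leaf LEAF CHAIN: succeeds only if LEAF validates against the assembled chain.
verify_leaf() { openssl verify -CAfile "$2" "$1" >/dev/null 2>&1; }

# make_demo_chain DIR: constructed throwaway PKI (root -> ICA -> leaf) for the demo.
make_demo_chain() {
  d=$1; mkdir -p "$d/ca"
  printf 'basicConstraints=critical,CA:TRUE\n' > "$d/ca.ext"
  openssl req -x509 -newkey ec -pkeyopt ec_paramgen_curve:prime256v1 -nodes \
    -keyout "$d/root.key" -out "$d/ca/root.pem" -subj "/CN=Demo Root" -days 1 2>/dev/null
  openssl req -newkey ec -pkeyopt ec_paramgen_curve:prime256v1 -nodes \
    -keyout "$d/ica.key" -out "$d/ica.csr" -subj "/CN=Demo ICA" 2>/dev/null
  openssl x509 -req -in "$d/ica.csr" -CA "$d/ca/root.pem" -CAkey "$d/root.key" \
    -CAcreateserial -extfile "$d/ca.ext" -out "$d/ca/ica.pem" -days 1 2>/dev/null
  openssl req -newkey ec -pkeyopt ec_paramgen_curve:prime256v1 -nodes \
    -keyout "$d/leaf.key" -out "$d/leaf.csr" -subj "/CN=foreman.example.com" 2>/dev/null
  openssl x509 -req -in "$d/leaf.csr" -CA "$d/ca/ica.pem" -CAkey "$d/ica.key" \
    -CAcreateserial -out "$d/leaf.pem" -days 1 2>/dev/null
}
```

Against a real server cert, point build_chain at your leaf and a directory holding the exported intermediates and root; a CA missing from that directory is reported by name instead of silently producing a partial bundle.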
