On a fresh install of foreman 1.12 RC 2, I run the following in order to install foreman and configure using my own certificates:
foreman-installer \ --foreman-server-ssl-key=/etc/ssl/private/my_public_cert_private_key.key \ --puppet-server-foreman=true \ --foreman-server-ssl-cert=/etc/ssl/certs/my_public_cert.crt \ --foreman-server-ssl-chain=/etc/ssl/certs/my_public_ca_chain.crt \ --foreman-server-ssl-certs-dir=/etc/ssl/certs \ --foreman-websockets-encrypt=true \ --foreman-websockets-ssl-key=/etc/ssl/private/my_public_cert_private_key.key \ --foreman-websockets-ssl-cert=/etc/ssl/certs/my_public_cert.crt \ --puppet-server-foreman=true \ --puppet-server-foreman-ssl-ca=/etc/ssl/certs/my_public_ca_chain.crt \ --puppet-server-foreman-url=https://foreman.mydomain.co.uk However the foreman-install fails with the following SSL errors: /Stage[main]/Foreman_proxy::Register/Foreman_smartproxy[puppet02a.mydomain.co.uk]: Could not evaluate: Exception SSL_connect returned=1 errno=0 state=error: certificate verify failed in get request to: https://puppet02a.mydomain.co.uk/api/v2/smart_proxies?search=name=%22puppet02a.mydomain.co.uk%22 /Stage[main]/Foreman_proxy::Register/Foreman_smartproxy[puppet02a.mydomain.co.uk]: Failed to call refresh: Exception SSL_connect returned=1 errno=0 state=error: certificate verify failed in get request to: https://puppet02a.mydomain.co.uk/api/v2/smart_proxies?search=name=%22puppet02a.mydomain.co.uk%22 /Stage[main]/Foreman_proxy::Register/Foreman_smartproxy[puppet02a.mydomain.co.uk]: Exception SSL_connect returned=1 errno=0 state=error: certificate verify failed in get request to: https://puppet02a.mydomain.co.uk/api/v2/smart_proxies?search=name=%22puppet02a.mydomain.co.uk%22 Installing Done [100%] [.........................................................................................................................................................] Something went wrong! Check the log for ERROR-level output my_public_cert.crt has CN=foreman.mydomain.co.uk and SANS: foreman.mydomain.co.uk & puppet02a.mydomain.co.uk Any ideas what is wrong ? Is this a bug in 1.12 RC2 ? Thanks Adrian On Thursday, 23 June 2016 19:03:34 UTC+1, Thomas Cheng wrote: > > > > On Monday, June 20, 2016 at 5:55:53 AM UTC-7, johny casanova wrote: >> >> thanks for the info. I just tried it and I still get the same error :( >> >> On Thursday, June 16, 2016 at 9:28:40 AM UTC-4, Sandro Roth wrote: >>> >>> I suggest changing this via foreman-installer. This ensures that updates >>> won't break your configuration. >>> >>> foreman-installer -v \ >>> --foreman-foreman-url=puppet.example.com \ >>> --foreman-server-ssl-cert=/etc/pki/tls/certs/puppet.example.com.crt \ >>> --foreman-server-ssl-key=/etc/pki/tls/private/puppet.example.com.key \ >>> --foreman-server-ssl-chain /etc/pki/tls/example.com.root.pem >>> >>> Make sure to include all the intermediate certificates in the root chain. >>> >>> On Wednesday, June 15, 2016 at 11:30:46 PM UTC+2, johny casanova wrote: >>>> >>>> helo, >>>> >>>> I followed the guide in >>>> https://www.theforeman.org/2015/11/foreman-ssl.html and changed the >>>> certs in SSLCertificateFile "/etc/pki/tls/certs/puppet.example.com.crt" >>>> SSLCertificateKeyFile "/etc/pki/tls/private/puppet.example.com.key" >>>> but, after making this change another puppet host cant connect after >>>> running puppet agent -t >>>> >>>> >>>> I get this error: puppetpuppet agent unable to fetch my node >>>> definition error 400 agent unable to fetch my node definition error 400 >>>> >>> > I've implemented public-signed certs for Foreman days back and it worked. > My foreman-installer options related to this topic are: > > --foreman-server-ssl-key=/etc/pki/tls/private/public_wildcard.key > --foreman-server-ssl-cert=/etc/pki/tls/certs/public_wildcard.crt > --foreman-server-ssl-certs-dir=/etc/pki/tls/certs > --foreman-server-ssl-chain=/etc/pki/tls/certs/ca_combo.crt \ > --foreman-server-ssl-ca=/var/lib/puppet/ssl/certs/ca.pem > --foreman-server-ssl-crl=/var/lib/puppet/ssl/crl.pem \ > --foreman-websockets-encrypt=true > --foreman-websockets-ssl-key=/etc/pki/tls/private/public_wildcard.key > --foreman-websockets-ssl-cert=/etc/pki/tls/certs/public_wildcard.crt \ > --puppet-server-foreman=true > --puppet-server-foreman-ssl-ca=/etc/pki/tls/certs/ca_combo.crt > --puppet-server-foreman-url=https://foreman.example.com \ > > To Create the ca_combo.crt file, cat all CAs into a file, from the > intermediate CA (the one signed your HTTPS cert), one by one until root CA, > say, > > if you domain cert is signed by intermediate CA ICA1, and ICA1 is signed > by ICA2, ICA2 is signed by rootCA , then run the following command will be > used to create the ca_combo.crt above: > cat ICA1 ICA2 .... rootCA >ca_combo.crt > > to find the ICA1, ICA2, ..., rootCA, you can use firefox to see the CA > chain and export them one by one, For me, I'm just check the ca-bundle on > Linux box. :) > > The settings will show up in /etc/httpd/conf.d/05-foreman-ssl.conf, and > /etc/puppet/foreman.yaml. The problem here seems like that the foreman.yaml > doesn't have correct :ssl_ca: value. > > In fact, if you comment out :ssl_ca: from the file, or set an empty value, > then it will work as well -- though you need to remember to make same > manual change after foreman upgrade next time. > > Have fun. > > -- You received this message because you are subscribed to the Google Groups "Foreman users" group. To unsubscribe from this group and stop receiving emails from it, send an email to [email protected]. To post to this group, send email to [email protected]. Visit this group at https://groups.google.com/group/foreman-users. For more options, visit https://groups.google.com/d/optout.
