I have managed to resolve my issue:

Added:

    --foreman-proxy-foreman-ssl-ca=/etc/ssl/certs/my_public_ca_chain.crt

and replaced

    --puppet-server-foreman-url=https://foreman.mydomain.co.uk

with

    --foreman-foreman-url=https://foreman.mydomain.co.uk

Adrian

On Friday, 24 June 2016 13:08:43 UTC+1, Adrian Cunnelly wrote:
>
> On a fresh install of foreman 1.12 RC 2, I run the following in order to
> install foreman and configure using my own certificates:
>
>     foreman-installer \
>       --foreman-server-ssl-key=/etc/ssl/private/my_public_cert_private_key.key \
>       --puppet-server-foreman=true \
>       --foreman-server-ssl-cert=/etc/ssl/certs/my_public_cert.crt \
>       --foreman-server-ssl-chain=/etc/ssl/certs/my_public_ca_chain.crt \
>       --foreman-server-ssl-certs-dir=/etc/ssl/certs \
>       --foreman-websockets-encrypt=true \
>       --foreman-websockets-ssl-key=/etc/ssl/private/my_public_cert_private_key.key \
>       --foreman-websockets-ssl-cert=/etc/ssl/certs/my_public_cert.crt \
>       --puppet-server-foreman=true \
>       --puppet-server-foreman-ssl-ca=/etc/ssl/certs/my_public_ca_chain.crt \
>       --puppet-server-foreman-url=https://foreman.mydomain.co.uk
>
> However the foreman-installer fails with the following SSL errors:
>
>     /Stage[main]/Foreman_proxy::Register/Foreman_smartproxy[puppet02a.mydomain.co.uk]: Could not evaluate: Exception SSL_connect returned=1 errno=0 state=error: certificate verify failed in get request to: https://puppet02a.mydomain.co.uk/api/v2/smart_proxies?search=name=%22puppet02a.mydomain.co.uk%22
>     /Stage[main]/Foreman_proxy::Register/Foreman_smartproxy[puppet02a.mydomain.co.uk]: Failed to call refresh: Exception SSL_connect returned=1 errno=0 state=error: certificate verify failed in get request to: https://puppet02a.mydomain.co.uk/api/v2/smart_proxies?search=name=%22puppet02a.mydomain.co.uk%22
>     /Stage[main]/Foreman_proxy::Register/Foreman_smartproxy[puppet02a.mydomain.co.uk]: Exception SSL_connect returned=1 errno=0 state=error: certificate verify failed in get request to: https://puppet02a.mydomain.co.uk/api/v2/smart_proxies?search=name=%22puppet02a.mydomain.co.uk%22
>
>     Installing             Done                                               [100%]
>     [.........................................................................................................................................................]
>     Something went wrong! Check the log for ERROR-level output
>
> my_public_cert.crt has CN=foreman.mydomain.co.uk and SANs:
> foreman.mydomain.co.uk & puppet02a.mydomain.co.uk
>
> Any ideas what is wrong? Is this a bug in 1.12 RC2?
>
> Thanks
> Adrian
>
> On Thursday, 23 June 2016 19:03:34 UTC+1, Thomas Cheng wrote:
>>
>> On Monday, June 20, 2016 at 5:55:53 AM UTC-7, johny casanova wrote:
>>>
>>> thanks for the info. I just tried it and I still get the same error :(
>>>
>>> On Thursday, June 16, 2016 at 9:28:40 AM UTC-4, Sandro Roth wrote:
>>>>
>>>> I suggest changing this via foreman-installer. This ensures that
>>>> updates won't break your configuration.
>>>>
>>>>     foreman-installer -v \
>>>>       --foreman-foreman-url=puppet.example.com \
>>>>       --foreman-server-ssl-cert=/etc/pki/tls/certs/puppet.example.com.crt \
>>>>       --foreman-server-ssl-key=/etc/pki/tls/private/puppet.example.com.key \
>>>>       --foreman-server-ssl-chain /etc/pki/tls/example.com.root.pem
>>>>
>>>> Make sure to include all the intermediate certificates in the root
>>>> chain.
>>>>
>>>> On Wednesday, June 15, 2016 at 11:30:46 PM UTC+2, johny casanova wrote:
>>>>>
>>>>> hello,
>>>>>
>>>>> I followed the guide in https://www.theforeman.org/2015/11/foreman-ssl.html
>>>>> and changed the certs in
>>>>>
>>>>>     SSLCertificateFile "/etc/pki/tls/certs/puppet.example.com.crt"
>>>>>     SSLCertificateKeyFile "/etc/pki/tls/private/puppet.example.com.key"
>>>>>
>>>>> but, after making this change another puppet host can't connect after
>>>>> running puppet agent -t
>>>>>
>>>>> I get this error: puppetpuppet agent unable to fetch my node
>>>>> definition error 400 agent unable to fetch my node definition error
>>>>> 400
>>>>>
>>
>> I've implemented public-signed certs for Foreman days back and it worked.
>> My foreman-installer options related to this topic are:
>>
>>     --foreman-server-ssl-key=/etc/pki/tls/private/public_wildcard.key \
>>     --foreman-server-ssl-cert=/etc/pki/tls/certs/public_wildcard.crt \
>>     --foreman-server-ssl-certs-dir=/etc/pki/tls/certs \
>>     --foreman-server-ssl-chain=/etc/pki/tls/certs/ca_combo.crt \
>>     --foreman-server-ssl-ca=/var/lib/puppet/ssl/certs/ca.pem \
>>     --foreman-server-ssl-crl=/var/lib/puppet/ssl/crl.pem \
>>     --foreman-websockets-encrypt=true \
>>     --foreman-websockets-ssl-key=/etc/pki/tls/private/public_wildcard.key \
>>     --foreman-websockets-ssl-cert=/etc/pki/tls/certs/public_wildcard.crt \
>>     --puppet-server-foreman=true \
>>     --puppet-server-foreman-ssl-ca=/etc/pki/tls/certs/ca_combo.crt \
>>     --puppet-server-foreman-url=https://foreman.example.com
>>
>> To create the ca_combo.crt file, cat all CAs into a file, from the
>> intermediate CA (the one that signed your HTTPS cert), one by one until
>> the root CA. Say, if your domain cert is signed by intermediate CA ICA1,
>> ICA1 is signed by ICA2, and ICA2 is signed by rootCA, then the following
>> command will create the ca_combo.crt above:
>>
>>     cat ICA1 ICA2 .... rootCA > ca_combo.crt
>>
>> To find ICA1, ICA2, ..., rootCA, you can use Firefox to see the CA chain
>> and export them one by one. For me, I just check the ca-bundle on the
>> Linux box. :)
>>
>> The settings will show up in /etc/httpd/conf.d/05-foreman-ssl.conf and
>> /etc/puppet/foreman.yaml. The problem here seems to be that foreman.yaml
>> doesn't have the correct :ssl_ca: value.
>>
>> In fact, if you comment out :ssl_ca: from the file, or set an empty
>> value, then it will work as well -- though you need to remember to make
>> the same manual change after the next foreman upgrade.
>>
>> Have fun.
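The checks below are an added example and not part of the thread or of foreman-installer. They reproduce, offline, the two things this thread turns on: a client that validates Foreman's public certificate against the wrong CA (the Puppet CA instead of the public chain) gets "certificate verify failed", and a chain file should be ordered issuing CA first, root last, as Thomas describes for ca_combo.crt. The script builds a throwaway PKI with made-up names (example.org, "Example Root CA", "Example Issuing CA", a stand-in "Puppet CA") and needs only openssl; run it against a real leaf and chain by calling verify_against and chain_order_ok with your own files.

```shell
#!/bin/sh
# Added example (not from the thread): build a throwaway public-style PKI
# (root CA -> intermediate CA -> server cert with SANs) plus an unrelated
# "Puppet CA", then run the checks you would run on a real chain before
# handing it to foreman-installer. All names below are made up for the demo.
set -eu

# make_pki DIR: writes root.crt, ica.crt, leaf.crt, puppetca.crt and the two
# combined chain files into DIR. Uses -extfile so it works on older OpenSSL.
make_pki() {
  dir=$1
  mkdir -p "$dir"
  cat > "$dir/ca.ext" <<'EOF'
basicConstraints=critical,CA:TRUE
keyUsage=critical,keyCertSign,cRLSign
subjectKeyIdentifier=hash
EOF
  # SANs cover both the Foreman host and the smart-proxy host, as in the thread
  cat > "$dir/leaf.ext" <<'EOF'
basicConstraints=CA:FALSE
keyUsage=digitalSignature,keyEncipherment
extendedKeyUsage=serverAuth
subjectAltName=DNS:foreman.example.org,DNS:puppet02a.example.org
EOF
  for n in root ica puppetca leaf; do
    openssl genrsa -out "$dir/$n.key" 2048 2>/dev/null
  done
  # self-signed root, intermediate signed by root, leaf signed by intermediate
  openssl req -new -key "$dir/root.key" -subj "/CN=Example Root CA" -out "$dir/root.csr" 2>/dev/null
  openssl x509 -req -in "$dir/root.csr" -signkey "$dir/root.key" -days 3650 -sha256 \
    -extfile "$dir/ca.ext" -out "$dir/root.crt" 2>/dev/null
  openssl req -new -key "$dir/ica.key" -subj "/CN=Example Issuing CA" -out "$dir/ica.csr" 2>/dev/null
  openssl x509 -req -in "$dir/ica.csr" -CA "$dir/root.crt" -CAkey "$dir/root.key" -CAcreateserial \
    -days 1825 -sha256 -extfile "$dir/ca.ext" -out "$dir/ica.crt" 2>/dev/null
  openssl req -new -key "$dir/leaf.key" -subj "/CN=foreman.example.org" -out "$dir/leaf.csr" 2>/dev/null
  openssl x509 -req -in "$dir/leaf.csr" -CA "$dir/ica.crt" -CAkey "$dir/ica.key" -CAcreateserial \
    -days 825 -sha256 -extfile "$dir/leaf.ext" -out "$dir/leaf.crt" 2>/dev/null
  # an unrelated self-signed CA, standing in for /var/lib/puppet/ssl/certs/ca.pem
  openssl req -new -key "$dir/puppetca.key" -subj "/CN=Puppet CA: puppet02a.example.org" \
    -out "$dir/puppetca.csr" 2>/dev/null
  openssl x509 -req -in "$dir/puppetca.csr" -signkey "$dir/puppetca.key" -days 3650 -sha256 \
    -extfile "$dir/ca.ext" -out "$dir/puppetca.crt" 2>/dev/null
  # the chain file the way Thomas describes it: issuing CA first, root last
  cat "$dir/ica.crt" "$dir/root.crt" > "$dir/ca_combo.crt"
  # the same certificates in the wrong order
  cat "$dir/root.crt" "$dir/ica.crt" > "$dir/ca_combo_reversed.crt"
}

# verify_against CAFILE CERT HOST: succeeds only if CERT chains to CAFILE and
# its CN/SAN covers HOST (what an API client or browser checks on connect).
verify_against() {
  openssl verify -CAfile "$1" -verify_hostname "$3" "$2" >/dev/null 2>&1
}

# dn FIELD CERT: print the subject or issuer DN in a normalised form
dn() {
  openssl x509 -in "$2" -noout "-$1" -nameopt RFC2253 | sed 's/^[^=]*=[[:space:]]*//'
}

# chain_order_ok CHAIN LEAF: checks that CHAIN is ordered the way a server
# should send it: the first cert issued LEAF, each cert is issued by the next,
# and the last one is self-signed (the root).
chain_order_ok() {
  chain=$1; leaf=$2
  tmp=$(mktemp -d)
  # split the PEM bundle into 1.pem, 2.pem, ... in file order
  awk -v d="$tmp" '/-----BEGIN CERTIFICATE-----/{n++} {print > (d "/" n ".pem")}' "$chain"
  prev=$leaf
  i=1
  while [ -f "$tmp/$i.pem" ]; do
    [ "$(dn issuer "$prev")" = "$(dn subject "$tmp/$i.pem")" ] || { rm -rf "$tmp"; return 1; }
    prev=$tmp/$i.pem
    i=$((i + 1))
  done
  [ "$(dn issuer "$prev")" = "$(dn subject "$prev")" ] || { rm -rf "$tmp"; return 1; }
  rm -rf "$tmp"
}

# stand-alone demo with a readable verdict for each check
main() {
  d=$(mktemp -d)
  make_pki "$d"
  for ca in ca_combo puppetca; do
    if verify_against "$d/$ca.crt" "$d/leaf.crt" puppet02a.example.org; then
      echo "leaf verifies against $ca.crt for puppet02a.example.org"
    else
      echo "leaf does NOT verify against $ca.crt (the installer's 'certificate verify failed')"
    fi
  done
  chain_order_ok "$d/ca_combo.crt" "$d/leaf.crt" && echo "ca_combo.crt is ordered issuing CA -> root"
  chain_order_ok "$d/ca_combo_reversed.crt" "$d/leaf.crt" || echo "ca_combo_reversed.crt is out of order"
  rm -rf "$d"
}
main
```

The puppetca.crt case is the failure mode in Adrian's first post: the leaf is perfectly valid, but whichever client validates it against the Puppet CA rather than the public chain reports certificate verify failed. On a real host, point verify_against at the chain you intend to pass as --foreman-proxy-foreman-ssl-ca (or the :ssl_ca: value in foreman.yaml) and at the certificate served on port 443, and check both hostnames the proxy registration will use.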
