I am trying to do a fresh setup of Foreman where the web interface is on a separate cert. For testing I am trying to set this up using a self-signed certificate but it keeps failing with an error about not being able to verify it:

/Stage[main]/Foreman_proxy::Register/Foreman_smartproxy[foreman.localdomain]: Could not evaluate: Exception SSL_connect returned=1 errno=0 state=error: certificate verify failed in get request to: https://enc.localdomain/api/v2/smart_proxies?search=name=%22foreman.localdomain%22

I thought the settings in this thread would help but have hit a wall and am hoping you can help. Here's what I am using for the setup on CentOS 7:

foreman-installer -v \
--foreman-admin-password='password' \
--puppet-server-implementation='puppetserver' \
--puppet-server-jvm-max-heap-size='768m' --puppet-server-jvm-min-heap-size='768m' \
--enable-foreman-compute-vmware --enable-foreman-plugin-bootdisk \
--enable-foreman-plugin-default-hostgroup --enable-foreman-plugin-hooks \
--enable-foreman-plugin-setup --enable-foreman-plugin-tasks \
--enable-foreman-plugin-puppetdb \
--foreman-plugin-puppetdb-address='https://localhost:8081/pdb/cmd/v1' \
--foreman-plugin-puppetdb-dashboard-address='http://localhost:8080/pdb/dashboard' \
--foreman-proxy-realm=false \
--foreman-db-type='postgresql' --foreman-db-database='foreman' --foreman-db-host='pg1.localdomain' \
--foreman-db-manage=false --foreman-db-username='foremandbuser' --foreman-db-password='password' \
--foreman-passenger-interface='172.28.128.20' \
--foreman-server-ssl-ca='/etc/pki/tls/certs/rootCA.pem' \
--foreman-server-ssl-cert='/etc/pki/tls/certs/enc.localdomain.crt' \
--foreman-server-ssl-certs-dir='/etc/pki/tls/certs' \
--foreman-server-ssl-chain='/etc/pki/tls/certs/rootCA.pem' \
--foreman-server-ssl-crl='' \
--foreman-server-ssl-key='/etc/pki/tls/private/enc.localdomain.key' \
--foreman-proxy-foreman-ssl-ca='/etc/pki/tls/certs/rootCA.pem' \
--foreman-foreman-url='https://enc.localdomain' --foreman-proxy-foreman-base-url='https://enc.localdomain'

Thanks,
Gene

On Friday, June 24, 2016 at 9:48:31 AM UTC-4, Adrian Cunnelly wrote:
>
> I have managed to resolve my issue:
>
> Added:
> --foreman-proxy-foreman-ssl-ca=/etc/ssl/certs/my_public_ca_chain.crt
>
> and replaced --puppet-server-foreman-url=https://foreman.mydomain.co.uk
> with --foreman-foreman-url=https://foreman.mydomain.co.uk
>
> Adrian
>
> On Friday, 24 June 2016 13:08:43 UTC+1, Adrian Cunnelly wrote:
>>
>> On a fresh install of foreman 1.12 RC 2, I run the following in order to
>> install foreman and configure using my own certificates:
>>
>> foreman-installer \
>> --foreman-server-ssl-key=/etc/ssl/private/my_public_cert_private_key.key \
>> --puppet-server-foreman=true \
>> --foreman-server-ssl-cert=/etc/ssl/certs/my_public_cert.crt \
>> --foreman-server-ssl-chain=/etc/ssl/certs/my_public_ca_chain.crt \
>> --foreman-server-ssl-certs-dir=/etc/ssl/certs \
>> --foreman-websockets-encrypt=true \
>> --foreman-websockets-ssl-key=/etc/ssl/private/my_public_cert_private_key.key \
>> --foreman-websockets-ssl-cert=/etc/ssl/certs/my_public_cert.crt \
>> --puppet-server-foreman=true \
>> --puppet-server-foreman-ssl-ca=/etc/ssl/certs/my_public_ca_chain.crt \
>> --puppet-server-foreman-url=https://foreman.mydomain.co.uk
>>
>> However the foreman-install fails with the following SSL errors:
>>
>> /Stage[main]/Foreman_proxy::Register/Foreman_smartproxy[puppet02a.mydomain.co.uk]: Could not evaluate: Exception SSL_connect returned=1 errno=0 state=error: certificate verify failed in get request to: https://puppet02a.mydomain.co.uk/api/v2/smart_proxies?search=name=%22puppet02a.mydomain.co.uk%22
>> /Stage[main]/Foreman_proxy::Register/Foreman_smartproxy[puppet02a.mydomain.co.uk]: Failed to call refresh: Exception SSL_connect returned=1 errno=0 state=error: certificate verify failed in get request to: https://puppet02a.mydomain.co.uk/api/v2/smart_proxies?search=name=%22puppet02a.mydomain.co.uk%22
>> /Stage[main]/Foreman_proxy::Register/Foreman_smartproxy[puppet02a.mydomain.co.uk]: Exception SSL_connect returned=1 errno=0 state=error: certificate verify failed in get request to: https://puppet02a.mydomain.co.uk/api/v2/smart_proxies?search=name=%22puppet02a.mydomain.co.uk%22
>> Installing Done [100%]
>> [.........................................................................................................................................................]
>> Something went wrong! Check the log for ERROR-level output
>>
>> my_public_cert.crt has CN=foreman.mydomain.co.uk and SANs:
>> foreman.mydomain.co.uk & puppet02a.mydomain.co.uk
>>
>> Any ideas what is wrong? Is this a bug in 1.12 RC2?
>>
>> Thanks
>> Adrian
>>
>> On Thursday, 23 June 2016 19:03:34 UTC+1, Thomas Cheng wrote:
>>>
>>> On Monday, June 20, 2016 at 5:55:53 AM UTC-7, johny casanova wrote:
>>>>
>>>> thanks for the info. I just tried it and I still get the same error :(
>>>>
>>>> On Thursday, June 16, 2016 at 9:28:40 AM UTC-4, Sandro Roth wrote:
>>>>>
>>>>> I suggest changing this via foreman-installer. This ensures that
>>>>> updates won't break your configuration.
>>>>>
>>>>> foreman-installer -v \
>>>>> --foreman-foreman-url=puppet.example.com \
>>>>> --foreman-server-ssl-cert=/etc/pki/tls/certs/puppet.example.com.crt \
>>>>> --foreman-server-ssl-key=/etc/pki/tls/private/puppet.example.com.key \
>>>>> --foreman-server-ssl-chain /etc/pki/tls/example.com.root.pem
>>>>>
>>>>> Make sure to include all the intermediate certificates in the root
>>>>> chain.
>>>>>
>>>>> On Wednesday, June 15, 2016 at 11:30:46 PM UTC+2, johny casanova wrote:
>>>>>>
>>>>>> hello,
>>>>>>
>>>>>> I followed the guide in https://www.theforeman.org/2015/11/foreman-ssl.html
>>>>>> and changed the certs in
>>>>>> SSLCertificateFile "/etc/pki/tls/certs/puppet.example.com.crt"
>>>>>> SSLCertificateKeyFile "/etc/pki/tls/private/puppet.example.com.key"
>>>>>> but, after making this change another puppet host can't connect after
>>>>>> running puppet agent -t
>>>>>>
>>>>>> I get this error: puppet agent unable to fetch my node definition error 400
>>>>>>
>>>>>
>>> I've implemented public-signed certs for Foreman days back and it
>>> worked. My foreman-installer options related to this topic are:
>>>
>>> --foreman-server-ssl-key=/etc/pki/tls/private/public_wildcard.key
>>> --foreman-server-ssl-cert=/etc/pki/tls/certs/public_wildcard.crt
>>> --foreman-server-ssl-certs-dir=/etc/pki/tls/certs
>>> --foreman-server-ssl-chain=/etc/pki/tls/certs/ca_combo.crt \
>>> --foreman-server-ssl-ca=/var/lib/puppet/ssl/certs/ca.pem
>>> --foreman-server-ssl-crl=/var/lib/puppet/ssl/crl.pem \
>>> --foreman-websockets-encrypt=true
>>> --foreman-websockets-ssl-key=/etc/pki/tls/private/public_wildcard.key
>>> --foreman-websockets-ssl-cert=/etc/pki/tls/certs/public_wildcard.crt \
>>> --puppet-server-foreman=true
>>> --puppet-server-foreman-ssl-ca=/etc/pki/tls/certs/ca_combo.crt
>>> --puppet-server-foreman-url=https://foreman.example.com \
>>>
>>> To create the ca_combo.crt file, cat all CAs into a file, from the
>>> intermediate CA (the one that signed your HTTPS cert), one by one until the root CA,
>>> say,
>>>
>>> if your domain cert is signed by intermediate CA ICA1, and ICA1 is
>>> signed by ICA2, and ICA2 is signed by rootCA, then the following command
>>> will create the ca_combo.crt above:
>>> cat ICA1 ICA2 .... rootCA >ca_combo.crt
>>>
>>> to find ICA1, ICA2, ..., rootCA, you can use firefox to see the CA
>>> chain and export them one by one. For me, I just check the ca-bundle on
>>> the Linux box. :)
>>>
>>> The settings will show up in /etc/httpd/conf.d/05-foreman-ssl.conf, and
>>> /etc/puppet/foreman.yaml. The problem here seems to be that the foreman.yaml
>>> doesn't have the correct :ssl_ca: value.
>>>
>>> In fact, if you comment out :ssl_ca: from the file, or set an empty
>>> value, then it will work as well -- though you need to remember to make the
>>> same manual change after the next foreman upgrade.
>>>
>>> Have fun.
>>>
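As an added illustration of the chain-building advice in this thread (this is not code from the thread or from the Foreman project), the following POSIX shell script builds a throwaway root/intermediate/server PKI with openssl and then checks the server certificate twice: once against a CA file that holds only the root CA, and once against a bundle built the way Thomas describes, intermediate first and root last. The file names, subject names and the work directory are assumptions made for the demo.

```shell
#!/bin/sh
# Added example (not from the thread or the Foreman project): build a throwaway
# root -> intermediate -> server PKI with openssl, then show why a CA file that
# holds only the root CA cannot verify the server cert while a bundle with the
# intermediate prepended (the ca_combo.crt idea from the thread) can.
# All file names, subjects and the work directory are constructed for this demo.
set -u

WORK="${TMPDIR:-/tmp}/foreman-chain-demo.$$"

# Generate the three-tier test PKI into $WORK. Returns non-zero on any openssl failure.
make_demo_pki() {
    mkdir -p "$WORK" || return 1
    # Minimal openssl config: lets `req` run even where no system openssl.cnf
    # exists, and gives the self-signed root proper CA extensions.
    cat > "$WORK/req.cnf" <<'EOF'
[req]
distinguished_name = dn
x509_extensions = v3_ca
[dn]
[v3_ca]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
subjectKeyIdentifier = hash
EOF

    # 1. Self-signed root CA
    openssl req -x509 -config "$WORK/req.cnf" -newkey rsa:2048 -nodes -sha256 -days 2 \
        -subj "/CN=Demo Root CA" \
        -keyout "$WORK/root.key" -out "$WORK/root.crt" >/dev/null 2>&1 || return 1

    # 2. Intermediate CA, signed by the root
    printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' > "$WORK/ica.ext"
    openssl req -new -config "$WORK/req.cnf" -newkey rsa:2048 -nodes -sha256 \
        -subj "/CN=Demo Intermediate CA" \
        -keyout "$WORK/ica.key" -out "$WORK/ica.csr" >/dev/null 2>&1 || return 1
    openssl x509 -req -in "$WORK/ica.csr" -CA "$WORK/root.crt" -CAkey "$WORK/root.key" \
        -CAcreateserial -days 2 -sha256 -extfile "$WORK/ica.ext" \
        -out "$WORK/ica.crt" >/dev/null 2>&1 || return 1

    # 3. Server (Foreman web UI) cert, signed by the intermediate
    printf 'basicConstraints=CA:FALSE\nsubjectAltName=DNS:foreman.example.com\n' > "$WORK/srv.ext"
    openssl req -new -config "$WORK/req.cnf" -newkey rsa:2048 -nodes -sha256 \
        -subj "/CN=foreman.example.com" \
        -keyout "$WORK/foreman.key" -out "$WORK/foreman.csr" >/dev/null 2>&1 || return 1
    openssl x509 -req -in "$WORK/foreman.csr" -CA "$WORK/ica.crt" -CAkey "$WORK/ica.key" \
        -CAcreateserial -days 2 -sha256 -extfile "$WORK/srv.ext" \
        -out "$WORK/foreman.crt" >/dev/null 2>&1 || return 1

    # 4. The bundle the thread describes: intermediate(s) first, root CA last
    cat "$WORK/ica.crt" "$WORK/root.crt" > "$WORK/ca_combo.crt"
}

# verify_with CAFILE CERT -> prints "ok" when CERT chains to a CA in CAFILE, else "fail".
# The ": OK" line is checked rather than the exit status because old openssl
# releases exited 0 even on a failed verification.
verify_with() {
    if openssl verify -CAfile "$1" "$2" 2>/dev/null | grep -q ': OK$'; then
        echo ok
    else
        echo fail
    fi
}

# bundle_count FILE -> number of PEM certificates in FILE (quick check that the
# intermediates really made it into the bundle)
bundle_count() {
    grep -c 'BEGIN CERTIFICATE' "$1"
}

# show_chain FILE -> subject/issuer of every certificate in FILE, in file order,
# so you can confirm the intermediate-first, root-last ordering by eye
show_chain() {
    openssl crl2pkcs7 -nocrl -certfile "$1" | openssl pkcs7 -print_certs -noout
}

if make_demo_pki; then
    echo "root CA only:    $(verify_with "$WORK/root.crt" "$WORK/foreman.crt")"      # fail
    echo "combined bundle: $(verify_with "$WORK/ca_combo.crt" "$WORK/foreman.crt")"  # ok
    echo "certs in bundle: $(bundle_count "$WORK/ca_combo.crt")"                     # 2
    show_chain "$WORK/ca_combo.crt"
    rm -rf "$WORK"
fi
```

The root-only check fails with "unable to get local issuer certificate", which is the client-side failure you get whenever the CA file handed to the installer (--puppet-server-foreman-ssl-ca / --foreman-proxy-foreman-ssl-ca, which end up as the :ssl_ca: value in foreman.yaml) is missing an intermediate; the combined bundle verifies. To check a running Foreman the same way, point s_client at the CA file you gave the installer, for example `openssl s_client -connect enc.localdomain:443 -servername enc.localdomain -CAfile /etc/pki/tls/certs/rootCA.pem </dev/null`, and read the "Verify return code" line of the output.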
