Thanks Eric for your answer. My DHCP is running on a Debian server so I can't do a fresh installation.
Indeed, if I follow the Smart Proxy instruction on the foreman doc it doesn't work because the certificate for my DHCP Smart Proxy server is generated by puppet. Finally, I found a solution to add a smart-proxy with foreman-installer --scenario katello installation:

foreman-proxy-certs-generate --foreman-proxy-fqdn dhcp.example.com --certs-tar "~/dhcp.example.com-certs.tar"
tar -xvf dhcp.example.com-certs.tar
yum install ssl-build/dhcp.example.com/dhcp.example.com-foreman-proxy-1.0-1.noarch.rpm

copy /etc/pki/katello-certs-tools/certs/dhcp.example.com-foreman-proxy.crt, /etc/pki/katello-certs-tools/certs/dhcp.example.com-foreman-proxy.key and /etc/foreman/proxy_ca.pem

Next step, find a way to do it with a certificate signed with our internal CA.

On Saturday, June 3, 2017 at 18:11:06 UTC+2, Eric Helms wrote:
>
> Katello does not use the puppet certificates for a majority of
> configuration which means that if you follow the Smart Proxy instructions
> you pointed to you'll likely end up with a smart proxy that cannot
> communicate back to the server.
>
> Was your DHCP smart proxy an existing smart proxy or a fresh install? I
> would recommend looking at how to install a smart proxy when you have a
> Katello install:
>
> https://theforeman.org/plugins/katello/3.4/installation/smart_proxy.html
>
> This by default configures the smart proxy with content for syncing
> content to an external location or datacenter. If you are not wanting to
> use this and thus want a lighter weight smart proxy with your Katello
> install you can disable Pulp setup and configuration.
>
> Eric
>
> On May 29, 2017 5:35 AM, "Vincenzo Z" <[email protected]> wrote:
>
>> update when I use the foreman-installer without Katello I can add my DHCP
>> proxy without problems:
>>
>> foreman-installer --scenario foreman --foreman-admin-password test
>>
>> On Wednesday, May 24, 2017 at 15:12:11 UTC+2, Vincenzo Z wrote:
>>>
>>> Hello,
>>>
>>> I'm trying to install katello/foreman with a DHCP smart-proxy located on
>>> another server.
>>>
>>> My first attempt was to use a certificate signed by our internal CA with
>>> this command:
>>> foreman-installer --scenario katello --foreman-admin-password test \
>>>   --certs-server-cert "/root/katello_certs/katello2.example.com.crt" \
>>>   --certs-server-cert-req "/root/katello_certs/katello2.example.com.csr" \
>>>   --certs-server-key "/root/katello_certs/katello2.example.com.key" \
>>>   --certs-server-ca-cert "/root/katello_certs/cacert.pem"
>>>
>>> Installation was successful and I was able to connect to my foreman web
>>> interface without SSL warnings.
>>>
>>> Next step was to setup the connection between my foreman and my DHCP
>>> smart-proxy:
>>>
>>> So I followed the steps documented here
>>> https://theforeman.org/manuals/1.15/index.html#4.3SmartProxies
>>>
>>> generate my cert on my foreman server:
>>>
>>> puppet cert generate dhcp.example.com
>>>
>>> copy cert, ca and key to the /etc/foreman-proxy/ssl directory on my DHCP
>>> smart-proxy
>>>
>>> edit my setting.yml config file like this:
>>>
>>> ---
>>> :settings_directory: "/etc/foreman-proxy/settings.d"
>>> :daemon: true
>>> :daemon_pid: /var/run/foreman-proxy/foreman-proxy.pid
>>> :bind_host: '*'
>>> :https_port: 8443
>>> :ssl_certificate: /etc/foreman-proxy/ssl/dhcp.example.com.pem
>>> :ssl_ca_file: /etc/foreman-proxy/ssl/ca.pem
>>> :ssl_private_key: /etc/foreman-proxy/ssl/dhcp.example.com.key
>>> :trusted_hosts:
>>>   - katello2.example.com
>>> :log_file: /var/log/foreman-proxy/proxy.log
>>> :log_level: DEBUG
>>>
>>> open firewall ports
>>>
>>> When I try to connect from my foreman web interface with this URL
>>> https://dhcp.example.com:8443
>>>
>>> I get this error message in the log file of my DHCP smart-proxy:
>>>
>>> "OpenSSL::SSL::SSLError: SSL_accept returned=1 errno=0 state=unknown
>>> state: tlsv1 alert unknown ca"
>>>
>>> It's a CA issue maybe because I'm playing with internal CA so I tried
>>> with the self-signed certificates generated with the foreman/katello
>>> installation:
>>>
>>> foreman-installer --scenario katello --foreman-admin-password "test"
>>>
>>> Same error.
>>>
>>> I think I miss something in the smart-proxy setup and I don't play with
>>> the right certificates.
>>>
>>> I probably don't use the same CA to sign my foreman certificate and my
>>> DHCP smart-proxy certificate.
>>>
>>> Can somebody put me in the good direction to solve this problem?
>>>
>>> Best regards,
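The "unknown ca" alert in the original post is what a TLS peer sends when the certificate it is shown was signed by a CA it does not trust. As an added example (not part of the thread), this script reproduces that mismatch offline with `openssl verify`; the two throwaway CAs named puppet-ca and katello-ca and the helper functions are constructed for illustration and only stand in for the real ones.

```shell
#!/bin/sh
# Constructed demo: two throwaway CAs stand in for the Puppet CA and the
# Katello CA. Nothing here touches real Foreman or Puppet files.

# chains_to CA_FILE CERT_FILE: exit 0 only if CERT_FILE verifies against CA_FILE
chains_to() {
    openssl verify -CAfile "$1" "$2" >/dev/null 2>&1
}

# make_ca DIR NAME: create a self-signed CA key and certificate called NAME
make_ca() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
        -subj "/CN=$2" -keyout "$1/$2.key" -out "$1/$2.pem" 2>/dev/null
}

# issue DIR CA_NAME FQDN: create a key for FQDN and a certificate signed by CA_NAME
issue() {
    openssl req -newkey rsa:2048 -nodes -subj "/CN=$3" \
        -keyout "$1/$3.key" -out "$1/$3.csr" 2>/dev/null
    openssl x509 -req -in "$1/$3.csr" -CA "$1/$2.pem" -CAkey "$1/$2.key" \
        -CAcreateserial -days 1 -out "$1/$3.pem" 2>/dev/null
}

# demo: sign the proxy certificate with one CA, then check it against both
demo() {
    d=$(mktemp -d) || return 2
    make_ca "$d" puppet-ca
    make_ca "$d" katello-ca
    issue "$d" puppet-ca dhcp.example.com
    if chains_to "$d/katello-ca.pem" "$d/dhcp.example.com.pem"
    then r1=trusted; else r1=unknown-ca; fi
    if chains_to "$d/puppet-ca.pem" "$d/dhcp.example.com.pem"
    then r2=trusted; else r2=unknown-ca; fi
    rm -rf "$d"
    echo "katello-ca:$r1 puppet-ca:$r2"
}

demo
```

On real hosts, `chains_to` can be pointed at the CA file the peer trusts and the certificate the proxy presents (the `:ssl_certificate` file in the settings quoted above) to confirm both sides share an issuer before retrying the connection.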
