Hi David, for us it's just simply a plain text PEM encoded certificate file like so:

-----BEGIN CERTIFICATE-----
encoded...
...cert...
...data
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
encoded...
...cert...
...data
-----END CERTIFICATE-----

I just did the following

cat intermediate.pem > foreman_ssl_ca.pem
# append the root CA; a second ">" would overwrite the file
cat digicert_root_ca.crt >> foreman_ssl_ca.pem

cheers

Matt

On 14 December 2017 at 07:39, David Childs <[email protected]> wrote:

> Hi Matt
>
>> Concatenating their intermediate and the root CA into one pem and
>> referencing that in /etc/puppetlabs/puppet/foreman.yaml for :ssl_ca: fixed
>> the problem.
>
> Can you explain how you did this? It should be obvious, but I'm not having
> any luck making it work.
>
> On Tuesday, July 11, 2017 at 6:27:16 AM UTC-4, Matt Cahill wrote:
>>
>> I did eventually get this working.
>>
>> https://theforeman.org/2015/11/foreman-ssl.html
>> https://alexshepherd.me/articles/changing-foremans-ssl-certificate
>>
>> The specific problem I had all along was that I was supplied an
>> intermediate cert chain without the root CA (as mentioned by alex shepherd).
>> Concatenating their intermediate and the root CA into one pem and
>> referencing that in /etc/puppetlabs/puppet/foreman.yaml for :ssl_ca:
>> fixed the problem.
>>
>> Installing via puppet:
>>
>> foreman::ssl: true
>> puppet::server_foreman_ssl_ca: '/etc/pki/tls/certs/cachain_with_root.pem'
>> puppet::server_foreman_url: 'https://puppet.example.com'
>> foreman::server_ssl_key: '/etc/pki/tls/private/puppet.example.com.key'
>> foreman::server_ssl_cert: '/etc/pki/tls/certs/puppet.example.com.crt'
>> foreman::server_ssl_chain: '/etc/pki/tls/certs/cachain_with_root.pem'
>> foreman::servername: 'puppet.example.com'
>> foreman::foreman_url: 'https://puppet.example.com'
>> foreman::websockets_ssl_key: '/etc/pki/tls/private/puppet.example.key'
>> foreman::websockets_ssl_cert: '/etc/pki/tls/certs/puppet.example.crt'
>>
>> or with foreman-installer options
>>
>> foreman-installer --foreman-ssl \
>> --puppet-server-foreman-ssl-ca '/etc/pki/tls/certs/cachain_with_root.pem' \
>> --puppet-server-foreman-url 'https://puppet.example.com' \
>> --foreman-server-ssl-key '/etc/pki/tls/private/puppet.example.com.key' \
>> --foreman-server-ssl-cert '/etc/pki/tls/certs/puppet.example.com.crt' \
>> --foreman-server-ssl-chain '/etc/pki/tls/certs/cachain_with_root.pem' \
>> --foreman-servername 'puppet.example.com' \
>> --foreman-foreman-url 'https://puppet.example.com' \
>> --foreman-websockets-ssl-key '/etc/pki/tls/private/puppet.example.key' \
>> --foreman-websockets-ssl-cert '/etc/pki/tls/certs/puppet.example.crt'
>>
>> cheers
>>
>> Matt
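The fix discussed in this thread, as an added example that is not part of the original messages: a shell check that a CA bundle only verifies a certificate when it holds the intermediate and the root. It assumes the openssl CLI is installed; the demo chain, the demo-* names and root_ca.crt are constructed for illustration.

```shell
#!/bin/sh
# Added example. The CA chain is a constructed throwaway; demo-* names are made up.

# Create root -> intermediate -> leaf in directory $1 (sample input only).
make_demo_chain() {
    d=$1
    printf 'basicConstraints=critical,CA:TRUE\n' > "$d/ca.ext"
    for n in root int leaf; do
        openssl req -new -newkey rsa:2048 -nodes -subj "/CN=demo-$n" \
            -keyout "$d/$n.key" -out "$d/$n.csr" 2>/dev/null || return 1
    done
    openssl x509 -req -in "$d/root.csr" -signkey "$d/root.key" -days 2 \
        -extfile "$d/ca.ext" -out "$d/root_ca.crt" 2>/dev/null &&
    openssl x509 -req -in "$d/int.csr" -CA "$d/root_ca.crt" \
        -CAkey "$d/root.key" -set_serial 2 -days 2 \
        -extfile "$d/ca.ext" -out "$d/intermediate.pem" 2>/dev/null &&
    openssl x509 -req -in "$d/leaf.csr" -CA "$d/intermediate.pem" \
        -CAkey "$d/int.key" -set_serial 3 -days 2 \
        -out "$d/leaf.pem" 2>/dev/null
}

# Write bundle $1 from the remaining arguments with a single redirection.
build_bundle() { out=$1; shift; cat "$@" > "$out"; }

# Number of certificates in PEM file $1.
count_certs() { grep -c -- '-----BEGIN CERTIFICATE-----' "$1"; }

# Succeeds if PEM file $1 holds a self-signed certificate (subject == issuer).
bundle_has_root() {
    openssl crl2pkcs7 -nocrl -certfile "$1" |
        openssl pkcs7 -print_certs -noout |
        awk '/^subject=/ { s = substr($0, 9) }
             /^issuer=/  { if (s == substr($0, 8)) found = 1 }
             END { exit !found }'
}

# Verify certificate $2 using only bundle $1 as the trust store.
verify_with_bundle() {
    openssl verify -no-CApath -CAfile "$1" "$2" >/dev/null 2>&1
}

tmp=$(mktemp -d) && make_demo_chain "$tmp" || exit 1
build_bundle "$tmp/foreman_ssl_ca.pem" "$tmp/intermediate.pem" "$tmp/root_ca.crt"
for b in intermediate.pem foreman_ssl_ca.pem; do
    if verify_with_bundle "$tmp/$b" "$tmp/leaf.pem"; then r=OK; else r=FAIL; fi
    if bundle_has_root "$tmp/$b"; then root=yes; else root=no; fi
    echo "$b: $(count_certs "$tmp/$b") cert(s), root=$root, verify=$r"
done
```

Against a real bundle, `count_certs` and `bundle_has_root` are enough to confirm that the file referenced by :ssl_ca: actually contains the root before restarting anything.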
