Feature #19747

open

Proper support for non-self-signed webserver certificates.

Added by Han Boetes almost 7 years ago. Updated almost 7 years ago.

Status: New
Priority: Normal
Assignee: -
Category: -
Target version: -
Difficulty: -
Triaged: -
Fixed in Releases: -
Found in Releases: -

Description

With help from these two articles

https://alexshepherd.me/articles/changing-foremans-ssl-certificate
https://theforeman.org/2015/11/foreman-ssl.html

And the comment from Andreas Wegmann on the last page:

After diving into the source code for node.rb I found that the function initialize_http() checks if there is ":ssl_ca" set in the /etc/puppet/foreman.yaml. If this parameter is not set, it does not try to verify the https connection to foreman. So removing or commenting this line fixed the problem.

I managed to get the foreman web interface working with an official certificate, and puppet working as well. But the current solution feels very hackish.

I would really like to see official certificates properly supported from within the installer and I'd like to read about it in the documentation.

Actions #1

Updated by Thomas Sanders almost 7 years ago

Using the following doesn't work either.
foreman-installer \
--foreman-server-ssl-cert=/etc/httpd/certs/host.example.com.crt \
--foreman-server-ssl-key=/etc/httpd/certs/host.example.com.key \
--foreman-server-ssl-chain=/etc/httpd/certs/host.example.com.ca-bundle \
--foreman-proxy-puppet-ssl-ca=/etc/httpd/certs/host.example.com.ca-bundle

Could some official documentation be made on the "blessed" method here?

Actions #2

Updated by Thomas Sanders almost 7 years ago

Thomas Sanders wrote:

Using the following doesn't work either.
foreman-installer \
--foreman-server-ssl-cert=/etc/httpd/certs/host.example.com.crt \
--foreman-server-ssl-key=/etc/httpd/certs/host.example.com.key \
--foreman-server-ssl-chain=/etc/httpd/certs/host.example.com.ca-bundle \
--foreman-proxy-puppet-ssl-ca=/etc/httpd/certs/host.example.com.ca-bundle

Could some official documentation be made on the "blessed" method here?

What is the proper option to set /etc/puppetlabs/puppet/foreman.yaml :ssl_ca: "/etc/puppetlabs/puppet/ssl/ca/ca_crt.pem" to UNDEF?

Actions #3

Updated by Han Boetes almost 7 years ago

I wouldn't want to set :ssl_ca: to undefined at all. IMHO this could be better solved by having an additional parameter, one for the puppet_ca and one for the webserver_ca.
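The following is an added illustration, not code from Foreman or from anyone in this thread. It models the node.rb behaviour described in the quoted comment (no :ssl_ca means no verification, so "commenting out the line" silently turns certificate checking off) next to the split-CA approach proposed in #3. The :webserver_ca key, the helper names and the certificate paths are assumptions made up for the example; foreman.yaml itself only has :ssl_ca.

```ruby
require 'net/http'
require 'uri'
require 'openssl'
require 'yaml'

# Constructed foreman.yaml-style fragments (symbol keys, as in the real file).
SETTINGS_PUPPET_CA_ONLY = YAML.load(<<~YAML)
  :url: "https://foreman.example.com"
  :ssl_ca: "/etc/puppetlabs/puppet/ssl/ca/ca_crt.pem"
YAML

# The workaround from the description: :ssl_ca removed.
SETTINGS_NO_CA = YAML.load(<<~YAML)
  :url: "https://foreman.example.com"
YAML

# Hypothetical split configuration from comment #3: the web UI certificate is
# issued by a public/corporate CA, Puppet keeps its own CA for agent traffic.
SETTINGS_SPLIT_CA = YAML.load(<<~YAML)
  :url: "https://foreman.example.com"
  :ssl_ca: "/etc/puppetlabs/puppet/ssl/ca/ca_crt.pem"
  :webserver_ca: "/etc/pki/tls/certs/corporate-ca-bundle.pem"
YAML

# Model of the behaviour the quoted comment attributes to node.rb: verification
# is tied to the presence of :ssl_ca, so deleting the key disables it.
def legacy_verify_mode(settings)
  settings[:ssl_ca] ? OpenSSL::SSL::VERIFY_PEER : OpenSSL::SSL::VERIFY_NONE
end

# Safer variant: prefer a dedicated web server CA, fall back to the Puppet CA,
# and fail closed when neither is configured instead of going unverified.
def build_client(settings)
  uri = URI(settings.fetch(:url))
  ca = settings[:webserver_ca] || settings[:ssl_ca]
  raise ArgumentError, 'no CA bundle configured; refusing unverified HTTPS' if ca.nil? || ca.empty?
  http = Net::HTTP.new(uri.host, uri.port)   # not connected yet; safe offline
  http.use_ssl = true
  http.verify_mode = OpenSSL::SSL::VERIFY_PEER
  http.ca_file = ca
  http
end

if __FILE__ == $PROGRAM_NAME
  puts "legacy, :ssl_ca removed -> verify_mode #{legacy_verify_mode(SETTINGS_NO_CA)} (0 = VERIFY_NONE)"
  puts "split CA client uses #{build_client(SETTINGS_SPLIT_CA).ca_file}"
end
```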

Actions #4

Updated by Daniel Lobato Garcia almost 7 years ago

  • Release changed from 248 to 266

Actions #5

Updated by Dominic Cleal almost 7 years ago

  • Release deleted (266)