SSL » History » Version 5
Corey Osman, 11/11/2011 06:42 PM
| 1 | 1 | Ohad Levy | h1. SSL setup |
|---|---|---|---|
| 2 | |||
| 3 | The smart proxy can work in SSL mode, where both sides verify and trust each other. |
||
| 4 | |||
| 5 | h2. Configure SSL certificates |
||
| 6 | |||
| 7 | This request will only be accepted if the SSL certificates match. Therefore the client's private key grants access to proxy's funtionality, so protect it. |
||
| 8 | |||
| 9 | As this tool is meant to interoperate with a puppet installation I suggest that you use the Certificate Authority provided by a puppet server as your CA. |
||
| 10 | |||
| 11 | # Login to your puppetmaster, which has a Certificate Authority |
||
| 12 | # Use the puppet tools to create a new certificate |
||
| 13 | <pre><code> |
||
| 14 | puppetca --generate <proxy-FQDN> |
||
| 15 | </pre></code> |
||
| 16 | # Copy the certificate keys to your Windows host |
||
| 17 | <pre><code> |
||
| 18 | scp puppetmaster:/var/lib/puppet/ssl/ca/signed/<proxy-FQDN>.pem signed.pem |
||
| 19 | scp puppetmaster:/var/lib/puppet/ssl/private_keys/<proxy-FQDN>.pem private.pem |
||
| 20 | </pre></code> |
||
| 21 | # Copy the ssl/certs/ca.pem from any puppet client to the smart-proxy\config directory. This ensures that the proxy trusts the same CA as a puppet client. |
||
| 22 | 2 | Corey Osman | |
| 23 | h2. Troubleshooting |
||
| 24 | |||
| 25 | <pre> |
||
| 26 | Unable to save |
||
| 27 | Unable to communicate with the proxy: No such file or directory - /.puppet/var/ssl/certs/foremanserver.domainname.corp.pem |
||
| 28 | Please check the proxy is configured and running on the host before saving. |
||
| 29 | </pre> |
||
| 30 | 3 | Corey Osman | |
| 31 | Workaround |
||
| 32 | 5 | Corey Osman | # mkdir /.puppet |
| 33 | # ln -s /var/lib/puppet/ /.puppet/var |
||
| 34 | 4 | Corey Osman | # add foreman, foreman-proxy to puppet group |
| 35 | # chmod -R 640 /var/lib/puppet/ssl/private_keys |
||
| 36 | # chgrp -R puppet /var/lib/puppet/ssl/private_keys |
||
| 37 | # |