OK, I am one step farther... The solution to the original problem is to add the puppet ca to the list of trusted cas of the foreman node. On Ubuntu:

# ln -s /var/lib/puppet/ssl/ca/ca_crt.pem /usr/local/share/ca-certificates/puppet-ca.pem
# update-ca-certificates
My next question: How do I get foreman to provide a client certificate to the docker daemon? Currently, when testing the connection I get this message on foreman:

SSL_connect returned=1 errno=0 state=SSLv3 read server session ticket A: sslv3 alert bad certificate (OpenSSL::SSL::SSLError)

And this one on the docker node:

TLS handshake error from 1.2.3.4:44818: tls: client didn't provide a certificate

One more thing: It is a bad idea to re-use the puppet ca for docker administration because every puppet node has a signed certificate from this ca. So after getting this to work, the next step will be to set up a dedicated ca.

Cheers, Jörg

On Sunday, 14 August 2016 08:50:47 UTC+2, Jörg wrote:
>
> Hi,
>
> I am facing the same situation. Did you find a solution to the problem?
>
> otherwise... bump...
>
> Cheers, Jörg
>
> On Wednesday, 1 July 2015 20:08:52 UTC+2, Peter Berghold wrote:
>>
>> I've got Docker running on one of my Puppet managed hosts and I'm trying to connect Foreman to it. I noticed in the Docker documentation they suggest using a self signed SSL cert which I rejected since I'm sure Foreman would complain about not being able to validate the CA.
>>
>> So, I got "clever" and decided to reuse the Puppet cert and CA files thusly:
>>
>> DOCKER_OPTS="--tlsverify --tlscacert=/var/lib/puppet/ssl/certs/ca.pem --tlscert=/var/lib/puppet/ssl/certs/mcadprod3.mca.sharkrivertech.com.pem --tlskey=/var/lib/puppet/ssl/private_keys/mcadprod3.mca.sharkrivertech.com.pem -H tcp://0.0.0.0:4243 -H unix:///var/run/docker.sock -d"
>>
>> I then tried to connect to the host and got this as an error:
>>
>> Error connecting with the compute resource: Unable to verify certificate, please set `Excon.defaults[:ssl_ca_path] = path_to_certs`, `ENV['SSL_CERT_DIR'] = path_to_certs`, `Excon.defaults[:ssl_ca_file] = path_to_file`, `ENV['SSL_CERT_FILE'] = path_to_file`, `Excon.defaults[:ssl_verify_callback] = callback` (see OpenSSL::SSL::SSLContext#verify_callback), or `Excon.defaults[:ssl_verify_peer] = false` (less secure).
>>
>> So my questions are:
>> 1) who is complaining here? Docker or Foreman and where do those values get set?
>>
>> 2) Why wouldn't using the Puppet certs work?
>>
>> anybody got an idea about this?
>>
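The two trust decisions behind the errors in this thread, and the reason a dedicated CA is the right next step, as an added Ruby example that is not part of the thread or of Foreman (Foreman talks to the daemon through Excon, which sits on Ruby's OpenSSL bindings, so the same X509 store semantics apply). Everything in it is constructed in memory: the CA names, host names, key sizes and validity periods are assumptions, not values from the thread. The daemon-side message "client didn't provide a certificate" is Go's crypto/tls refusing a handshake that carried no client certificate under --tlsverify, and the "bad certificate" alert Foreman logs is that same refusal seen from the client side; the example models what the daemon checks once a client certificate is presented.

```ruby
require 'openssl'

# Added example, not from the thread: an in-memory model of the trust checks a
# TLS peer makes. All CAs, hosts and certificates below are constructed here.

# Build a self-signed CA certificate and its private key.
def make_ca(common_name)
  key  = OpenSSL::PKey::RSA.new(2048)             # assumed key size
  cert = OpenSSL::X509::Certificate.new
  cert.version    = 2                             # X.509 v3
  cert.serial     = 1
  cert.subject    = OpenSSL::X509::Name.parse("/CN=#{common_name}")
  cert.issuer     = cert.subject                  # self-signed
  cert.public_key = key.public_key
  cert.not_before = Time.now - 60
  cert.not_after  = Time.now + 10 * 365 * 24 * 3600
  ef = OpenSSL::X509::ExtensionFactory.new
  ef.subject_certificate = cert
  ef.issuer_certificate  = cert
  cert.add_extension(ef.create_extension('basicConstraints', 'CA:TRUE', true))
  cert.add_extension(ef.create_extension('keyUsage', 'keyCertSign, cRLSign', true))
  cert.sign(key, OpenSSL::Digest.new('SHA256'))
  [cert, key]
end

# Issue an end-entity certificate from a CA, limited to the given extended key
# usage ('clientAuth' for API clients, 'serverAuth' for daemons, or both).
def issue_cert(ca_cert, ca_key, common_name, eku)
  key  = OpenSSL::PKey::RSA.new(2048)
  cert = OpenSSL::X509::Certificate.new
  cert.version    = 2
  cert.serial     = OpenSSL::BN.rand(64)          # constructed; a real CA tracks serials
  cert.subject    = OpenSSL::X509::Name.parse("/CN=#{common_name}")
  cert.issuer     = ca_cert.subject
  cert.public_key = key.public_key
  cert.not_before = Time.now - 60
  cert.not_after  = Time.now + 90 * 24 * 3600
  ef = OpenSSL::X509::ExtensionFactory.new
  ef.subject_certificate = cert
  ef.issuer_certificate  = ca_cert
  cert.add_extension(ef.create_extension('basicConstraints', 'CA:FALSE', true))
  cert.add_extension(ef.create_extension('keyUsage', 'digitalSignature, keyEncipherment', true))
  cert.add_extension(ef.create_extension('extendedKeyUsage', eku, false))
  cert.sign(ca_key, OpenSSL::Digest.new('SHA256'))
  [cert, key]
end

# The check a TLS peer performs on the certificate it receives: does it chain
# to a CA in the trust store, and is it allowed for this purpose (client or
# server authentication)?
def accepted?(trusted_ca, cert, purpose)
  store = OpenSSL::X509::Store.new
  store.add_cert(trusted_ca)
  store.purpose = purpose
  store.verify(cert)
end

# Reproduce the thread's situation: a puppet CA shared by every managed node
# versus a CA dedicated to docker administration. Returns the outcomes as a hash.
def demo
  puppet_ca, puppet_ca_key = make_ca('Puppet CA')        # constructed stand-in
  docker_ca, docker_ca_key = make_ca('Docker API CA')    # constructed stand-in
  client = OpenSSL::X509::PURPOSE_SSL_CLIENT
  server = OpenSSL::X509::PURPOSE_SSL_SERVER

  # Puppet host certs carry both serverAuth and clientAuth (assumed here).
  docker_host, _ = issue_cert(puppet_ca, puppet_ca_key, 'docker1.example.test', 'serverAuth, clientAuth')
  other_node,  _ = issue_cert(puppet_ca, puppet_ca_key, 'web7.example.test',    'serverAuth, clientAuth')
  # A client identity issued only to foreman by the dedicated CA.
  foreman_client, _ = issue_cert(docker_ca, docker_ca_key, 'foreman', 'clientAuth')

  {
    # First error: foreman's store lacked the puppet CA, so the daemon's
    # puppet-issued server cert could not be verified; trusting the CA fixes it.
    foreman_trusts_daemon_without_puppet_ca: accepted?(docker_ca, docker_host, server),
    foreman_trusts_daemon_with_puppet_ca:    accepted?(puppet_ca, docker_host, server),
    # --tlscacert pointing at the puppet CA: any puppet node's cert is a valid
    # docker API client identity, which is the risk Jörg points out.
    puppet_ca_daemon_accepts_other_node:     accepted?(puppet_ca, other_node, client),
    # Dedicated CA: only certs it issued are accepted as clients.
    docker_ca_daemon_accepts_foreman:        accepted?(docker_ca, foreman_client, client),
    docker_ca_daemon_accepts_other_node:     accepted?(docker_ca, other_node, client)
  }
end

if __FILE__ == $PROGRAM_NAME
  demo.each { |check, result| puts "#{check}: #{result}" }
end
```

Two practical checks that follow from this. On Debian and Ubuntu, update-ca-certificates only processes files under /usr/local/share/ca-certificates whose name ends in .crt, so after running it confirm the puppet CA actually appears in /etc/ssl/certs before assuming the trust step took effect. For the second question in the thread, Excon itself accepts a client certificate through its :client_cert and :client_key options next to :ssl_ca_file; whether the Foreman docker compute resource exposes those settings is something to verify in that plugin rather than assume.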
