I know there's some SElinux magic, but if you have disabled SELinux you can try a command line like this to install a new web certificate, key, and chain (intermediate certificates) and keep the puppet part working...
foreman-installer \ --foreman-server-ssl-key=/etc/pki/tls/private/foreman.example.com.key \ --puppet-server-foreman=true \ --foreman-server-ssl-cert=/etc/pki/tls/certs/foreman.example.com.crt \ --foreman-server-ssl-chain=/etc/pki/tls/certs/cachain.crt \ --foreman-server-ssl-certs-dir=/etc/pki/tls/certs \ --foreman-websockets-encrypt=true \ --foreman-websockets-ssl-key=/etc/pki/tls/private/foreman.example.com.key \ --foreman-websockets-ssl-cert=/etc/pki/tls/certs/foreman.example.com.crt \ --puppet-server-foreman=true \ --puppet-server-foreman-ssl-ca=/etc/pki/tls/certs/cachain.crt \ --foreman-proxy-foreman-ssl-ca=/etc/pki/tls/certs/cachain.crt \ --foreman-foreman-url=https://foreman.example.com -- You received this message because you are subscribed to the Google Groups "Foreman users" group. To unsubscribe from this group and stop receiving emails from it, send an email to foreman-users+unsubscr...@googlegroups.com. To post to this group, send email to foreman-users@googlegroups.com. Visit this group at https://groups.google.com/group/foreman-users. For more options, visit https://groups.google.com/d/optout.