On 15/10/16 00:33, Jack Watroba wrote:
> I've been trying to set up a foreman installation with a separate
> puppetmaster/puppetca host. I've installed a full foreman installation
> on one server, and then followed the instructions from the "Setting up
> Foreman with external Puppet masters" section of the documentation,
> including generating ssl certs on the original server and copying them
> over to the new proxy server. If I follow those directions, I can set up
> an external puppetmaster that works fine, but if I want to also make
> that into a puppetca server by setting: 'puppet-server-ca=true' and
> 'foreman-proxy-puppetca=true', then I run into ssl errors when
> attempting to import classes from the puppet proxy/ca server, or even
> just running 'puppet agent -t' on the puppetmaster/ca proxy server.
>
> The error in the proxy.log on the proxy server is:
> "[2016-10-14T22:11:25.305337 #3733] ERROR -- : Failed to list puppet
> environments: SSL_connect SYSCALL returned=5 errno=0 state=SSLv3 read
> finished A"
>
> Are there additional steps that I need to take in regards to the ssl
> certificates in order to make this work?

Ensure you separate the two sets of SSL certificates (and CAs) and have
the correct settings pointing to the correct set of certs. It sounds
like they may be muddled.

/etc/foreman-proxy/settings.d/puppet_proxy_puppet_api.yml must reference
the certificates used to access the local Puppet master, while
/etc/foreman-proxy/settings.yml must instead reference the certs used by
your Foreman installation to communicate with the smart proxy.

-- 
Dominic Cleal
domi...@cleal.org
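
One way to check for the mix-up described in the reply above (an added example, not part of the original thread and not Foreman's own tooling): for each of the two settings files, confirm that the configured certificate chains to the CA configured in that same file. The key names (`ssl_ca_file`, `ssl_certificate`, `puppet_ssl_ca`, `puppet_ssl_cert`) are assumed to be the ones present in your files, and the function names are hypothetical.

```shell
#!/bin/sh
# Added example (not from the thread). Assumed key names: ssl_ca_file,
# ssl_certificate, puppet_ssl_ca, puppet_ssl_cert. Function names are hypothetical.

# Print the value of the first uncommented ":key: value" line in a settings file.
setting_value() {
    sed -n "s/^[[:space:]]*:$2:[[:space:]]*//p" "$1" 2>/dev/null | head -n 1 |
        tr -d "\"'" | sed 's/[[:space:]]*$//'
}

# check_pair FILE CA_KEY CERT_KEY
# 0 = cert chains to the CA named in the same file, 1 = mismatch,
# 2 = setting missing or file unreadable.
check_pair() {
    ca=$(setting_value "$1" "$2")
    cert=$(setting_value "$1" "$3")
    if [ -z "$ca" ] || [ -z "$cert" ] || [ ! -r "$ca" ] || [ ! -r "$cert" ]; then
        echo "$1: $2 or $3 is unset or unreadable" >&2
        return 2
    fi
    echo "$1: $3 issuer: $(openssl x509 -noout -issuer -in "$cert")"
    if openssl verify -CAfile "$ca" "$cert" >/dev/null 2>&1; then
        echo "$1: OK, $cert chains to $ca"
    else
        echo "$1: MISMATCH, $cert was not issued by $ca" >&2
        return 1
    fi
}

# Check both files under the proxy's config directory.
check_all() {
    dir=${1:-/etc/foreman-proxy}
    rc=0
    # Certs Foreman uses to talk to the smart proxy.
    check_pair "$dir/settings.yml" ssl_ca_file ssl_certificate || rc=1
    # Certs the proxy uses to reach the local Puppet master.
    check_pair "$dir/settings.d/puppet_proxy_puppet_api.yml" \
        puppet_ssl_ca puppet_ssl_cert || rc=1
    return $rc
}

# Run only when asked, e.g.: sh check_proxy_certs.sh --run
if [ "${1:-}" = "--run" ]; then
    check_all "${2:-}"
fi
```

A MISMATCH on either file means that file is pointing at a certificate from the other CA's set, which is the muddle the reply describes.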