On 15/10/16 00:33, Jack Watroba wrote:
> I've been trying to setup a foreman installation with a separate
> puppetmaster/puppetca host. I've installed a full foreman installation
> on one server, and then followed the instructions from the "Setting up
> Foreman with external Puppet masters" section of the documentation,
> including generating ssl certs on the original server and copying them
> over to the new proxy server. If I follow those directions, I can setup
> an external puppetmaster that works fine, but if I want to also make
> that into a puppetca server by setting: 'puppet-server-ca=true' and
> 'foreman-proxy-puppetca=true', then I run into ssl errors when
> attempting to import classes from the puppet proxy/ca server, or even
> just running 'puppet agent -t' on the puppetmaster/ca proxy server.
> The error in the proxy.log on the proxy server is:
> "[2016-10-14T22:11:25.305337 #3733] ERROR -- : Failed to list puppet
> environments: SSL_connect SYSCALL returned=5 errno=0 state=SSLv3 read
> finished A"
> Are there additional steps that I need to take in regards to the ssl
> certificates in order to make this work? 

Ensure you separate the two sets of SSL certificates (and CAs) and have
the correct settings pointing to the correct set of certs. It sounds
like they may be muddled.

/etc/foreman-proxy/settings.d/puppet_proxy_puppet_api.yml must reference
the certificates used to access the local Puppet master, while
/etc/foreman-proxy/settings.yml must instead reference the certs used by
your Foreman installation to communicate with the smart proxy.

Dominic Cleal

You received this message because you are subscribed to the Google Groups 
"Foreman users" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to foreman-users+unsubscr...@googlegroups.com.
To post to this group, send email to foreman-users@googlegroups.com.
Visit this group at https://groups.google.com/group/foreman-users.
For more options, visit https://groups.google.com/d/optout.

Reply via email to