Thanks for the info. I was able to setup the new puppetmaster/ca/tftp proxy by doing this:
Thanks for the info. I was able to set up the new puppetmaster/CA/TFTP proxy by doing this:

1. I generated the first set of certs for the proxy server on the full-installation Foreman server with the command 'puppet cert generate new-proxy-server.example.com'

2. Ran a puppetmaster/CA/TFTP install on the new proxy server:

   foreman-installer \
     --no-enable-foreman \
     --no-enable-foreman-cli \
     --no-enable-foreman-plugin-bootdisk \
     --no-enable-foreman-plugin-setup \
     --enable-puppet \
     --puppet-server-ca=true \
     --puppet-server-foreman-url=https://foreman-server.example.com \
     --enable-foreman-proxy \
     --foreman-proxy-puppetca=true \
     --foreman-proxy-tftp=true \
     --foreman-proxy-foreman-base-url=https://foreman-server.example.com \
     --foreman-proxy-trusted-hosts=foreman-server.example.com \
     --foreman-proxy-oauth-consumer-key=****** \
     --foreman-proxy-oauth-consumer-secret=*****

   **This will fail because the generated certs have not been copied over yet**

3. Created a new SSL certs directory at /etc/puppetlabs/puppet/ssl/proxy on the proxy server

4. Copied the generated certs from step 1 to /etc/puppetlabs/puppet/ssl/proxy/certs and /etc/puppetlabs/puppet/ssl/proxy/private_keys respectively

5. Edited /etc/foreman-proxy/settings.yml and /etc/puppetlabs/puppet/foreman.yaml to point to the certs in the /etc/puppetlabs/puppet/ssl/proxy/ directory

6. Manually added the smart proxy from the Foreman UI

I can now import classes from the new proxy and run puppet on the new proxy server without any errors. Thanks!

On Monday, October 17, 2016 at 2:44:17 AM UTC-7, Matt wrote:
>
> I would not count on the installer here.
>
> If the packages are installed, just do it manually: set your CA in your
> puppet.conf and go from there, do a run, sign, and done.
>
> The installer is too complex or fails here, if you ask me.
>
>
> On Monday, 17 October 2016 09:56:28 UTC+2, Dominic Cleal wrote:
>>
>> On 15/10/16 00:33, Jack Watroba wrote:
>> > I've been trying to set up a foreman installation with a separate
>> > puppetmaster/puppetca host.
>> > I've installed a full foreman installation on one server, and then
>> > followed the instructions from the "Setting up Foreman with external
>> > Puppet masters" section of the documentation, including generating SSL
>> > certs on the original server and copying them over to the new proxy
>> > server. If I follow those directions, I can set up an external
>> > puppetmaster that works fine, but if I want to also make that into a
>> > puppetca server by setting 'puppet-server-ca=true' and
>> > 'foreman-proxy-puppetca=true', then I run into SSL errors when
>> > attempting to import classes from the puppet proxy/CA server, or even
>> > just running 'puppet agent -t' on the puppetmaster/CA proxy server.
>> >
>> > The error in the proxy.log on the proxy server is:
>> > "[2016-10-14T22:11:25.305337 #3733] ERROR -- : Failed to list puppet
>> > environments: SSL_connect SYSCALL returned=5 errno=0 state=SSLv3 read
>> > finished A"
>> >
>> > Are there additional steps that I need to take in regards to the SSL
>> > certificates in order to make this work?
>>
>> Ensure you separate the two sets of SSL certificates (and CAs) and have
>> the correct settings pointing to the correct set of certs. It sounds
>> like they may be muddled.
>>
>> /etc/foreman-proxy/settings.d/puppet_proxy_puppet_api.yml must reference
>> the certificates used to access the local Puppet master, while
>> /etc/foreman-proxy/settings.yml must instead reference the certs used by
>> your Foreman installation to communicate with the smart proxy.
>>
>> --
>> Dominic Cleal
>> [email protected]
>>
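The separation Dominic describes, and the layout Jack ended up with, can be checked mechanically before restarting the proxy. The script below is an added example written for this thread; it is not code from the Foreman project or from either poster. It assumes the key names used by the smart-proxy settings templates (:ssl_ca_file, :ssl_certificate, :ssl_private_key in settings.yml; :puppet_ssl_ca, :puppet_ssl_cert, :puppet_ssl_key in settings.d/puppet_proxy_puppet_api.yml), so check them against your installed version. The sample configs embedded in it are constructed: one reproduces the muddled state (settings.yml pointing at the local Puppet master's own certs), the other the separated layout under /etc/puppetlabs/puppet/ssl/proxy/. The optional openssl cross-check only runs when the real files are present and needs the openssl binary; the foreman.yaml on the puppetmaster (Jack's step 5) is not covered.

```python
"""Check that a smart proxy's two SSL certificate sets are kept separate.

Added example; not code from the Foreman project. Key names are assumed
from the smart-proxy settings templates and the sample configs below are
constructed for illustration.
"""
import os
import re
import subprocess

FOREMAN_KEYS = ("ssl_ca_file", "ssl_certificate", "ssl_private_key")
PUPPET_KEYS = ("puppet_ssl_ca", "puppet_ssl_cert", "puppet_ssl_key")

# Constructed sample configs (hypothetical hostnames from the thread).
# MUDDLED_SETTINGS points Foreman's side at the local Puppet master's own
# identity; SEPARATED_SETTINGS uses the Foreman-issued copy under ssl/proxy/.
MUDDLED_SETTINGS = """\
---
:foreman_url: https://foreman-server.example.com
:ssl_ca_file: /etc/puppetlabs/puppet/ssl/certs/ca.pem
:ssl_certificate: /etc/puppetlabs/puppet/ssl/certs/new-proxy-server.example.com.pem
:ssl_private_key: /etc/puppetlabs/puppet/ssl/private_keys/new-proxy-server.example.com.pem
"""
SEPARATED_SETTINGS = """\
---
:foreman_url: https://foreman-server.example.com
:ssl_ca_file: /etc/puppetlabs/puppet/ssl/proxy/certs/ca.pem   # Foreman server's CA
:ssl_certificate: /etc/puppetlabs/puppet/ssl/proxy/certs/new-proxy-server.example.com.pem
:ssl_private_key: /etc/puppetlabs/puppet/ssl/proxy/private_keys/new-proxy-server.example.com.pem
"""
# The local Puppet master side is the same in both cases: this host's own
# Puppet CA and agent identity.
PUPPET_API = """\
---
:puppet_url: https://new-proxy-server.example.com:8140
:puppet_ssl_ca: /etc/puppetlabs/puppet/ssl/certs/ca.pem
:puppet_ssl_cert: /etc/puppetlabs/puppet/ssl/certs/new-proxy-server.example.com.pem
:puppet_ssl_key: /etc/puppetlabs/puppet/ssl/private_keys/new-proxy-server.example.com.pem
"""


def parse_flat_settings(text):
    """Parse the top-level ':key: value' scalars of a smart-proxy settings
    file. Comments, '---' and nested blocks are skipped; the SSL path keys
    are always top-level scalars, which is all this needs."""
    settings = {}
    for raw in text.splitlines():
        line = re.sub(r"\s+#.*$", "", raw).rstrip()
        m = re.match(r"^:?([A-Za-z0-9_]+):\s+(\S.*)$", line)
        if m:
            settings[m.group(1)] = m.group(2).strip("'\"")
    return settings


def check_cert_sets(settings_yml, puppet_api_yml):
    """Return a list of problems; empty means the two sets look separate.

    settings.yml holds the certs Foreman uses to reach the proxy (issued by
    the Foreman server's CA); puppet_proxy_puppet_api.yml holds the certs the
    proxy uses to reach the local Puppet master (issued by this host's own
    Puppet CA). The two sets must not share a single file.
    """
    foreman = parse_flat_settings(settings_yml)
    puppet = parse_flat_settings(puppet_api_yml)
    problems = []
    for key in FOREMAN_KEYS:
        if key not in foreman:
            problems.append("settings.yml: missing %s" % key)
    for key in PUPPET_KEYS:
        if key not in puppet:
            problems.append("puppet_proxy_puppet_api.yml: missing %s" % key)
    if problems:
        return problems

    f = {k: os.path.normpath(foreman[k]) for k in FOREMAN_KEYS}
    p = {k: os.path.normpath(puppet[k]) for k in PUPPET_KEYS}

    # One file referenced from both sides means the two identities are muddled.
    for path in sorted(set(f.values()) & set(p.values())):
        problems.append("%s is referenced by both settings.yml and "
                        "puppet_proxy_puppet_api.yml" % path)

    # The Foreman-facing cert must not sit in the local Puppet ssldir's own
    # certs/ directory (ssldir taken as the parent of puppet_ssl_cert's dir).
    puppet_ssldir = os.path.dirname(os.path.dirname(p["puppet_ssl_cert"]))
    if os.path.dirname(f["ssl_certificate"]) == os.path.join(puppet_ssldir, "certs"):
        problems.append("settings.yml ssl_certificate sits in the local Puppet "
                        "master's certs/ directory; keep the Foreman-issued "
                        "cert in its own directory")
    return problems


def verify_on_disk(settings_yml, puppet_api_yml, openssl="openssl"):
    """Cross-check real files with openssl: each cert must chain to its own
    CA and must NOT chain to the other one. Needs the files and the openssl
    binary. Returns {check name: bool}."""
    foreman = parse_flat_settings(settings_yml)
    puppet = parse_flat_settings(puppet_api_yml)

    def chains(ca, cert):
        r = subprocess.run([openssl, "verify", "-CAfile", ca, cert],
                           stdout=subprocess.DEVNULL, stderr=subprocess.DEVNULL)
        return r.returncode == 0

    return {
        "Foreman cert chains to Foreman CA":
            chains(foreman["ssl_ca_file"], foreman["ssl_certificate"]),
        "Puppet cert chains to local Puppet CA":
            chains(puppet["puppet_ssl_ca"], puppet["puppet_ssl_cert"]),
        "Foreman cert is rejected by local Puppet CA":
            not chains(puppet["puppet_ssl_ca"], foreman["ssl_certificate"]),
        "Puppet cert is rejected by Foreman CA":
            not chains(foreman["ssl_ca_file"], puppet["puppet_ssl_cert"]),
    }


if __name__ == "__main__":
    print("muddled:", check_cert_sets(MUDDLED_SETTINGS, PUPPET_API))
    print("separated:", check_cert_sets(SEPARATED_SETTINGS, PUPPET_API))
    live = ("/etc/foreman-proxy/settings.yml",
            "/etc/foreman-proxy/settings.d/puppet_proxy_puppet_api.yml")
    if all(os.path.exists(path) for path in live):  # only on a real proxy host
        with open(live[0]) as a, open(live[1]) as b:
            s, p = a.read(), b.read()
        for problem in check_cert_sets(s, p):
            print("PROBLEM:", problem)
        for name, ok in verify_on_disk(s, p).items():
            print("ok  " if ok else "FAIL", name)
```

The two "rejected by the other CA" checks are the ones worth watching: if either CA validates both certs, the proxy is still presenting one identity on both sides and the "SSL_connect SYSCALL returned=5" style handshake failure from the original post is the expected result.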
