Thanks for the info. I was able to setup the new puppetmaster/ca/tftp proxy 
by doing this:

1. I generated the first set of certs for the proxy server on the full 
installation foreman server with the command 'puppet cert generate'
2. Ran a puppetmaster/ca/tftp install on the new proxy server:

foreman-installer \
  --no-enable-foreman \
  --no-enable-foreman-cli \
  --no-enable-foreman-plugin-bootdisk \
  --no-enable-foreman-plugin-setup \
  --enable-puppet \
  --puppet-server-ca=true \
  --puppet-server-foreman-url= \
  --enable-foreman-proxy \
  --foreman-proxy-puppetca=true \
  --foreman-proxy-tftp=true \
  --foreman-proxy-foreman-base-url=  \  \
  --foreman-proxy-oauth-consumer-key=****** \

**This will fail because the generated certs have not been copied over 

3. Created a new ssl certs directory @ /etc/puppetlabs/puppet/ssl/proxy on 
the proxy server
4. Copied the generated certs from step 1 
to /etc/puppetlabs/puppet/ssl/proxy/certs||private_keys respectively
5. Edited /etc/foreman-proxy/settings.yml and 
/etc/puppetlabs/puppet/foreman.yaml to point to the certs in the 
/etc/puppetlabs/puppet/ssl/proxy/ directory
6. Manually added the smart proxy from the Foreman UI

I can now import classes from the new proxy and run puppet on the new proxy 
server without any errors. 


On Monday, October 17, 2016 at 2:44:17 AM UTC-7, Matt wrote:
> I would not count on the installer here.
> If the packages are installed just do it manually, set your ca in your 
> puppet.conf and go from there, do a run, sign and done.
> The installer is too complex or fails here if you ask me.
> Op maandag 17 oktober 2016 09:56:28 UTC+2 schreef Dominic Cleal:
>> On 15/10/16 00:33, Jack Watroba wrote: 
>> > I've been trying to setup a foreman installation with a separate 
>> > puppetmaster/puppetca host. I've installed a full foreman installation 
>> > on one server, and then followed the instructions from the "Setting up 
>> > Foreman with external Puppet masters" section of the documentation, 
>> > including generating ssl certs on the original server and copying them 
>> > over to the new proxy server. If I follow those directions, I can setup 
>> > an external puppetmaster that works fine, but if I want to also make 
>> > that into a puppetca server by setting: 'puppet-server-ca=true' and 
>> > 'foreman-proxy-puppetca=true', then I run into ssl errors when 
>> > attempting to import classes from the puppet proxy/ca server, or even 
>> > just running 'puppet agent -t' on the puppetmaster/ca proxy server. 
>> > 
>> > The error in the proxy.log on the proxy server is: 
>> > "[2016-10-14T22:11:25.305337 #3733] ERROR -- : Failed to list puppet 
>> > environments: SSL_connect SYSCALL returned=5 errno=0 state=SSLv3 read 
>> > finished A" 
>> > 
>> > Are there additional steps that I need to take in regards to the ssl 
>> > certificates in order to make this work? 
>> Ensure you separate the two sets of SSL certificates (and CAs) and have 
>> the correct settings pointing to the correct set of certs. It sounds 
>> like they may be muddled. 
>> /etc/foreman-proxy/settings.d/puppet_proxy_puppet_api.yml must reference 
>> the certificates used to access the local Puppet master, while 
>> /etc/foreman-proxy/settings.yml must instead reference the certs used by 
>> your Foreman installation to communicate with the smart proxy. 
>> -- 
>> Dominic Cleal 

You received this message because you are subscribed to the Google Groups 
"Foreman users" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
To post to this group, send email to
Visit this group at
For more options, visit

Reply via email to