Hi,

I'm working on moving from a standalone Foreman host to a clustered setup 
similar to https://theforeman.org/2015/12/journey_to_high_availability.html 
and with the help of the docs have got most things working with clustered 
Postgres, Foreman hosts communicating with memcached, Foreman machines 
behind haproxy, common keys for database and cookies and so on.

Foreman-installer command used below for info.

I'm having trouble working out how to generate SSL certificates for the 
Foreman servers to communicate with the proxies without running into "alert 
unknown CA" and similar problems.

I've tried generating certs on the first foreman server for the other hosts 
with
   puppet cert generate [fqdn]
and pushing the ca.pem and the generated certs and private keys to the 
other hosts.

I seem to be missing a step - the machine where the certs were generated 
can talk to the locally installed smart proxy but communication with the 
smart proxy installed on the other hosts fails with unknown CA errors.

Testing with 
    openssl s_client \
        -connect $(hostname -f):443 \
        -cert /var/lib/puppet/ssl/certs/$(hostname -f).pem \
        -key /var/lib/puppet/ssl/private_keys/$(hostname -f).pem \
        -CAfile /var/lib/puppet/ssl/certs/ca.pem
to try to get some more info gives "Verify return code: 19 (self 
signed cert in certificate chain)" - but I see this on the machine which 
can talk to its smart proxy too :(

Is the best way to generate the certs documented anywhere (whether with 
puppet, certtool or openssl)?

Is it best practice to use the same cert for Apache for all of the machines 
behind haproxy and to use separate keys for foreman-proxy and to specify 
them with --foreman-client-ssl-* and --foreman-proxy-ssl-*?

Many thanks for any pointers,
Tim

** Current foreman-installer command

foreman-installer -v \
    --enable-foreman \
    --enable-foreman-cli \
    --enable-foreman-proxy \
    --foreman-proxy-trusted-hosts="foreman.example.com" \
    --foreman-proxy-trusted-hosts="foreman-01.example.com" \
    --foreman-proxy-trusted-hosts="foreman-02.example.com" \
    --foreman-proxy-trusted-hosts="foreman-03.example.com" \
    --foreman-proxy-trusted-hosts="foreman-04.example.com" \
    --foreman-admin-password="foo" \
    --foreman-oauth-consumer-key="foo" \
    --foreman-oauth-consumer-secret="foo" \
    --enable-foreman-plugin-bootdisk \
    --enable-foreman-plugin-chef \
    --enable-foreman-plugin-discovery \
    --enable-foreman-plugin-hooks \
    --enable-foreman-plugin-host-extra-validator \
    --enable-foreman-plugin-memcache \
    --foreman-plugin-memcache-hosts="memcached-01.example.com" \
    --foreman-plugin-memcache-hosts="memcached-02.example.com" \
    --foreman-plugin-memcache-hosts="memcached-03.example.com" \
    --foreman-plugin-memcache-hosts="memcached-04.example.com" \
    --enable-foreman-plugin-remote-execution \
    --enable-foreman-plugin-salt \
    --enable-foreman-plugin-setup \
    --enable-foreman-plugin-tasks \
    --enable-foreman-plugin-templates \
    --enable-foreman-compute-openstack \
    --enable-foreman-compute-vmware \
    --foreman-db-database="foo" \
    --foreman-db-host="foo" \
    --foreman-db-manage="false" \
    --foreman-db-password="foo" \
    --foreman-db-port="4344" \
    --foreman-db-type="postgresql" \
    --foreman-db-username="foo"

-- 
You received this message because you are subscribed to the Google Groups 
"Foreman users" group.
Visit this group at https://groups.google.com/group/foreman-users.
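The "Verify return code: 19 (self signed certificate in certificate chain)" result in the post means the chain the server sent ends in a self-signed root that is not in the file given to -CAfile, so the two things worth checking on each Foreman host are (a) whether the proxy's certificate actually chains to the ca.pem you copied, and (b) whether every host's ca.pem is the same CA. The script below is an added example, not part of the original post or of Foreman or Puppet: it builds two throwaway CAs in a temp directory (standing in for the Puppet CA on two hosts that each ran the installer), issues a proxy certificate from one of them, and shows with openssl verify how the same certificate passes against its own CA and fails with error 19 against the other, plus a fingerprint function for comparing ca.pem across hosts. Host names and the temp-directory layout are constructed for the example.

```shell
#!/bin/sh
# Added example: reproduces the "correct CA" vs "wrong CA" verify results
# with throwaway CAs so the real /var/lib/puppet/ssl tree is never touched.
WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# make_ca DIR NAME: self-signed CA in DIR (stand-in for one host's Puppet CA)
make_ca() {
  mkdir -p "$1"
  openssl genrsa -out "$1/ca.key" 2048 2>/dev/null
  openssl req -x509 -new -key "$1/ca.key" -sha256 -days 1 \
    -subj "/CN=Puppet CA: $2" -out "$1/ca.pem" 2>/dev/null
}

# issue_cert CADIR FQDN: key + certificate for FQDN signed by the CA in CADIR
issue_cert() {
  openssl genrsa -out "$1/$2.key" 2048 2>/dev/null
  openssl req -new -key "$1/$2.key" -subj "/CN=$2" -out "$1/$2.csr" 2>/dev/null
  openssl x509 -req -in "$1/$2.csr" -CA "$1/ca.pem" -CAkey "$1/ca.key" \
    -CAcreateserial -days 1 -sha256 -out "$1/$2.pem" 2>/dev/null
}

# verify_chain CAFILE CERT [UNTRUSTED]: exit 0 if CERT chains to a root in CAFILE.
# UNTRUSTED plays the role of the extra certificates a server sends in its chain;
# passing the issuing CA there while CAFILE holds a different CA is what produces
# "error 19 ... self signed certificate in certificate chain".
verify_chain() {
  if [ -n "$3" ]; then
    openssl verify -CAfile "$1" -untrusted "$3" "$2"
  else
    openssl verify -CAfile "$1" "$2"
  fi
}

# ca_fingerprint CAFILE: SHA-256 fingerprint of the CA certificate. Run this
# against /var/lib/puppet/ssl/certs/ca.pem on every cluster member: the values
# must all match, otherwise the hosts are not sharing one CA.
ca_fingerprint() {
  openssl x509 -in "$1" -noout -fingerprint -sha256 | cut -d= -f2
}

# Constructed scenario: two CAs, one proxy certificate issued by the first.
make_ca "$WORK/ca-a" foreman-01.example.com
make_ca "$WORK/ca-b" foreman-02.example.com
issue_cert "$WORK/ca-a" proxy.example.com

echo "== proxy cert against the CA that issued it (expected: OK)"
verify_chain "$WORK/ca-a/ca.pem" "$WORK/ca-a/proxy.example.com.pem"

echo "== same cert against a different host's CA, issuer sent in chain (expected: error 19)"
verify_chain "$WORK/ca-b/ca.pem" "$WORK/ca-a/proxy.example.com.pem" "$WORK/ca-a/ca.pem" || true

echo "== CA fingerprints (these differ, so the two 'hosts' do not share a CA)"
ca_fingerprint "$WORK/ca-a/ca.pem"
ca_fingerprint "$WORK/ca-b/ca.pem"
```

On a real host, point verify_chain at /var/lib/puppet/ssl/certs/ca.pem and the proxy's certificate file, and compare ca_fingerprint output between the machine that works and one that does not; a mismatch means the smart proxy on the failing host is presenting a certificate from a CA that the Foreman server's -CAfile does not contain.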