Tim,

Are your smart-proxies clustered as well? If so, are you putting the same certificate on each smart-proxy and referencing a URL such as puppetserver.domain.com or puppetca.domain.com? Also, how are you handling your SSL? Are you offloading at the load balancer or doing passthrough to the backend server?
-Chris
IRC: discr33t

On Tuesday, October 25, 2016 at 3:00:42 PM UTC-4, [email protected] wrote:
>
> Hi,
>
> I'm working on moving from a standalone Foreman host to a clustered setup
> similar to https://theforeman.org/2015/12/journey_to_high_availability.html
> and with the help of the docs have got most things working with clustered
> Postgres, Foreman hosts communicating with memcached, Foreman machines
> behind haproxy, common keys for database and cookies and so on.
>
> Foreman-installer command used below for info.
>
> I'm having trouble working out how to generate SSL certificates for the
> Foreman servers to communicate with the proxies without running into
> "alert unknown CA" and similar problems.
>
> I've tried generating certs on the first foreman server for the other
> hosts with
>   puppet cert generate [fqdn]
> and pushing the ca.pem and the generated certs and private keys to the
> other hosts.
>
> I seem to be missing a step - the machine where the certs were generated
> can talk to the locally installed smart proxy, but communication with the
> smart proxy installed on the other hosts fails with unknown CA errors.
>
> Testing with
>   openssl s_client \
>     -connect $(hostname -f):443 \
>     -cert /var/lib/puppet/ssl/certs/$(hostname -f).pem \
>     -key /var/lib/puppet/ssl/private_keys/$(hostname -f).pem \
>     -CAfile /var/lib/puppet/ssl/certs/ca.pem
> to try to get some more info gives "Verify return code: 19 (self signed
> cert in certificate chain)" - but I see this on the machine which can
> talk to its smart proxy too :(
>
> Is the best way to generate the certs documented anywhere (whether with
> puppet, certtool or openssl)?
>
> Is it best practice to use the same cert for Apache for all of the
> machines behind haproxy and to use separate keys for foreman-proxy and to
> specify them with --foreman-client-ssl-* and --foreman-proxy-ssl-*?
>
> Many thanks for any pointers,
> Tim
>
> ** Current foreman-installer command
>
>   foreman-installer -v \
>     --enable-foreman \
>     --enable-foreman-cli \
>     --enable-foreman-proxy \
>     --foreman-proxy-trusted-hosts="foreman.example.com" \
>     --foreman-proxy-trusted-hosts="foreman-01.example.com" \
>     --foreman-proxy-trusted-hosts="foreman-02.example.com" \
>     --foreman-proxy-trusted-hosts="foreman-03.example.com" \
>     --foreman-proxy-trusted-hosts="foreman-04.example.com" \
>     --foreman-admin-password="foo" \
>     --foreman-oauth-consumer-key="foo" \
>     --foreman-oauth-consumer-secret="foo" \
>     --enable-foreman-plugin-bootdisk \
>     --enable-foreman-plugin-chef \
>     --enable-foreman-plugin-discovery \
>     --enable-foreman-plugin-hooks \
>     --enable-foreman-plugin-host-extra-validator \
>     --enable-foreman-plugin-memcache \
>     --foreman-plugin-memcache-hosts="memcached-01.example.com" \
>     --foreman-plugin-memcache-hosts="memcached-02.example.com" \
>     --foreman-plugin-memcache-hosts="memcached-03.example.com" \
>     --foreman-plugin-memcache-hosts="memcached-04.example.com" \
>     --enable-foreman-plugin-remote-execution \
>     --enable-foreman-plugin-salt \
>     --enable-foreman-plugin-setup \
>     --enable-foreman-plugin-tasks \
>     --enable-foreman-plugin-templates \
>     --enable-foreman-compute-openstack \
>     --enable-foreman-compute-vmware \
>     --foreman-db-database="foo" \
>     --foreman-db-host="foo" \
>     --foreman-db-manage="false" \
>     --foreman-db-password="foo" \
>     --foreman-db-port="4344" \
>     --foreman-db-type="postgresql" \
>     --foreman-db-username="foo"
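A self-contained check for the class of failure Tim describes, added here as an example and not code from either poster or from the Foreman project. It uses a throwaway openssl CA rather than Puppet's CA, so paths and CA names (lab-ca-1, lab-ca-2) are hypothetical; the hostnames are the example.com ones from the thread. It issues one cert from each CA, then runs `openssl verify` against a single ca.pem to show offline which cert chains to that CA and which does not, and confirms the hostname is present in the subjectAltName. Running the same `check_chain` on every host's cert against the one ca.pem that the Foreman servers trust is a quick way to find a proxy whose cert was issued by a different CA, which is what an "unknown CA" alert from the peer indicates.

```shell
#!/bin/sh
# Added example (not from the thread): issue certs from two throwaway CAs
# and verify which ones chain to a given ca.pem. Requires the openssl CLI.
set -eu

WORK=$(mktemp -d)

# make_ca DIR NAME: create a self-signed CA (hypothetical name) in DIR.
make_ca() {
  mkdir -p "$1"
  openssl req -x509 -newkey rsa:2048 -nodes -days 365 -subj "/CN=$2" \
    -keyout "$1/ca.key" -out "$1/ca.pem" >/dev/null 2>&1
}

# issue_cert CADIR HOST: issue a cert for HOST signed by the CA in CADIR,
# with a DNS subjectAltName so hostname checks can succeed.
issue_cert() {
  cadir="$1"; host="$2"
  openssl req -newkey rsa:2048 -nodes -subj "/CN=$host" \
    -keyout "$cadir/$host.key" -out "$cadir/$host.csr" >/dev/null 2>&1
  printf 'subjectAltName=DNS:%s\n' "$host" > "$cadir/$host.ext"
  openssl x509 -req -in "$cadir/$host.csr" -CA "$cadir/ca.pem" \
    -CAkey "$cadir/ca.key" -CAcreateserial -days 365 \
    -extfile "$cadir/$host.ext" -out "$cadir/$host.pem" >/dev/null 2>&1
}

# check_chain CAFILE CERT: 0 if CERT chains to CAFILE, 1 otherwise.
# This is the same trust decision a TLS client makes with -CAfile.
check_chain() {
  if openssl verify -CAfile "$1" "$2" >/dev/null 2>&1; then
    echo "ok    $2 chains to $1"
    return 0
  fi
  echo "FAIL  $2 does not chain to $1 (peer would report unknown CA)"
  return 1
}

# has_san CERT HOST: 0 if HOST appears as a DNS subjectAltName in CERT.
has_san() {
  openssl x509 -in "$1" -noout -text | grep -q "DNS:$2"
}

# Demo: one cert from the trusted CA, one from an unrelated CA.
run_demo() {
  make_ca "$WORK/ca1" lab-ca-1
  make_ca "$WORK/ca2" lab-ca-2
  issue_cert "$WORK/ca1" foreman-01.example.com
  issue_cert "$WORK/ca2" foreman-02.example.com
  check_chain "$WORK/ca1/ca.pem" "$WORK/ca1/foreman-01.example.com.pem"
  # Expected to fail: issued by ca2, verified against ca1's ca.pem.
  check_chain "$WORK/ca1/ca.pem" "$WORK/ca2/foreman-02.example.com.pem" || true
  has_san "$WORK/ca1/foreman-01.example.com.pem" foreman-01.example.com \
    && echo "ok    SAN present for foreman-01.example.com"
  return 0
}

run_demo
```

To apply this to a real deployment, point `check_chain` at the ca.pem the Foreman servers actually use (the `--foreman-client-ssl-*` CA) and at each proxy's server certificate; every cert should print `ok`, and the SAN check should name the FQDN the Foreman servers use to reach that proxy, which matters when a shared name such as a load-balancer hostname is in front of the proxies.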
