Martin's blog is going to be far more in depth than something I can add here. I would suggest going through that. It deals with self-signed certs, so if you need something different, I can write something up for you that covers the differences.
The short version of what you need to do: * make sure ServerName is the same on all foreman servers in a cluster * make sure websocket ssl certs are the same on all foreman servers in a cluster * make sure they're talking to the same backend (DB) * make sure you set the same secret token (for auth purposes) * if you're using a proxy (i.e. ha proxy), you won't need dns_alt_names, but you can still use them. If you're using only a LB (i.e. F5 w/o proxying), then you want dns_alt_names. I realize my comments about smart proxy are incomplete. Using an externally signed cert, we ran in to issues where the smart proxy needed the same ssl_ca (/etc/puppet/foreman.yaml) and ssl_ca_file (/etc/foreman-proxy/settings.yaml) file as the "ssl_ca_file" on the Foreman server (in /etc/foreman/settings.yaml). This only happened with an external cert, not a self-signed one from the puppet CA. On Tuesday, November 29, 2016 at 10:10:25 AM UTC-5, Sai Krishna wrote: > > Hi Chris, >>> >> > grep -i servername /etc/httpd/conf.d/*foreman* > /etc/httpd/conf.d/05-foreman.conf: ServerName foremandv.example.com > grep: /etc/httpd/conf.d/05-foreman.d: Is a directory > /etc/httpd/conf.d/05-foreman-ssl.conf: ServerName foremandv.example.com > grep: /etc/httpd/conf.d/05-foreman-ssl.d: Is a directory > > roothost1 [~] # grep -i SSL /etc/httpd/conf.d/*foreman* > grep: /etc/httpd/conf.d/05-foreman.d: Is a directory > /etc/httpd/conf.d/05-foreman-ssl.conf: ErrorLog > "/var/log/httpd/foreman-ssl_error_ssl.log" > /etc/httpd/conf.d/05-foreman-ssl.conf: CustomLog > "/var/log/httpd/foreman-ssl_access_ssl.log" combined > /etc/httpd/conf.d/05-foreman-ssl.conf: ## SSL directives > /etc/httpd/conf.d/05-foreman-ssl.conf: SSLEngine on > /etc/httpd/conf.d/05-foreman-ssl.conf: SSLCertificateFile > "/etc/puppetlabs/puppet/ssl/certs/foremandv.example.com.pem" > /etc/httpd/conf.d/05-foreman-ssl.conf: SSLCertificateKeyFile > "/etc/puppetlabs/puppet/ssl/private_keys/foremandv.example.com.pem" > /etc/httpd/conf.d/05-foreman-ssl.conf: SSLCertificateChainFile > "/etc/puppetlabs/puppet/ssl/certs/ca.pem" > /etc/httpd/conf.d/05-foreman-ssl.conf: SSLCACertificateFile > "/etc/puppetlabs/puppet/ssl/certs/ca.pem" > /etc/httpd/conf.d/05-foreman-ssl.conf: SSLCARevocationFile > "/etc/puppetlabs/puppet/ssl/crl.pem" > /etc/httpd/conf.d/05-foreman-ssl.conf: SSLCARevocationCheck "chain" > /etc/httpd/conf.d/05-foreman-ssl.conf: SSLVerifyClient optional > /etc/httpd/conf.d/05-foreman-ssl.conf: SSLVerifyDepth 3 > /etc/httpd/conf.d/05-foreman-ssl.conf: SSLOptions +StdEnvVars > +ExportCertData > /etc/httpd/conf.d/05-foreman-ssl.conf: Include > /etc/httpd/conf.d/05-foreman-ssl.d/*.conf > /etc/httpd/conf.d/05-foreman-ssl.conf: IncludeOptional > /etc/httpd/conf.d/05-foreman-ssl.d/*.conf > grep: /etc/httpd/conf.d/05-foreman-ssl.d: Is a directory > > Yes it rhel 7, as you said these two looks correct. > > I don't have any foreman severs, am planning to build 2 foreman(WebUI/ENC) > servers (clustered) so that both foreman runs on generic ( > https://foremandv.example.com ) so that load will be distributed to both > servers and I have existing highly available puppet setup. I want to > integrate this foreman cluster with existing puppet set up. > > Can you please guide me about the smart proxy errors, how to configure wrt > to correct CA cert. > > Thank you very much !! > > -- You received this message because you are subscribed to the Google Groups "Foreman users" group. To unsubscribe from this group and stop receiving emails from it, send an email to [email protected]. To post to this group, send email to [email protected]. Visit this group at https://groups.google.com/group/foreman-users. For more options, visit https://groups.google.com/d/optout.
