Katello does not use the puppet certificates for a majority of configuration which means that if you follow the Smart Proxy instructions you pointed to you'll likely end up with a smart proxy that cannot communicate back to the server.

Was your DHCP smart proxy an existing smart proxy or a fresh install? I would recommend looking at how to install a smart proxy when you have a Katello install: https://theforeman.org/plugins/katello/3.4/installation/smart_proxy.html

This by default configures the smart proxy with content for syncing content to an external location or datacenter. If you are not wanting to use this and thus want a lighter weight smart proxy with your Katello install you can disable Pulp setup and configuration.

Eric

On May 29, 2017 5:35 AM, "Vincenzo Z" <[email protected]> wrote:

> Update: when I use the foreman-installer without Katello I can add my DHCP
> proxy without problems:
>
> foreman-installer --scenario foreman --foreman-admin-password test
>
>
> On Wednesday, May 24, 2017 at 15:12:11 UTC+2, Vincenzo Z wrote:
>>
>> Hello,
>>
>> I'm trying to install katello/foreman with a DHCP smart-proxy located on
>> another server.
>>
>> My first attempt was to use a certificate signed by our internal CA with
>> this command:
>>
>> foreman-installer --scenario katello --foreman-admin-password test \
>>   --certs-server-cert "/root/katello_certs/katello2.example.com.crt" \
>>   --certs-server-cert-req "/root/katello_certs/katello2.example.com.csr" \
>>   --certs-server-key "/root/katello_certs/katello2.example.com.key" \
>>   --certs-server-ca-cert "/root/katello_certs/cacert.pem"
>>
>> Installation was successful and I was able to connect to my foreman web
>> interface without SSL warnings.
>>
>> Next step was to set up the connection between my foreman and my DHCP
>> smart-proxy:
>>
>> So I followed the steps documented here
>> https://theforeman.org/manuals/1.15/index.html#4.3SmartProxies
>>
>> generate my cert on my foreman server:
>>
>> puppet cert generate dhcp.example.com
>>
>> copy cert, ca and key to the /etc/foreman-proxy/ssl directory on my DHCP
>> smart-proxy
>>
>> edit my setting.yml config file like this:
>>
>> ---
>> :settings_directory: "/etc/foreman-proxy/settings.d"
>> :daemon: true
>> :daemon_pid: /var/run/foreman-proxy/foreman-proxy.pid
>> :bind_host: '*'
>> :https_port: 8443
>> :ssl_certificate: /etc/foreman-proxy/ssl/dhcp.example.com.pem
>> :ssl_ca_file: /etc/foreman-proxy/ssl/ca.pem
>> :ssl_private_key: /etc/foreman-proxy/ssl/dhcp.example.com.key
>> :trusted_hosts:
>> - katello2.example.com
>> :log_file: /var/log/foreman-proxy/proxy.log
>> :log_level: DEBUG
>>
>> open firewall ports
>>
>> When I try to connect from my foreman web interface with this URL
>> https://dhcp.example.com:8443
>>
>> I get this error message in the log file of my DHCP smart-proxy:
>>
>> "OpenSSL::SSL::SSLError: SSL_accept returned=1 errno=0 state=unknown
>> state: tlsv1 alert unknown ca"
>>
>> It's a CA issue maybe because I'm playing with internal CA so I tried
>> with the self-signed certificates generated with the foreman/katello
>> installation:
>>
>> foreman-installer --scenario katello --foreman-admin-password "test"
>>
>> Same error.
>>
>> I think I miss something in the smart-proxy setup and I don't play with
>> the right certificates.
>>
>> I probably don't use the same CA to sign my foreman certificate and my
>> DHCP smart-proxy certificate.
>>
>> Can somebody put me in the good direction to solve this problem?
>>
>> Best regards,
>>
> --
> You received this message because you are subscribed to the Google Groups
> "Foreman users" group.
> To unsubscribe from this group and stop receiving emails from it, send an
> email to [email protected].
> To post to this group, send email to [email protected].
> Visit this group at https://groups.google.com/group/foreman-users.
> For more options, visit https://groups.google.com/d/optout.
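
The "unknown ca" alert quoted in the thread is what a TLS peer sends when the certificate it was shown does not chain to any CA it trusts. A way to check that offline with openssl, added here as an illustration and not part of the original messages; the function names and the throwaway "katello" and "puppet" CAs built by make_constructed_pki are constructed for the demo.

```shell
#!/bin/sh
# Added example (constructed names and demo CAs, not from the thread).

# Print the issuer DN of a PEM certificate.
cert_issuer() {
    openssl x509 -in "$1" -noout -issuer | sed 's/^issuer= *//'
}

# Succeed only if CERT ($2) verifies against the CA bundle ($1).
chains_to_ca() {
    openssl verify -CAfile "$1" "$2" >/dev/null 2>&1
}

# Succeed only if private KEY ($1) and CERT ($2) carry the same public key.
key_matches_cert() {
    k=$(openssl pkey -in "$1" -pubout 2>/dev/null) || return 1
    c=$(openssl x509 -in "$2" -noout -pubkey 2>/dev/null) || return 1
    [ -n "$k" ] && [ "$k" = "$c" ]
}

# diagnose_proxy_tls CA CERT KEY: 0 = consistent, 1 = wrong CA, 2 = wrong key.
diagnose_proxy_tls() {
    if ! key_matches_cert "$3" "$2"; then
        echo "KEY MISMATCH: $3 does not belong to $2"
        return 2
    fi
    if ! chains_to_ca "$1" "$2"; then
        echo "UNKNOWN CA: $2 issued by '$(cert_issuer "$2")', not by $1"
        return 1
    fi
    echo "OK: $2 chains to $1"
}

# Build throwaway demo material in DIR ($1): two unrelated CAs and a proxy
# certificate for dhcp.example.com signed by the "puppet" one.
make_constructed_pki() {
    for name in katello puppet; do
        openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
            -subj "/CN=constructed $name CA" \
            -keyout "$1/$name-ca.key" -out "$1/$name-ca.pem" 2>/dev/null || return 1
    done
    openssl req -newkey rsa:2048 -nodes -subj "/CN=dhcp.example.com" \
        -keyout "$1/proxy.key" -out "$1/proxy.csr" 2>/dev/null || return 1
    openssl x509 -req -in "$1/proxy.csr" -days 1 -CAcreateserial \
        -CA "$1/puppet-ca.pem" -CAkey "$1/puppet-ca.key" \
        -out "$1/proxy.pem" 2>/dev/null
}
```

With the paths from the settings file in the thread, the call would be `diagnose_proxy_tls /etc/foreman-proxy/ssl/ca.pem /etc/foreman-proxy/ssl/dhcp.example.com.pem /etc/foreman-proxy/ssl/dhcp.example.com.key`, repeated with the CA file the Foreman/Katello server trusts as the first argument.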
