On Tue, Jun 06, 2017 at 02:16:10PM +0200, Marc Haber wrote:
> Judging from searching for this error message, Foreman does not like the
> certificate presented by the smart proxy. Dual-checking the Certificate
> with openssl s_client -connect=my.new.hostname.example:8443 shows that
> it actually returns the new self-signed cert.

Turned out that I did the dual-checking from my own workstation, which was
cause for some confusion, see below.

> My guess is that Foreman wants to see a certificate from the Puppet CA.
> How do I generate one manually? I know about puppet cert list and puppet
> cert sign, but I am at a loss about how to make my certificate request
> show up in the list. Do I only need to dump the certificate request in a
> certain directory (which one?) with a file name matching a certain
> pattern (which one?), or do I also need to call a certain command (which
> one?)?

You just dump the certificate request, named full.qualified.host.name.pem,
in /var/lib/puppet/ssl/ca/requests, and it'll automatically show up in
puppet cert list, and can therefore be signed with puppet cert sign. The
puppet CA only signs requests that don't have some of the extensions made
by openssl in the default, but gives quite clear error messages, so
tailoring the openssl.cnf to puppet's needs was rather easy. The signed
certificate can then be picked up from /var/lib/puppet/ssl/ca/signed.

After I put the new certificate on the new host, the error message
changed. But that was PEBCAK.

Admin tip of the day: If you rename a copy of a system by means of
find /etc | xargs sed -i s/old/new/g, make sure to run the same
replacement for the IP address as well, or you'll find your system
talking to the old box instead of to itself.

Greetings
Marc

-- 
-----------------------------------------------------------------------------
Marc Haber         | "I don't trust Computers. They | Mail address in header
Leimen, Germany    |  lose things."    Winona Ryder | Fon: *49 6224 1600402
Nordisch by Nature | How to make an American Quilt  | Fax: *49 6224 1600421
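The CSR staging step Marc describes, as an added shell example that is not part of his mail and not Puppet's own tooling: it writes a minimal openssl.cnf that requests no certificate extensions (the mail says the Puppet CA refuses some of openssl's defaults), generates a key and CSR whose CN is the FQDN, checks whether the CSR carries any X509v3 extension request, and copies it under the <fqdn>.pem name into the CA's requests directory. For contrast it can also build a CSR with openssl's usual basicConstraints/keyUsage request extensions so the check is seen to flag it. The hostname proxy.example.test, the working directories, the 2048-bit RSA key size and the optional ssl-dir override are assumptions; the puppet cert list / puppet cert sign calls must then be run on the CA host and appear only as comments.

```shell
#!/bin/sh
# Added example, not code from the mail or from Puppet: prepare a CSR the
# Puppet CA will accept and stage it where "puppet cert list" finds it.
# Assumptions: openssl is on PATH; the CA's ssl dir is /var/lib/puppet/ssl
# unless a third argument overrides it; all hostnames are constructed.

# Write an openssl.cnf for the request. Without the optional third
# argument it sets only the subject CN and asks for no extensions, so the
# CSR carries none of the default extensions the Puppet CA objects to.
# With it, the stock-style basicConstraints/keyUsage request extensions
# are added so the extension check below can be seen to trigger.
write_req_cnf() {  # write_req_cnf <fqdn> <outfile> [with_exts]
  {
    printf '[ req ]\ndistinguished_name = req_dn\nprompt = no\ndefault_md = sha256\n'
    if [ -n "$3" ]; then printf 'req_extensions = v3_req\n'; fi
    printf '\n[ req_dn ]\nCN = %s\n' "$1"
    if [ -n "$3" ]; then
      printf '\n[ v3_req ]\nbasicConstraints = CA:FALSE\n'
      printf 'keyUsage = nonRepudiation, digitalSignature, keyEncipherment\n'
    fi
  } > "$2"
}

# Generate key + CSR for <fqdn> in <workdir>. The CN must equal the FQDN
# that will be used as the file name in ca/requests. The key is left
# unencrypted (-nodes) because the agent reads it without a passphrase,
# so the work directory is made private.
make_csr() {  # make_csr <fqdn> <workdir> [with_exts]
  fqdn=$1; dir=$2
  mkdir -p "$dir" && chmod 700 "$dir"
  write_req_cnf "$fqdn" "$dir/openssl.cnf" "$3"
  openssl req -new -newkey rsa:2048 -nodes -config "$dir/openssl.cnf" \
    -keyout "$dir/$fqdn.key" -out "$dir/$fqdn.csr" >/dev/null 2>&1
}

# Exit 0 when the CSR requests any named X509v3 extension (the kind
# openssl's stock config sections add); a CSR meant for the Puppet CA
# should make this fail. Checks the extension lines themselves rather
# than the "Requested Extensions" header, which some openssl builds print
# even when the list is empty.
csr_has_extensions() {  # csr_has_extensions <csr>
  openssl req -noout -text -in "$1" | grep -q 'X509v3'
}

# Print the CSR's subject CN so it can be compared with the intended FQDN
# (handles both "/CN=x" and "CN = x" subject formats).
csr_cn() {  # csr_cn <csr>
  openssl req -noout -subject -in "$1" | sed -n 's/.*CN *= *\([^,/]*\).*/\1/p'
}

# Copy the CSR to <ssl_dir>/ca/requests/<fqdn>.pem, the name and location
# the mail gives, and print the destination path.
stage_csr() {  # stage_csr <csr> <fqdn> [ssl_dir]
  ssl_dir=${3:-/var/lib/puppet/ssl}
  dest="$ssl_dir/ca/requests/$2.pem"
  mkdir -p "$ssl_dir/ca/requests"
  cp "$1" "$dest"
  echo "$dest"
}

# On the CA host, after staging (commands from the mail; not run here):
#   puppet cert list                      # the request now shows up
#   puppet cert sign proxy.example.test   # sign it
#   ls /var/lib/puppet/ssl/ca/signed/proxy.example.test.pem
```

Typical use on the CA host is make_csr proxy.example.test /root/csr-work, then csr_has_extensions on the result (it should fail, i.e. no extensions found), then stage_csr with the same FQDN and the real /var/lib/puppet/ssl, followed by the puppet cert commands above. The private key never leaves the work directory; only the CSR is copied.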
