Re: [foreman-users] Re: foreman/katello smart-proxy setup

2017-06-06 Thread Vincenzo Z
Thanks Eric for your answer.

My DHCP is running on a Debian server so I can't do a fresh installation.

Indeed, if I follow the Smart Proxy instructions in the Foreman docs, it 
doesn't work because the certificate for my DHCP Smart Proxy server is 
generated by Puppet.

Finally, I found a solution to add a smart-proxy with foreman-installer 
--scenario katello installation:

foreman-proxy-certs-generate --foreman-proxy-fqdn dhcp.example.com \
  --certs-tar "~/dhcp.example.com-certs.tar"

tar -xvf dhcp.example.com-certs.tar

yum install ssl-build/dhcp.example.com/dhcp.example.com-foreman-proxy-1.0-1.noarch.rpm

copy /etc/pki/katello-certs-tools/certs/dhcp.example.com-foreman-proxy.crt, 
/etc/pki/katello-certs-tools/certs/dhcp.example.com-foreman-proxy.key and 
/etc/foreman/proxy_ca.pem


Next step, find a way to do it with a certificate signed with our internal 
CA.


On Saturday, 3 June 2017 at 18:11:06 UTC+2, Eric Helms wrote:
>
> Katello does not use the puppet certificates for a majority of 
> configuration which means that if you follow the Smart Proxy instructions 
> you pointed to you'll likely end up with a smart proxy that cannot 
> communicate back to the server.
>
> Was your DHCP smart proxy an existing smart proxy or a fresh install? I 
> would recommend looking at how to install a smart proxy when you have a 
> Katello install:
>
> https://theforeman.org/plugins/katello/3.4/installation/smart_proxy.html
>
> This by default configures the smart proxy with content for syncing 
> content to an external location or datacenter. If you are not wanting to 
> use this and thus want a lighter weight smart proxy with your Katello 
> install you can disable Pulp setup and configuration.
>
> Eric
>
> On May 29, 2017 5:35 AM, "Vincenzo Z" wrote:
>
>> Update: when I use the foreman-installer without Katello I can add my DHCP 
>> proxy without problems:
>>
>> foreman-installer --scenario foreman --foreman-admin-password test
>>
>>
>>
>> On Wednesday, 24 May 2017 at 15:12:11 UTC+2, Vincenzo Z wrote:
>>>
>>> Hello,
>>>
>>>
>>> I'm trying to install katello/foreman with a DHCP smart-proxy located on 
>>> another server.
>>>
>>> My first attempt was to use a certificate signed by our internal CA with 
>>> this command:
>>> foreman-installer --scenario katello --foreman-admin-password test \
>>>   --certs-server-cert "/root/katello_certs/katello2.example.com.crt" \
>>>   --certs-server-cert-req "/root/katello_certs/katello2.example.com.csr" \
>>>   --certs-server-key "/root/katello_certs/katello2.example.com.key" \
>>>   --certs-server-ca-cert "/root/katello_certs/cacert.pem"
>>>
>>> Installation was successful and I was able to connect to my foreman web 
>>> interface without SSL warnings.
>>>
>>>
>>> Next step was to setup the connection between my foreman and my DHCP 
>>> smart-proxy:
>>>
>>> So I followed the steps documented here 
>>> https://theforeman.org/manuals/1.15/index.html#4.3SmartProxies
>>>
>>> generate my cert on my foreman server: 
>>>
>>> puppet cert generate dhcp.example.com
>>>
>>> copy cert, ca and key to the /etc/foreman-proxy/ssl directory on my DHCP 
>>> smart-proxy
>>>
>>> edit my settings.yml config file like this:
>>>
>>> ---
>>> :settings_directory: "/etc/foreman-proxy/settings.d"
>>> :daemon: true
>>> :daemon_pid: /var/run/foreman-proxy/foreman-proxy.pid
>>> :bind_host: '*'
>>> :https_port: 8443
>>> :ssl_certificate: /etc/foreman-proxy/ssl/dhcp.example.com.pem
>>> :ssl_ca_file: /etc/foreman-proxy/ssl/ca.pem
>>> :ssl_private_key: /etc/foreman-proxy/ssl/dhcp.example.com.key
>>> :trusted_hosts:
>>> - katello2.example.com
>>> :log_file: /var/log/foreman-proxy/proxy.log
>>> :log_level: DEBUG
>>>
>>> open firewall ports
>>>
>>> When I try to connect from my foreman web interface with this URL 
>>> https://dhcp.example.com:8443
>>>
>>> I get this error message in the log file of my DHCP smart-proxy:
>>>
>>> "OpenSSL::SSL::SSLError: SSL_accept returned=1 errno=0 state=unknown 
>>> state: tlsv1 alert unknown ca" 
>>>
>>>
>>> It's a CA issue maybe because I'm playing with internal CA so I tried 
>>> with the self-signed certificates generated with the foreman/katello 
>>> installation:
>>>
>>> foreman-installer --scenario katello --foreman-admin-password "test" 
>>>
>>> Same error.
>>>
>>>
>>> I think I'm missing something in the smart-proxy setup and I'm not playing 
>>> with the right certificates.
>>>
>>> I probably don't use the same CA to sign my foreman certificate and my 
>>> DHCP smart-proxy certificate.
>>>
>>> Can somebody point me in the right direction to solve this problem?
>>>
>>>
>>> Best regards,
>>>
>>>
>>>
>>> -- 
>> You received this message because you are subscribed to the Google Groups 
>> "Foreman users" group.
>> To unsubscribe from this group and stop receiving emails from it, send an 
>> email to foreman-user...@googlegroups.com.
>> To post to this group, send email to forema...@googlegroups.com.
>> Visit this group at https://groups.google.com/group/foreman-users.
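
Added example (not part of the original posts, and not Foreman or Katello code): the "unknown ca" alert quoted in the thread means the peer could not chain the presented certificate to a CA it trusts, which is the Puppet-CA versus Katello-CA mismatch the thread arrives at. The script reproduces that check offline with openssl; the two throw-away CAs and the names puppet-ca, katello-ca and check_proxy_cert are constructed for illustration.

```bash
#!/usr/bin/env bash
# Constructed data: two throw-away CAs stand in for the Puppet CA and the
# Katello CA; dhcp.example.com is the proxy host name used in the thread.
set -eu

# make_ca NAME: self-signed CA, written to NAME.key / NAME.crt
make_ca() {
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=$1" \
    -keyout "$1.key" -out "$1.crt" 2>/dev/null
}

# issue_cert HOST CA: leaf certificate for HOST signed by CA (HOST.key / HOST.crt)
issue_cert() {
  openssl req -new -newkey rsa:2048 -nodes -subj "/CN=$1" \
    -keyout "$1.key" -out "$1.csr" 2>/dev/null
  openssl x509 -req -in "$1.csr" -CA "$2.crt" -CAkey "$2.key" \
    -CAcreateserial -days 1 -out "$1.crt" 2>/dev/null
}

# chain_ok CERT CAFILE: true only if CERT chains to the CA in CAFILE
chain_ok() { openssl verify -CAfile "$2" "$1" >/dev/null 2>&1; }

# key_matches CERT KEY: true only if KEY is the private key belonging to CERT
key_matches() {
  [ "$(openssl x509 -in "$1" -noout -pubkey)" = "$(openssl pkey -in "$2" -pubout)" ]
}

# check_proxy_cert CERT KEY CAFILE: prints ok, unknown-ca or key-mismatch
check_proxy_cert() {
  if ! key_matches "$1" "$2"; then echo "key-mismatch"
  elif ! chain_ok "$1" "$3"; then echo "unknown-ca"
  else echo "ok"; fi
}

# run_demo: issue the proxy cert from the "puppet" CA, then check it against
# each CA, and once against a private key that does not belong to it.
run_demo() (
  cd "$(mktemp -d)"
  make_ca puppet-ca; make_ca katello-ca
  issue_cert dhcp.example.com puppet-ca
  crt=dhcp.example.com.crt; key=dhcp.example.com.key
  echo "puppet-ca=$(check_proxy_cert "$crt" "$key" puppet-ca.crt)"
  echo "katello-ca=$(check_proxy_cert "$crt" "$key" katello-ca.crt)"
  echo "wrong-key=$(check_proxy_cert "$crt" katello-ca.key katello-ca.crt)"
)

run_demo
```

On a real proxy, check_proxy_cert would be given the files named in :ssl_certificate and :ssl_private_key together with the CA file the Foreman server actually trusts.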

Re: [foreman-users] Re: foreman/katello smart-proxy setup

2017-06-03 Thread Eric D Helms
Katello does not use the puppet certificates for a majority of
configuration which means that if you follow the Smart Proxy instructions
you pointed to you'll likely end up with a smart proxy that cannot
communicate back to the server.

Was your DHCP smart proxy an existing smart proxy or a fresh install? I
would recommend looking at how to install a smart proxy when you have a
Katello install:

https://theforeman.org/plugins/katello/3.4/installation/smart_proxy.html

This by default configures the smart proxy with content for syncing content
to an external location or datacenter. If you are not wanting to use this
and thus want a lighter weight smart proxy with your Katello install you
can disable Pulp setup and configuration.

Eric



[foreman-users] Re: foreman/katello smart-proxy setup

2017-05-29 Thread Vincenzo Z
Update: when I use the foreman-installer without Katello I can add my DHCP 
proxy without problems:

foreman-installer --scenario foreman --foreman-admin-password test


