Hello Pascal,

Thanks for your answer, I've tried that too, this works great for replacing 
Katello/Foreman Web SSL certificate and also for the smart proxy but not 
for puppet. I wanted to disable the puppet ca and use the one provided by 
freeIPA. I've tried to replace the puppet certificate by hand as specified 
in the doc but I do still have SSL authentication problems.

Best regards,
Arsène

On Friday, May 19, 2017 at 10:38:14 PM UTC+2, pascalp wrote:
>
> Hello,
>
> when I installed Katello to use my FreeIPA CA I had to install in two 
> steps to get it to work (this was a couple versions ago). Here are my notes:
>
> sudo foreman-installer --scenario katello \
> --foreman-admin-username admin \
> --foreman-admin-password "<password>" \
> --foreman-initial-organization "<myorg>" \
> --foreman-initial-location "<location>" \
> --katello-cdn-ssl-version "TLSv1" \
> --foreman-http-keytab "/etc/http.keytab" \
> --foreman-ipa-authentication true \
> --foreman-pam-service "foreman" \
> --foreman-ipa-manage-sssd true \
> --foreman-proxy-realm true \
> --foreman-proxy-realm-keytab "/etc/foreman-proxy/freeipa.keytab" \
> --foreman-proxy-realm-principal "<user>@IPA.MYDOMAIN.COM"
>
> #not sure if the following three steps are really needed/why I did them
> sudo cp /etc/pki/katello/certs/katello-default-ca.crt /etc/pki/ca-trust/source/anchors/
> sudo update-ca-trust force-enable
> sudo update-ca-trust extract
>
> sudo foreman-installer --scenario katello \
> --certs-server-cert "/etc/pki/tls/certs/katello01.ipa.mydomain.com.crt" \
> --certs-server-cert-req "/etc/pki/tls/misc/katello01.ipa.mydomain.com.csr" \
> --certs-server-key "/etc/pki/tls/private/katello01.ipa.mydomain.com.key" \
> --certs-server-ca-cert "/etc/ipa/ca.crt" \
> --certs-update-server --certs-update-server-ca
>
> Hope this helps.
> Kind regards
> Pascal
>
> On Friday, May 19, 2017 at 12:01:56 PM UTC+2, Arsène Gschwind wrote:
>>
>> Hi,
>>
>> I'm trying to install the latest Katello using freeipa as external SSL CA.
>> The certificates were generated using ipa-getcert and stored at 
>> /etc/pki/katello-ipa.
>> I've used the following installer options:
>>
>> foreman-installer --scenario katello \
>> --certs-server-cert='/etc/pki/katello-ipa/certs/katello.pem' \
>> --certs-server-cert-req='/etc/pki/katello-ipa/certs/katello.req' \
>> --certs-server-key='/etc/pki/katello-ipa/private/katello.key' \
>> --certs-server-ca-cert='/etc/pki/katello-ipa/certs/ca-certs.pem' \
>> --certs-update-server \
>> --certs-update-server-ca \
>> --certs-update-all \
>> --enable-foreman-plugin-ansible \
>> --enable-foreman-plugin-hooks \
>> --enable-foreman-plugin-remote-execution \
>> --enable-foreman-plugin-tasks \
>> --enable-foreman-proxy-plugin-ansible \
>> --enable-foreman-proxy-plugin-remote-execution-ssh \
>> --foreman-email-delivery-method='smtp' \
>> --foreman-email-smtp-address='localhost' \
>> --foreman-email-smtp-domain='<domain>' \
>> --foreman-ipa-authentication=true \
>> --foreman-proxy-dhcp=true \
>> --foreman-proxy-dhcp-gateway='xx.xx.xx.xx' \
>> --foreman-proxy-dhcp-nameservers='xx.xx.xx.xx,yy.yy.yy.yy' \
>> --foreman-proxy-dhcp-option-domain='xxxxxx' \
>> --foreman-proxy-dhcp-search-domains='xxxxxx' \
>> --foreman-proxy-dhcp-subnets='yy.yy.yy.yy/255.255.255.0' \
>> --foreman-proxy-puppet-ssl-ca='/etc/pki/katello-ipa/certs/ca-certs.pem' \
>> --foreman-proxy-puppet-ssl-cert='/etc/pki/katello-ipa/certs/puppetmaster.pem' \
>> --foreman-proxy-puppet-ssl-key='/etc/pki/katello-ipa/private/puppetmaster.key' \
>> --foreman-proxy-puppetca=false \
>> --foreman-proxy-realm=true \
>> --foreman-proxy-realm-keytab='/etc/foreman-proxy/freeipa.keytab' \
>> --foreman-proxy-realm-principal='<user>@<REALM>' \
>> --foreman-proxy-realm-provider=freeipa \
>> --foreman-proxy-ssl=true \
>> --foreman-proxy-ssl-ca='/etc/pki/katello-ipa/certs/ca-certs.pem' \
>> --foreman-proxy-ssl-cert='/etc/pki/katello-ipa/certs/foreman-proxy.pem' \
>> --foreman-proxy-ssl-key='/etc/pki/katello-ipa/private/foreman-proxy.key' \
>> --foreman-proxy-tftp-listen-on=both \
>> --enable-foreman-plugin-discovery \
>> --foreman-proxy-freeipa-remove-dns
>>
>> and I get the following error 
>>  Proxy <hostname-fqdn> cannot be registered: Unable to communicate with 
>> the proxy: ERF12-2530 [ProxyAPI::ProxyException]: Unable to detect features 
>> ([OpenSSL::SSL::SSLError]: SSL_connect returned=1 errno=0 state=SSLv3 read 
>> server session ticket A: tlsv1 alert un...) for proxy 
>> https://<hostname-fqdn>:9090/features Please check the proxy is configured 
>> and running on the host.
>>
>> The foreman proxy is running:
>> systemctl status foreman-proxy.service 
>> ● foreman-proxy.service - Foreman Proxy
>>    Loaded: loaded (/usr/lib/systemd/system/foreman-proxy.service; 
>> enabled; vendor preset: disabled)
>>    Active: active (running) since Fri 2017-05-19 11:53:44 CEST; 3min 14s 
>> ago
>>  Main PID: 11223 (ruby)
>>    CGroup: /system.slice/foreman-proxy.service
>>            └─11223 ruby /usr/share/foreman-proxy/bin/smart-proxy
>>
>> May 19 11:53:44 spfy-tfm systemd[1]: Starting Foreman Proxy...
>> May 19 11:53:44 spfy-tfm systemd[1]: PID file 
>> /run/foreman-proxy/foreman-proxy.pid not readable (yet?) after start.
>> May 19 11:53:44 spfy-tfm systemd[1]: Started Foreman Proxy.
>>
>> The external Root CA is distributed system-wide and also 
>> in /etc/pki/katello-ipa/certs/ca-certs.pem
>>
>> Any idea what I did wrong or am missing?
>>
>> Thanks for any help/hint
>> Rgds, Arsène
>>
>>
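The SSL handshake failure reported above ("Unable to detect features ... SSLError") is typically the smart proxy presenting a certificate that Foreman cannot validate against the CA bundle it was given. The script below is an added example, not part of this thread or of the Foreman/Katello project: it runs the three checks worth doing on the files before they are handed to `--certs-server-ca-cert`, `--certs-server-cert` and `--certs-server-key` (or the matching `--foreman-proxy-ssl-*` options): the server certificate chains to the CA bundle, the private key belongs to that certificate, and the certificate carries the host's FQDN as a subjectAltName. The paths in the comments are the ones from Arsène's command; the self-test builds a throwaway CA and server certificate with `openssl` instead of touching FreeIPA-issued files.

```shell
#!/bin/sh
# Added example (not from the thread): pre-flight checks for the certificate
# files passed to foreman-installer. Real use on a Katello host would point at
# the FreeIPA-issued files, e.g.
#   /etc/pki/katello-ipa/certs/ca-certs.pem   (CA bundle)
#   /etc/pki/katello-ipa/certs/katello.pem    (server cert)
#   /etc/pki/katello-ipa/private/katello.key  (server key)
# The self-test below uses a constructed throwaway CA instead.

# chain_ok CAFILE CERT: succeed if CERT verifies against the CA bundle CAFILE.
chain_ok() {
  openssl verify -CAfile "$1" "$2" >/dev/null 2>&1
}

# key_matches_cert CERT KEY: succeed if KEY's public key is the one in CERT.
# Both commands emit the public key as SubjectPublicKeyInfo PEM, so the two
# strings compare equal exactly when the key pair matches.
key_matches_cert() {
  cert_pub=$(openssl x509 -in "$1" -noout -pubkey 2>/dev/null)
  key_pub=$(openssl pkey -in "$2" -pubout 2>/dev/null)
  [ -n "$cert_pub" ] && [ -n "$key_pub" ] && [ "$cert_pub" = "$key_pub" ]
}

# san_has_host CERT FQDN: succeed if CERT lists DNS:FQDN as a subjectAltName.
# Ruby/OpenSSL clients match the proxy URL's hostname against the SAN list.
san_has_host() {
  openssl x509 -in "$1" -noout -text 2>/dev/null \
    | tr ',' '\n' | sed 's/^[[:space:]]*//' | grep -qxF "DNS:$2"
}

# check_installer_certs CA CERT KEY FQDN: run all three checks, report each,
# return non-zero if any fails.
check_installer_certs() {
  ca=$1; cert=$2; key=$3; host=$4; rc=0
  if chain_ok "$ca" "$cert"; then echo "ok   $cert chains to $ca"
  else echo "FAIL $cert does not verify against $ca"; rc=1; fi
  if key_matches_cert "$cert" "$key"; then echo "ok   $key matches $cert"
  else echo "FAIL $key is not the private key for $cert"; rc=1; fi
  if san_has_host "$cert" "$host"; then echo "ok   SAN contains DNS:$host"
  else echo "FAIL SAN does not contain DNS:$host"; rc=1; fi
  return $rc
}

# make_test_pki DIR FQDN: constructed test fixtures only. Creates a throwaway
# CA, a server cert for FQDN signed by it, and an unrelated key (other.key)
# to exercise the mismatch branch. Nothing here is a FreeIPA artefact.
make_test_pki() {
  dir=$1; host=$2
  mkdir -p "$dir"
  openssl req -x509 -newkey rsa:2048 -nodes -keyout "$dir/ca.key" \
    -out "$dir/ca.pem" -subj "/CN=Throwaway Test CA" -days 1 >/dev/null 2>&1
  openssl req -newkey rsa:2048 -nodes -keyout "$dir/server.key" \
    -out "$dir/server.csr" -subj "/CN=$host" >/dev/null 2>&1
  printf 'subjectAltName=DNS:%s\n' "$host" > "$dir/san.cnf"
  openssl x509 -req -in "$dir/server.csr" -CA "$dir/ca.pem" -CAkey "$dir/ca.key" \
    -CAcreateserial -days 1 -extfile "$dir/san.cnf" \
    -out "$dir/server.pem" >/dev/null 2>&1
  openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 \
    -out "$dir/other.key" >/dev/null 2>&1
}

# Usage: sh check_certs.sh CA_BUNDLE SERVER_CERT SERVER_KEY FQDN
if [ "$#" -eq 4 ]; then
  check_installer_certs "$@"
fi
```

Run it with the four paths from the installer command and the proxy's FQDN before invoking `foreman-installer`; a failing chain check usually means the bundle handed to `--certs-server-ca-cert` lacks an intermediate, and a failing SAN check means the proxy URL (`https://<fqdn>:9090`) will never match the certificate no matter how the CA is trusted.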
