Trouble configuring ssl for web site #900

Open
Ariakenom opened this issue Nov 2, 2020 · 15 comments

Comments

@Ariakenom

I tried to configure the module with a particular SSLCertificateFile ($server_ssl_cert) and SSLCertificateKeyFile ($server_ssl_key) but not to configure an SSLCertificateChainFile ($server_ssl_chain) or SSLCACertificateFile ($server_ssl_ca).

As far as I can tell puppet-foreman uses undef for its own defaulting, so you can't get Apache's default behavior. So you have to have Apache configured with those two, which seems unfortunate.

@ekohl
Member

ekohl commented Nov 2, 2020

It's common to deploy with one public CA that signed the cert but a different one for authentication. Foreman relies on SSL client certificates for Smart Proxy authentication and we chose not to support an insecure setup. That is the reasoning. Is there anything that we missed?

@Ariakenom
Author

I don't quite understand. Are the certificates used for the Apache web server the same as the ones used for the Smart Proxy?

@ekohl
Member

ekohl commented Nov 4, 2020

When the Smart Proxy connects to Foreman, it uses SSL client certificates. These are validated using a CA specified in SSLCACertificateFile. Since it's common to have a different CA for client certificates than the server certificate, SSLCertificateChainFile is used.

More concretely. Let's say foreman.example.com is signed by Let's Encrypt but the internal CA that created the certificate for the Smart Proxy is a PuppetCA. Then the PuppetCA would go into SSLCACertificateFile and Let's Encrypt in SSLCertificateChainFile.

I never assumed anyone would configure Apache globally this way and thus you need to configure the vhost correctly.

@Ariakenom
Author

Oh I don't intend to do anything strange. I just want to provide a signed cert on the web site. But I suppose I misunderstood how that is supposed to be configured in the puppet interface. I still don't understand how I should do that.

@neomilium
Contributor

@Ariakenom As well explained by @ekohl , just use your « signed cert for the web site » file as SSLCertificateChainFile parameter.

@Ariakenom
Author

Oh I see.

Trying that I get an SSL error in the browser, and the browser shows the server_ssl_cert cert (signed by the puppet CA) and not the server_ssl_chain cert (signed by the CA I want for the web).

@ekohl
Member

ekohl commented Dec 4, 2020

So does that answer your question and can we close this?

@neomilium
Contributor

@Ariakenom AFAIU, your goal is to set up a Foreman instance which is exposed on the Internet or internally with your own certs, for example Let's Encrypt ones, to have a trusted connection out of the box in your browser.
If that's right, the title of this issue tells me you are doing it the wrong way: the CA is required internally to authenticate clients (nodes that request data from Foreman, e.g. during provisioning, and smart proxies, to have a trusted connection with Foreman).

Set server_ssl_cert, server_ssl_chain and server_ssl_key to the corresponding material of your « signed cert for the web site » and leave the other CA-related params at their defaults in order to use the Puppet CA (i.e. server_ssl_ca, server_ssl_crl for client authentication).

@Ariakenom
Author

Oh that does indeed work for other puppets. I didn't notice because I was testing the configuration by running puppet on the foreman server itself and that does not work.

I think the issue is that it uses the web cert as the client cert.

@neomilium
Contributor

@Ariakenom I think you should be more explicit about the issue you found and rename this issue according to your findings.

@Ariakenom
Author

Sorry. Of course.

Previously we had a foreman server with an SSL config like this.

server_ssl_key: <key used in puppet CA and the cert>
server_ssl_ca: <puppet CA>
server_ssl_chain: <puppet CA>
server_ssl_cert: <cert signed by puppet CA>

I'm trying to make the foreman web site serve a cert signed by corporate CA and tried this.

server_ssl_key: <key used in puppet CA and the new cert>
server_ssl_ca: <puppet CA>
server_ssl_chain: <intermediate corporate cert signed by corporate CA>
server_ssl_cert: <cert signed by intermediate corporate cert>

When I try to apply this with puppet agent -t on the foreman server I get the following error. I can run puppet on the other puppets and the web site serves the right cert (when I manually reload httpd, since the puppet configuration fails halfway).

Error: /Stage[main]/Foreman_proxy::Register/Foreman_smartproxy[foreman.corp.int]: Could not evaluate: Exception SSL_connect returned=1 errno=0 state=error: certificate verify failed in get request to: https://foreman.corp.int/api/v2/smart_proxies?search=name=%22se03-foreman01.corp.int%22

Wrapped exception:

SSL_connect returned=1 errno=0 state=error: certificate verify failed

Ariakenom changed the title from "Not configuring CA and Chain in Apache" to "Trouble configuring ssl for web site" on Dec 9, 2020
@neomilium
Contributor

neomilium commented Dec 9, 2020

Could you confirm that the server_ssl_key is the private key recognized by puppet CA and used to emit a CSR to your corporate CA?

@Ariakenom
Author

I was wrong, server_ssl_key is not the key for the CA. It is the key for the new corp cert and the old puppet cert.

@ekohl
Member

ekohl commented Jan 12, 2021

With that, can this issue be regarded as solved and closed?

@Ariakenom
Author

I don't know if that was relevant. It was not part of the previous description. Does the server_ssl_key have to match both?

(This description)

Set server_ssl_cert, server_ssl_chain and server_ssl_key to the corresponding material of your « signed cert for the web site » and leave the other CA-related params at their defaults in order to use the Puppet CA (i.e. server_ssl_ca, server_ssl_crl for client authentication).
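An added example, not code from the issue or from puppet-foreman: a small POSIX sh script that checks the material discussed in the thread with the openssl CLI before it is handed to the module. It answers the "does the key have to match" part for the certificate Apache actually serves (mod_ssl will not start a vhost whose SSLCertificateKeyFile does not belong to its SSLCertificateFile), checks that server_ssl_cert chains through server_ssl_chain to the root a browser trusts, and checks that a client certificate issued by the Puppet CA still validates against server_ssl_ca, which is what mod_ssl does for the Smart Proxy's client certificate. All file paths, the function names and the extra "browser trust root" argument are assumptions of this example; the root that browsers trust is deliberately separate from the four vhost files, because in the layout described above it is the corporate (or Let's Encrypt) root, not the Puppet CA.

```shell
#!/bin/sh
# Added example (not from the issue or puppet-foreman). Sanity checks for the
# files that puppet-foreman places into the Foreman vhost as
#   SSLCertificateKeyFile   <- server_ssl_key
#   SSLCertificateFile      <- server_ssl_cert
#   SSLCertificateChainFile <- server_ssl_chain
#   SSLCACertificateFile    <- server_ssl_ca
# Only the openssl CLI is used; every path is an argument supplied by the caller.

# Public key (SubjectPublicKeyInfo, PEM) of a private key file.
pubkey_of_key() {
    openssl pkey -in "$1" -pubout 2>/dev/null
}

# Public key (SubjectPublicKeyInfo, PEM) of a certificate file.
pubkey_of_cert() {
    openssl x509 -in "$1" -pubkey -noout 2>/dev/null
}

# Succeeds when the private key in $1 is the key of the certificate in $2.
# Comparing the encoded public keys works for RSA and EC alike.
key_matches_cert() {
    key_pub=$(pubkey_of_key "$1") || return 2
    cert_pub=$(pubkey_of_cert "$2") || return 2
    [ -n "$key_pub" ] && [ "$key_pub" = "$cert_pub" ]
}

# Succeeds when the server certificate ($3) chains through the intermediates
# in $2 (server_ssl_chain) to the root in $1, trusting nothing else. $1 is the
# root a browser trusts (corporate or public CA), not one of the vhost files.
web_chain_verifies() {
    openssl verify -no-CAfile -no-CApath -CAfile "$1" -untrusted "$2" "$3" >/dev/null 2>&1
}

# Succeeds when a client certificate ($2, e.g. a Smart Proxy's Puppet-signed
# cert) validates against server_ssl_ca ($1), as mod_ssl does for client auth.
client_cert_accepted() {
    openssl verify -no-CAfile -no-CApath -CAfile "$1" "$2" >/dev/null 2>&1
}

# Runs all three checks for the layout discussed in the issue:
#   $1 server_ssl_key   $2 server_ssl_cert   $3 server_ssl_chain
#   $4 root a browser trusts for the web cert
#   $5 server_ssl_ca    $6 a client cert that must be able to authenticate
# Prints one line per failed check and returns the number of failures.
check_vhost_material() {
    failures=0
    key_matches_cert "$1" "$2" \
        || { echo "server_ssl_key does not belong to server_ssl_cert"; failures=$((failures + 1)); }
    web_chain_verifies "$4" "$3" "$2" \
        || { echo "server_ssl_cert does not chain to $4 via server_ssl_chain"; failures=$((failures + 1)); }
    client_cert_accepted "$5" "$6" \
        || { echo "client cert $6 is not accepted by server_ssl_ca"; failures=$((failures + 1)); }
    return "$failures"
}

# Stand-alone use:
#   sh check_vhost.sh KEY CERT CHAIN BROWSER_ROOT CA CLIENT_CERT
if [ "$#" -eq 6 ]; then
    check_vhost_material "$@" && echo "all checks passed"
fi
```

Run with the old Puppet-signed cert as the sixth argument to see the split the thread describes: the web chain is judged against the corporate root, while the client certificate is judged against server_ssl_ca only, so the same key can legitimately sit behind both certificates without either CA knowing about the other.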
