Custom SSL Setup on foreman/katello
I believe everything is working with a custom ssl certificate using the below config.
I did a normal install then changed the config files. I would still like to find out how to specify all
of this in the installer/answer files (the katello installer scenario has --certs-server-cert,
--certs-server-key and --certs-server-ca-cert options that should cover this and survive a re-run; not tested here).
Wildcard cert purchased from comodo: star.example.com.crt, star.example.com.key
CA Bundle from comodo: ca-bundle-comodo.crt (the intermediate chain that links the wildcard cert to a public root)
Note: a wildcard key is valid for every name under example.com, not just this server, so the copy kept here
should stay root-owned, mode 0600 (the default for /etc/pki/tls/private); a compromise of this host exposes every
hostname the wildcard covers, and the cert will need reissuing/revoking if that ever happens.
On foreman server:
/etc/httpd/conf.d/05-foreman-ssl.conf
SSLCertificateFile "/etc/pki/tls/certs/star.example.com.crt"
SSLCertificateChainFile "/etc/pki/tls/certs/ca-bundle-comodo.crt"
SSLCertificateKeyFile "/etc/pki/tls/private/star.example.com.key"
SSLCACertificateFile "/etc/pki/tls/cert.pem"
# NOTE: SSLCACertificateFile is not part of the chain served to browsers; it is the CA set Apache verifies
# *client* certificates against when SSLVerifyClient is on in this vhost (the stock Foreman config enables it
# for smart-proxy / host client-cert auth). Pointing it at the whole system bundle means a client cert issued by
# any public CA passes TLS verification and only Foreman's CN / trusted-host check remains. The tighter choice is
# the CA that actually issued those client certs (katello-default-ca.crt / katello-server-ca.crt) — the browser-facing
# cert does not need to change for that.
/etc/httpd/conf.d/03-crane.conf   (crane = the docker registry front-end installed by katello)
# had to change servername to localhost to get the right ssl cert in the browser. otherwise the private one would still load
# (Apache hands a request to the first vhost on that port whose ServerName/alias matches; with both vhosts answering
# for the FQDN the crane vhost and its katello-signed cert won, so this is a vhost-selection workaround, not a cert
# setting. A later installer run may put the original ServerName back.)
ServerName localhost
SSLCertificateFile "/etc/pki/katello/certs/katello-apache.crt"
SSLCertificateKeyFile "/etc/pki/katello/private/katello-apache.key"
SSLCertificateChainFile "/etc/pki/katello/certs/katello-default-ca.crt"
SSLCACertificatePath "/etc/pki/tls/certs"
SSLCACertificateFile "/etc/pki/tls/cert.pem"
# same caveat as above: these two directives only affect client-cert verification, and the full system trust
# store is a much wider set of issuers than the one katello CA that signed the client certs.
/etc/puppetlabs/puppet/foreman.yaml
:ssl_ca: "/etc/pki/tls/cert.pem"
:ssl_cert: "/etc/pki/tls/certs/star.example.com.crt"
:ssl_key: "/etc/pki/tls/private/star.example.com.key"
# :ssl_ca here is (presumably) only used to verify foreman's server cert when the ENC/report processor calls it;
# since foreman now presents the public wildcard, the system bundle is the right trust store for that.
/etc/foreman/settings.yaml
# websockets should probably be changed to the custom cert location to match apache
# (browsers connect to the console websocket proxy directly, so presumably it still presents the katello-signed
# cert until this is done — verify with a VNC console)
:websockets_ssl_key: /etc/pki/katello/private/katello-apache.key
:websockets_ssl_cert: /etc/pki/katello/certs/katello-apache.crt
:ssl_certificate: /etc/foreman/client_cert.pem
:ssl_ca_file: /etc/pki/tls/cert.pem
:ssl_priv_key: /etc/foreman/client_key.pem
# :ssl_ca_file is what foreman uses to verify smart proxies when it calls them; their certs are katello-signed
# (ssl_cert.pem below = foreman-proxy.crt by md5), so the system bundle only works because katello-server-ca was
# added to the system anchors further down. proxy_ca.pem is that same CA (md5 bd85...), so it could be used here directly.
# md5sum /etc/foreman/*.pem   (md5 is used throughout only to spot which files are copies of each other;
# to actually identify a cert use `openssl x509 -noout -subject -issuer -fingerprint -sha256 -in FILE`)
9450a1d8dfd239efe3d31916f1eeec8d client_cert.pem
67231dd8eb9d737108383fa9ad444861 client_key.pem
bd85d8897c8fda210fc24ef915de709b proxy_ca.pem
/etc/foreman-proxy/settings.yml
:ssl_ca_file: /etc/pki/tls/cert.pem
:ssl_certificate: /etc/foreman-proxy/ssl_cert.pem
:ssl_private_key: /etc/foreman-proxy/ssl_key.pem
:foreman_ssl_ca: /etc/pki/tls/cert.pem
:foreman_ssl_cert: /etc/foreman-proxy/foreman_ssl_cert.pem
:foreman_ssl_key: /etc/foreman-proxy/foreman_ssl_key.pem
# NOTE: the proxy's :ssl_ca_file is the CA it verifies incoming *client* certs (from foreman) against. With the
# full system bundle, a cert from any public CA is accepted at the TLS layer and only :trusted_hosts stands between
# a caller and the proxy API. The original per-service CA (ssl_ca.pem, which by md5 is the katello CA) is the
# tighter choice and does not depend on the public cert at all.
# :foreman_ssl_ca only verifies foreman's server cert, which is now the public wildcard, so the system bundle is
# appropriate there.
/etc/foreman-proxy
# md5sum *.pem
bd85d8897c8fda210fc24ef915de709b foreman_ssl_ca.pem
2bab97e02fbc49bef2f9a4968f2875f9 foreman_ssl_cert.pem
4e9cfb1eb259ed84596f8b1d46a7524b foreman_ssl_key.pem
bd85d8897c8fda210fc24ef915de709b ssl_ca.pem
6a161d72396f80dd149c3d09e3710cf5 ssl_cert.pem
eb308439eaf0a1df7daa4bb913721226 ssl_key.pem
/etc/qpid-dispatch/qdrouterd.conf
# cert-db is the trust store qdrouterd verifies its peers against (broker and connecting clients), and the
# certs on both sides are katello-signed; this only works because the katello CA is in the system anchors, and
# it again widens the accepted issuers from one internal CA to every public CA. Not changed by the wildcard cert,
# so these could stay at the katello CA.
ssl-profile {
    name: client
    cert-db: /etc/pki/tls/cert.pem
    cert-file: /etc/pki/katello/qpid_router_client.crt
    key-file: /etc/pki/katello/qpid_router_client.key
}
ssl-profile {
    name: server
    cert-db: /etc/pki/tls/cert.pem
    cert-file: /etc/pki/katello/qpid_router_server.crt
    key-file: /etc/pki/katello/qpid_router_server.key
}
/etc/pulp/server.conf
[security]
cacert: /etc/pki/pulp/ca.crt
[messaging]
cacert: /etc/pki/tls/cert.pem
[tasks]
cacert: /etc/pki/katello/certs/katello-default-ca.crt
# [messaging] and [tasks] both talk to the internal qpid broker, whose cert is katello-signed; they could both use
# katello-default-ca.crt as [tasks] does, rather than the system bundle.
ca-bundle-comodo.crt is the bundle from the ssl provider
copied ca-bundle-comodo.crt to /etc/pki/ca-trust/source/anchors/
update-ca-trust && update-ca-trust extract
# ls -la /etc/pki/ca-trust/source/anchors/
-rw-r--r--. 1 root root 5626 Feb 9 11:15 ca-bundle-comodo.crt
-rw-r--r--. 1 root root 5373 Feb 8 14:39 katello-server-ca.pem
-rw-r--r--. 1 root root 5373 Feb 8 09:14 katello_server-host-cert.crt
# md5sum *
d6043ae416229f1641e083a1d586b6c7 ca-bundle-comodo.crt
bd85d8897c8fda210fc24ef915de709b katello-server-ca.pem
bd85d8897c8fda210fc24ef915de709b katello_server-host-cert.crt
# Notes:
# - katello_server-host-cert.crt is byte-identical to katello-server-ca.pem (same md5): it is the katello CA under a
#   misleading name, not a host cert. One copy is enough.
# - Having the katello CA in the system anchors is what makes every "/etc/pki/tls/cert.pem" reference above work,
#   but it also means everything on this host trusts that CA for any hostname. Protect katello-default-ca.key
#   (in /etc/pki/katello/private) at least as carefully as the wildcard key.
# - The comodo intermediates are normally not needed as anchors if the comodo roots are already in the system bundle;
#   harmless, but they were probably only required because of the "cert.pem" references, not for serving the cert
#   (the chain served to clients comes from SSLCertificateChainFile).
For reference: | |
/etc/pki/katello | |
# md5sum *.crt *.key | |
ee44a087b3a2abaaffa5c602a22054c6 qpid_client_striped.crt | |
e8dc50547691dcb417c84fe29fb877ed qpid_router_client.crt | |
e7fb25a56203eb98815479f8868c4612 qpid_router_server.crt | |
3c54fae87115bfdd770ded28fab47b8a qpid_router_client.key | |
75431cf12d912e9fced488b90e45fc25 qpid_router_server.key | |
/etc/pki/katello/private | |
# md5sum * | |
4463248fbd716d103af59f05adfdc1d2 foreman.example.com-foreman-proxy-client-bundle.pem | |
6530f601cf20c23db30fe974ea648fc2 foreman.example.com-qpid-broker.key | |
49248873bbb45f6e65b529bb4de795a5 java-client.key | |
659e7b068ecf84f6a1aec700a38fa3f9 katello-apache.key | |
dfb58f098ac0fcab2ae2ec271ec03128 katello-default-ca.key | |
d3a0a04e42e2193e351e54a9550f3809 katello-default-ca.pwd | |
fbf25b330b954e933418a64864129bb5 pulp-client.key | |
/etc/pki/katello/certs | |
# md5sum * | |
df3f0f7a720520e3ba1d73f135a6d13d foreman.example.com-qpid-broker.crt | |
299f06f5c43538974ca45c25c9e2b63e java-client.crt | |
ea632d9176ac6f16a5bf67127bab773c katello-apache.crt | |
bd85d8897c8fda210fc24ef915de709b katello-default-ca.crt | |
88f32f5814f834570cda035e5cd59ae5 katello-default-ca-stripped.crt | |
bd85d8897c8fda210fc24ef915de709b katello-server-ca.crt | |
/etc/pki/katello-certs-tools/certs | |
# md5sum *.crt | |
ea632d9176ac6f16a5bf67127bab773c foreman.example.com-apache.crt | |
9450a1d8dfd239efe3d31916f1eeec8d foreman.example.com-foreman-client.crt | |
2bab97e02fbc49bef2f9a4968f2875f9 foreman.example.com-foreman-proxy-client.crt | |
6a161d72396f80dd149c3d09e3710cf5 foreman.example.com-foreman-proxy.crt | |
883ffc9d8caeef9547ef3da1f579daf4 foreman.example.com-puppet-client.crt | |
df3f0f7a720520e3ba1d73f135a6d13d foreman.example.com-qpid-broker.crt | |
67b0f50ae0b15b3237b838ae75515d39 foreman.example.com-qpid-client-cert.crt | |
e8dc50547691dcb417c84fe29fb877ed foreman.example.com-qpid-router-client.crt | |
e7fb25a56203eb98815479f8868c4612 foreman.example.com-qpid-router-server.crt | |
299f06f5c43538974ca45c25c9e2b63e java-client.crt | |
bd85d8897c8fda210fc24ef915de709b katello-default-ca.crt | |
bd85d8897c8fda210fc24ef915de709b katello-server-ca.crt | |
fd12d69cbd5f20121acbb4e706883146 pulp-client.crt | |
/etc/pki/katello-certs-tools/private | |
# md5sum * | |
659e7b068ecf84f6a1aec700a38fa3f9 foreman.example.com-apache.key | |
67231dd8eb9d737108383fa9ad444861 foreman.example.com-foreman-client.key | |
4e9cfb1eb259ed84596f8b1d46a7524b foreman.example.com-foreman-proxy-client.key | |
eb308439eaf0a1df7daa4bb913721226 foreman.example.com-foreman-proxy.key | |
edcce9176a46eafc00d8e488cdfb93ed foreman.example.com-puppet-client.key | |
6530f601cf20c23db30fe974ea648fc2 foreman.example.com-qpid-broker.key | |
51b17bcbc85b1c7ed2c3c4ff13bb94e2 foreman.example.com-qpid-client-cert.key | |
3c54fae87115bfdd770ded28fab47b8a foreman.example.com-qpid-router-client.key | |
75431cf12d912e9fced488b90e45fc25 foreman.example.com-qpid-router-server.key | |
49248873bbb45f6e65b529bb4de795a5 java-client.key | |
fbf25b330b954e933418a64864129bb5 pulp-client.key | |
on clients:
copy ca-bundle-comodo.crt to /etc/rhsm/ca/comodo-ca.pem
# Keep the .pem extension: as far as I can tell subscription-manager only loads *.pem files from its ca_cert_dir
# (/etc/rhsm/ca), so a .crt copy would be silently ignored. Check with `subscription-manager identity` or
# `subscription-manager refresh` after copying.
Would be nice if this was just part of the katello-ca-consumer rpm (which already drops katello-server-ca.pem into /etc/rhsm/ca)