Plugins » Katello

2) Create a documentation on how to create the required certificate files to connect a smart proxy without using the Puppet certificates. (I will add them here as soon as I have them).

1) Generate the certificates using the capsule-certs-generate

capsule-certs-generate --capsule-fqdn "mycapsule.example.com" --certs-tar "~/mycapsule.example.com-certs.tar" 

2) Use scp to get the following files to the Smart-Proxy: (from the formeman/katello instance)

export fqdn=mycapsule.example.com
scp /etc/foreman-proxy/ssl_ca.pem root@$fqdn:/etc/foreman-proxy/ssl/certs/ca.pem
scp /root/ssl-build/$fqdn/$fqdn-foreman-proxy.crt root@$fqdn:/etc/foreman-proxy/ssl/certs/$fqdn-foreman-proxy.crt
scp /root/ssl-build/$fqdn/$fqdn-foreman-proxy.key root@$fqdn:/etc/foreman-proxy/ssl/certs/$fqdn-foreman-proxy.key

3) Make sure the files (on the smart proxy) belong to the foreman-proxy user

chown foreman-proxy:foreman-proxy /etc/foreman-proxy/ssl/certs/ca.pem
chown foreman-proxy:foreman-proxy /etc/foreman-proxy/ssl/certs/mycapsule.example.com-foreman-proxy.crt
chown foreman-proxy:foreman-proxy /etc/foreman-proxy/ssl/certs/mycapsule.example.com-foreman-proxy.key

4) Add the following files to your foreman-proxy settings.yaml

# grep -e ^:ssl /etc/foreman-proxy/settings.yml 
:ssl_ca_file: /etc/foreman-proxy/ssl/certs/ca.pem
:ssl_certificate: /etc/foreman-proxy/ssl/certs/mycapsule.example.com-foreman-proxy.crt
:ssl_private_key: /etc/foreman-proxy/ssl/private_keys/mycapsule.example.com-foreman-proxy.key

5) Restart the service with service foreman-proxy restart

Now you should be able to access the service via https and the port you specified in /etc/foreman-proxy/settings.yml

Can somebody double check the solution if this is correct? (It works, but you can never be sure...)

Hi Eric,

thanks for the explanation.

I followed the instructions given in the Foreman manual:
http://theforeman.org/manuals/1.11/index.html#4.3.1SmartProxyInstallation
(Right now I'm not sure whether we use the packages or from source. Does that make a difference in this case?)

Installing a Smart Proxy and connecting/configuring it manually seems more secure to me if I want to connect services which are already existing (in our case an IPA infrastructure).
To be honest: I'm a little afraid the capsule installer might override existing settings. ;)

The Foreman instructions point you to the Puppet SSL configuration (http://theforeman.org/manuals/1.11/index.html#4.3.10SSL) which does not work in the Katello case.

In general I don't see a problem in using a separate CA, however it would be nice to have it pointed out in the manual somewhere. (e.g. as an alternative path here: http://www.katello.org/docs/3.0/installation/capsule.html)