Bug #8372
Make puppet ssl certificate+key that is used to authenticate against foreman available to the smart-proxy
Description
The smart-proxy-abrt (and possibly other plugins, like openscap) needs to send HTTP requests to Foreman, and for that it needs to be SSL-authenticated. However the cert+key in /etc/foreman-proxy/ssl_{cert,key}.pem cannot be used because it is designated as a server certificate and Apache rejects it when it is used for client authentication.
We can reuse the cert+key pair in /etc/puppet, however smart-proxy currently does not have the permissions to access the private key.
1) Can you copy /etc/puppet/{client_cert,client_key,ssl_ca.pem} to /etc/foreman-proxy with permissions so that smart-proxy can read them? (On my system /etc/puppet/ssl_ca.pem is the same as /etc/foreman-proxy/ssl_ca.pem so no need to have it twice if it's always the case)
2) Can you then assign the paths to the files to foreman_ssl_cert, foreman_ssl_key, and foreman_ssl_ca in /etc/foreman-proxy/settings.yml?
Related issues
Associated revisions
Refs #8372 - pass the correct paths to the foreman_ssl_certs
Refs #8372 - pass the correct paths to the foreman_ssl_certs
History
#1
Updated by Lukas Zapletal over 8 years ago
Updated by And are we sure Puppet is always present on the smart-proxy node? I don't like copying much. Maybe a new certificate issued by Foreman CA? Any other ideas?
For the part 2, this should be pretty straightforward and we can solve together with #7833.
#2
Updated by Lukas Zapletal over 8 years ago
- Related to Bug #7833: Deploy foreman_url setting for proxy configuration added
#3
Updated by Ivan Necas over 8 years ago
Updated by - Status changed from New to Assigned
- Assignee set to Ivan Necas
#4
Updated by Ivan Necas over 8 years ago
The certs in katello are handled by the puppet-certs, since the certs are managed by the puppet, no need to worry about copying too much. From this perspective, it's just about placing the certs to another place. I will solve both placing the certs and setting the config path.
#5
Updated by Eric Helms over 8 years ago
Updated by - Legacy Backlogs Release (now unused) set to 23
- Triaged changed from No to Yes
#6
Updated by Ivan Necas over 8 years ago
- Status changed from Assigned to Ready For Testing
Fixes that generate and deploy a cert for smart proxy to use to call to the foreman are here:
https://github.com/theforeman/puppet-foreman_proxy/pull/130
https://github.com/Katello/puppet-certs/issues/41
https://github.com/Katello/puppet-capsule/issues/26
#7
Updated by Martin Milata over 8 years ago
Updated by https://github.com/theforeman/puppet-foreman_proxy/pull/130
https://github.com/Katello/puppet-certs/issues/41
https://github.com/Katello/puppet-capsule/issues/26
I've tested the changes on single-host Katello installation and the ABRT plugin now works out-of-the-box (with the exception of #7833 which has to be done manually).
#8
Updated by Ivan Necas about 8 years ago
- Bugzilla link set to 1180051
#9
Updated by Eric Helms about 8 years ago
- Status changed from Ready For Testing to Closed
- Target version set to 66
Refs #8372 - generate client certificates to be used by the smart proxy