Bug #8372

Make puppet ssl certificate+key that is used to authenticate against foreman available to the smart-proxy

Added by Martin Milata over 8 years ago. Updated over 4 years ago.

Status: Closed
Priority: Normal
Assignee:
Category: Installer
Target version:
Difficulty:
Triaged: Yes
Bugzilla link:
Pull request:
Fixed in Releases:
Found in Releases:
Red Hat JIRA:

Description

The smart-proxy-abrt (and possibly other plugins, like openscap) needs to send HTTP requests to Foreman, and for that it needs to be SSL-authenticated. However the cert+key in /etc/foreman-proxy/ssl_{cert,key}.pem cannot be used because it is designated as a server certificate and Apache rejects it when it is used for client authentication.

We can reuse the cert+key pair in /etc/puppet, however smart-proxy currently does not have the permissions to access the private key.

1) Can you copy /etc/puppet/{client_cert,client_key,ssl_ca.pem} to /etc/foreman-proxy with permissions so that smart-proxy can read them? (On my system /etc/puppet/ssl_ca.pem is the same as /etc/foreman-proxy/ssl_ca.pem so no need to have it twice if it's always the case)

2) Can you then assign the paths to the files to foreman_ssl_cert, foreman_ssl_key, and foreman_ssl_ca in /etc/foreman-proxy/settings.yml?
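
The description above says the proxy's existing certificate is designated for server use and is refused for client authentication. The following Ruby code is an added example, not code from Foreman or the smart-proxy: it inspects a certificate's purpose extensions, as one might before pointing foreman_ssl_cert at a file. It assumes the designation is carried in extendedKeyUsage or nsCertType; the certificates and the host name are constructed sample data.

```ruby
require "openssl"

# Constructed sample data: a throwaway self-signed certificate carrying the
# given extensions, standing in for the PEM files named in the report.
def sample_cert(cn, extensions)
  key = OpenSSL::PKey::RSA.new(2048)
  cert = OpenSSL::X509::Certificate.new
  cert.version = 2
  cert.serial = 1
  cert.subject = cert.issuer = OpenSSL::X509::Name.parse("/CN=#{cn}")
  cert.public_key = key.public_key
  cert.not_before = Time.now - 60
  cert.not_after = Time.now + 3600
  ef = OpenSSL::X509::ExtensionFactory.new
  ef.subject_certificate = ef.issuer_certificate = cert
  extensions.each { |oid, value| cert.add_extension(ef.create_extension(oid, value, false)) }
  cert.sign(key, OpenSSL::Digest.new("SHA256"))
  cert
end

# Reasons a TLS server verifying client certificates would refuse this one
# on purpose grounds; an empty list means the purpose extensions allow it.
# The strings compared are OpenSSL's printed names for the extension values.
def client_auth_problems(cert)
  problems = []
  ext = cert.extensions.to_h { |e| [e.oid, e.value.split(/,\s*/)] }
  eku = ext["extendedKeyUsage"]
  if eku && !eku.include?("TLS Web Client Authentication")
    problems << "extendedKeyUsage lacks clientAuth (has: #{eku.join(', ')})"
  end
  ns = ext["nsCertType"]
  if ns && !ns.include?("SSL Client")
    problems << "nsCertType lacks client (has: #{ns.join(', ')})"
  end
  problems
end

# Hypothetical host name; one server-only certificate, one usable for both roles.
SERVER_ONLY = sample_cert("proxy.example.test", "extendedKeyUsage" => "serverAuth", "nsCertType" => "server")
CLIENT_OK = sample_cert("proxy.example.test", "extendedKeyUsage" => "serverAuth,clientAuth")

if __FILE__ == $PROGRAM_NAME
  { "server-only" => SERVER_ONLY, "client-capable" => CLIENT_OK }.each do |name, cert|
    problems = client_auth_problems(cert)
    puts "#{name}: #{problems.empty? ? 'usable for client auth' : problems.join('; ')}"
  end
end
```

To check a real file, pass `OpenSSL::X509::Certificate.new(File.read(path))` to `client_auth_problems`.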


Related issues

Related to Installer - Bug #7833: Deploy foreman_url setting for proxy configuration (Closed, 2014-10-07)

Associated revisions

Revision 5c8a7007 (diff)
Added by Ivan Necas over 8 years ago

Refs #8372 - generate client certificates to be used by the smart proxy

Revision b925a546 (diff)
Added by Ivan Necas over 8 years ago

Refs #8372 - pass the correct paths to the foreman_ssl_certs

Revision ae87768b
Added by Ivan Necas about 8 years ago

Merge pull request #41 from iNecas/issue/8372

Refs #8372 - generate client certificates to be used by the smart proxy

Revision 20b02bb0
Added by Ivan Necas about 8 years ago

Merge pull request #26 from iNecas/issue/8372

Refs #8372 - pass the correct paths to the foreman_ssl_certs

History

#1 Updated by Lukas Zapletal over 8 years ago

And are we sure Puppet is always present on the smart-proxy node? I don't like copying much. Maybe a new certificate issued by Foreman CA? Any other ideas?

For the part 2, this should be pretty straightforward and we can solve together with #7833.

#2 Updated by Lukas Zapletal over 8 years ago

  • Related to Bug #7833: Deploy foreman_url setting for proxy configuration added

#3 Updated by Ivan Necas over 8 years ago

  • Status changed from New to Assigned
  • Assignee set to Ivan Necas

#4 Updated by Ivan Necas over 8 years ago

The certs in katello are handled by the puppet-certs, since the certs are managed by the puppet, no need to worry about copying too much. From this perspective, it's just about placing the certs to another place. I will solve both placing the certs and setting the config path.

#5 Updated by Eric Helms over 8 years ago

  • Legacy Backlogs Release (now unused) set to 23
  • Triaged changed from No to Yes

#6 Updated by Ivan Necas over 8 years ago

  • Status changed from Assigned to Ready For Testing

#7 Updated by Martin Milata over 8 years ago

https://github.com/theforeman/puppet-foreman_proxy/pull/130
https://github.com/Katello/puppet-certs/issues/41
https://github.com/Katello/puppet-capsule/issues/26

I've tested the changes on single-host Katello installation and the ABRT plugin now works out-of-the-box (with the exception of #7833 which has to be done manually).

#8 Updated by Ivan Necas about 8 years ago

  • Bugzilla link set to 1180051

#9 Updated by Eric Helms about 8 years ago

  • Status changed from Ready For Testing to Closed
  • Target version set to 66
