Project

General

Profile

SSL » History » Version 9

Jacob McCann, 03/22/2012 03:38 PM

1 1 Ohad Levy
h1. SSL setup
2
3
The smart proxy can work in SSL mode, where both sides verify and trust each other.
4
5
h2. Configure SSL certificates
6
7
This request will only be accepted if the SSL certificates match. Therefore the client's private key grants access to proxy's funtionality, so protect it.
8
9
As this tool is meant to interoperate with a puppet installation I suggest that you use the Certificate Authority provided by a puppet server as your CA.
10
11
# Login to your puppetmaster, which has a Certificate Authority
12
# Use the puppet tools to create a new certificate
13
<pre><code>
14
  puppetca --generate <proxy-FQDN>
15
</pre></code>
16
# Copy the certificate keys to your Windows host
17
<pre><code>
18
    scp puppetmaster:/var/lib/puppet/ssl/ca/signed/<proxy-FQDN>.pem signed.pem
19
    scp puppetmaster:/var/lib/puppet/ssl/private_keys/<proxy-FQDN>.pem private.pem
20
</pre></code>
21
# Copy the ssl/certs/ca.pem from any puppet client to the smart-proxy\config directory. This ensures that the proxy trusts the same CA as a puppet client.
22 2 Corey Osman
23 7 Jacob McCann
*Example 2:*
24
The above instructions kind of confused me.  I think they are for when you are trying to use smart-proxy on a system that isn't normally managed by puppet but you want to use the puppet CA.
25
26
In my instance my smart-proxy was already managed by puppet, so certs already existed on the system.  My puppet certdir was /etc/puppet/ssl so I just had to edit the smart-proxy settings.yml (/etc/foreman-proxy/settings.yml on my system) to reference the paths:
27
28
SNIPPET of settings.yml:
29
<pre>
30
---
31
# SSL Setup
32
33
# if enabled, all communication would be verfied via SSL
34
# NOTE that both certificates need to be signed by the same CA in order for this to work
35
# see http://theforeman.org/projects/smart-proxy/wiki/SSL for more information
36
:ssl_certificate: /etc/puppet/ssl/certs/FQDN.pem
37
:ssl_ca_file: /etc/puppet/ssl/certs/ca.pem
38
:ssl_private_key: /etc/puppet/ssl/private_keys/FQDN.pem
39
# the hosts which the proxy accepts connections from
40
# commenting the following lines would mean every verified SSL connection allowed
41
:trusted_hosts:
42
- foreman.corp.com
43
#- foreman.dev.domain
44
</pre>
45
46 9 Jacob McCann
Of course if you have a smart-proxy module in puppet to manage your smart-proxies you can template it out like:
47 8 Jacob McCann
<pre>
48
:ssl_certificate: /etc/puppet/ssl/certs/<%25= @fqdn %25>.pem
49
:ssl_ca_file: /etc/puppet/ssl/certs/ca.pem
50
:ssl_private_key: /etc/puppet/ssl/private_keys/<%25= @fqdn %25>.pem
51
52
:trusted_hosts:
53
- <%25= foreman_server %25>
54
</pre>
55
56 2 Corey Osman
h2. Troubleshooting
57
58
<pre>
59
Unable to save
60
Unable to communicate with the proxy: No such file or directory - /.puppet/var/ssl/certs/foremanserver.domainname.corp.pem
61
Please check the proxy is configured and running on the host before saving.
62
</pre>
63 3 Corey Osman
64
Workaround
65 5 Corey Osman
# mkdir /.puppet
66
# ln -s /var/lib/puppet/ /.puppet/var
67 4 Corey Osman
# add foreman, foreman-proxy to puppet group
68
# chmod -R 640 /var/lib/puppet/ssl/private_keys
69
# chgrp -R puppet /var/lib/puppet/ssl/private_keys
70
# 
71 6 Jacob McCann
72
*Example 2:*
73
I also ran into this issue ... here is my breakdown of it.
74
75
This seems to stem from the foreman webserver needing access to it's certificate.  It looks for it down the webuser home directory for .puppet which somewhat is supposed to mimic the puppetdir.
76
77
So for my SLES system which:
78
* Webuser - wwwrun
79
* Webuser homedir - /var/lib/wwwrun
80
* Puppet dir - /etc/puppet
81
82
Looks in /var/lib/wwwrun/.puppet/ssl/certs
83
84
So I needed to:
85
<pre>
86
add wwwrun to puppet group
87
cd /var/lib/wwwrun
88
ln -s /etc/puppet .puppet
89
chgrp -R puppet /etc/puppet/ssl/private_keys
90
chmod 640 /etc/puppet/ssl/private_keys/*
91
</pre>