-
Notifications
You must be signed in to change notification settings - Fork 112
Refs #37601 - Refresh/deploy CA cert on hosts #3193
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Changes from all commits
b65004d
52cc5ed
bd2b01a
f5aba4f
cb907b4
d9e355c
2e6e896
3a7de44
686369d
af15683
6512492
4dd7a59
d51a1c5
c651686
a1015fb
06fb887
dbd3d23
34f6cb2
2ed16d1
b9eacad
9077418
2691633
0d642e7
8c97d53
8a8ba3c
3568f89
File filter
Filter by extension
Conversations
Jump to
Diff view
Diff view
There are no files selected for viewing
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,7 @@ | ||
| include::modules/con_refreshing-the-self-signed-ca-certificate-on-hosts.adoc[] | ||
|
|
||
| include::modules/proc_deploying-the-ca-certificate-on-a-host-by-using-script-rex.adoc[leveloffset=+1] | ||
|
|
||
| include::modules/proc_deploying-the-ca-certificate-on-a-host-by-using-ansible-rex.adoc[leveloffset=+1] | ||
|
|
||
| include::modules/proc_deploying-the-ca-certificate-on-a-host-manually.adoc[leveloffset=+1] |
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,14 @@ | ||
| [id="refreshing-the-self-signed-ca-certificate-on-hosts"] | ||
| = Refreshing the self-signed CA certificate on hosts | ||
|
|
||
| When you change the CA certificate on your {ProjectServer}, you must refresh the CA certificate on your hosts. | ||
|
|
||
| Ensure that you use a temporary dual CA certificate file for uninterrupted operation. | ||
| For more information, see {AdministeringDocURL}planning-for-self-signed-ca-certificate-renewal[Planning for self-signed CA certificate renewal] in _{AdministeringDocTitle}_. | ||
|
|
||
| If you have already changed the CA certificate on {ProjectServer} without using the temporary dual CA certificate file, you must refresh the certificate on hosts manually because the scripted variant will not recognize {ProjectServer}. | ||
|
|
||
| [IMPORTANT] | ||
| ==== | ||
| You only must redeploy the CA certificate if you use a self-signed CA certificate. | ||
| ==== |
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,4 @@ | ||
| [id="renewing-certificates"] | ||
| = Renewing certificates | ||
|
|
||
| You can renew the CA certificate on {ProjectServer} or the {customssl} certificate on {ProjectServer} as well as on {SmartProxyServer}. |
This file was deleted.
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,32 @@ | ||
| [id="deploying-the-ca-certificate-on-a-host-by-using-ansible-rex"] | ||
| = Deploying the CA certificate on a host by using Ansible REX | ||
|
|
||
| You can use remote execution (REX) with the Ansible provider to deploy the CA certificate. | ||
|
Lennonka marked this conversation as resolved.
|
||
|
|
||
| include::snip_prerequisites-deploying-ca-cert-rex.adoc[] | ||
|
|
||
| .Procedure | ||
| . In the {ProjectWebUI}, navigate to *Monitor* > *Jobs*. | ||
| . Click *Run Job*. | ||
| . From the *Job category* list, select `Ansible Commands`. | ||
| . From the *Job template* list, select `Download and execute a script`. | ||
| . Click *Next*. | ||
| . Select hosts on which you want to execute the job. | ||
| . In the *url* field, enter the following URL: | ||
| + | ||
| [options="nowrap" subs="+quotes,verbatim,attributes"] | ||
| ---- | ||
| https://_{foreman-example-com}_/unattended/public/foreman_ca_refresh | ||
|
Member
There was a problem hiding this comment. Choose a reason for hiding this commentThe reason will be displayed to describe this comment to others. Learn more. If you go this route, you must mention that for isolated hosts this must be retrieved via a Smart Proxy (AKA Capsule) because they may not be able to access Foreman. It would be better to implement a dedicated REX job template and that the user selects. Then the user doesn't need to input any fields and we can rely on REX to properly transfer the script. Even if the certificate expired (because SSH push mode doesn't need them) and when the host is isolated. The same goes for the Script REX procedure.
Member
There was a problem hiding this comment. Choose a reason for hiding this commentThe reason will be displayed to describe this comment to others. Learn more.
Created a tracker to properly track it: https://projects.theforeman.org/issues/37773
Member
There was a problem hiding this comment. Choose a reason for hiding this commentThe reason will be displayed to describe this comment to others. Learn more. @ekohl with our dropping of API access in the reverse proxy, will isolated hosts have access to this endpoint? do we need to add this endpoint to our list of allowed endpoints?
Member
There was a problem hiding this comment. Choose a reason for hiding this commentThe reason will be displayed to describe this comment to others. Learn more.
We already have the templates module which proxies the unattended templates (also for kickstarts etc). I think the current API should cover it, but not 100% sure. This needs to be verified.
Member
There was a problem hiding this comment. Choose a reason for hiding this commentThe reason will be displayed to describe this comment to others. Learn more. @ekohl Almost. We are missing
Member
There was a problem hiding this comment. Choose a reason for hiding this commentThe reason will be displayed to describe this comment to others. Learn more. |
||
| ---- | ||
| + | ||
| include::snip_replace-fqdn-projectserver.adoc[] | ||
| + | ||
| You can use HTTP when the CA certificate is expired. | ||
| . Optional: Click *Next* and configure advanced fields and scheduling as you require. | ||
| . Click *Run on selected hosts*. | ||
|
|
||
| include::snip_verification-ca-set-correctly.adoc[] | ||
|
|
||
| [role="_additional-resources"] | ||
| .Additional resources | ||
| * xref:executing-a-remote-job_managing-hosts[] | ||
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,32 @@ | ||
| [id="deploying-the-ca-certificate-on-a-host-by-using-script-rex"] | ||
| = Deploying the CA certificate on a host by using Script REX | ||
|
|
||
| You can use remote execution (REX) with the Script provider to deploy the CA certificate. | ||
|
|
||
| include::snip_prerequisites-deploying-ca-cert-rex.adoc[] | ||
|
|
||
| .Procedure | ||
| . In the {ProjectWebUI}, navigate to *Monitor* > *Jobs*. | ||
| . Click *Run Job*. | ||
| . From the *Job category* list, select `Commands`. | ||
|
Contributor
There was a problem hiding this comment. Choose a reason for hiding this commentThe reason will be displayed to describe this comment to others. Learn more. |
||
| . From the *Job template* list, select `Download and run a script`. | ||
| . Click *Next*. | ||
| . Select hosts on which you want to execute the job. | ||
| . In the *url* field, enter the following URL: | ||
| + | ||
| [options="nowrap" subs="+quotes,verbatim,attributes"] | ||
| ---- | ||
| https://_{foreman-example-com}_/unattended/public/foreman_ca_refresh | ||
|
Lennonka marked this conversation as resolved.
|
||
| ---- | ||
| + | ||
| include::snip_replace-fqdn-projectserver.adoc[] | ||
| + | ||
| You can use HTTP when the CA certificate is expired. | ||
| . Optional: Click *Next* and configure advanced fields and scheduling as you require. | ||
| . Click *Run on selected hosts*. | ||
|
|
||
| include::snip_verification-ca-set-correctly.adoc[] | ||
|
|
||
| [role="_additional-resources"] | ||
| .Additional resources | ||
| * xref:executing-a-remote-job_managing-hosts[] | ||
|
Lennonka marked this conversation as resolved.
|
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,59 @@ | ||
| [id="deploying-the-ca-certificate-on-a-host-manually"] | ||
| = Deploying the CA certificate on a host manually | ||
|
Lennonka marked this conversation as resolved.
|
||
|
|
||
| You can deploy the CA certificate on the host manually by rendering a public provisioning template, which provides the CA certificate. | ||
|
|
||
| .Prerequisites | ||
| * You have root access on both your {ProjectServer} and your host. | ||
|
|
||
| .Procedure | ||
| . Download the certificate on your {ProjectServer}: | ||
| + | ||
| [options="nowrap" subs="+quotes,verbatim,attributes"] | ||
| ---- | ||
| # curl -o "{project-context}_ca_cert.crt" https://_{foreman-example-com}_/unattended/public/foreman_raw_ca | ||
| ---- | ||
| + | ||
| include::snip_replace-fqdn-projectserver.adoc[] | ||
| . Transfer the CA certificate to your host securely, for example by using `scp`. | ||
| . Login to your host by using SSH. | ||
| . Copy the certificate to the truststore: | ||
| ifdef::client-content-dnf[] | ||
| ifndef::satellite[] | ||
| * On {EL}: | ||
| endif::[] | ||
| + | ||
| [options="nowrap" subs="+quotes,verbatim,attributes"] | ||
| ---- | ||
| # cp {project-context}_ca_cert.crt /etc/pki/ca-trust/source/anchors | ||
|
Lennonka marked this conversation as resolved.
|
||
| ---- | ||
| endif::[] | ||
| ifdef::client-content-apt[] | ||
|
maximiliankolb marked this conversation as resolved.
|
||
| * On {DL}: | ||
| + | ||
| [options="nowrap" subs="+quotes,verbatim,attributes"] | ||
| ---- | ||
| # cp {project-context}_ca_cert.crt /usr/local/share/ca-certificates/ | ||
| ---- | ||
| endif::[] | ||
| . Update the truststore: | ||
| ifdef::client-content-dnf[] | ||
| ifndef::satellite[] | ||
| * On {EL}: | ||
| endif::[] | ||
|
Lennonka marked this conversation as resolved.
|
||
| + | ||
| [options="nowrap" subs="+quotes,verbatim,attributes"] | ||
| ---- | ||
| # update-ca-trust | ||
| ---- | ||
| endif::[] | ||
| ifdef::client-content-apt[] | ||
| * On {DL}: | ||
| + | ||
| [options="nowrap" subs="+quotes,verbatim,attributes"] | ||
| ---- | ||
| # update-ca-certificates | ||
| ---- | ||
| endif::[] | ||
|
|
||
| include::snip_verification-ca-set-correctly.adoc[] | ||
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,16 @@ | ||
| [id="planning-for-self-signed-ca-certificate-renewal"] | ||
| = Planning for self-signed CA certificate renewal | ||
|
|
||
| If you need to update the Certification Authority (CA) certificate on your {ProjectServer}, add the new CA certificate and use a temporary dual CA certificate file to retain the HTTPS connections to your {ProjectServer} during the renewal. | ||
|
|
||
| .Procedure | ||
| . Add the new SSL certificate to the CA certificate file on {ProjectServer} and keep the old SSL certificate. | ||
| . Renew the certificates on {ProjectServer} and any {SmartProxyServers}. | ||
| . Deploy the dual CA certificate on hosts. | ||
| . Remove the old certificate from the CA certificates file on {ProjectServer}, so the CA certificate file contains only the new SSL certificate. | ||
| . Renew the certificates on {ProjectServer} and any {SmartProxyServers}. | ||
| . Deploy the new CA certificate on hosts. | ||
|
|
||
| [role="_additional-resources"] | ||
| .Additional resources | ||
| * {ManagingHostsDocURL}refreshing-the-self-signed-ca-certificate-on-hosts[Refreshing the self-signed CA certificate on hosts] in _{ManagingHostsDocTitle}_ |
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,5 @@ | ||
| .Prerequisites | ||
| * The host is registered to {Project}. | ||
| * Remote execution is enabled on the host. | ||
| * The CA certificate has been changed on {ProjectServer}. | ||
| For more information, see {AdministeringDocURL}planning-for-self-signed-ca-certificate-renewal[Planning for self-signed CA certificate renewal] in _{AdministeringDocTitle}_. |
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1 @@ | ||
| Replace _{foreman-example-com}_ with the FQDN of your {ProjectServer}. |
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,20 @@ | ||
| .Verification | ||
| * If the host can access {ProjectServer}, the following command succeeds on your host: | ||
| + | ||
| [options="nowrap" subs="+quotes,verbatim,attributes"] | ||
| ---- | ||
| $ curl --head https://_{foreman-example-com}_ | ||
| ---- | ||
| + | ||
| include::snip_replace-fqdn-projectserver.adoc[] | ||
| * If the host can access {SmartProxyServer}, the following command succeeds on your host: | ||
| + | ||
| [options="nowrap" subs="+quotes,verbatim,attributes"] | ||
| ---- | ||
| $ curl --head https://_{smartproxy-example-com}:{smartproxy_port}_/features | ||
| ---- | ||
| + | ||
| Replace _{smartproxy-example-com}_ with the FQDN of your {SmartProxyServer}. | ||
| ifndef::satellite[] | ||
| Replace the port number with the port number you use. | ||
| endif::[] |
Uh oh!
There was an error while loading. Please reload this page.