[HOWTO] Use free SSL-certificates (like Let's Encrypt) with Katello/Foreman on RL8

Hi,

installing Katello/Foreman on RL8 is really super-easy now.

I followed Installing Foreman 3.3 Server with Katello 4.5 Plugin on RHEL/CentOS for running on EL8 and it worked out of the box.

This is a short description on how to use acme.sh to install Let’s Encrypt or other free SSL-certificates on your management-server.

Install acme.sh certificates into Katello/foreman into EL8

1, Download and install acme.sh from GitHub - acmesh-official/acme.sh: A pure Unix shell script implementing ACME client protocol

# dnf install -y socat

Reload the shell or logout/login again to activate the acme.sh paths.

2, Issue certificate
# acme.sh --issue -d <FQDN> -w /var/lib/foreman/public/

3, Install the certificate to usable directories and set acme.sh to reload Apache after renewal

# acme.sh --install-cert -d <FQDN> \
	--cert-file /etc/pki/katello/certs/<FQDN>-cert.pem \
	--fullchain-file /etc/pki/katello/certs/<FQDN>-fullchain.pem \
	--key-file /etc/pki/katello/private/<FQDN>-key.pem \
	--reloadcmd "systemctl restart httpd"

4, Configure Katello to use the new certificates

# foreman-installer --scenario katello \
	--foreman-server-ssl-cert /etc/pki/katello/certs/<FQDN>-cert.pem \
	--foreman-server-ssl-chain /etc/pki/katello/certs/<FQDN>-fullchain.pem \
	--foreman-server-ssl-key /etc/pki/katello/private/<FQDN>-key.pem \
	--certs-update-server \
	--certs-update-server-ca

5, You have finished this task!!!

1 Like
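The four steps above as one script, added here as an example rather than code from the post or from the acme.sh or Foreman projects. It assumes acme.sh lives under ~/.acme.sh (its default install location, overridable via ACME), that the script runs as root on the Katello server, and that an account e-mail is passed on first install. It validates the FQDN before it is used in file names, passes `--server letsencrypt` because acme.sh 3.x defaults to ZeroSSL and the post's commands do not name a CA, and refuses to run foreman-installer if the issued certificate and key do not belong together.

```shell
#!/bin/sh
# Added example (not from the thread): steps 1-4 of the HOWTO as one script.
# Usage: ./katello-acme.sh <FQDN> [account-email]
set -eu

CERT_DIR=/etc/pki/katello/certs
KEY_DIR=/etc/pki/katello/private
WEBROOT=/var/lib/foreman/public                # Apache serves this for the HTTP-01 challenge
ACME=${ACME:-"$HOME/.acme.sh/acme.sh"}         # assumed default install path of acme.sh

# Accept only plain hostnames: letters, digits, dots and hyphens, at least one
# dot, not starting or ending with a dot or hyphen. The value ends up in file
# names and installer arguments, so anything else is rejected up front.
valid_fqdn() {
  case "$1" in
    ''|*[!A-Za-z0-9.-]*|.*|-*|*.|*-) return 1 ;;
  esac
  case "$1" in
    *.*) return 0 ;;
  esac
  return 1
}

cert_path()      { printf '%s/%s-cert.pem\n' "$CERT_DIR" "$1"; }
fullchain_path() { printf '%s/%s-fullchain.pem\n' "$CERT_DIR" "$1"; }
key_path()       { printf '%s/%s-key.pem\n' "$KEY_DIR" "$1"; }

# The certificate and the private key must carry the same public key. Comparing
# the PEM public keys works for both RSA and EC keys (acme.sh issues EC by default).
key_matches_cert() {
  cert_pub=$(openssl x509 -in "$1" -noout -pubkey)
  key_pub=$(openssl pkey -in "$2" -pubout)
  [ -n "$cert_pub" ] && [ "$cert_pub" = "$key_pub" ]
}

main() {
  fqdn=$1
  email=${2:-}
  valid_fqdn "$fqdn" || { echo "invalid FQDN: $fqdn" >&2; exit 1; }

  # Step 1: socat for acme.sh, then acme.sh itself via the project's installer.
  command -v socat >/dev/null 2>&1 || dnf install -y socat
  if [ ! -x "$ACME" ]; then
    curl -fsSL https://get.acme.sh | sh -s "email=${email:?account e-mail needed on first install}"
  fi

  # Step 2: issue. acme.sh 3.x defaults to ZeroSSL; name Let's Encrypt explicitly.
  "$ACME" --issue --server letsencrypt -d "$fqdn" -w "$WEBROOT"

  # Step 3: copy into the Katello directories and restart Apache on renewal.
  "$ACME" --install-cert -d "$fqdn" \
    --cert-file      "$(cert_path "$fqdn")" \
    --fullchain-file "$(fullchain_path "$fqdn")" \
    --key-file       "$(key_path "$fqdn")" \
    --reloadcmd      "systemctl restart httpd"

  # Sanity check before touching the installer: a mismatched pair would leave
  # Apache unable to start after the installer run.
  key_matches_cert "$(cert_path "$fqdn")" "$(key_path "$fqdn")" \
    || { echo "certificate and key do not match, aborting" >&2; exit 1; }

  # Step 4: point Katello at the new files (flags as in the post above).
  foreman-installer --scenario katello \
    --foreman-server-ssl-cert  "$(cert_path "$fqdn")" \
    --foreman-server-ssl-chain "$(fullchain_path "$fqdn")" \
    --foreman-server-ssl-key   "$(key_path "$fqdn")" \
    --certs-update-server \
    --certs-update-server-ca
}

if [ -n "${1:-}" ]; then
  main "$@"
else
  echo "usage: $0 <FQDN> [account-email]" >&2
fi
```

Renewal runs the `--reloadcmd` only; rerun the installer step if you later change the paths, since the installer is what copies the chain into Katello's own trust store.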

I prefer to use the official certbot packages rather than a third party script. The certbot + apache certbot plugin will automatically edit the Apache configuration files as well as generate the certificate with one single command:

certbot --apache

Link: https://certbot.eff.org/

The wizard on that site will even provide you with the exact commands you need. Other alternatives are just generating a certificate and editing the Apache config files manually which is also straightforward enough.

And if you use Cloudflare like I do, then it’s even possible to generate wildcard certificates based on your Cloudflare DNS entries. I think there are other certbot plugins that also allow this.

1 Like

Absolutely, no problem, use whatever is convenient.

I use acme.sh as it is a self-contained bash-script without any funky python dependencies as I have some platforms where all those dependencies aren’t always available. :slight_smile:

I just thought it might be interesting to know how to integrate external certificates in Katello, the tool to generate the certificates is really secondary.

Regards,
Rickard

1 Like

Yeah, I use dehydrated (another pure shell implementation) to get my certs, using the DNS protocol, and then use ansible to push those certs to my websites, email servers, nntp servers, homeassistant, grafana, mqtt… I think I have something like 18 different endpoints using these certs, and not all of them are internet visible (hence using DNS).

1 Like

Yup the beauties of open source :slight_smile:

Hadn’t heard of that, will have to check it out, you made me curious :slight_smile:

+1 @ certbot

I’ve been using certbot + LetsEncrypt for a year now, things are reasonably ok.

I’ve had some annoying but minor permission issues to handle, but the overall process is reasonably clean and robust.

I think it’s worth emphasizing that a “real” (as opposed to self-signed) certificate is a necessity for pretty much anything visible on today’s web. It’s also a requirement for doing pretty much anything with auth0 or other authentication providers. I use React for my front-ends, nodejs for my middleware, and Neo4J (enterprise edition) for my database. It’s hard enough to get and keep all the https and secure connections working with real certificates – for me, it was impossible while I was attempting to use self-signed certs.

The web is chock full of “tutorials” and examples that start with self-signed certificates and lead trusting and vulnerable newcomers deep into a maze of twisty tiny passages that all look the same.

I’ve had great success by starting with LetsEncrypt and just following their straight-forward documentation.

1 Like

Hi,

I found out when testing this live that there are some more steps that need to be done.

So let’s continue from 5:

5, Update foreman-proxy

# foreman-proxy-certs-generate --foreman-proxy-fqdn <FQDN> \
	--certs-tar ~/<FQDN>-certs.tar \
	--server-cert /etc/pki/katello/certs/<FQDN>-cert.pem \
	--server-key /etc/pki/katello/private/<FQDN>-key.pem \
	--server-ca-cert /etc/pki/katello/certs/<FQDN>-fullchain.pem \
	--certs-update-server

6, Now for the tricky part, we need to replace the server_ca certificate in the consumer package.
Install the katello-ca-consumer-katello.bluapp.net-1.0-1.src.rpm with
# rpm -Uvh /var/www/html/pub/katello-ca-consumer-katello.bluapp.net-1.0-1.src.rpm

Download the server ca certificate from the server, in Firefox you can go to the server, check the certificate and there you have an option to download the server pem-file. Download it and copy the contents.

Edit the file: ~/rpmbuild/SOURCES/katello-rhsm-consumer and replace the second certificate in the file, under the line:
read -r -d '' KATELLO_SERVER_CA_DATA << EOM || true

Change the directory to ~/rpmbuild/SOURCES/
Recompile the RPM with:
# rpmbuild -ba katello-ca-consumer-<FQDN>.spec --define 'name katello-ca-consumer-<FQDN>' --define 'release <RELEASE>'

Copy the generated srpm and rpm to /var/www/html/pub and update the soft-link katello-ca-consumer-latest.noarch.rpm to point to the new rpm-file.

7, Now it’s possible to download it to the newly installed host and use subscription-manager to register and dnf to access the repos.

Sorry for not being complete in the first post.

Rickard
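The manual edit in step 6 of the follow-up post, scripted: an added example that is not from the thread or from Katello. It swaps the certificate inside the KATELLO_SERVER_CA_DATA heredoc of katello-rhsm-consumer for the contents of a PEM file, leaves every other heredoc in the file untouched, and refuses input that is not exactly one certificate block (a pasted chain or an HTML error page would otherwise end up in the rebuilt RPM). The sample consumer script and certificate bodies below are constructed placeholders, not real files.

```shell
#!/bin/sh
# Added example (not from the thread): replace the server CA embedded in
# katello-rhsm-consumer without editing it by hand.
set -eu

# replace_server_ca <consumer-script> <ca.pem> <output-file>
# Rewrites only the lines between the KATELLO_SERVER_CA_DATA marker and its
# closing EOM; fails if the marker is not present so a wrong file is never
# silently copied through unchanged.
replace_server_ca() {
  script=$1; pem=$2; out=$3
  [ "$(grep -c -- '-----BEGIN CERTIFICATE-----' "$pem")" = 1 ] \
    || { echo "$pem: expected exactly one certificate" >&2; return 1; }
  grep -q -- '-----END CERTIFICATE-----' "$pem" \
    || { echo "$pem: unterminated PEM" >&2; return 1; }
  awk -v pemfile="$pem" '
    index($0, "KATELLO_SERVER_CA_DATA << EOM") {
      print; found = 1; skipping = 1
      while ((getline line < pemfile) > 0) print line
      close(pemfile); next
    }
    skipping && $0 == "EOM" { skipping = 0; print; next }
    skipping { next }
    { print }
    END { if (!found) exit 1 }
  ' "$script" > "$out"
}

# Constructed sample of the relevant part of katello-rhsm-consumer: two
# heredocs, of which only the second (the server CA) must change.
tmp=$(mktemp -d)
cat > "$tmp/katello-rhsm-consumer" <<'EOF'
read -r -d '' KATELLO_DEFAULT_CA_DATA << EOM || true
-----BEGIN CERTIFICATE-----
DEFAULTCA-constructed
-----END CERTIFICATE-----
EOM
read -r -d '' KATELLO_SERVER_CA_DATA << EOM || true
-----BEGIN CERTIFICATE-----
OLDSERVERCA-constructed
-----END CERTIFICATE-----
EOM
echo "$KATELLO_SERVER_CA_DATA" > katello-server-ca.pem
EOF

# Constructed stand-in for the PEM downloaded from the server.
cat > "$tmp/new-ca.pem" <<'EOF'
-----BEGIN CERTIFICATE-----
NEWSERVERCA-constructed
-----END CERTIFICATE-----
EOF

replace_server_ca "$tmp/katello-rhsm-consumer" "$tmp/new-ca.pem" "$tmp/katello-rhsm-consumer.new"
cat "$tmp/katello-rhsm-consumer.new"
```

On a real server, run it against ~/rpmbuild/SOURCES/katello-rhsm-consumer and the downloaded PEM, move the output over the original, then continue with the rpmbuild step exactly as in the post.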