OK, a restart seems to fix this.
'/usr/bin/foreman-node vmg-utf-saltminion-101.to3.zone.loc'
Now it executes and returns the values of the given host (I think) from the
foreman-server.
If I re-enable SSL for salt-api in
/etc/salt/master => rest_cherrypy
and in /etc/foreman-proxy/settings.d/salt.yml => api_uri
I get the following if I try to import states.
On the Foreman frontend popup:
ERF12-4701 [ProxyAPI::ProxyException]: Unable to fetch Salt states list
([ProxyAPI::ProxyException]: ERF12-7301 [ProxyAPI::ProxyException]: Unable
to fetch Salt environments list ([RestCli…) for proxy
https://vmg-utf-saltmaster-100.to3.zone.loc:8443/salt/
And in the log on the saltmaster ==> /var/log/foreman-proxy/proxy.log
E, [2016-02-23T15:42:21.422243 #5633] ERROR -- : Failed to list environments: SSL_read: wrong version number
Without SSL in these api settings, it works.
In my /var/log/foreman-proxy/salt-cron.log (on the saltmaster/smartproxy) I
get:
Traceback (most recent call last):
File "/usr/sbin/upload-salt-reports", line 142, in <module>
upload(jobs_to_upload())
File "/usr/sbin/upload-salt-reports", line 117, in upload
json.dumps(job), headers)
File "/usr/lib/python2.7/httplib.py", line 1001, in request
self._send_request(method, url, body, headers)
File "/usr/lib/python2.7/httplib.py", line 1035, in _send_request
self.endheaders(body)
File "/usr/lib/python2.7/httplib.py", line 997, in endheaders
self._send_output(message_body)
File "/usr/lib/python2.7/httplib.py", line 850, in _send_output
self.send(msg)
File "/usr/lib/python2.7/httplib.py", line 812, in send
self.connect()
File "/usr/lib/python2.7/httplib.py", line 1212, in connect
server_hostname=server_hostname)
File "/usr/lib/python2.7/ssl.py", line 350, in wrap_socket
_context=self)
File "/usr/lib/python2.7/ssl.py", line 566, in __init__
self.do_handshake()
File "/usr/lib/python2.7/ssl.py", line 788, in do_handshake
self._sslobj.do_handshake()
SSLError: [SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed
(_ssl.c:581)
I've added some output in line 105, so that I can see where the connection
goes.
Host vmg-utf-foreman-100.to3.zone.loc
Port 443
SSLK /var/lib/puppet/ssl/private_keys/vmg-utf-saltmaster-100.to3.zone.loc.pem
SSLC /var/lib/puppet/ssl/certs/vmg-utf-saltmaster-100.to3.zone.loc.pem
Seems legit, the foreman-server should know this SSL key/cert, because they
were built on that foreman-server.
OK, this comes on the minion, but at this point I haven't configured any
templates.
2016-02-23 15:37:35,793 [salt.template ][ERROR ][872] Template was
specified incorrectly: False
2016-02-23 15:37:35,794 [salt.state ][ERROR ][872] No contents
found in top file
On Tuesday, 23 February 2016 15:26:05 UTC+1, stephen wrote:
>
> On Tue, Feb 23, 2016 at 06:09:08AM -0800, Tom K. wrote:
> > Hi Stephen,
> >
> > You are right, of course... I have changed the setup. Mind blind.. Sorry..
> >
> > Also change the
> > /etc/salt/foreman.yaml
> >
> > :proto: https
> > :host: vmg-utf-foreman-100.to3.zone.loc
> > :port: 443
> > :ssl_ca: /var/lib/puppet/ssl/certs/ca.pem
> > :ssl_key: /var/lib/puppet/ssl/private_keys/vmg-utf-saltmaster-100.to3.zone.loc.pem
> > :ssl_cert: /var/lib/puppet/ssl/certs/vmg-utf-saltmaster-100.to3.zone.loc.pem
> > :timeout: 10
> > :salt: /usr/bin/salt
> > :upload_grains: true
> >
> >
> > Must change in /etc/salt/master conf
> >
> > rest_cherrypy:
> >   port: 9191
> >   host: 0.0.0.0
> >
> >   disable_ssl: true
> > And in the /etc/foreman-proxy/settings.d/salt.yml the protocol
> >
> >
> > I got "Failed to list environments: SSL_read: wrong version number" in the
> > proxy.log. Found your hint @
> > https://gist.github.com/stbenjam/2aa8f31bc869231d5f18
> >
> > Registration of this SmartProxy works fine, also the state import (if any
> > exist).
>
> How does state importing work? You would get the same error as above,
> why'd you disable SSL? That was helping someone get around an SSL issue
> on a dev instance, in production I wouldn't disable SSL.
>
> > When I set this new smartproxy as the saltmaster for my minion host and
> > execute a "run salt"
> >
> > 2016-02-23 14:50:55,943 [salt.loaded.int.module.cmdmod][ERROR ][14893]
> > Command '/usr/bin/foreman-node vmg-utf-saltmaster-100.to3.zone.loc' failed
> > with return code: 1
> > 2016-02-23 14:50:55,944 [salt.loaded.int.module.cmdmod][ERROR ][14893]
> > output: Couldn't retrieve ENC data: execution expired
> > 2016-02-23 14:50:55,945 [salt.loaded.int.pillar.puppet][CRITICAL][14893]
> > YAML data from /usr/bin/foreman-node failed to parse
>
> Is there some error in /var/log/foreman/production.log? What happens if
> you restart foreman-tasks and httpd services on the Foreman?
>
> >
> > Have updated the timeout for testing to 100, same result. I think this
> > information is the reports from the minions? Because my 2 test minions
> > are out of reports.
> >
> >
> > I think, I hope, this will be my last "stone" :)
> >
> >
> > changed the image.. if someone needs my change
> >
> >
> >
> > On Tuesday, 23 February 2016 14:45:22 UTC+1, stephen wrote:
> > >
> > > On Tue, Feb 23, 2016 at 04:24:56AM -0800, Tom K. wrote:
> > > >
> > > >
> > > >
> > > >
> > > > Description of my SmartProxy/SaltMaster Setup:
> > > >
> > > > The values for foreman-proxy-foreman-ssl-ca/ssl-cert/ssl-key are taken
> > > > from the foreman-webgui server's /etc/puppet/foreman.yaml. The needed
> > > > files are transferred to the corresponding path on the
> > > > SmartProxy/Saltmaster system and exist. Maybe, if I compare with the
> > > > documentation, the foreman-proxy-foreman-ssl-ca should point to
> > > > "/var/lib/puppet/ssl/certs/ca.pem" instead of the ca_crt.pem, but the
> > > > doc also said "If you're already using Puppet in Foreman, consult
> > > > /etc/puppet/foreman.yaml", so that's my decision to take ca_crt.pem.
> > > > Because the foreman-server runs & needs its puppet and should just act
> > > > as a CA.
> > >
> > > I've already answered you in the other thread, you can't do this. SSL
> > > certs belong to a host, and it sounds like you're copying the
> > > **Foreman** server's certificates to the **Smart Proxy**. You need to
> > > generate certs for the Smart Proxy itself, either by making the smart
> > > proxy a puppet client or actually following the steps in the
> > > documentation you keep linking.
> > >
> > > You're also free to create your own certs outside of puppet and use them
> > > on the Foreman server, other Salt users with foreman have been
> > > successful with this.
> > >
> > > >
> > > > foreman-proxy-foreman-base-url contains the WebFrontend URL. That's in
> > > > my mind the "base url". Also taken it as host for
> > > > foreman-proxy-trusted-hosts.
> > > >
> > > > On my Saltmaster I don't want to have a 2nd Foreman instance, and I
> > > > don't want to use puppet as far as possible. If it's possible! :-)
> > > > Server management should be done with salt. Inspiration for the
> > > > --no-enable-foo-bar comes from
> > > > http://theforeman.org/manuals/1.10/index.html#3.2.3InstallationScenarios
> > > > e.g. "Smart proxy for DNS, DHCP etc."
> > > >
> > > > If I read & understand it correctly, every single cert which I will
> > > > need during this setup (or later on when I increase my setup with more
> > > > SmartProxies) has to be generated on the ForemanFrontend instance where
> > > > the puppet CA exists.
> > > >
> > > > http://theforeman.org/manuals/1.10/index.html#3.2.3InstallationScenarios
> > > > *"Other systems require certificates to be generated on the central
> > > > Puppet CA host, then distributed to them before running
> > > > foreman-installer (else it may generate a second CA). To prepare these,
> > > > on the host acting as Puppet CA, run:"*
> > >
> > > Did you run these commands? Why are you copying the Foreman certs to the
> > > Smart Proxy? Copy the certs you created.
> > >
> > > >
> > > > *saltuser* with given password exists.
> > > >
> > > > Some Configs from my salt master :
> > > >
> > > > ==> /etc/salt/master
> > > >
> > > > external_auth:
> > > >   pam:
> > > >     saltuser:
> > > >       - '@runner'
> > > >
> > > > rest_cherrypy:
> > > >   port: 9191
> > > >   host: 0.0.0.0
> > > >   # disable_ssl: true
> > > >   ssl_key: /var/lib/puppet/ssl/private_keys/vmg-utf-foreman-100.to3.zone.loc.pem
> > > >   ssl_crt: /var/lib/puppet/ssl/certs/vmg-utf-foreman-100.to3.zone.loc.pem
> > > >
> > > > ext_pillar:
> > > >   - puppet: /usr/bin/foreman-node
> > > >
> > > > master_tops:
> > > >   ext_nodes: /usr/bin/foreman-node
> > > >
> > > > autosign_file: /etc/salt/autosign.conf
> > > >
> > > >
> > > > ==> /etc/salt/foreman.yaml (What does this config mean? How does it
> > > > communicate with the foreman instance? How is the local setup of a
> > > > foreman instance?)
> > > >
> > > > ---
> > > > :proto: https
> > > > :host: vmg-utf-foreman-100.to3.zone.loc
> > > > :port: 443
> > > > :ssl_ca: "/var/lib/puppet/ssl/ca/ca_crt.pem"
> > > > :ssl_cert: "/var/lib/puppet/ssl/certs/vmg-utf-foreman-100.to3.zone.loc.pem"
> > > > :ssl_key: "/var/lib/puppet/ssl/private_keys/vmg-utf-foreman-100.to3.zone.loc.pem"
> > > >
> > > > :timeout: 10
> > > > :salt: /usr/bin/salt
> > > > :upload_grains: true
> > > >
> > > >
> > > > ==> /etc/foreman-proxy/settings.d/salt.yml
> > > > ---
> > > > :enabled: https
> > > > :autosign_file: /etc/salt/autosign.conf
> > > > :salt_command_user: root
> > > > # Some features require using the Salt API - such as listing environments
> > > > # and retrieving state info
> > > > :use_api: true
> > > > :api_url: https://vmg-utf-saltmaster-100.to3.zone.loc:9191
> > > > :api_auth: pam
> > > > :api_username: saltuser
> > > > :api_password: saltpassword
> > > >
> > > >
> > > > I've now tried my 3rd install routine (thanks for VM snapshots...). My
> > > > dream is to create in a continuous.
> > > > Unfortunately, I have until now not found a documented approach to this
> > > > separate setup of foreman-frontend and saltmaster with smartproxy on
> > > > separate machines. I think most errors happen with the certificates.
> > > > Mostly there are SSL errors. But meanwhile I've seen so many different
> > > > possibilities of errors... I've lost my mind..
> > > >
> > > > I will give it a new try.
> > > >
> > > > Maybe someone can give me a hint or maybe show me your setup|confs. It
> > > > must be possible to write a step-by-step guide. And that's what I'm
> > > > working on.
> > > >
> > > > It must be possible to "run salt" from foreman and see it in the minion
> > > > logs, and also the minions' reports should go to the foreman instance.
> > > >
> > > >
> > > > -- Tom
> > > >
> > > > --
> > > > You received this message because you are subscribed to the Google
> > > Groups "Foreman users" group.
> > > > To unsubscribe from this group and stop receiving emails from it,
> send
> > > an email to foreman-user...@googlegroups.com .
> > > > To post to this group, send email to forema...@googlegroups.com
> > > .
> > > > Visit this group at https://groups.google.com/group/foreman-users.
> > > > For more options, visit https://groups.google.com/d/optout.
> > >
> > >
> > >
> > > --
> > > Best Regards,
> > >
> > > Stephen Benjamin
> > >
> >
>
>
>
> --
> Best Regards,
>
> Stephen Benjamin
>
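The two failure modes this thread circles around can be checked statically before restarting anything: "SSL_read: wrong version number" is what the proxy gets when salt-api was started with disable_ssl: true while api_url still says https:// (a TLS ClientHello answered by plaintext HTTP), and the certificate errors follow from pointing rest_cherrypy's ssl_key/ssl_crt and foreman.yaml's :ssl_cert/:ssl_key at files issued to the Foreman host instead of the Smart Proxy. The Ruby script below is an added example, not code from this thread or from the Foreman or Salt projects. The three configs in it are constructed to mirror the ones posted above (same hostnames, same mistakes); the checker assumes the Puppet convention that a node's files are named <ssldir>/certs/<fqdn>.pem and <ssldir>/private_keys/<fqdn>.pem, and that <ssldir>/ca/ exists only on the CA host.

```ruby
require 'yaml'

# Constructed sample configs (not copied from any real host), modelled on the
# ones posted in the thread. They reproduce the two mistakes discussed there:
# salt-api running with disable_ssl while the proxy calls it over https, and
# key/cert paths that name the Foreman host instead of the Smart Proxy itself.
SALT_MASTER_CONF = <<~YAML
  rest_cherrypy:
    port: 9191
    host: 0.0.0.0
    disable_ssl: true
    ssl_key: /var/lib/puppet/ssl/private_keys/vmg-utf-foreman-100.to3.zone.loc.pem
    ssl_crt: /var/lib/puppet/ssl/certs/vmg-utf-foreman-100.to3.zone.loc.pem
YAML

PROXY_SALT_YML = <<~YAML
  :enabled: https
  :use_api: true
  :api_url: https://vmg-utf-saltmaster-100.to3.zone.loc:9191
  :api_auth: pam
YAML

FOREMAN_YAML = <<~YAML
  :proto: https
  :host: vmg-utf-foreman-100.to3.zone.loc
  :port: 443
  :ssl_ca: /var/lib/puppet/ssl/ca/ca_crt.pem
  :ssl_cert: /var/lib/puppet/ssl/certs/vmg-utf-foreman-100.to3.zone.loc.pem
  :ssl_key: /var/lib/puppet/ssl/private_keys/vmg-utf-foreman-100.to3.zone.loc.pem
YAML

# FQDN of the host the checker runs on (the Smart Proxy / salt master).
PROXY_FQDN = 'vmg-utf-saltmaster-100.to3.zone.loc'

def load_yaml(text)
  YAML.safe_load(text, permitted_classes: [Symbol]) || {}
end

# Puppet stores a node's files as <ssldir>/certs/<fqdn>.pem and
# <ssldir>/private_keys/<fqdn>.pem, so the basename says which host a cert
# or key was issued to. Assumption: the deployment keeps that convention.
def host_from_pem_path(path)
  File.basename(path.to_s, '.pem')
end

# A TLS client talking to a plaintext listener gets an HTTP response where it
# expects a TLS record; OpenSSL reports that as "SSL_read: wrong version
# number". Catch the mismatch in the two configs instead.
def check_api_transport(master, proxy)
  return [] unless proxy[:use_api]
  api_url = proxy[:api_url].to_s
  plaintext = master['disable_ssl'] == true
  if plaintext && api_url.start_with?('https://')
    ["salt-api listens in plaintext (disable_ssl: true) but api_url is #{api_url}: " \
     'the proxy will send TLS to a plaintext socket (SSL_read: wrong version number)']
  elsif !plaintext && api_url.start_with?('http://')
    ["salt-api expects TLS but api_url is #{api_url}: use https:// there"]
  else
    []
  end
end

# Certificates belong to a host: whatever salt-api and the report uploader
# present must have been issued to this machine, not copied from Foreman.
def check_cert_ownership(master, foreman, fqdn)
  paths = {
    'rest_cherrypy ssl_key'  => master['ssl_key'],
    'rest_cherrypy ssl_crt'  => master['ssl_crt'],
    'foreman.yaml :ssl_key'  => foreman[:ssl_key],
    'foreman.yaml :ssl_cert' => foreman[:ssl_cert]
  }
  paths.each_with_object([]) do |(label, path), findings|
    next if path.nil?
    owner = host_from_pem_path(path)
    findings << "#{label} was issued to #{owner}, not to this host (#{fqdn})" if owner != fqdn
  end
end

# <ssldir>/ca/ exists only on the Puppet CA host; every other node receives
# the CA certificate as <ssldir>/certs/ca.pem.
def check_ca_path(foreman)
  ca = foreman[:ssl_ca].to_s
  return [] unless ca.include?('/ssl/ca/')
  ["ssl_ca #{ca} is the CA host's private copy; on a non-CA node use .../ssl/certs/ca.pem"]
end

def check_configs(master_text, proxy_text, foreman_text, fqdn)
  master  = load_yaml(master_text).fetch('rest_cherrypy', {})
  proxy   = load_yaml(proxy_text)
  foreman = load_yaml(foreman_text)
  check_api_transport(master, proxy) +
    check_cert_ownership(master, foreman, fqdn) +
    check_ca_path(foreman)
end

if $PROGRAM_NAME == __FILE__
  findings = check_configs(SALT_MASTER_CONF, PROXY_SALT_YML, FOREMAN_YAML, PROXY_FQDN)
  findings.each { |f| puts "- #{f}" }
  puts 'no mismatches found' if findings.empty?
end
```

Run it on the Smart Proxy with that host's own FQDN. On the configs as posted it flags the transport mismatch, all four key/cert paths and the ssl_ca path; with disable_ssl removed, the four paths pointed at the proxy's own files and ssl_ca set to certs/ca.pem it reports nothing. It only inspects the config text, so it does not confirm that the files exist or that the certificate subject really matches its filename; `openssl x509 -noout -subject -in <cert>` covers that second part.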