Callback from proxy fails with 403

No reports are made on foreman if Ansible executes playbook on proxy. At the start of the playbook the following error is displayed:
403 Client Error: Forbidden for url: https://foreman-server-url:4443/api/v2/hosts/facts
At the end:
403 Client Error: Forbidden for url: https://foreman-server-url:4443/api/v2/reports

Expected outcome:
I expected to see reports and the facts been updated on the foreman server

Foreman and Proxy versions:
both 1.19

Foreman and Proxy plugin versions:
proxy ansible: 2.0.3
server ansible: 2.2.3

Other relevant data:
In my production log I found:

2018-10-08T18:28:14 [I|app|] Started POST “/api/v2/hosts/facts” for at 2018-10-08 18:28:14 +0200
2018-10-08T18:28:14 [I|app|f17c1] Processing by Api::V2::HostsController#facts as JSON
2018-10-08T18:28:14 [I|app|f17c1] Parameters: {“facts”=>"[FILTERED]", “name”=>“”, “apiv”=>“v2”, “host”=>{“name”=>“”}}
2018-10-08T18:28:14 [W|app|f17c1] No smart proxy server found on [“”] and is not in trusted_hosts
2018-10-08T18:28:14 [I|app|f17c1] Rendering api/v2/errors/access_denied.json.rabl within api/v2/layouts/error_layout
2018-10-08T18:28:14 [I|app|f17c1] Rendered api/v2/errors/access_denied.json.rabl within api/v2/layouts/error_layout (1.2ms)
2018-10-08T18:28:14 [I|app|f17c1] Filter chain halted as #Proc:0x00000000099ed5a0@/usr/share/foreman/app/controllers/concerns/foreman/controller/smart_proxy_auth.rb:14 rendered or redirected
2018-10-08T18:28:14 [I|app|f17c1] Completed 403 Forbidden in 47ms (Views: 7.1ms | ActiveRecord: 12.4ms)

However, I do have a registered smart proxy in foreman as “”. AFAIK it is not set as a trusted source, but I thought it would be implied if the callback tried to authenticate using the correct certificates?

work-around is to actually add the FQDN/Cert CN to trusted hosts in Settings>Authentication; but feels a bit redundant?

This is the way as otherwise every server could report to the ENC, so Foreman.

The issue I see is that we cannot hit a dot for the FQDN in that field and you need to copy/paste it, then it works.

Bug ?

I am having the same issue. Which FQDN are you referring to? The name of the foreman server or my ansible server?


Nick T

Hi @Asumble,

I actually meant the CN of the certificate of the smart-proxy running the ansible script :slight_smile:
(which should be the FQDN as seen in the foreman web UI for your smart proxy)