When I try to register a host using “Generate command” from The Foreman (with foreman-proxy.mydomain chosen) I get the following:
“Internal Server Error”
The logs on the smart proxy show:
Error when rendering Global Registration Template: OpenSSL::SSL::SSLError: SSL_read: ssl/tls alert unsupported certificate
I reverted snapshots without puppet installation on Smart Proxy and host registration via Smart Proxy works as intended. I wonder what is the correct foreman-installer command to install a Puppet Proxy and Puppet Proxy CA on Smart Proxy.
2025-04-27 12:20:08 [NOTICE] [root] Loading installer configuration. This will take some time.
2025-04-27 12:20:19 [NOTICE] [root] Running installer with log based terminal output at level NOTICE.
2025-04-27 12:20:19 [NOTICE] [root] Use -l to set the terminal output log level to ERROR, WARN, NOTICE, INFO, or DEBUG. See --full-help for definitions.
2025-04-27 12:20:23 [NOTICE] [checks] System checks passed
2025-04-27 12:20:49 [NOTICE] [configure] Starting system configuration.
2025-04-27 12:22:28 [NOTICE] [configure] 250 configuration steps out of 1597 steps complete.
2025-04-27 12:22:32 [NOTICE] [configure] 500 configuration steps out of 1599 steps complete.
2025-04-27 12:23:35 [ERROR ] [configure] ‘/opt/puppetlabs/bin/puppetserver ca setup’ returned 1 instead of one of [0]
2025-04-27 12:23:35 [ERROR ] [configure] /Stage[main]/Puppet::Server::Config/Exec[puppet_server_config-generate_ca_cert]/returns: change from ‘notrun’ to [‘0’] failed: ‘/opt/puppetlabs/bin/puppetserver ca setup’ returned 1 instead of one of [0]
2025-04-27 12:24:26 [ERROR ] [configure] /Stage[main]/Puppet::Server::Config/Exec[puppet_server_config-generate_ca_cert]: Failed to call refresh: ‘/opt/puppetlabs/bin/puppetserver ca setup’ returned 1 instead of one of [0]
2025-04-27 12:24:26 [ERROR ] [configure] /Stage[main]/Puppet::Server::Config/Exec[puppet_server_config-generate_ca_cert]: ‘/opt/puppetlabs/bin/puppetserver ca setup’ returned 1 instead of one of [0]
2025-04-27 12:24:27 [NOTICE] [configure] 750 configuration steps out of 1604 steps complete.
2025-04-27 12:24:28 [NOTICE] [configure] 1000 configuration steps out of 1605 steps complete.
2025-04-27 12:24:29 [NOTICE] [configure] 1250 configuration steps out of 1605 steps complete.
2025-04-27 12:25:01 [NOTICE] [configure] 1500 configuration steps out of 1605 steps complete.
2025-04-27 12:25:14 [NOTICE] [configure] System configuration has finished.
Error 1: Puppet Exec resource ‘puppet_server_config-generate_ca_cert’ failed. Logs:
/Stage[main]/Puppet::Server::Config/Exec[puppet_server_config-generate_ca_cert]/require
require to Concat[/etc/puppetlabs/puppet/puppet.conf]
require to Exec[puppet_server_config-create_ssl_dir]
/Stage[main]/Puppet::Server::Config/Exec[puppet_server_config-generate_ca_cert]
Starting to evaluate the resource (524 of 1600)
Failed to call refresh: ‘/opt/puppetlabs/bin/puppetserver ca setup’ returned 1 instead of one of [0]
‘/opt/puppetlabs/bin/puppetserver ca setup’ returned 1 instead of one of [0]
Evaluated in 113.71 seconds
/Stage[main]/Puppet::Server::Config/Exec[puppet_server_config-generate_ca_cert]/creates
Checking that ‘creates’ path ‘/etc/puppetlabs/puppetserver/ca/ca_crt.pem’ exists
Checking that ‘creates’ path ‘/etc/puppetlabs/puppetserver/ca/ca_crt.pem’ exists
Exec[puppet_server_config-generate_ca_cert]
Executing ‘/opt/puppetlabs/bin/puppetserver ca setup’
Executing ‘/opt/puppetlabs/bin/puppetserver ca setup’
/Stage[main]/Puppet::Server::Config/Exec[puppet_server_config-generate_ca_cert]/returns
Error:
Missing public key to match private key at /etc/puppetlabs/puppet/ssl/private_keys/foreman-proxy.mydomain.local.com.pem
Missing public key to match private key at /etc/puppetlabs/puppet/ssl/private_keys/foreman-proxy.mydomain.local.com.pem
change from ‘notrun’ to [‘0’] failed: ‘/opt/puppetlabs/bin/puppetserver ca setup’ returned 1 instead of one of [0]
Error:
Missing public key to match private key at /etc/puppetlabs/puppet/ssl/private_keys/foreman-proxy.mydomain.local.com.pem
Missing public key to match private key at /etc/puppetlabs/puppet/ssl/private_keys/foreman-proxy.mydomain.local.com.pem
1 error was detected during installation.
Please address the errors and re-run the installer to ensure the system is properly configured.
Failing to do so is likely to result in broken functionality.
The full log is at /var/log/foreman-installer/foreman-proxy-content.log
Installing an additional PuppetCA on a smart-proxy is a tricky setup that sadly does not work out of the box currently.
The main reason for this is that many parts of the Foreman stack rely on the Puppet certificates in the background for authentication/authorization, and by setting up a new CA on the smart-proxy, you essentially override the client certificates from the CA-bundle file with new ones from the new CA.
In case you really need a separate Puppet CA on the smart-proxy, there are ways to enable this kind of setup with a lot of manually moving files around and passing a ton of parameters to Foreman installer,
At least this is what went wrong in your last post.
For the first attempt, I am unsure what went wrong from the info you posted. From the installer command, maybe the foreman-proxy-registration plugin was missing (--foreman-proxy-registration true)? Though if that was the case, I would expect a different error message or not to be able to select the proxy in the first place.
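The reply above attributes the failure to certificates from a second CA no longer matching the CA bundle the rest of the stack trusts. As an added example (not part of the thread and not Foreman's own tooling), this script builds two throwaway CAs and runs the two checks that tell the cases apart: does a certificate chain to a given CA bundle, and does a private key belong to a certificate. The CA names, the host name and all function names are assumptions made for the demonstration.

```bash
#!/usr/bin/env bash
# Added example. Everything is generated in a temp dir; the CA names
# "foreman-ca" and "proxy-ca" and the host name are constructed.

# 0 if <cert.pem> carries the public key belonging to <key.pem>.
key_matches_cert() {   # key_matches_cert <key.pem> <cert.pem>
  local k c
  k=$(openssl pkey -in "$1" -pubout 2>/dev/null) || return 2
  c=$(openssl x509 -in "$2" -noout -pubkey 2>/dev/null) || return 2
  [ -n "$k" ] && [ "$k" = "$c" ]
}

# 0 if <cert.pem> chains to a CA contained in <ca-bundle.pem>.
cert_trusted_by() {    # cert_trusted_by <ca-bundle.pem> <cert.pem>
  openssl verify -CAfile "$1" "$2" 2>&1 | grep -q ': OK$'
}

make_ca() {            # make_ca <dir> <ca-name>
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=$2" \
    -keyout "$1/$2.key" -out "$1/$2.crt" 2>/dev/null
}

issue_cert() {         # issue_cert <dir> <ca-name> <host>
  openssl req -newkey rsa:2048 -nodes -subj "/CN=$3" \
    -keyout "$1/$3.$2.key" -out "$1/$3.$2.csr" 2>/dev/null &&
  openssl x509 -req -in "$1/$3.$2.csr" -CA "$1/$2.crt" -CAkey "$1/$2.key" \
    -CAcreateserial -days 1 -out "$1/$3.$2.crt" 2>/dev/null
}

# Runs three checks and prints one verdict (ok/bad) per check.
demo() {
  local d h=proxy.example.test out=""
  d=$(mktemp -d) || return 1
  make_ca "$d" foreman-ca && make_ca "$d" proxy-ca || return 1
  issue_cert "$d" foreman-ca "$h" && issue_cert "$d" proxy-ca "$h" || return 1
  # Certificate issued by the CA that the peer's bundle contains: accepted.
  cert_trusted_by "$d/foreman-ca.crt" "$d/$h.foreman-ca.crt" && out="ok" || out="bad"
  # Same host name re-issued by the second CA: rejected by the same bundle.
  cert_trusted_by "$d/foreman-ca.crt" "$d/$h.proxy-ca.crt" && out="$out ok" || out="$out bad"
  # Old private key left beside a certificate from the new CA: no match.
  key_matches_cert "$d/$h.foreman-ca.key" "$d/$h.proxy-ca.crt" && out="$out ok" || out="$out bad"
  rm -rf "$d"
  echo "$out"
}

demo
```

On a real host, point the two check functions at the certificate, key and CA file configured for the service being diagnosed.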