Creating new connection for https://<wrong-puppet-host>:8140

Hey all!

Hoping someone can tell me what I'm doing wrong after banging my head
against this wall for a few days :)

At home I have set up ISC-DHCP, TFTP and running a SAMBA AD with DNS that
we'll call 'foo.bar'. Since before I've had a puppet server
('puppet.foo.bar') with Puppet Dashboard but wanted to experiment with The
Foreman as well.

In this domain I've now set up 'foreman.foo.bar' with smart proxies and
everything real nice, I can do bare metal provisions and everything, great.
Except that after provision, agents cannot retrieve their catalog:
Error: Could not retrieve catalog from remote server: Error 400 on SERVER:
SSL_connect returned=1 errno=0 state=SSLv3 read server certificate B:
certificate verify failed: [self signed certificate in certificate chain
for /CN=Puppet CA: puppet.foo.bar]
Warning: Not using cache on failed catalog
Error: Could not retrieve catalog; skipping run

Huh? Why the heck does the agent think it's right to connect towards
'puppet.foo.bar' instead of 'foreman.foo.bar'? Check this out from the
puppet master's log:

2015-03-06 22:33:17 +0100 Puppet (debug): Creating new connection for
https://puppet:8140
2015-03-06 22:33:17 +0100 Puppet (err): SSL_connect returned=1 errno=0
state=SSLv3 read server certificate B: certificate verify failed: [self
signed certificate in certificate chain for /CN=Puppet CA: puppet.foo.bar]

Find the complete agent run log attached. Where does this 'puppet' come
from? I've checked every setting I could think of and haven't been able to
see anywhere I've mistyped 'foreman' for this 'puppet'. Have looked in
Foreman > Settings > Puppet > puppet_server and it said 'puppet', so
changed that, didn't help. Have these in 'settings.yaml':
:domain: 'foo.bar'
:fqdn: 'foreman.foo.bar'
:puppet_server: 'foreman.foo.bar'

Doesn't help either. Also saw in the database that even though I changed
the 'puppet_server' setting in Foreman, the default still said 'puppet', so
tried to update that, but it just defaults back to saying 'puppet' again…

By coincidence also found out that the default puppet certificate issues
dns alternate names for 'puppet' and 'puppet.foo.bar', so redid that as
well to say 'foreman' respectively; no dice.

Also checked puppet.conf for anything weird but couldn't see anything
obvious.

Why do the agents connect towards the wrong puppet server?

/K

puppetmaster.log (4.95 KB)
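An added illustration, not code from the thread or from Foreman/Puppet, of the two things the first post is chasing: where a bare 'puppet' host name comes from (Puppet's built-in default for `server`, applied when neither the run-mode section nor [main] sets it), and how to read the failing run log. The puppet.conf texts and log lines below are constructed; the chain check assumes the expected master is also its own CA, as in the thread's setup.

```python
import configparser
import re

# Puppet's built-in default for `server`; with it unset the agent tries https://puppet:8140.
DEFAULT_SERVER = "puppet"

def effective_server(conf_text, run_mode="agent"):
    """Resolve `server` as Puppet does: run-mode section, then [main], then the default."""
    cp = configparser.ConfigParser(interpolation=None, strict=False,
                                   inline_comment_prefixes=("#",))
    cp.read_string(conf_text)
    for section in (run_mode, "main"):  # a value under [master] never reaches an agent
        if cp.has_option(section, "server"):
            return cp.get(section, "server").strip()
    return DEFAULT_SERVER

CONN_RE = re.compile(r"Creating new connection for https://([^:/\s]+):(\d+)")
CA_RE = re.compile(r"certificate chain for /CN=Puppet CA: ([^\]\s]+)\]")

def diagnose(log_lines, expected_server):
    """Flag connections to a host other than expected_server, and server chains
    issued by a CA other than expected_server's own (assumed to be the same host)."""
    findings = []
    for line in log_lines:
        m = CONN_RE.search(line)
        if m and m.group(1) != expected_server:
            findings.append("connected to %s:%s, expected %s"
                            % (m.group(1), m.group(2), expected_server))
        m = CA_RE.search(line)
        if m and m.group(1) != expected_server:
            findings.append("chain signed by 'Puppet CA: %s', not the CA of %s"
                            % (m.group(1), expected_server))
    return findings

# Constructed puppet.conf: ca_server is right, but `server` is set nowhere the agent
# looks, so it silently falls back to "puppet".
CONF_NO_SERVER = "[main]\nvardir = /var/lib/puppet\n[agent]\nca_server = foreman.foo.bar\n"
CONF_OK = "[main]\nserver = foreman.foo.bar\n"

# Constructed log lines in the shape of the thread's agent output.
SAMPLE_LOG = [
    "2015-03-06 22:33:17 +0100 Puppet (debug): Creating new connection for https://puppet:8140",
    "2015-03-06 22:33:17 +0100 Puppet (err): SSL_connect returned=1 errno=0 state=SSLv3 read "
    "server certificate B: certificate verify failed: [self signed certificate in "
    "certificate chain for /CN=Puppet CA: puppet.foo.bar]",
]

if __name__ == "__main__":
    print(effective_server(CONF_NO_SERVER), effective_server(CONF_OK))
    print(diagnose(SAMPLE_LOG, "foreman.foo.bar"))
```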

When a host is provisioned, it'll use the URL of the smart proxy that
is assigned to the host for its puppetmaster. If you edit the host
and look on the first tab, you'll see a Puppetmaster field. Make a
note of that and then go to the Smart Proxy page. You'll probably
find that the url of that proxy is "https://puppet.foo.bar:8443". If
so, change it to the value you want the host to use - it must be
reachable by Foreman on this URL though.

Hope that helps
Greg

Sadly no, that's not the problem, it accurately states 'https://foreman.foo.bar:8443' and checking in ${foreman-proxy_dir}/settings.d/puppet.yml I've:
:puppet_url: "https:/foreman.foo.bar:8140"

Anything else that comes to mind?

/K

Can you pastebin the rendered templates for one of these hosts? And,
the raw templates before rendering? Something in there is probably
doing it, the question is, what? :slight_smile:

>
> Can you pastebin the rendered templates for one of these hosts? And,
> the raw templates before rendering? Something in there is probably
> doing it, the question is, what? :slight_smile:

Sure, I can do that, but I'm actually not sure that's the issue either,
because I can import modules from the Puppet server into Foreman (both
running in 'foreman.foo.bar') and associate them to this host. If a module
class has facts, they are downloaded and evaluated on the host, and visible
back in the Foreman too. But as soon as the host tries to fetch its catalog
it reaches out to the wrong address and is rightfully denied.

/K


On 10 Mar 2015 18:24, "Greg Sutcliffe" wrote:

Oh that's interesting. So the correct server (foreman.foo.bar) is
specified in the host's puppet.conf?

On 10 March 2015 at 18:46, Karli Sjöberg wrote:

>
> >
> >>
> >> Can you pastebin the rendered templates for one of these hosts? And,
> >> the raw templates before rendering? Something in there is probably
> >> doing it, the question is, what? :slight_smile:
> >
> > Sure, I can do that, but I'm actually not sure that's the issue either,
> > because I can import modules from the Puppet server into Foreman (both
> > running in 'foreman.foo.bar') and associate them to this host. If a
> > module class has facts, they are downloaded and evaluated on the host,
> > and visible back in the Foreman too. But as soon as the host tries to
> > fetch its catalog it reaches out to the wrong address and is rightfully
> > denied.
>
> Oh that's interesting.

I know, right? :slight_smile: Never seen this before.

> So the correct server (foreman.foo.bar) is
> specified in the host's puppet.conf?

Yup :)

/K


On 11 Mar 2015 12:16, "Greg Sutcliffe" wrote:

Very odd indeed. Have you altered the certs in any way, or is this a
default install of foreman? Any custom flags passed to the installer?

> Very odd indeed. Have you altered the certs in any way, or is this a
> default install of foreman?

Well, default and default, it's like this:

And yes, I'm guilty of being OP. And no, I don't know if everything's done
"right" but it works (sort of) :slight_smile:

About the certs, I tried starting puppet for the first time using the
built-in webrick server to auto-generate the certs and saw it actually
issues dns alternate names for 'puppet' and 'puppet.foo.bar', so I redid
that by starting over with:

# puppet clean --all
# puppet cert generate --dns_alt_names foreman,foreman.foo.bar foreman.foo.bar

And then redoing the certs for all of the foreman-proxies.

> Any custom flags passed to the installer?
>

I have tried deploying both an Ubuntu 14.04 and CentOS 6.6 using the
default templates (Preseed and Kickstart) without any modifications
whatsoever. I wanted to see it work before doing any modifications, but I
can't even come that far…

/K

On 2015-03-11 18:48 GMT+01:00, Greg Sutcliffe wrote:

Interesting. You say you had a puppetserver before on puppet.foo.bar,
and that the client has "server = foreman.foo.bar" in its config -
was this machine talking to the old puppetserver? Has it cached the
CA? If so, maybe clean out /var/lib/puppet entirely on the client and
resign a new cert?

Greg

On 11 March 2015 at 21:43, Karli Sjöberg wrote:

>
> > About the certs, I tried starting puppet for the first time using the
> > built-in webrick server to auto-generate the certs and saw it actually
> > issues dns alternate names for 'puppet' and 'puppet.foo.bar', so I redid
> > that by starting over with:
> > # puppet clean --all
> > # puppet cert generate --dns_alt_names foreman,foreman.foo.bar
> > foreman.foo.bar
>
> Interesting. You say you had a puppetserver before on puppet.foo.bar,
> and that the client has "server = foreman.foo.bar" in its config -
> was this machine talking to the old puppetserver?

No, it's been all new unattended deploys on two different operating
systems, behaving in the same way.

> Has it cached the
> CA? If so, maybe clean out /var/lib/puppet entirely on the client and
> resign a new cert?

Checking the client's cert may be interesting anyway, I'll do that and
check back later.

/K


On 12 Mar 2015 01:07, "Greg Sutcliffe" wrote: