Problem: When attempting to install a new smart-proxy instance, I am getting an ERF12-2530 error when the installer tries to register the smart-proxy to the Foreman server.
Expected outcome: Successful installation and registration of Smart Proxy instance
Foreman and Proxy versions: Foreman 2.3.2-1 (Katello 3.18) with Foreman Proxy 2.3.2-1
Foreman and Proxy plugin versions:
Name | Description | Author | Version |
---|---|---|---|
foreman-tasks | The goal of this plugin is to unify the way of showing task statuses across the Foreman instance. It defines Task model for keeping the information about the tasks and Lock for assigning the tasks to resources. The locking allows dealing with preventing multiple colliding tasks to be run on the same resource. It also optionally provides Dynflow infrastructure for using it for managing the tasks. | Ivan Nečas | 3.0.2 |
foreman_ansible | Ansible integration with Foreman | Daniel Lobato Garcia | 6.1.1 |
foreman_azure_rm | This gem provides Azure Resource Manager as a compute resource for The Foreman | Aditi Puntambekar, Shimon Shtein, and Tyler Gregory | 2.1.2 |
foreman_bootdisk | Plugin for Foreman that creates iPXE-based boot disks to provision hosts without the need for PXE infrastructure. | Dominic Cleal | 17.0.2 |
foreman_discovery | MaaS Discovery Plugin engine for Foreman | Aditi Puntambekar, alongoldboim, Alon Goldboim, amirfefer, Amit Karsale, Amit Upadhye, Amos Benari, Avi Sharvit, Bryan Kearney, bshuster, Daniel Lobato, Daniel Lobato Garcia, Daniel Lobato García, Danny Smit, David Davis, Djebran Lezzoum, Dominic Cleal, Eric D. Helms, Ewoud Kohl van Wijngaarden, Frank Wall, Greg Sutcliffe, ChairmanTubeAmp, Ido Kanner, imriz, Imri Zvik, Ivan Nečas, Joseph Mitchell Magen, June Zhang, kgaikwad, Lars Berntzon, ldjebran, Leos Stejskal, Lukas Zapletal, Lukáš Zapletal, Marek Hulan, Marek Hulán, Martin Bačovský, Matt Jarvis, Michael Moll, Nick, odovzhenko, Ohad Levy, Ondrej Prazak, Ondřej Ezr, Ori Rabin, orrabin, Partha Aji, Petr Chalupa, Phirince Philip, Rahul Bajaj, Robert Antoni Buj Gelonch, Ron Lavi, Scubafloyd, Sean O’Keeffe, Sebastian Gräßl, Shimon Shtein, Shlomi Zadok, Stephen Benjamin, Swapnil Abnave, Thomas Gelf, Timo Goebel, Tomas Strych, Tom Caspy, Tomer Brisker, and Yann Cézard | 16.3.4 |
foreman_hooks | Plugin engine for Foreman that enables running custom hook scripts on Foreman events | Dominic Cleal | 0.3.17 |
foreman_openscap | Foreman plug-in for managing security compliance reports | slukasik@redhat.com | 4.1.2 |
foreman_remote_execution | A plugin bringing remote execution to the Foreman, completing the config management functionality with remote management functionality. | Foreman Remote Execution team | 4.2.2 |
foreman_statistics | Statistics and Trends for Foreman gives users overview of their infrastructure. | Ondrej Ezr | 1.0.0 |
foreman_templates | Engine to synchronise provisioning templates from GitHub | Greg Sutcliffe | 9.0.1 |
foreman_virt_who_configure | A plugin to make virt-who configuration easy | Foreman virt-who-configure team | 0.5.5 |
katello | Katello adds Content and Subscription Management to Foreman. For this it relies on Candlepin and Pulp. | N/A | 3.18.1 |
Distribution and version:
Other relevant data:
Foreman was installed with the following options:
foreman-installer
--verbose
--scenario katello
--tuning medium
--enable-foreman
--enable-foreman-cli
--enable-foreman-compute-ec2
--enable-foreman-compute-gce
--enable-foreman-compute-libvirt
--enable-foreman-compute-openstack
--enable-foreman-compute-ovirt
--enable-foreman-compute-vmware
--enable-foreman-plugin-ansible
--enable-foreman-plugin-azure
--enable-foreman-plugin-bootdisk
--enable-foreman-plugin-discovery
--enable-foreman-plugin-hooks
--enable-foreman-plugin-openscap
--enable-foreman-plugin-remote-execution
--enable-foreman-plugin-statistics
--enable-foreman-plugin-templates
--enable-foreman-plugin-virt-who-configure
--enable-foreman-proxy-plugin-dhcp-remote-isc
--enable-foreman-proxy-plugin-openscap
--enable-foreman-proxy-plugin-pulp
--enable-foreman-proxy-plugin-remote-execution-ssh
--enable-katello
--foreman-proxy-dhcp false
--foreman-proxy-dns false
--foreman-initial-admin-first-name "Administrative"
--foreman-initial-admin-last-name "User"
--foreman-initial-admin-username ""
--foreman-initial-admin-password ""
--foreman-initial-organization "MyOrganization"
--foreman-initial-location "MyLocation"
--foreman-proxy-logs true
--foreman-proxy-tftp true
--foreman-proxy-tftp-managed true
and the SSL Certificate was generated from this server and copied to the smart proxy host using the following command:
rm -rf /root/ssl-build && foreman-proxy-certs-generate
--certs-update-all
--foreman-proxy-fqdn "proxyserver.example.com"
--foreman-proxy-cname "loadbalancer.example.com"
--certs-tar "/root/proxyserver.example.com-certs.tar"
Then we attempted to install the Smart Proxy using the following command (server names have been obfuscated):
foreman-installer --scenario foreman-proxy-content
--verbose
--certs-cname "loadbalancer.example.com"
--certs-tar-file "/root/proxyserver.example.com-certs.tar"
--enable-foreman-proxy-plugin-ansible
--enable-foreman-proxy-plugin-remote-execution-ssh
--foreman-proxy-content-parent-fqdn "foremanserver.example.com"
--foreman-proxy-foreman-base-url "https://foremanserver.example.com"
--foreman-proxy-oauth-consumer-key ""
--foreman-proxy-oauth-consumer-secret ""
--foreman-proxy-puppetca "true"
--foreman-proxy-register-in-foreman "true"
--foreman-proxy-tftp "true"
--foreman-proxy-tftp-managed "true"
--foreman-proxy-tftp-servername "proxyserver.example.com"
--foreman-proxy-trusted-hosts "foremanserver.example.com"
--foreman-proxy-trusted-hosts "proxyserver.example.com"
--puppet-ca-server "proxyserver.example.com"
--puppet-dns-alt-names "loadbalancer.example.com"
--puppet-server-foreman-url "https://foremanserver.example.com"
When we run this command, the following errors are generated in /var/log/foreman-installer/foreman-proxy-content.log:
2021-01-27 15:53:07 [ERROR ] [configure] Proxy proxyserver.example.com cannot be registered: Unable to communicate with the proxy: ERF12-2530 [ProxyAPI::ProxyException]: Unable to detect features ([RestClient::SSLCertificateNotVerified]: SSL_connect returned=1 errno=0 state=error: certificate verify failed (self signed certificate in certificate chain)) for proxy https://proxyserver.example.com:9090/v2/features Please check the proxy is configured and running on the host.
2021-01-27 15:53:07 [ERROR ] [configure] /Stage[main]/Foreman_proxy::Register/Foreman_smartproxy[proxyserver.example.com]/ensure: change from 'absent' to 'present' failed: Proxy proxyserver.example.com cannot be registered: Unable to communicate with the proxy: ERF12-2530 [ProxyAPI::ProxyException]: Unable to detect features ([RestClient::SSLCertificateNotVerified]: SSL_connect returned=1 errno=0 state=error: certificate verify failed (self signed certificate in certificate chain)) for proxy https://proxyserver.example.com:9090/v2/features Please check the proxy is configured and running on the host.
The /etc/foreman-proxy/settings.yml lines for the SSL certificates look like this:
:ssl_ca_file: /etc/foreman-proxy/ssl_ca.pem
:ssl_certificate: /etc/foreman-proxy/ssl_cert.pem
:ssl_private_key: /etc/foreman-proxy/ssl_key.pem
:foreman_ssl_ca: /etc/foreman-proxy/foreman_ssl_ca.pem
:foreman_ssl_cert: /etc/foreman-proxy/foreman_ssl_cert.pem
:foreman_ssl_key: /etc/foreman-proxy/foreman_ssl_key.pem
and I did check these using katello-certs-check on the proxy server:
katello-certs-check -t foreman-proxy -c /etc/foreman-proxy/ssl_cert.pem -k /etc/foreman-proxy/ssl_key.pem -b /etc/foreman-proxy/ssl_ca.pem which came back all OK
katello-certs-check -t foreman-proxy -c /etc/foreman-proxy/foreman_ssl_cert.pem -k /etc/foreman-proxy/foreman_ssl_key.pem -b /etc/foreman-proxy/foreman_ssl_ca.pem which came back with a FAIL for The /etc/foreman-proxy/foreman_ssl_ca.pem does not verify the /etc/foreman-proxy/foreman_ssl_cert.pem
/etc/foreman-proxy/foreman_ssl_cert.pem: C = US, ST = North Carolina, O = FOREMAN, OU = FOREMAN_PROXY, CN = proxyserver.example.com
error 20 at 0 depth lookup:unable to get local issuer certificate
but since I am using all default/generated SSL certificates, I’m not sure how the foreman_ssl_cert is not being signed correctly.
I have tried placing both the katello-server-ca.pem and katello-default-ca.crt files into /etc/pki/ca-trust/source/anchors and run the update-ca-trust as well as the update-ca-trust extract commands, along with specifying the CA bundle /etc/pki/ca-trust/extracted/pem/tls-ca-bundle.pem file in the installer, but the issue is still present (I also checked the bundle against the foreman_ssl_cert.pem file using katello-certs-check but it comes up failed as well with the CA not having signed the cert).
Any thoughts the community can share, or a direction that can guide me would be very much appreciated. I’ve been going bonkers trying to figure this out.
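The failing katello-certs-check in the post comes down to verifying foreman_ssl_cert.pem against foreman_ssl_ca.pem, which is what produces "error 20 ... unable to get local issuer certificate" when the CA file does not contain the leaf's issuer. The script below is an added example, not part of the original post or of Foreman's tooling: it rebuilds that check with throwaway certificates (a leaf signed by one CA, checked against the right CA and against a second, unrelated CA) and shows the issuer/subject comparison that tells you which CA actually signed a leaf. The names server-ca and default-ca are constructed stand-ins, not Foreman's own files.

```shell
#!/bin/sh
# Added example (not from the original post): reproduce the "CA does not verify
# cert" outcome with plain openssl and show which CA actually issued a leaf.
# Every key and certificate here is constructed throwaway test data.
set -eu

# check_pair CA_FILE CERT_FILE: 0 if CA_FILE verifies CERT_FILE, else 1 (the error 20 case).
check_pair() {
    openssl verify -CAfile "$1" "$2" >/dev/null 2>&1
}

# issuer_of / subject_of CERT_FILE: the DN strings to compare when a check fails.
issuer_of()  { openssl x509 -noout -issuer  -in "$1" | sed 's/^issuer=//'; }
subject_of() { openssl x509 -noout -subject -in "$1" | sed 's/^subject=//'; }

# mkca DIR NAME: self-signed CA at DIR/NAME.pem with key DIR/NAME.key
mkca() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -keyout "$1/$2.key" \
        -out "$1/$2.pem" -subj "/O=FOREMAN/CN=$2" >/dev/null 2>&1
}

# mkleaf DIR CA LEAF CN: leaf cert DIR/LEAF.pem signed by DIR/CA.pem
mkleaf() {
    openssl req -new -newkey rsa:2048 -nodes -keyout "$1/$3.key" -out "$1/$3.csr" \
        -subj "/O=FOREMAN/OU=FOREMAN_PROXY/CN=$4" >/dev/null 2>&1
    openssl x509 -req -days 1 -in "$1/$3.csr" -CA "$1/$2.pem" -CAkey "$1/$2.key" \
        -CAcreateserial -out "$1/$3.pem" >/dev/null 2>&1
}

# demo: two CAs (constructed stand-ins for katello-server-ca and katello-default-ca)
# and one leaf signed by the first. Returns 0 when the right CA passes and the
# wrong CA fails, i.e. when the check behaves the way katello-certs-check did.
demo() {
    d=$(mktemp -d); rc=0
    mkca "$d" server-ca; mkca "$d" default-ca
    mkleaf "$d" server-ca proxy proxyserver.example.com
    check_pair "$d/server-ca.pem" "$d/proxy.pem" || rc=1              # expected: OK
    if check_pair "$d/default-ca.pem" "$d/proxy.pem"; then rc=1; fi   # expected: FAIL
    # On a FAIL, compare the leaf's issuer with the subject of the CA you handed it:
    echo "leaf issuer : $(issuer_of "$d/proxy.pem")"
    echo "wrong CA    : $(subject_of "$d/default-ca.pem")"
    echo "right CA    : $(subject_of "$d/server-ca.pem")"
    rm -rf "$d"
    return $rc
}
```

Run the same issuer_of/subject_of pair against /etc/foreman-proxy/foreman_ssl_cert.pem and each candidate CA file to see which bundle the leaf was really issued from.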