Error adding smart proxy to Foreman

Hello, I’m trying to add a smart proxy to Foreman because I need it to use the remote execution plugin.
The problem is I followed the installation guide step by step, but at the moment of adding the proxy, an error appears:

Tutorial for smart proxy installation:
https://theforeman.org/manuals/1.21/index.html#4.3.1SmartProxyInstallation

Tutorial for SSL configuration:
https://theforeman.org/manuals/1.21/index.html#4.3.10SSL

impossible de communiquer avec le proxy : ERF12-2530 [ProxyAPI::ProxyException]: Impossible de détecter les capacités ([OpenSSL::SSL::SSLError]: hostname "192.168.0.131" does not match the server certificate) pour le proxy https://192.168.0.131:8443/features et Merci de vérifier si le proxy est configuré et fonctionnel sur l'hôte.

I generated new certificates with the tutorial in the Foreman manual.

Thanks for the help.

Using IPs doesn’t work well with certificates. You should be using DNS names.

OK, but I can’t use DNS names, so is there a way to force the proxy to accept the certificates, or another way to use the remote execution plugin without this proxy?

Not as far as I know. Our authentication is built around client certificates with DNS names. In most places we still check the CN field rather than subjectAltName. Even where we have subjectAltName support, I think it only implements DNS: support and not IP:.

What is the reason you can’t use DNS?

Because I’m working in a company and they don’t want me to use DNS.
And I tried before to modify /etc/hosts, but it’s the same thing.
Look at the picture.

And in the Foreman manual, it’s written that ‘the smart proxy “CAN” work in SSL mode’, not “must”.
So how can we disable this SSL mode?

4.3.10 SSL

The smart proxy can work in SSL mode, where both sides verify and trust each other. Requests from Foreman will only be accepted if the SSL certificate can be verified. Since proxies abstract a high level of control over your infrastructure, the configuration and security of keys and certificates is important.

Use without SSL is not advised. Ironically enough it relies even more heavily on DNS to validate names. It uses reverse DNS and validates it with the forward to get a hostname.

The one in your screenshot should have worked. OpenSSL is quite bad at producing error messages. Perhaps it used the incorrect CA to validate? In the settings you can configure the CA used to connect.

You can manually connect with openssl s_client -connect hostname:port -CAfile /path/to/ca.pem -cert /path/to/cert.pem -key /path/to/key.pem which usually gives more information.

The command returns:

root@foreman:/home/cfast# openssl s_client -connect foreman.otgst.telecom.com:8443 -CAfile /etc/puppetlabs/puppet/ssl/certs/ca.pem -cert /etc/puppetlabs/puppet/ssl/certs/new-smart-proxy-foreman.pem -key /etc/puppetlabs/puppet/ssl/private_keys/new-smart-proxy-foreman.pem 
CONNECTED(00000003)
depth=1 CN = Puppet CA: foreman.otgst.telecom
verify return:1
depth=0 CN = new-smart-proxy-foreman
verify return:1
---
Certificate chain
 0 s:/CN=new-smart-proxy-foreman
   i:/CN=Puppet CA: foreman.otgst.telecom
 1 s:/CN=Puppet CA: foreman.otgst.telecom
   i:/CN=Puppet CA: foreman.otgst.telecom
---
Server certificate
-----BEGIN CERTIFICATE-----
MIIFhTCCA22gAwIBAgIBAjANBgkqhkiG9w0BAQsFADArMSkwJwYDVQQDDCBQdXBw
[...]
fFKJZdPstiXyc/6Q8ENptM6i0qrHSFOrNg==
-----END CERTIFICATE-----
subject=/CN=new-smart-proxy-foreman
issuer=/CN=Puppet CA: foreman.otgst.telecom
---
No client certificate CA names sent
Client Certificate Types: RSA sign, DSA sign, ECDSA sign
Requested Signature Algorithms: RSA+SHA512:DSA+SHA512:ECDSA+SHA512:RSA+SHA384:DSA+SHA384:ECDSA+SHA384:RSA+SHA256:DSA+SHA256:ECDSA+SHA256:RSA+SHA224:DSA+SHA224:ECDSA+SHA224:RSA+SHA1:DSA+SHA1:ECDSA+SHA1
Shared Requested Signature Algorithms: RSA+SHA512:DSA+SHA512:ECDSA+SHA512:RSA+SHA384:DSA+SHA384:ECDSA+SHA384:RSA+SHA256:DSA+SHA256:ECDSA+SHA256:RSA+SHA224:DSA+SHA224:ECDSA+SHA224:RSA+SHA1:DSA+SHA1:ECDSA+SHA1
---
SSL handshake has read 4651 bytes and written 4135 bytes
Verification: OK
---
New, TLSv1.2, Cipher is AES128-GCM-SHA256
Server public key is 4096 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
SSL-Session:
    Protocol  : TLSv1.2
    Cipher    : AES128-GCM-SHA256
    Session-ID: 9712099EF9A669E995F7298F3D327958282681905C12CD273F498D03EEB16A9E
    Session-ID-ctx: 
    Master-Key: 396C931DC0A87737913771836D2285260507BD4EB68B1C7888388AE06FB3AA6F507C878DA0BFA15D8E1538B4E3FFE8FD
    PSK identity: None
    PSK identity hint: None
    SRP username: None
    TLS session ticket lifetime hint: 300 (seconds)
    TLS session ticket:
    0000 - 58 f1 f8 34 ab c5 b4 ee-41 7f 9e 14 9f 37 6d 4d   X..4....A....7mM
[...]
    0640 - e6 34 f5 54 79 b7 e4 6e-0b 16 c0 32 a2 e0 9a c3   .4.Ty..n...2....

    Start Time: 1554367133
    Timeout   : 7200 (sec)
    Verify return code: 0 (ok)
    Extended master secret: no
---
closed

Where can we change this parameter in the Foreman interface?

In the openssl output you can see the CN is new-smart-proxy-foreman which doesn’t match foreman.otgst.telecom. The error message is actually correct and it’s best to regenerate the certificate used on the proxy.
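The replies above describe the check that produced the error: the name Foreman connects to (a DNS name or an IP literal) is compared against the certificate’s CN and, where the verifier supports it, against subjectAltName entries, with IP: entries often not supported at all. The following Python script is an added example, not part of this thread and not the Foreman or Smart Proxy code, that reimplements that matching logic in the RFC 6125 style so you can see why a certificate with CN=new-smart-proxy-foreman and no SAN can match neither foreman.otgst.telecom.com nor 192.168.0.131. The CertIdentity class, the SAN lists and the “regenerated” certificate values are constructed for illustration and are not taken from the thread’s certificates.

```python
"""Hostname-vs-certificate matching, the check behind the thread's error.

Constructed example: the certificate identities below are hand-built from the
names visible in the thread, not parsed from real certificates.
"""
import ipaddress
from dataclasses import dataclass, field


@dataclass
class CertIdentity:
    """The identity fields a verifier looks at: subject CN plus SAN entries."""
    common_name: str
    san_dns: list = field(default_factory=list)   # subjectAltName DNS: entries
    san_ip: list = field(default_factory=list)    # subjectAltName IP: entries


def dns_name_matches(pattern: str, hostname: str) -> bool:
    """RFC 6125 style comparison: case-insensitive, a single '*' may only
    replace the whole leftmost label and never matches across dots."""
    pattern = pattern.lower().rstrip(".")
    hostname = hostname.lower().rstrip(".")
    if "*" not in pattern:
        return pattern == hostname
    p_labels = pattern.split(".")
    h_labels = hostname.split(".")
    # Reject "*", "*.com" and wildcards that are not the entire leftmost label
    if p_labels[0] != "*" or len(p_labels) < 3 or len(p_labels) != len(h_labels):
        return False
    return p_labels[1:] == h_labels[1:]


def match_hostname(cert: CertIdentity, hostname: str, *, check_ip_san: bool = True):
    """Return (ok, reason), following the usual verifier rules:
    - an IP literal is only accepted via an IP: SAN, never via the CN or a DNS: SAN;
    - if any DNS: SAN is present, the CN is ignored;
    - with no SAN at all, fall back to the CN.
    check_ip_san=False models a verifier that only implements DNS: SANs."""
    try:
        ip = ipaddress.ip_address(hostname)
    except ValueError:
        ip = None
    mismatch = (False, f'hostname "{hostname}" does not match the server certificate')

    if ip is not None:
        if check_ip_san:
            for entry in cert.san_ip:
                if ipaddress.ip_address(entry) == ip:
                    return True, f"matched IP SAN {entry}"
        return mismatch

    if cert.san_dns:
        for entry in cert.san_dns:
            if dns_name_matches(entry, hostname):
                return True, f"matched DNS SAN {entry}"
        return mismatch

    if dns_name_matches(cert.common_name, hostname):
        return True, f"matched CN {cert.common_name} (no SAN present)"
    return mismatch


# Constructed: the proxy certificate as the s_client output shows it (CN only, no SAN).
PROXY_CERT_AS_ISSUED = CertIdentity(common_name="new-smart-proxy-foreman")

# Constructed: what a regenerated certificate would have to carry to match both
# the DNS name and the IP literal that Foreman was pointed at.
PROXY_CERT_REGENERATED = CertIdentity(
    common_name="foreman.otgst.telecom.com",
    san_dns=["foreman.otgst.telecom.com"],
    san_ip=["192.168.0.131"],
)


if __name__ == "__main__":
    cases = [
        (PROXY_CERT_AS_ISSUED, "foreman.otgst.telecom.com", True),
        (PROXY_CERT_AS_ISSUED, "192.168.0.131", True),
        (PROXY_CERT_REGENERATED, "foreman.otgst.telecom.com", True),
        (PROXY_CERT_REGENERATED, "192.168.0.131", True),
        # A verifier with DNS:-only SAN support, as described in the thread
        (PROXY_CERT_REGENERATED, "192.168.0.131", False),
    ]
    for cert, host, ip_ok in cases:
        ok, reason = match_hostname(cert, host, check_ip_san=ip_ok)
        print(f"{host:26} ip_san={str(ip_ok):5} -> {'OK  ' if ok else 'FAIL'} {reason}")
```

The last case is the one that matters for the original question: even a certificate that does carry an IP: SAN fails when the verifier only looks at DNS: entries, so pointing Foreman at an IP literal cannot be fixed on the certificate side alone. To see which names a real certificate actually carries, inspect it with openssl x509 -in cert.pem -noout -subject -text and look for the Subject Alternative Name section.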

Shouldn’t I just change a value in the Puppet settings?
I have already generated new certificates, but isn’t it just a missing parameter to change?

I’m not sure what you mean. Which setting are you talking about?

Settings that indicate to Foreman or Puppet where the certificates are, but I have found where the problem was.