Error add smart proxy to foreman

Hello, i’m trying to add smart proxy to foreman because i need it to use remote execution plugin.
The problem is i follow the installation guide step by step but at moment to add proxy, an error appear :

tuto smat proxy installation :

tuto ssl configuration :

impossible de communiquer avec le proxy : ERF12-2530 [ProxyAPI::ProxyException]: Impossible de détecter les capacités ([OpenSSL::SSL::SSLError]: hostname "" does not match the server certificate) pour le proxy et Merci de vérifier si le proxy est configuré et fonctionnel sur l'hôte.

I genereted new certificates with the tuto on foreman manual.

Thks for help

Using IPs doesn’t work well with certificates. You should be using DNS names

ok ok but i can’t use DNS Names, so there he a way to force the proxy to accept the certificates or other way to use the remote execution plugin without this proxy ?

Not as far as I know. Our authentication is built around client certificates with DNS names. In most places we still check the CN field rather than subjectAltName. Even where we have subjectAltName support, I think it only implements DNS: support and not IP:.

What is the reason you can’t use DNS?

Because i’m working in company and they don’t want i use the DNS
And i tried before to modify the /etc/hosts but it’s the same things
look the picture

And on the Foreman manual, it’s written that ‘the smart proxy “CAN” work in SSL mode’ but not “must”’
So how can we disable this SSL mode ?

4.3.10 SSL

The smart proxy can work in SSL mode, where both sides verify and trust each other. Requests from Foreman will only be accepted if the SSL certificate can be verified. Since proxies abstract a high level of control over your infrastructure, the configuration and security of keys and certificates is important.

Use without SSL is not advised. Ironically enough it relies even more heavily on DNS to validate names. It uses reverse DNS and validates it with the forward to get a hostname.

The one in your screenshot should have worked. OpenSSL is quite bad at producing error messages. Perhaps it used the incorrect CA to validate? In the settings you can configure the CA used to connect.

You can manually connect with openssl s_client -connect hostname:port -CAfile /path/to/ca.pem -cert /path/to/cert.pem -key/path/to/key.pem which usually gives more information.

The command return :

root@foreman:/home/cfast# openssl s_client -connect -CAfile /etc/puppetlabs/puppet/ssl/certs/ca.pem -cert /etc/puppetlabs/puppet/ssl/certs/new-smart-proxy-foreman.pem -key /etc/puppetlabs/puppet/ssl/private_keys/new-smart-proxy-foreman.pem 
depth=1 CN = Puppet CA: foreman.otgst.telecom
verify return:1
depth=0 CN = new-smart-proxy-foreman
verify return:1
Certificate chain
 0 s:/CN=new-smart-proxy-foreman
   i:/CN=Puppet CA: foreman.otgst.telecom
 1 s:/CN=Puppet CA: foreman.otgst.telecom
   i:/CN=Puppet CA: foreman.otgst.telecom
Server certificate
issuer=/CN=Puppet CA: foreman.otgst.telecom
No client certificate CA names sent
Client Certificate Types: RSA sign, DSA sign, ECDSA sign
SSL handshake has read 4651 bytes and written 4135 bytes
Verification: OK
New, TLSv1.2, Cipher is AES128-GCM-SHA256
Server public key is 4096 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
    Protocol  : TLSv1.2
    Cipher    : AES128-GCM-SHA256
    Session-ID: 9712099EF9A669E995F7298F3D327958282681905C12CD273F498D03EEB16A9E
    Master-Key: 396C931DC0A87737913771836D2285260507BD4EB68B1C7888388AE06FB3AA6F507C878DA0BFA15D8E1538B4E3FFE8FD
    PSK identity: None
    PSK identity hint: None
    SRP username: None
    TLS session ticket lifetime hint: 300 (seconds)
    TLS session ticket:
    0000 - 58 f1 f8 34 ab c5 b4 ee-41 7f 9e 14 9f 37 6d 4d   X..4....A....7mM
    0640 - e6 34 f5 54 79 b7 e4 6e-0b 16 c0 32 a2 e0 9a c3   .4.Ty..n...2....

    Start Time: 1554367133
    Timeout   : 7200 (sec)
    Verify return code: 0 (ok)
    Extended master secret: no

Where can we change this parameter in TheForeman interface ?

In the openssl output you can see the CN is new-smart-proxy-foreman which doesn’t match foreman.otgst.telecom. The error message is actually correct and it’s best to regenerate the certificate used on the proxy.

Should not just change value in puppet settings ?
I have already generated new certificates, but it not just missing parameter to change ?

I’m not sure what you mean. Which setting are you talking about?

Settings that indicate to foreman or puppet where is the certificates but i have find where were the problem.