We are trying to use OpenSCAP with Foreman/Katello. The installation looks good, but we got the following error.
Maybe there is a problem with the certificates. The system is registered with subscription-manager without any problem.
I found this article https://access.redhat.com/solutions/2175231 but it's old and I think no longer relevant. You can see my config files below.
Maybe I need to change or reset something with the certificates.
Any ideas or help?
Error occurred: Neither PUB key nor PRIV key: nested asn1 error
Foreman and Proxy versions:
Foreman and Proxy plugin versions:
Other relevant data:
```yaml
# DO NOT EDIT THIS FILE MANUALLY
# IT IS MANAGED BY PUPPET

# Foreman proxy to which reports should be uploaded
:server: 'katello01.example.com'
:port: 9090

# Timeout for sending reports to proxy
:timeout: 60

# Should --fetch-remote-resources be added to `oscap xccdf eval` command
:fetch_remote_resources: false

# HTTP proxy server for downloading remote resources
:http_proxy_server:
:http_proxy_port:

## SSL specific options ##
# Client CA file.
# It could be Puppet CA certificate (e.g., '/var/lib/puppet/ssl/certs/ca.pem')
# Or (recommended for client reporting to Katello) subscription manager CA file, (e.g., '/etc/rhsm/ca/katello-server-ca.pem')
:ca_file: '/etc/rhsm/ca/katello-server-ca.pem'

# Client host certificate.
# It could be Puppet agent host certificate (e.g., '/var/lib/puppet/ssl/certs/myhost.example.com.pem')
# Or (recommended for client reporting to Katello) consumer certificate (e.g., '/etc/pki/consumer/cert.pem')
:host_certificate: '/etc/pki/consumer/cert.pem'

# Client private key
# It could be Puppet agent private key (e.g., '/var/lib/puppet/ssl/private_keys/myhost.example.com.pem')
# Or (recommended for client reporting to Katello) consumer private key (e.g., '/etc/pki/consumer/key.pem')
:host_private_key: '/etc/pki/consumer/key.pem'

# policy (key is id as in Foreman)
3:
  :profile: 'xccdf_org.ssgproject.content_profile_stig-rhel7-disa'
  :content_path: '/var/lib/openscap/content/3e1654fd14a5352d65294db555710bfda5cad1a942209e2d787ea7940035616e.xml'
  # Download path
  # A path to download SCAP content from proxy
  :download_path: '/compliance/policies/3/content/3e1654fd14a5352d65294db555710bfda5cad1a942209e2d787ea7940035616e'
  :tailoring_path: ''
  :tailoring_download_path: ''
4:
  :profile: 'xccdf_org.ssgproject.content_profile_hipaa'
  :content_path: '/var/lib/openscap/content/3e1654fd14a5352d65294db555710bfda5cad1a942209e2d787ea7940035616e.xml'
  # Download path
  # A path to download SCAP content from proxy
  :download_path: '/compliance/policies/4/content/3e1654fd14a5352d65294db555710bfda5cad1a942209e2d787ea7940035616e'
  :tailoring_path: ''
  :tailoring_download_path: ''
```
```yaml
---
:enabled: https

# Log file for the forwarding script.
:openscap_send_log_file: /var/log/foreman-proxy/openscap-send.log

# Directory where OpenSCAP audits are stored
# if they failed to post to Foreman. smart_proxy_openscap_send will
# try to re-send them.
:spooldir: /var/spool/foreman-proxy/openscap

# Directory where OpenSCAP content XML are stored
# So we will not request the XML from Foreman each time
:contentdir: /var/lib/foreman-proxy/openscap/content

# Directory where OpenSCAP report XML are stored
# So Foreman can request arf xml reports
:reportsdir: /var/lib/foreman-proxy/openscap/reports

# Directory where OpenSCAP report XML are stored
# In case sending to Foreman succeeded, yet failed to save to reportsdir
:failed_dir: /var/lib/foreman-proxy/openscap/failed

# Directory where corrupted OpenSCAP report XML are stored
# when proxy cannot parse the report sent by client
:corrupted_dir: /var/lib/foreman-proxy/openscap/corrupted

# Proxy name to send to Foreman with parsed report
# Foreman matches it against names of registered proxies to find the report source
:registered_proxy_name: katello01.example.com

# Proxy url to send to Foreman with parsed report
# Foreman matches it against urls of registered proxies to find the report source
:registered_proxy_url: https://katello01.example.com:9090

# Timeout to send ARF reports to Foreman, in seconds
:timeout: 60
```
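Ruby's OpenSSL bindings report "Neither PUB key nor PRIV key" when data handed to them as a key cannot be parsed as one, so a useful first check is whether the files behind `:host_private_key`, `:host_certificate` and `:ca_file` parse and agree with each other. The following is an added example, not part of the original post and not code from foreman_scap_client; `load_pem`, `check_scap_client_tls` and `build_sample_pki` are hypothetical names, and the sample CA and host certificate are constructed so the check runs offline.

```ruby
require 'openssl'
require 'tmpdir'

# Reads one configured file and parses it; records a problem instead of raising.
def load_pem(cfg, setting, problems)
  yield File.read(cfg.fetch(setting))
rescue SystemCallError => e
  problems << "#{setting}: cannot read file (#{e.class})"
  nil
rescue OpenSSL::OpenSSLError, ArgumentError => e
  # Unparsable key material is what surfaces as "nested asn1 error".
  problems << "#{setting}: not a parsable key or certificate (#{e.class})"
  nil
end

# Hypothetical helper: cfg maps the setting names from config.yaml to paths.
# Returns a list of problems; empty means the files parse and agree.
def check_scap_client_tls(cfg, now: Time.now)
  problems = []
  key  = load_pem(cfg, :host_private_key, problems) { |pem| OpenSSL::PKey.read(pem) }
  cert = load_pem(cfg, :host_certificate, problems) { |pem| OpenSSL::X509::Certificate.new(pem) }
  ca   = load_pem(cfg, :ca_file, problems) { |pem| OpenSSL::X509::Certificate.new(pem) }
  problems << 'host_private_key: holds only a public key' if key.respond_to?(:private?) && !key.private?
  return problems unless cert
  problems << 'host_certificate: outside validity period' unless now.between?(cert.not_before, cert.not_after)
  problems << 'host_certificate: does not match host_private_key' if key && !cert.check_private_key(key)
  problems << 'host_certificate: not signed by ca_file' if ca && !cert.verify(ca.public_key)
  problems
end

# Constructed sample data: a throwaway CA and a host certificate it signs.
def build_sample_pki(dir)
  ca_key = OpenSSL::PKey::RSA.new(2048)
  host_key = OpenSSL::PKey::RSA.new(2048)
  make = lambda do |cn, key|
    c = OpenSSL::X509::Certificate.new
    c.version, c.serial = 2, 1
    c.subject = OpenSSL::X509::Name.parse("/CN=#{cn}")
    c.issuer = OpenSSL::X509::Name.parse('/CN=sample-ca')
    c.public_key = key.public_key
    c.not_before, c.not_after = Time.now - 60, Time.now + 3600
    c.sign(ca_key, OpenSSL::Digest.new('SHA256'))
  end
  pems = { ca_file: make.call('sample-ca', ca_key).to_pem,
           host_certificate: make.call('client.example.com', host_key).to_pem,
           host_private_key: host_key.to_pem }
  pems.map { |name, pem| [name, File.join(dir, "#{name}.pem").tap { |path| File.write(path, pem) }] }.to_h
end

Dir.mktmpdir { |dir| p check_scap_client_tls(build_sample_pki(dir)) } # demo on constructed files
```

On a client, pass the three paths from the config file shown above instead of the constructed ones; the helper reports only which setting failed and never prints key material.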