Error occurred: Neither PUB key nor PRIV key: nested asn1 error (openscap)

Problem:
We are trying to use OpenSCAP with Foreman/Katello. The installation looks good, but we get the following error.

Maybe there is a problem with the certificates. The system is registered with subscription-manager without any problem.
I found this article https://access.redhat.com/solutions/2175231 but it's old and I think no longer relevant. You can see my config files below.

Maybe I need to change or reset something with the certificates.

Any ideas or help?

Error occurred: Neither PUB key nor PRIV key: nested asn1 error

Expected outcome:
No error :)

Foreman and Proxy versions:
Foreman: 1.21.3
Katello: 3.11
OpenScap: 0.7.1

Foreman and Proxy plugin versions:
Proxy: 1.21.3

Other relevant data:
/etc/foreman_scap_client/config.yaml

# DO NOT EDIT THIS FILE MANUALLY
# IT IS MANAGED BY PUPPET

# Foreman proxy to which reports should be uploaded
:server: 'katello01.example.com'
:port: 9090

# Timeout for sending reports to proxy
:timeout: 60

# Should --fetch-remote-resources be added to `oscap xccdf eval` command
:fetch_remote_resources: false

# HTTP proxy server for downloading remote resources
:http_proxy_server:
:http_proxy_port:

## SSL specific options ##
# Client CA file.
# It could be Puppet CA certificate (e.g., '/var/lib/puppet/ssl/certs/ca.pem')
# Or (recommended for client reporting to Katello) subscription manager CA file, (e.g., '/etc/rhsm/ca/katello-server-ca.pem')
:ca_file: '/etc/rhsm/ca/katello-server-ca.pem'
# Client host certificate.
# It could be Puppet agent host certificate (e.g., '/var/lib/puppet/ssl/certs/myhost.example.com.pem')
# Or (recommended for client reporting to Katello) consumer certificate (e.g., '/etc/pki/consumer/cert.pem')
:host_certificate: '/etc/pki/consumer/cert.pem'
# Client private key
# It could be Puppet agent private key (e.g., '/var/lib/puppet/ssl/private_keys/myhost.example.com.pem')
# Or (recommended for client reporting to Katello) consumer private key (e.g., '/etc/pki/consumer/key.pem')
:host_private_key: '/etc/pki/consumer/key.pem'

# policy (key is id as in Foreman)

3:
  :profile: 'xccdf_org.ssgproject.content_profile_stig-rhel7-disa'
  :content_path: '/var/lib/openscap/content/3e1654fd14a5352d65294db555710bfda5cad1a942209e2d787ea7940035616e.xml'
  # Download path
  # A path to download SCAP content from proxy
  :download_path: '/compliance/policies/3/content/3e1654fd14a5352d65294db555710bfda5cad1a942209e2d787ea7940035616e'
  :tailoring_path: ''
  :tailoring_download_path: ''

4:
  :profile: 'xccdf_org.ssgproject.content_profile_hipaa'
  :content_path: '/var/lib/openscap/content/3e1654fd14a5352d65294db555710bfda5cad1a942209e2d787ea7940035616e.xml'
  # Download path
  # A path to download SCAP content from proxy
  :download_path: '/compliance/policies/4/content/3e1654fd14a5352d65294db555710bfda5cad1a942209e2d787ea7940035616e'
  :tailoring_path: ''
  :tailoring_download_path: ''

/etc/foreman-proxy/settings.d/openscap.yml

---
:enabled: https

# Log file for the forwarding script.
:openscap_send_log_file: /var/log/foreman-proxy/openscap-send.log

# Directory where OpenSCAP audits are stored
# if they failed to post to Foreman. smart_proxy_openscap_send will
# try to re-send them.
:spooldir: /var/spool/foreman-proxy/openscap

# Directory where OpenSCAP content XML are stored
# So we will not request the XML from Foreman each time
:contentdir: /var/lib/foreman-proxy/openscap/content

# Directory where OpenSCAP report XML are stored
# So Foreman can request arf xml reports
:reportsdir: /var/lib/foreman-proxy/openscap/reports

# Directory where OpenSCAP report XML are stored
# In case sending to Foreman succeeded, yet failed to save to reportsdir
:failed_dir: /var/lib/foreman-proxy/openscap/failed

# Directory where corrupted OpenSCAP report XML are stored
# when proxy cannot parse the report sent by client
:corrupted_dir: /var/lib/foreman-proxy/openscap/corrupted

# Proxy name to send to Foreman with parsed report
# Foreman matches it against names of registered proxies to find the report source
:registered_proxy_name: katello01.example.com

# Proxy url to send to Foreman with parsed report
# Foreman matches it against urls of registered proxies to find the report source
:registered_proxy_url: https://katello01.example.com:9090

# Timeout to send ARF reports to Foreman, in seconds
:timeout: 60

I forgot to say I tried this command (ID 3 or 4)…

/usr/bin/foreman_scap_client 4

File /var/lib/openscap/content/3e1654fd14a5352d65294db555710bfda5cad1a942209e2d787ea7940035616e.xml is missing. Downloading it from proxy.
Download SCAP content xml from: https://katello01.example.com:9090/compliance/policies/4/content/3e1654fd14a5352d65294db555710bfda5cad1a942209e2d787ea7940035616e
SCAP content is missing and download failed with error: 500 "Internal Server Error "

What does /var/log/foreman/production.log on the Katello system say about the 500 Internal Server Error?

@Dirk

Nothing.

The only message is in the proxy log, where it should normally be, I think.

/var/log/foreman-proxy/proxy.log

2019-06-06T11:27:15 c95352e6 [I] Started GET /policies/4/content/3e1654fd14a5352d65294db555710bfda5cad1a942209e2d787ea7940035616e
2019-06-06T11:27:15 c95352e6 [I] Creating directory to store SCAP file: /var/lib/foreman-proxy/openscap/content/4
2019-06-06T11:27:15 c95352e6 [E] Error occurred: Neither PUB key nor PRIV key: nested asn1 error
2019-06-06T11:27:15 c95352e6 [D] Error occurred: Neither PUB key nor PRIV key: nested asn1 error
2019-06-06T11:27:15 c95352e6 [I] Finished GET /policies/4/content/3e1654fd14a5352d65294db555710bfda5cad1a942209e2d787ea7940035616e with 500 (1.27 ms)

Yes, you are right, only the Proxy is involved here.

The proxy requires certificate-based authentication for the URL, so you could test it with openssl from your client.

 openssl s_client -connect foreman.localdomain:8443 -CAfile /etc/puppetlabs/puppet/ssl/certs/ca.pem -cert /etc/puppetlabs/puppet/ssl/certs/foreman.localdomain.pem -key /etc/puppetlabs/puppet/ssl/private_keys/foreman.localdomain.pem

Hi Dirk, (@Dirk)

thanks for the command.

Some questions; maybe I don't understand it correctly.

  1. Which port, 8443 or 9090?
  2. Why these Puppet certificates? Why not the certificates from the SCAP client below?
    The client config “/etc/foreman_scap_client/config.yaml” uses other certs:

:ca_file: '/etc/rhsm/ca/katello-server-ca.pem'
:host_certificate: '/etc/pki/consumer/cert.pem'
:host_private_key: '/etc/pki/consumer/key.pem'

  3. If I run the following command from my client:
    openssl s_client -connect katello01.example.com:9090 -CAfile /etc/puppetlabs/puppet/ssl/certs/ca.pem -cert /etc/puppetlabs/puppet/ssl/certs/kvm08.example.com.pem -key /etc/puppetlabs/puppet/ssl/private_keys/kvm08.example.com.pem
CONNECTED(00000003)
depth=1 C = US, ST = North Carolina, L = Raleigh, O = Katello, OU = SomeOrgUnit, CN = katello01.example.com
verify return:1
depth=0 C = US, ST = North Carolina, O = FOREMAN, OU = SMART_PROXY, CN = katello01.example.com
verify return:1
140467391272848:error:14094418:SSL routines:ssl3_read_bytes:tlsv1 alert unknown ca:s3_pkt.c:1493:SSL alert number 48
140467391272848:error:140790E5:SSL routines:ssl23_write:ssl handshake failure:s23_lib.c:177:
---
Certificate chain
 0 s:/C=US/ST=North Carolina/O=FOREMAN/OU=SMART_PROXY/CN=katello01.example.com
   i:/C=US/ST=North Carolina/L=Raleigh/O=Katello/OU=SomeOrgUnit/CN=katello01.example.com
 1 s:/C=US/ST=North Carolina/L=Raleigh/O=Katello/OU=SomeOrgUnit/CN=katello01.example.com
   i:/C=US/ST=North Carolina/L=Raleigh/O=Katello/OU=SomeOrgUnit/CN=katello01.example.com
---
Server certificate
subject=/C=US/ST=North Carolina/O=FOREMAN/OU=SMART_PROXY/CN=katello01.example.com
issuer=/C=US/ST=North Carolina/L=Raleigh/O=Katello/OU=SomeOrgUnit/CN=katello01.example.com
---
No client certificate CA names sent
Client Certificate Types: RSA sign, DSA sign, ECDSA sign
Requested Signature Algorithms: RSA+SHA512:DSA+SHA512:ECDSA+SHA512:RSA+SHA384:DSA+SHA384:ECDSA+SHA384:RSA+SHA256:DSA+SHA256:ECDSA+SHA256:RSA+SHA224:DSA+SHA224:ECDSA+SHA224:RSA+SHA1:DSA+SHA1:ECDSA+SHA1
Shared Requested Signature Algorithms: RSA+SHA512:DSA+SHA512:ECDSA+SHA512:RSA+SHA384:DSA+SHA384:ECDSA+SHA384:RSA+SHA256:DSA+SHA256:ECDSA+SHA256:RSA+SHA224:DSA+SHA224:ECDSA+SHA224:RSA+SHA1:DSA+SHA1:ECDSA+SHA1
---
SSL handshake has read 2674 bytes and written 3696 bytes
---
New, TLSv1/SSLv3, Cipher is AES128-GCM-SHA256
Server public key is 2048 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
SSL-Session:
    Protocol  : TLSv1.2
    Cipher    : AES128-GCM-SHA256
    Session-ID:
    Session-ID-ctx:
    Master-Key: 5FED289A8B2E2DDA8A4913B2FD83C038624C3256D3F9372AB8428A8B95941087F52F60518F9A31D1B74B618396691E38
    Key-Arg   : None
    Krb5 Principal: None
    PSK identity: None
    PSK identity hint: None
    Start Time: 1559818999
    Timeout   : 300 (sec)
    Verify return code: 0 (ok)
---

@Dirk

  1. If I run this command with the certs from the SCAP client, it seems to work:
    openssl s_client -connect katello01.example.com:9090 -CAfile /etc/rhsm/ca/katello-server-ca.pem -cert /etc/pki/consumer/cert.pem -key /etc/pki/consumer/key.pem
CONNECTED(00000003)
depth=1 C = US, ST = North Carolina, L = Raleigh, O = Katello, OU = SomeOrgUnit, CN = katello01.example.com
verify return:1
depth=0 C = US, ST = North Carolina, O = FOREMAN, OU = SMART_PROXY, CN = katello01.example.com
verify return:1
---
Certificate chain
 0 s:/C=US/ST=North Carolina/O=FOREMAN/OU=SMART_PROXY/CN=katello01.example.com
   i:/C=US/ST=North Carolina/L=Raleigh/O=Katello/OU=SomeOrgUnit/CN=katello01.example.com
 1 s:/C=US/ST=North Carolina/L=Raleigh/O=Katello/OU=SomeOrgUnit/CN=katello01.example.com
   i:/C=US/ST=North Carolina/L=Raleigh/O=Katello/OU=SomeOrgUnit/CN=katello01.example.com
---
Server certificate
subject=/C=US/ST=North Carolina/O=FOREMAN/OU=SMART_PROXY/CN=katello01.example.com
issuer=/C=US/ST=North Carolina/L=Raleigh/O=Katello/OU=SomeOrgUnit/CN=katello01.example.com
---
No client certificate CA names sent
Client Certificate Types: RSA sign, DSA sign, ECDSA sign
Requested Signature Algorithms: RSA+SHA512:DSA+SHA512:ECDSA+SHA512:RSA+SHA384:DSA+SHA384:ECDSA+SHA384:RSA+SHA256:DSA+SHA256:ECDSA+SHA256:RSA+SHA224:DSA+SHA224:ECDSA+SHA224:RSA+SHA1:DSA+SHA1:ECDSA+SHA1
Shared Requested Signature Algorithms: RSA+SHA512:DSA+SHA512:ECDSA+SHA512:RSA+SHA384:DSA+SHA384:ECDSA+SHA384:RSA+SHA256:DSA+SHA256:ECDSA+SHA256:RSA+SHA224:DSA+SHA224:ECDSA+SHA224:RSA+SHA1:DSA+SHA1:ECDSA+SHA1
---
SSL handshake has read 3981 bytes and written 3208 bytes
---
New, TLSv1/SSLv3, Cipher is AES128-GCM-SHA256
Server public key is 2048 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
SSL-Session:
    Protocol  : TLSv1.2
    Cipher    : AES128-GCM-SHA256
    Session-ID: 3C3AB29BDDDBE6F08A230F691E0478EE1B9EFB8F98A9C09EDA854443A499B92C
    Session-ID-ctx:
    Master-Key: C87AAD7F65EA236B2F78C5B5FBED53FE6971F1939BAD1A0B0550F2549E0FEB342B172D88E5C12D17AF2B0C109945F841
    Key-Arg   : None
    Krb5 Principal: None
    PSK identity: None
    PSK identity hint: None
    TLS session ticket lifetime hint: 300 (seconds)
    TLS session ticket:
    Start Time: 1559819354
    Timeout   : 300 (sec)
    Verify return code: 0 (ok)
---

I used a Foreman setup to test; this is why my Smart Proxy runs with Puppet certificates on port 8443.

So if it runs fine with the certificates using openssl s_client, basic communication works, so I see no reason why foreman_scap_client should fail here.

puppet agent -t -v is working fine.

I use Katello as a plugin, so the port will change to 9090.

Opened a ticket at Bug #26978: Error occurred: Neither PUB key nor PRIV key: nested asn1 error (openscap) - OpenSCAP - Foreman
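
Added example, not part of the thread and not Foreman or smart-proxy code: "Neither PUB key nor PRIV key: nested asn1 error" is the message Ruby's OpenSSL binding raises when an RSA key loader is handed data that does not parse as a key, so one useful check is to confirm that every file configured as a certificate or private key really contains that kind of object and that each pair belongs together. The function names, file names and certificate material below are constructed for illustration; the thread does not establish which file the proxy failed to load.

```ruby
require 'openssl'
require 'tmpdir'

# What a PEM file really contains, regardless of its name or config key.
def pem_kind(path)
  pem = File.read(path)
  return :empty if pem.strip.empty?
  begin
    OpenSSL::X509::Certificate.new(pem)
    return :certificate
  rescue OpenSSL::X509::CertificateError # not a certificate; try a key below
  end
  key = OpenSSL::PKey.read(pem, '') # '' prevents an interactive passphrase prompt
  key.respond_to?(:private?) && key.private? ? :private_key : :public_key
rescue Errno::ENOENT, Errno::EACCES
  :unreadable # missing, or not readable by the user the service runs as
rescue OpenSSL::PKey::PKeyError, ArgumentError
  :unparseable # neither a certificate nor a key that Ruby can load
end

# Problems found for one certificate/key pair; an empty list means consistent.
def check_pair(cert_path, key_path)
  problems = []
  [[cert_path, :certificate], [key_path, :private_key]].each do |path, want|
    got = pem_kind(path)
    problems << "#{path}: expected #{want}, found #{got}" unless got == want
  end
  return problems unless problems.empty?
  cert = OpenSSL::X509::Certificate.new(File.read(cert_path))
  key  = OpenSSL::PKey.read(File.read(key_path), '')
  problems << "#{key_path}: key does not match #{cert_path}" unless cert.check_private_key(key)
  problems
end

# Constructed sample material: a throwaway self-signed certificate and its key.
def constructed_pair(cn)
  key = OpenSSL::PKey::RSA.new(2048)
  cert = OpenSSL::X509::Certificate.new
  cert.version = 2
  cert.serial = 1
  cert.subject = cert.issuer = OpenSSL::X509::Name.parse("/CN=#{cn}")
  cert.public_key = key.public_key
  cert.not_before, cert.not_after = Time.now, Time.now + 3600
  cert.sign(key, OpenSSL::Digest.new('SHA256'))
  [cert.to_pem, key.to_pem]
end

# Runs the check over constructed files covering the common misconfigurations.
def demo
  Dir.mktmpdir do |dir|
    cert_pem, key_pem = constructed_pair('client.example.test')
    _, other_key_pem  = constructed_pair('other.example.test')
    { 'cert.pem' => cert_pem, 'key.pem' => key_pem, 'other.pem' => other_key_pem,
      'empty.pem' => '' }.each { |name, body| File.write(File.join(dir, name), body) }
    at = ->(name) { File.join(dir, name) }
    { good:    check_pair(at['cert.pem'], at['key.pem']),
      swapped: check_pair(at['key.pem'], at['cert.pem']),
      foreign: check_pair(at['cert.pem'], at['other.pem']),
      empty:   check_pair(at['cert.pem'], at['empty.pem']),
      missing: check_pair(at['cert.pem'], at['absent.pem']) }
  end
end

demo.each { |name, problems| puts "#{name}: #{problems.empty? ? 'ok' : problems.join('; ')}" } if __FILE__ == $PROGRAM_NAME
```

To use it on a real host, call `check_pair` with the certificate and key paths from the configuration being examined, running as the account the service uses so that permission problems show up as `unreadable`.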