Foreman 1.8.4 on Scientific Linux 6.6 stopped logging in users to the WebGUI overnight

I have Foreman authenticating via LDAP to our Active Directory on Server
2008 R2. When you log in via the Web UI it now says:

> Oops, we're sorry but something went wrong
>
> Warning!

SSL_connect returned=1 errno=0 state=SSLv3 read server certificate B:
certificate verify failed

The Apache server is presenting a self-signed cert to Firefox, which I have
accepted previously. Firefox looks OK; using a known bad username logs an
immediate invalid user in /var/log/foreman/production.log and redirects to
the login screen again as expected. When using valid credentials it then
returns the above error. As far as I know the foreman server is only using
internal certificates. I'm not really clear what is failing or how to fix
this issue.

If Foreman is giving that error then it's unlikely to be the
browser-Foreman SSL trust. It sounds like it might be Foreman to LDAP
(production.log may confirm).

Run through the steps at
http://theforeman.org/manuals/1.8/index.html#4.1.1LDAPAuthentication
again under the Trusting SSL certificates heading to make sure the AD
server's certificate is trusted.

On 01/03/16 20:44, jp10558@gmail.com wrote:


Dominic Cleal
dominic@cleal.org

Might this be a time sync issue between Foreman and the AD Server?

1. If it were a browser issue, wouldn't it appear prior to entering
   credentials? I assume OP gets this in the act of logging in, not prior to.
2. I have seen similar errors on newly provisioned bare metal hosts where
   the system time is way off from Foreman's, so that the puppet agent's
   certificate isn't validated.
On Wednesday, March 2, 2016 at 3:27:25 AM UTC-5, Dominic Cleal wrote:

So it seems to be a Kerberos auth issue. Is it possible to configure
Foreman to use a specific ticket when connecting to AD? The error on the
domain controller is:

> While processing a TGS request for the target server HTTP/lnxcuc, the
> account dab66@REALM did not have a suitable key for generating a Kerberos
> ticket (the missing key has an ID of 8). The requested etypes were 18 17
> 16. The accounts available etypes were 23 -133 -128 18 17 3 1. Changing or
> resetting the password of lnxcuc will generate a proper key.

The issue is the name used should be puppet . . .

On Wednesday, March 2, 2016 at 10:22:42 AM UTC-5, Sean A wrote:

Nope, it was indeed an expired SSL cert on the Domain Controller. It's too
bad the error message was such a generic SSL error that I didn't think it
related to the DC connection, but rather to something inside Foreman.

On Wednesday, March 2, 2016 at 11:47:27 AM UTC-5, jp1...@gmail.com wrote:
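As an added example (not from the thread or the Foreman project), a small shell check that does what the manual's "Trusting SSL certificates" step and the final diagnosis come down to: pull the certificate the domain controller presents on LDAPS, verify it against the CA bundle Foreman trusts, and report its expiry, so an expired DC cert shows up as a concrete "Verify return code" and "EXPIRED" line instead of Foreman's generic "certificate verify failed". The host name and the CA bundle path are assumed placeholders.

```shell
#!/bin/sh
# Added diagnostic, not part of the thread. Checks the certificate an AD
# domain controller presents on LDAPS, the way Foreman's LDAP client sees it.
# Host and CA bundle path below are assumed placeholders for your environment.

# Report whether a PEM certificate file is currently valid and when it expires.
# Returns 0 if valid for at least WARN_DAYS more days, 1 if expired or about
# to expire, 2 if the file is not a parsable certificate.
check_cert_file() {
    cert="$1"
    warn_days="${2:-14}"
    openssl x509 -in "$cert" -noout >/dev/null 2>&1 || return 2
    not_after=$(openssl x509 -in "$cert" -noout -enddate | sed 's/^notAfter=//')
    subject=$(openssl x509 -in "$cert" -noout -subject)
    if ! openssl x509 -in "$cert" -noout -checkend 0 >/dev/null; then
        echo "EXPIRED: $subject (notAfter=$not_after)"
        return 1
    fi
    if ! openssl x509 -in "$cert" -noout -checkend $((warn_days * 86400)) >/dev/null; then
        echo "EXPIRING within $warn_days days: $subject (notAfter=$not_after)"
        return 1
    fi
    echo "OK until $not_after: $subject"
    return 0
}

# Fetch the leaf certificate from an LDAPS endpoint, verify the chain against
# the CA bundle Foreman is configured to trust (assumed system bundle path),
# then run the expiry check on the leaf. Needs network access to the DC.
check_ldaps_cert() {
    host="$1"; port="${2:-636}"; cafile="${3:-/etc/pki/tls/certs/ca-bundle.crt}"
    tmp=$(mktemp)
    # s_client prints "Verify return code: N (reason)", which names the actual
    # chain or expiry problem that Foreman only reports as "verify failed".
    openssl s_client -connect "$host:$port" -servername "$host" -CAfile "$cafile" \
        </dev/null 2>/dev/null | tee "$tmp.out" | openssl x509 >"$tmp" 2>/dev/null
    grep 'Verify return code' "$tmp.out"
    check_cert_file "$tmp" "${4:-14}"
    rc=$?
    rm -f "$tmp" "$tmp.out"
    return $rc
}

# Example invocation against an assumed DC name (uncomment to use):
# check_ldaps_cert dc01.example.test 636 /etc/pki/tls/certs/ca-bundle.crt
```

Run it from the Foreman host itself so the same CA bundle and network path are exercised; a nonzero exit with "EXPIRED" is the case this thread ended on.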