Foreman-ansible callback

Hi,

I am lost with setting of callback/foreman.py.

We use Foreman 1.15.2, Katello 3.4.2, foreman_ansible 1.4.5 (with updated callback/forman.py from github) and ansible 2.3.1 on CentOS 7.

I think i know where Foreman runs.
curl -k -H "Accept: application/json" https://fqdn.in.corp/status
{"result":"ok","status":"ok","version":"1.15.2","db_duration_ms":"3"}

Checked certification as is on https://www.theforeman.org/plugins/foreman_ansible/1.x/index.html#2.1Ansiblecallback
Request check for certifications http://docs.python-requests.org/en/master/user/advanced/#ssl-cert-verification
python

import requests
requests.get('https://fqdn.in.corp/', cert=('/etc/foreman/client_cert.pem', '/etc/foreman/client_key.pem'))

<Response [200]>

But when run ansible -m setup client.in.corp i see

2017-07-18 14:26:25 91503c77 [app] [I] Started POST "/api/v2/hosts/facts" for IP_FOREMAN_URL at 2017-07-18 14:26:25 +0200
2017-07-18 14:26:25 91503c77 [app] [I] Processing by Api::V2::HostsController#facts as JSON
2017-07-18 14:26:25 91503c77 [app] [I] Parameters: {"facts"=>"[FILTERED]", "name"=>"client.in.corp", "apiv"=>"v2", :host=>{"name"=>"client.in.corp"}}
2017-07-18 14:26:25 91503c77 [app] [D] Importer Katello::RhsmFactImporter does not implement authorized_smart_proxy_features.
2017-07-18 14:26:25 91503c77 [app] [D] Importer ForemanAnsible::StructuredFactImporter does not implement authorized_smart_proxy_features.2017-07-18 14:26:25 91503c77 [app] [W] No SSL cert with CN supplied - request from IP_FOREMAN_URL,
2017-07-18 14:26:25 91503c77 [app] [W] SSO failed
2017-07-18 14:26:25 91503c77 [app] [I] Rendered api/v2/errors/access_denied.json.rabl within api/v2/layouts/error_layout (0.8ms)
2017-07-18 14:26:25 91503c77 [app] [I] Filter chain halted as #<Proc:0x0000000b444908@/usr/share/foreman/app/controllers/concerns/foreman/controller/smart_proxy_auth.rb:14> <Proc:0x0000000b444908@/usr/share/foreman/app/controllers/concerns/foreman/controller/smart_proxy_auth.rb:14> rendered or redirected
2017-07-18 14:26:25 91503c77 [app] [I] Completed 403 Forbidden in 6ms (Views: 1.6ms | ActiveRecord: 0.0ms)

If i use FOREMAN_USER/FOREMAN_PASSWORD combination facts upload correctly. So i am pretty sure it is installed correctly.

Configuration part in callback/foreman.py
FOREMAN_URL = os.getenv('FOREMAN_URL', "https://fqdn.in.corp" <https://fqdn.in.corp>)

FOREMAN_SSL_CERT = (os.getenv('FOREMAN_SSL_CERT',
                              "/etc/foreman/client_cert.pem"),
                    os.getenv('FOREMAN_SSL_KEY',
                              "/etc/foreman/client_key.pem"))
FOREMAN_SSL_VERIFY = os.getenv('FOREMAN_SSL_VERIFY', "1")
FOREMAN_USER = os.getenv('FOREMAN_USER', "admin")  #It works with user
FOREMAN_PASSWORD = os.getenv('FOREMAN_PASSWORD', "S3cr3tPASS") # and password

I do not know which cert/key is for what. Thanks for hints and kicking me
in right direction.

Daniel Slezak

>
>
> Hi,
>
> I am lost with setting of callback/foreman.py.
>
> We use Foreman 1.15.2, Katello 3.4.2, foreman_ansible 1.4.5 (with updated callback/forman.py from github) and ansible 2.3.1 on CentOS 7.
>
> I think i know where Foreman runs.
> curl -k -H "Accept: application/json" https://fqdn.in.corp/status
> {"result":"ok","status":"ok","version":"1.15.2","db_duration_ms":"3"}
>
> Checked certification as is on https://www.theforeman.org/plugins/foreman_ansible/1.x/index.html#2.1Ansiblecallback
> Request check for certifications http://docs.python-requests.org/en/master/user/advanced/#ssl-cert-verification
> python
>
> import requests
> requests.get('https://fqdn.in.corp/', cert=('/etc/foreman/client_cert.pem', '/etc/foreman/client_key.pem'))
>
> <Response [200]>
>
> But when run ansible -m setup client.in.corp i see
>
> 2017-07-18 14:26:25 91503c77 [app] [I] Started POST "/api/v2/hosts/facts" for IP_FOREMAN_URL at 2017-07-18 14:26:25 +0200
> 2017-07-18 14:26:25 91503c77 [app] [I] Processing by Api::V2::HostsController#facts as JSON
> 2017-07-18 14:26:25 91503c77 [app] [I] Parameters: {"facts"=>"[FILTERED]", "name"=>"client.in.corp", "apiv"=>"v2", :host=>{"name"=>"client.in.corp"}}
> 2017-07-18 14:26:25 91503c77 [app] [D] Importer Katello::RhsmFactImporter does not implement authorized_smart_proxy_features.
> 2017-07-18 14:26:25 91503c77 [app] [D] Importer ForemanAnsible::StructuredFactImporter does not implement authorized_smart_proxy_features.2017-07-18 14:26:25 91503c77 [app] [W] No SSL cert with CN supplied - request from IP_FOREMAN_URL,
> 2017-07-18 14:26:25 91503c77 [app] [W] SSO failed
> 2017-07-18 14:26:25 91503c77 [app] [I] Rendered api/v2/errors/access_denied.json.rabl within api/v2/layouts/error_layout (0.8ms)
> 2017-07-18 14:26:25 91503c77 [app] [I] Filter chain halted as #<Proc:0x0000000b444908@/usr/share/foreman/app/controllers/concerns/foreman/controller/smart_proxy_auth.rb:14> <Proc:0x0000000b444908@/usr/share/foreman/app/controllers/concerns/foreman/controller/smart_proxy_auth.rb:14> rendered or redirected
> 2017-07-18 14:26:25 91503c77 [app] [I] Completed 403 Forbidden in 6ms (Views: 1.6ms | ActiveRecord: 0.0ms)
>
>
> If i use FOREMAN_USER/FOREMAN_PASSWORD combination facts upload correctly. So i am pretty sure it is installed correctly.
>
> Configuration part in callback/foreman.py
> FOREMAN_URL = os.getenv('FOREMAN_URL', "https://fqdn.in.corp" <https://fqdn.in.corp>)
>
> FOREMAN_SSL_CERT = (os.getenv('FOREMAN_SSL_CERT',
> "/etc/foreman/client_cert.pem"),
> os.getenv('FOREMAN_SSL_KEY',
> "/etc/foreman/client_key.pem"))
> FOREMAN_SSL_VERIFY = os.getenv('FOREMAN_SSL_VERIFY', "1")
> FOREMAN_USER = os.getenv('FOREMAN_USER', "admin") #It works with user
> FOREMAN_PASSWORD = os.getenv('FOREMAN_PASSWORD', "S3cr3tPASS") # and password
>
> I do not know which cert/key is for what. Thanks for hints and kicking me
> in right direction.

You can find the keys in /etc/httpd/conf.d/05-katello-ssl.conf or a
similar file if you just have Foreman. The values match those of
SSLCertificateFile, SSLCertificateKeyFile.

By default these are in

"/etc/pki/katello/certs/katello-default-ca.crt"
"/etc/pki/katello/private/katello-default-ca.key"

in a Foreman+Katello installation

If you just use foreman, it'd be something like:

/etc/puppetlabs/puppet/ssl/certs/yourfqdn.pem'
/etc/puppetlabs/puppet/ssl/private_keys/yourfqdn.pem'

(or maybe /var/lib/puppet/ssl, depending on your Puppet version)

Hi Daniel Lobato,
thanks for the replay. I use foreman with katello. So I
used /etc/pki/katello/certs/katello-apache.crt
and /etc/pki/katello/private/katello-apache.key as mentioned
in /etc/httpd/conf.d/05-foreman-ssl.conf but still without success.

Here are current logs:
==> /var/log/foreman/production.log <==
2017-07-19 09:27:50 d0a8c61a [app] [I] Started POST "/api/v2/hosts/facts"
for 172.27.9.166 at 2017-07-19 09:27:50 +0200
2017-07-19 09:27:50 d0a8c61a [app] [I] Processing by
Api::V2::HostsController#facts as JSON
2017-07-19 09:27:50 d0a8c61a [app] [I] Parameters:
{"facts"=>"[FILTERED]", "name"=>"client.in.corp", "apiv"=>"v2",
:host=>{"name"=>"client.in.corp"}}
2017-07-19 09:27:50 d0a8c61a [app] [W] No SSL cert with CN supplied -
request from 172.27.9.166,
2017-07-19 09:27:50 d0a8c61a [app] [W] SSO failed
2017-07-19 09:27:50 d0a8c61a [app] [I] Rendered
api/v2/errors/access_denied.json.rabl within api/v2/layouts/error_layout
(1.0ms)
2017-07-19 09:27:50 d0a8c61a [app] [I] Filter chain halted as
#<Proc:0x00000009905b10@/usr/share/foreman/app/controllers/concerns/foreman/controller/smart_proxy_auth.rb:14>
rendered or redirected
2017-07-19 09:27:50 d0a8c61a [app] [I] Completed 403 Forbidden in 10ms
(Views: 2.1ms | ActiveRecord: 0.5ms)
2017-07-19 09:27:50 5216bc1a [app] [I] Started POST "/api/v2/hosts/facts"
for IP_FOREMAN_URL at 2017-07-19 09:27:50 +0200
2017-07-19 09:27:50 5216bc1a [app] [I] Processing by
Api::V2::HostsController#facts as JSON
2017-07-19 09:27:50 5216bc1a [app] [I] Parameters:
{"facts"=>"[FILTERED]", "name"=>"client.in.corp", "apiv"=>"v2",
:host=>{"name"=>"client.in.corp"}}
2017-07-19 09:27:50 5216bc1a [app] [W] No SSL cert with CN supplied -
request from IP_FOREMAN_URL,
2017-07-19 09:27:50 5216bc1a [app] [W] SSO failed
2017-07-19 09:27:50 5216bc1a [app] [I] Rendered
api/v2/errors/access_denied.json.rabl within api/v2/layouts/error_layout
(0.5ms)
2017-07-19 09:27:50 5216bc1a [app] [I] Filter chain halted as
#<Proc:0x00000009905b10@/usr/share/foreman/app/controllers/concerns/foreman/controller/smart_proxy_auth.rb:14>
rendered or redirected
2017-07-19 09:27:50 5216bc1a [app] [I] Completed 403 Forbidden in 5ms
(Views: 1.4ms | ActiveRecord: 0.0ms)

Is there any debug mode or curl command which could give me some hint?

Thank you very moch.
Daniel Slezak

Dne úterý 18. července 2017 17:23:01 UTC+2 Daniel Lobato napsal(a):

> Hi Daniel Lobato,
> thanks for the replay. I use foreman with katello. So I
> used /etc/pki/katello/certs/katello-apache.crt
> and /etc/pki/katello/private/katello-apache.key as mentioned
> in /etc/httpd/conf.d/05-foreman-ssl.conf but still without success.

Are you sure that's it? My Apache config file is 05-katello-ssl.conf,
and the cert/key are:

SSLCertificateFile "/etc/pki/katello/certs/katello-default-ca.crt"
SSLCertificateKeyFile "/etc/pki/katello/private/katello-default-ca.key"

I don't have file 05-katello-ssl.conf just following

[root@myserver ~]# ls /etc/httpd/conf.d/
03-crane.conf 05-foreman-ssl.conf 25-puppet.conf pulp_content.conf
pulp_rpm.conf
05-foreman.conf 05-foreman-ssl.d passenger.conf pulp_docker.conf
pulp_streamer.conf
05-foreman.d 15-default.conf pulp.conf pulp_puppet.conf
ssl.conf
[root@myserver ~]#

I tried to use keys and certs from this configs, but with the same result.

Dne středa 19. července 2017 13:33:31 UTC+2 Daniel Lobato napsal(a):