Problem: Certificate verification failed.
Expected outcome: Verify certificates
Foreman and Proxy versions: Foreman 1.20
foreman-proxy-1.20.3-1.el7.noarch
Foreman and Proxy plugin versions:
Other relevant data:
Hi Support,
We want to share our journey towards a scalable Foreman cluster setup so far and the challenges we have faced/are facing in it. It would be much appreciated if anyone can provide their inputs.
We built the 2 Foreman servers with an external shared MySQL database and a memcache server for caching. We have disabled the smart proxies of each Foreman instance.
We have set up an external Puppet CA server for the master's client authentication.
We have set up an external Puppet master.
Now, the certificates we got for Foreman, the Puppet CA and the master are from an internal CA and were placed in the /etc/pki/tls directory locally on each server while installing.
Below is the process that we followed.
Setup of Foreman instance 1:
[root@frmserver01 ~]# foreman-installer --no-enable-puppet --foreman-proxy-puppetca=false --no-enable-foreman-plugin-bootdisk --no-enable-foreman-proxy --foreman-foreman-url=http://foreman-ha.example.com --foreman-db-type=mysql --foreman-db-manage=false --foreman-db-host=frmserverdb.example.com --foreman-db-database=foreman --foreman-db-username=foreman --foreman-db-password=XXXXXX --foreman-organizations-enabled=true --foreman-initial-organization=example --foreman-locations-enabled=true --foreman-initial-location=SanJose --foreman-admin-password=XXXXX --foreman-admin-username=admin --foreman-server-ssl-ca=/etc/pki/tls/certs/ca.pem --foreman-server-ssl-chain=/etc/pki/tls/certs/ca.pem --foreman-server-ssl-cert=/etc/pki/tls/certs/foreman-ha.example.com.pem --foreman-server-ssl-key=/etc/pki/tls/private/foreman-ha.example.com.pem
Installing Done [100%] [.........................................]
Success!
* Foreman is running at http://foreman-ha.example.com
Initial credentials are admin / example
The full log is at /var/log/foreman-installer/foreman.log
[root@frmserver01 ~]
Foreman Instance 2:
[root@frmserver02 ~]# foreman-installer --no-enable-puppet --foreman-proxy-puppetca=false --no-enable-foreman-plugin-bootdisk --no-enable-foreman-proxy --foreman-foreman-url=http://foreman-ha.example.com --foreman-db-type=mysql --foreman-db-manage=false --foreman-db-host=frmserverdb.example.com --foreman-db-database=foreman --foreman-db-username=foreman --foreman-db-password=XXXXX --foreman-organizations-enabled=true --foreman-initial-organization=example --foreman-locations-enabled=true --foreman-initial-location=SanJose --foreman-admin-password=XXXXXX --foreman-admin-username=admin --foreman-server-ssl-ca=/etc/pki/tls/certs/ca.pem --foreman-server-ssl-chain=/etc/pki/tls/certs/ca.pem --foreman-server-ssl-cert=/etc/pki/tls/certs/foreman-ha.example.com.pem --foreman-server-ssl-key=/etc/pki/tls/private/foreman-ha.example.com.pem
Installing Done [100%] [.........................................]
Success!
* Foreman is running at http://foreman-ha.example.com
Initial credentials are admin / example
The full log is at /var/log/foreman-installer/foreman.log
[root@frmserver02 ~]#
External Puppet CA:
[root@frmpuppetca ~]# foreman-installer --no-enable-foreman --no-enable-foreman-cli --no-enable-foreman-plugin-bootdisk --puppet-server-foreman-url=https://foreman-ha.example.com --enable-foreman-proxy --foreman-proxy-tftp=false --foreman-proxy-foreman-base-url=https://foreman-ha.example.com --foreman-proxy-trusted-hosts=foreman-ha.example.com,frmserver01.example.com,frmserver02.example.com,frmpuppetca.example.com --foreman-proxy-oauth-consumer-key=skEFx8EDNMPUozvK9dZsip6DZWQGqmWC --foreman-proxy-oauth-consumer-secret=Dwn9ad6hHmCLjjgtX9YE2fBcoRp2t4WY --foreman-proxy-foreman-ssl-ca=/etc/pki/tls/certs/ca.pem --foreman-proxy-foreman-ssl-cert=/etc/pki/tls/certs/foreman-ha.example.com.pem --foreman-proxy-foreman-ssl-key=/etc/pki/tls/private/foreman-ha.example.com.pem --foreman-proxy-ssl-ca=/etc/pki/tls/certs/ca.pem --foreman-proxy-ssl-cert=/etc/pki/tls/certs/frmpuppetca.example.com.pem --foreman-proxy-ssl-key=/etc/pki/tls/private/frmpuppetca.example.com.pem --foreman-proxy-bind-host=*
Installing Done [100%] [...............................................................................]
Success!
* Foreman Proxy is running at https://frmpuppetca.example.com:8443
* Puppetmaster is running at port 8140
The full log is at /var/log/foreman-installer/foreman.log
[root@frmpuppetca ~]#
External Puppet Master:
[root@puppet1 ~]# foreman-installer --no-enable-foreman --no-enable-foreman-cli --no-enable-foreman-plugin-bootdisk --no-enable-foreman-plugin-setup --enable-puppet --puppet-server-ca=false --puppet-ca-server=frmpuppetca.example.com --puppet-server-foreman-url=https://foreman-ha.example.com --enable-foreman-proxy --foreman-proxy-puppetca=false --foreman-proxy-tftp=false --foreman-proxy-foreman-base-url=https://foreman-ha.example.com --foreman-proxy-trusted-hosts=foreman-ha.example.com --foreman-proxy-oauth-consumer-key=skEFx8EDNMPUozvK9dZsip6DZWQGqmWC --foreman-proxy-oauth-consumer-secret=Dwn9ad6hHmCLjjgtX9YE2fBcoRp2t4WY --puppet-server-foreman-ssl-ca=/etc/pki/tls/certs/ca.pem --puppet-server-foreman-ssl-cert=/etc/pki/tls/certs/foreman-ha.example.com.pem --puppet-server-foreman-ssl-key=/etc/pki/tls/private/foreman-ha.example.com.pem --foreman-proxy-ssl-ca=/etc/pki/tls/certs/ca.pem --foreman-proxy-ssl-cert=/etc/pki/tls/certs/puppet-ha.example.com.pem --foreman-proxy-ssl-key=/etc/pki/tls/private/puppet-ha.example.com.pem --foreman-proxy-bind-host=*
Installing Done [100%] [...............................................................................]
Success!
* Foreman Proxy is running at https://puppet1.example.com:8443
* Puppetmaster is running at port 8140
The full log is at /var/log/foreman-installer/foreman.log
[root@puppet1 ~]#
Now, on the client side, below is the puppet.conf file.
====================================
# This file can be used to override the default puppet settings.
# See the following links for more details on what settings are available:
# - https://puppet.com/docs/puppet/latest/config_important_settings.html
# - https://puppet.com/docs/puppet/latest/config_about_settings.html
# - https://puppet.com/docs/puppet/latest/config_file_main.html
# - https://puppet.com/docs/puppet/latest/configuration.html
[main]
logdir = /var/log/puppetlabs/puppet
reports = foreman
rundir = /var/run/puppetlabs
ssldir = /etc/puppetlabs/puppet/ssl
vardir = /opt/puppetlabs/puppet/cache
[agent]
pluginsync = true
report = true
ignoreschedules = true
daemon = false
ca_server = frmpuppetca.example.com
certname = puppetclient1.example.com
environment = production
server = puppet1.example.com
But when we run the agent, it throws the errors below ("certificate verify failed"):
==============================
[root@puppetclient1 ssl]# puppet agent -t
Warning: Unable to fetch my node definition, but the agent run will continue:
Warning: SSL_connect returned=1 errno=0 state=error: certificate verify failed: [unable to get local issuer certificate for /CN=puppet1.example.com]
Info: Retrieving pluginfacts
Error: /File[/opt/puppetlabs/puppet/cache/facts.d]: Failed to generate additional resources using 'eval_generate': SSL_connect returned=1 errno=0 state=error: certificate verify failed: [unable to get local issuer certificate for /CN=puppet1.example.com]
Error: /File[/opt/puppetlabs/puppet/cache/facts.d]: Could not evaluate: Could not retrieve file metadata for puppet:///pluginfacts: SSL_connect returned=1 errno=0 state=error: certificate verify failed: [unable to get local issuer certificate for /CN=puppet1.example.com]
Info: Retrieving plugin
Error: /File[/opt/puppetlabs/puppet/cache/lib]: Failed to generate additional resources using 'eval_generate': SSL_connect returned=1 errno=0 state=error: certificate verify failed: [unable to get local issuer certificate for /CN=puppet1.example.com]
Error: /File[/opt/puppetlabs/puppet/cache/lib]: Could not evaluate: Could not retrieve file metadata for puppet:///plugins: SSL_connect returned=1 errno=0 state=error: certificate verify failed: [unable to get local issuer certificate for /CN=puppet1.example.com]
Info: Loading facts
Error: Could not retrieve catalog from remote server: SSL_connect returned=1 errno=0 state=error: certificate verify failed: [unable to get local issuer certificate for /CN=puppet1.example.com]
Warning: Not using cache on failed catalog
Error: Could not retrieve catalog; skipping run
Error: Could not send report: SSL_connect returned=1 errno=0 state=error: certificate verify failed: [unable to get local issuer certificate for /CN=puppet1.example.com]
[root@puppetclient1 ssl]#
======================================
Please provide your input to get it fixed.
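As an added example (not part of the original post, and not Foreman or Puppet project code): a small shell script that checks whether the CA certificate the agent trusts in its ssldir (/etc/puppetlabs/puppet/ssl/certs/ca.pem for the puppet.conf above) actually issued the certificate the master presents on port 8140, which is what "unable to get local issuer certificate for /CN=puppet1.example.com" means. The hostnames, ports and paths are assumptions taken from the post, and the demo PKI it builds is constructed purely so the check can be exercised offline.

```shell
#!/bin/sh
# Added example, not from the original post or the Foreman/Puppet projects.
# Checks that the CA a Puppet agent trusts actually issued the certificate a
# puppetserver presents on 8140. Hostnames and paths are assumptions.

# Print the subject of a PEM certificate (handles OpenSSL 1.0 and 1.1/3 output styles).
cert_subject() {
  openssl x509 -in "$1" -noout -subject | sed 's/^subject= *//'
}

# Print the issuer of a PEM certificate.
cert_issuer() {
  openssl x509 -in "$1" -noout -issuer | sed 's/^issuer= *//'
}

# Save the leaf certificate a TLS server presents: fetch_server_cert HOST PORT OUTFILE
fetch_server_cert() {
  openssl s_client -connect "$1:$2" -servername "$1" </dev/null 2>/dev/null \
    | openssl x509 -outform PEM >"$3"
}

# Return 0 if CERTFILE chains to CAFILE, non-zero otherwise: verify_against_ca CAFILE CERTFILE
# (checks the ": OK" text rather than the exit code, which old OpenSSL 1.0 ignored).
verify_against_ca() {
  openssl verify -CAfile "$1" "$2" 2>/dev/null | grep -q ': OK$'
}

# Print both sides of the comparison, then the raw openssl diagnostic on failure.
diagnose() {
  ca=$1; cert=$2
  echo "server cert subject : $(cert_subject "$cert")"
  echo "server cert issuer  : $(cert_issuer "$cert")"
  echo "trusted CA subject  : $(cert_subject "$ca")"
  if verify_against_ca "$ca" "$cert"; then
    echo "OK: the trusted CA issued the server certificate"
    return 0
  fi
  echo "FAIL: $(openssl verify -CAfile "$ca" "$cert" 2>&1 | grep error | head -n 1)"
  return 1
}

# Constructed demo PKI so the check runs offline: one CA playing the Puppet CA,
# a leaf for puppet1.example.com signed by it, and an unrelated CA playing the
# internal corporate CA. Keys are throwaway (rsa:2048, one day validity).
make_demo_pki() {
  dir=$1
  mkdir -p "$dir"
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
    -subj "/CN=Puppet CA: frmpuppetca.example.com" \
    -keyout "$dir/ca.key" -out "$dir/ca.pem" 2>/dev/null
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
    -subj "/CN=Internal Corporate CA" \
    -keyout "$dir/other-ca.key" -out "$dir/other-ca.pem" 2>/dev/null
  openssl req -newkey rsa:2048 -nodes \
    -subj "/CN=puppet1.example.com" \
    -keyout "$dir/puppet1.key" -out "$dir/puppet1.csr" 2>/dev/null
  openssl x509 -req -days 1 -in "$dir/puppet1.csr" \
    -CA "$dir/ca.pem" -CAkey "$dir/ca.key" -CAcreateserial \
    -out "$dir/puppet1.pem" 2>/dev/null
}

# On a real agent (assumed paths from the post):
#   fetch_server_cert puppet1.example.com 8140 /tmp/puppet1.pem
#   diagnose /etc/puppetlabs/puppet/ssl/certs/ca.pem /tmp/puppet1.pem
# Run with "demo" as the first argument to see a passing and a failing case.
if [ "${1:-}" = "demo" ]; then
  d=$(mktemp -d)
  make_demo_pki "$d"
  diagnose "$d/ca.pem" "$d/puppet1.pem"
  diagnose "$d/other-ca.pem" "$d/puppet1.pem"
  rm -rf "$d"
fi
```

In the failing demo case `openssl verify` prints "error 20 at 0 depth lookup: unable to get local issuer certificate", the same message the agent reported above. The post does not show which CA issued the certificate actually served on puppet1.example.com:8140, so the script prints the issuer next to the trusted CA's subject instead of assuming; if they differ, the agent's ssldir CA (fetched from ca_server = frmpuppetca.example.com) is not the CA that signed what the master serves, and that mismatch is what has to be resolved.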