We are trying to add a new smart proxy to the existing Foreman server.
After following this guide, the last step is to run the foreman-installer --scenario foreman-proxy-content command, and it fails with the error below.
[ERROR 2021-01-29T18:35:57 main] /Stage[main]/Foreman_proxy::Register/Foreman_smartproxy[smartproxy-hostname]/ensure: change from 'absent' to 'present' failed: Proxy smartproxy-hostname cannot be registered: Unable to communicate with the proxy: ERF12-2530 [ProxyAPI::ProxyException]: Unable to detect features ([Errno::ECONNRESET]: Connection reset by peer - SSL_connect) for proxy https://smartproxy-hostname:9090/v2/features Please check the proxy is configured and running on the host.
Configured Smart Proxy
Foreman and Proxy versions:
Foreman and Proxy plugin versions:
Distribution and version:
Oracle Linux 7.8
Other relevant data:
Command used to install the smart proxy:
Hi @bhatsu, this does look like a network issue but can’t be sure yet, can you try to ping the katello server from the server where you are installing the foreman-proxy? If that works, also make sure you can reach https://smartproxy-hostname:9090/v2/features using the certificates you are providing using curl or something similar. If you can do that, let us know and we can debug further.
So you do have a network issue. Sounds like you block all ICMP. That is a serious network issue. You must not block all ICMP. ICMP is an essential network protocol. Blocking all ICMP messages causes all kinds of weird issues and problems. Some ICMP messages are mandatory and must not be blocked. If you feel like filtering ICMP then you need to read the RFCs and make sure to allow the important messages.
The s_client output also suggests that something is interfering with the connection. If you break IP by blocking all ICMP who knows what else you break… And as it’s working locally it suggests that it’s the filtering in between causing the problem because I guess locally it’s not filtered…
That’s the thing: if you break your network by filtering all ICMP it can have all kinds of effects, e.g. MTU issues. Possibly you may be able to connect fine (i.e. establish the TCP connection) because it only requires smaller packets but the moment something larger is transferred weird things happen, because you broke IP fragmentation.
In particular if you are in an internal network as it seems… Your network is broken. You cannot rule out anything based on that…
The URL is malformed. As you don’t post the exact command you have tried, it’s hard to tell what you really did…
As I wrote before: you don’t post the exact command. I don’t know what you do. I don’t know if you do it right or not…
Something is resetting the TLS connection. So far, all we know is that you have a broken network due to an overzealous firewall. Check the firewall. Check with tcpdump on both ends and capture the traffic to find out what device is actually sending that reset.
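The two-sided capture comparison suggested in the last reply, as an added example that is not part of the thread: it reads `tcpdump -n` text output taken on the Foreman server and on the smart proxy, reports whether the reset the Foreman side saw was ever sent by the proxy, and compares the largest segment each side saw from the proxy (the MTU symptom described above). The addresses, capture lines and function names are constructed for illustration, and it assumes both captures cover the whole connection.

```python
import re
from collections import namedtuple

Pkt = namedtuple("Pkt", "src sport dst dport flags length")
LINE = re.compile(r"IP (\S+)\.(\d+) > (\S+)\.(\d+): Flags \[([^\]]+)\].*length (\d+)")

def parse(capture):
    """Parse `tcpdump -n 'tcp port 9090'` text output; other lines are skipped."""
    pkts = []
    for line in capture.splitlines():
        m = LINE.search(line)
        if m:
            src, sport, dst, dport, flags, length = m.groups()
            pkts.append(Pkt(src, int(sport), dst, int(dport), flags, int(length)))
    return pkts

def reset_origin(foreman_cap, proxy_cap, proxy_ip, port=9090):
    """Return 'proxy', 'middlebox' or None for the RST seen on the Foreman side."""
    def is_rst(p):
        return "R" in p.flags and p.src == proxy_ip and p.sport == port
    if not any(is_rst(p) for p in parse(foreman_cap)):
        return None  # no reset from the proxy address in this capture
    # An RST the proxy never put on the wire was forged by a device in between.
    return "proxy" if any(is_rst(p) for p in parse(proxy_cap)) else "middlebox"

def largest_payload(capture, src_ip):
    """Largest TCP payload from src_ip in this capture (0 if none)."""
    return max((p.length for p in parse(capture) if p.src == src_ip), default=0)

# Constructed sample captures (documentation addresses, not from the thread):
# 192.0.2.10 = Foreman server, 192.0.2.20 = smart proxy listening on 9090.
HANDSHAKE = """\
18:35:57.100001 IP 192.0.2.10.41000 > 192.0.2.20.9090: Flags [S], seq 100, win 29200, length 0
18:35:57.100900 IP 192.0.2.20.9090 > 192.0.2.10.41000: Flags [S.], seq 500, ack 101, win 28960, length 0
18:35:57.101000 IP 192.0.2.10.41000 > 192.0.2.20.9090: Flags [.], ack 1, win 229, length 0
18:35:57.101500 IP 192.0.2.10.41000 > 192.0.2.20.9090: Flags [P.], seq 1:290, ack 1, win 229, length 289
"""
FOREMAN_CAP = HANDSHAKE + "18:35:57.110000 IP 192.0.2.20.9090 > 192.0.2.10.41000: Flags [R.], seq 1, ack 290, win 0, length 0\n"
PROXY_CAP = HANDSHAKE + "18:35:57.102500 IP 192.0.2.20.9090 > 192.0.2.10.41000: Flags [.], seq 1:1449, ack 290, win 235, length 1448\n"

if __name__ == "__main__":
    print("RST sent by:", reset_origin(FOREMAN_CAP, PROXY_CAP, "192.0.2.20"))
    print("largest proxy segment seen at proxy / at Foreman:",
          largest_payload(PROXY_CAP, "192.0.2.20"), "/", largest_payload(FOREMAN_CAP, "192.0.2.20"))
```

A result of `middlebox` together with a full-size segment that left the proxy but never reached the Foreman side points at the filtering device between the two hosts rather than at either host.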