Foreman (Katello) and separate Salt smart proxy - SSL

Hi all,

I am attempting to integrate a new Saltstack server and an existing Katello
installation. I have Katello 2.4 installed, which is running foreman 1.10.2.
I have been following Foreman :: Plugin Manuals to configure things.

On my salt master I am running 2015.8.7-1.el7. It has foreman-proxy
1.10.2-1.el7 installed.
On my Katello server, it has tfm-rubygem-foreman_salt installed as below

tfm-rubygem-foreman_salt.noarch                4.0.1-1.fm1_10.el7    @foreman-plugins
tfm-rubygem-hammer_cli_foreman_salt.noarch
tfm-rubygem-hammer_cli_foreman_salt-doc.noarch

I have a working cherrypy salt-API setup, running on port 8000. To prove
that, after logging in and getting a token using curl (using the zsaltuser
as seen further down), I can run the below

curl -ksi https://wellsaltdev.niwa.local:8000 \
  -H "Accept: application/x-yaml" \
  -H "X-Auth-Token: 780173c4e02c9ee4b18a32abe77c904e112727d3" \
  -d client='local' -d tgt='*' -d fun='test.ping'

HTTP/1.1 200 OK
Content-Length: 72
Access-Control-Expose-Headers: GET, POST
Cache-Control: private
Vary: Accept-Encoding
Server: CherryPy/3.2.2
Allow: GET, HEAD, POST
Access-Control-Allow-Credentials: true
Date: Mon, 21 Mar 2016 22:10:48 GMT
Access-Control-Allow-Origin: *
Content-Type: application/x-yaml
Set-Cookie: session_id=780173c4e02c9ee4b18a32abe77c904e112727d3;
expires=Tue, 22 Mar 2016 08:10:48 GMT; Path=/

return:
- wellminiondev.niwa.local: true
- wellsaltdev.niwa.local: true

My /etc/salt/foreman.yaml is below

:proto: https
:host: wellkatellodev.niwa.local
:port: 443
:ssl_ca: "/var/lib/puppet/ssl/certs/ca.pem"
:ssl_cert: "/var/lib/puppet/ssl/certs/wellsaltdev.niwa.local.pem"
:ssl_key: "/var/lib/puppet/ssl/private_keys/wellsaltdev.niwa.local.pem"

:timeout: 10
:salt: /usr/bin/salt
:upload_grains: true

As per the documentation, I have configured CherryPy in /etc/salt/master as
below

# Salt-API configuration
rest_cherrypy:
  port: 8000
  ssl_crt: /var/lib/puppet/ssl/certs/wellsaltdev.niwa.local.pem
  ssl_key: /var/lib/puppet/ssl/private_keys/wellsaltdev.niwa.local.pem

external_auth:
  zsaltuser:
    - .*

In /etc/foreman-proxy/settings.d/salt.yml I configured the API-related
settings

:enabled: true
:autosign_file: /etc/salt/autosign.conf
:salt_command_user: root

:use_api: true
:api_url: https://wellsaltdev.niwa.local:8000

:api_auth: ldap
:api_username: zsaltuser
:api_password: removed

and in /etc/foreman-proxy/settings.yml

:ssl_certificate: /var/lib/puppet/ssl/certs/wellsaltdev.niwa.local.pem
:ssl_ca_file: /var/lib/puppet/ssl/certs/ca.pem
:ssl_private_key: /var/lib/puppet/ssl/private_keys/wellsaltdev.niwa.local.pem

:trusted_hosts:
- wellkatellodev.niwa.local
:forward_verify: true
:foreman_url: https://wellkatellodev.niwa.local
:daemon: true
:bind_host: ''
:http_port: 9000
:https_port: 9001
:virsh_network: default
:log_level: DEBUG

To be sure, I rebooted both servers. With the above configuration, if I log in
to the Katello website, Infrastructure > Smart Proxies, I can add the Salt
smart proxy via HTTP - i.e. http://wellsaltdev.niwa.local:9000, however if
I try and use HTTPS and "Refresh features" I get

Unable to communicate with the proxy: ERF12-2530
[ProxyAPI::ProxyException]: Unable to detect features ([Errno::EACCES]:
Permission denied - connect(2)) for proxy
https://wellsaltdev.niwa.local:9001/features and Please check the proxy is
configured and running on the host.

No extra messages in the logs on either server

In the foreman-proxy logs on the server, when I start the proxy (systemctl
start foreman-proxy) I get

D, [2016-03-22T11:32:31.223710 #7199] DEBUG -- : TCPServer.new(0.0.0.0, 9000)
D, [2016-03-22T11:32:31.224020 #7199] DEBUG -- : TCPServer.new(::, 9000)
W, [2016-03-22T11:32:31.224189 #7199] WARN -- : TCPServer Error: Address already in use - bind(2)
D, [2016-03-22T11:32:31.224315 #7199] DEBUG -- : Rack::Handler::WEBrick is mounted on /.
I, [2016-03-22T11:32:31.224457 #7199] INFO -- : WEBrick::HTTPServer#start: pid=7199 port=9000
D, [2016-03-22T11:32:31.224585 #7199] DEBUG -- : TCPServer.new(0.0.0.0, 9001)
D, [2016-03-22T11:32:31.224768 #7199] DEBUG -- : TCPServer.new(::, 9001)
W, [2016-03-22T11:32:31.224883 #7199] WARN -- : TCPServer Error: Address already in use - bind(2)
I, [2016-03-22T11:32:31.225973 #7199] INFO -- :

but checking using lsof, only the foreman-proxy is using the ports

[root@wellsaltdev foreman-proxy]# lsof -wni tcp:9000
COMMAND  PID USER           FD   TYPE DEVICE SIZE/OFF NODE NAME
ruby    7199 foreman-proxy  11u  IPv4  57748      0t0  TCP *:cslistener (LISTEN)
[root@wellsaltdev foreman-proxy]# lsof -wni tcp:9001
COMMAND  PID USER           FD   TYPE DEVICE SIZE/OFF NODE NAME
ruby    7199 foreman-proxy  12u  IPv4  58567      0t0  TCP *:etlservicemgr (LISTEN)

The /var/log/foreman-proxy/proxy.log also shows the Puppet certificate
being loaded

I, [2016-03-22T11:32:31.225973 #7199] INFO -- :
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number: 4 (0x4)
    Signature Algorithm: sha256WithRSAEncryption
        Issuer: CN=Puppet CA: wellkatellodev.niwa.local
        Validity
            Not Before: Mar 13 04:18:19 2016 GMT
            Not After : Mar 13 04:18:19 2021 GMT
        Subject: CN=wellsaltdev.niwa.local
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                Public-Key: (4096 bit)
                Modulus:
                    00:98:bd:54:ee:ef:3c:4c:ed:08:81:5c:d8:09:bf:
                    28:3a:09:d8:3c:f2:e3:13:8a:10:a2:50:d6:4c:8b:
                    0a:62:2c:4e:20:b2:51:fc:34:c7:a3:80:22:11:95:
                    62:62:49:16:af:9e:34:5c:44:4d:2a:6e:56:22:00:
                    34:70:ea:56:6f:cb:a0:7e:4e:19:36:13:87:5d:42:
                    31:fb:f4:4c:fe:d4:a6:59:46:36:8a:8e:6f:e4:ef:
                    63:1b:8a:f8:d3:e6:98:a0:81:93:de:4e:81:d8:23:
                    3f:14:da:b5:11:6a:09:89:83:19:9e:0d:f1:72:a2:
                    d9:6c:c1:51:a8:9d:55:cc:7a:e4:57:70:05:5f:58:
                    ae:05:a6:85:02:3d:d4:82:73:b5:f8:75:24:bc:76:
                    26:09:90:18:3e:69:dc:87:6e:88:1e:c2:8b:44:a2:
                    2a:5b:2f:55:72:a7:f9:0c:6b:13:62:69:af:b7:b8:
                    f8:8d:2c:e7:cb:61:ab:5f:81:bd:25:8d:38:df:d5:
                    5b:ba:08:1e:49:ff:c2:54:29:61:31:dd:06:16:33:
                    e7:3a:4c:3a:cc:b1:ae:4d:b0:0b:f9:20:df:21:f3:
                    05:f5:59:eb:6f:6a:14:6a:27:59:8d:7b:14:b2:09:
                    21:1c:c1:92:79:c6:00:f6:29:bf:2b:a7:76:fc:5b:
                    34:fe:c2:18:01:49:ac:bc:93:dd:83:72:13:01:7e:
                    7a:d5:c5:8e:bb:9b:da:44:cd:51:b4:ee:58:cb:5e:
                    25:53:73:0c:f0:15:8f:ec:aa:c9:a3:71:97:63:77:
                    e7:ab:b3:c1:bd:b6:af:2d:d5:e3:aa:94:eb:81:3c:
                    87:25:93:41:8e:02:67:22:aa:ec:f3:b6:61:e5:61:
                    d4:aa:bd:3b:d0:fd:80:92:75:f1:b1:dc:32:7c:79:
                    8a:4d:0c:d4:90:d9:c6:81:cf:c3:a2:b7:26:7a:d3:
                    ce:ce:c8:52:f8:d8:0c:18:0e:2c:fc:47:f1:55:23:
                    e8:e4:ba:f8:ab:97:78:ab:99:eb:93:8c:1d:41:16:
                    9b:59:07:f1:11:de:ae:aa:a0:87:4b:b5:99:dc:3c:
                    30:80:0b:7e:5f:22:eb:ed:92:50:a6:d5:83:ce:94:
                    8e:29:d1:fd:5d:b7:d2:a4:79:46:dc:53:54:dc:2d:
                    20:b2:56:d3:cf:02:97:3c:02:d4:d4:36:b0:d3:68:
                    ba:b2:e7:11:67:ab:d0:1b:e7:b7:3f:21:ca:e2:03:
                    50:68:7f:3f:c3:07:46:1a:49:da:0e:0d:d4:7d:16:
                    5b:75:4a:36:42:4e:70:f3:79:64:27:77:34:a1:29:
                    58:ff:9e:9a:68:d2:ca:43:69:ee:db:5a:0f:45:d9:
                    80:e0:ff
                Exponent: 65537 (0x10001)
        X509v3 extensions:
            Netscape Comment:
                Puppet Ruby/OpenSSL Internal Certificate
            X509v3 Key Usage: critical
                Digital Signature, Key Encipherment
            X509v3 Extended Key Usage: critical
                TLS Web Server Authentication, TLS Web Client Authentication
            X509v3 Basic Constraints: critical
                CA:FALSE
            X509v3 Subject Key Identifier:
                7B:97:A4:69:AF:A1:08:F5:49:2A:FC:3D:02:32:2D:04:FF:D5:F5:BA
            X509v3 Authority Key Identifier:
                keyid:F7:A7:90:88:EC:2C:5A:C2:61:94:F7:83:E3:50:B0:66:C5:CD:D5:2D

    Signature Algorithm: sha256WithRSAEncryption
         61:25:a5:b6:3e:02:3d:4c:85:b5:e2:31:e9:03:ce:44:04:03:
         75:08:a2:2c:c8:c9:b1:c6:26:9c:42:9d:66:9d:64:17:19:bd:
         89:a3:1f:f5:02:67:05:8c:6b:9f:ef:e2:a7:34:93:fa:3b:d8:
         a7:29:3c:82:47:14:db:ef:57:34:a7:7f:52:50:05:16:ed:9e:
         de:34:4f:54:0c:8a:5d:d8:7e:d3:0a:f8:f0:36:37:4c:67:94:
         15:e6:5b:89:48:72:f5:05:79:f8:d0:26:bd:43:1f:6c:aa:7e:
         7b:fd:f3:cf:33:f1:02:6f:eb:2d:d9:e3:6f:ec:16:3e:ac:03:
         22:d7:d8:51:86:bd:84:37:94:be:32:c1:25:8f:d3:7c:89:3b:
         a9:d8:56:ca:5a:87:1a:76:38:30:be:23:e6:d5:ae:75:7c:a5:
         ca:2b:f1:82:31:ac:eb:86:06:cf:08:01:5a:b0:52:54:33:a5:
         8b:69:5e:cd:61:74:86:6d:75:7e:0e:d1:d3:57:9b:f7:6b:ed:
         d0:f9:d7:3f:a9:f0:ff:5c:8a:bf:a8:e7:fb:0a:75:fc:4f:a3:
         ec:a1:65:4d:b1:d1:2b:cb:3a:68:1a:e0:ff:ea:28:a0:e8:c2:
         39:cc:59:72:07:c9:cf:ae:94:cc:21:c5:ff:1a:21:9c:cc:4c:
         b5:73:5b:62:6d:23:6a:5c:56:da:13:f4:e9:bb:c4:c5:16:15:
         39:1e:49:d9:3a:b4:23:97:4e:0b:49:0b:37:c3:41:69:85:b5:
         17:aa:f9:0f:98:8d:8f:20:37:d9:a5:2e:ad:fd:c3:76:01:d3:
         25:2a:38:e6:68:96:81:2e:42:ff:72:a0:53:7a:fe:70:9a:54:
         8c:14:3a:ac:34:92:f8:01:ea:88:73:eb:e7:30:69:a6:5f:97:
         58:63:e9:06:f5:d6:32:b5:49:a0:63:ab:cf:2d:05:f1:79:f5:
         37:7d:71:b3:e1:9a:7d:58:f1:5c:f3:b8:f4:37:e9:5d:97:39:
         30:50:8c:a5:00:a7:52:63:db:9a:c3:24:46:c5:84:46:35:08:
         33:ef:fe:40:9d:6b:bc:62:0f:df:98:f7:51:65:aa:8a:de:ba:
         2c:f9:00:d4:16:82:56:c8:c6:07:3d:4d:78:73:a1:f5:69:a5:
         6a:25:f1:57:4b:1b:18:0f:99:ad:8c:b0:1f:87:f8:6a:95:9a:
         02:24:7e:3f:ab:cf:3a:5a:25:42:ce:25:cb:cc:c5:77:a1:8b:
         b7:bf:4f:11:e0:8c:e1:a4:62:25:94:17:58:b1:5f:03:87:f3:
         f6:7e:4f:fa:9a:d5:03:73:86:81:e0:97:9f:23:ed:3d:7a:4e:
         9c:17:78:1c:c9:bc:9d:46

D, [2016-03-22T11:32:31.226161 #7199] DEBUG -- : Rack::Handler::WEBrick is mounted on /.

I, [2016-03-22T11:32:31.226247 #7199] INFO -- : WEBrick::HTTPServer#start: pid=7199 port=9001

Can anyone help figure out why I can’t use SSL from the smart proxies page
in Katello?

Thanks heaps :)
Dylan

A possible spanner in the works, I have updated Katello to use our internal
certificate authority for the web page (https://wellkatellodev.niwa.local)
with this command, although this might be nothing:

katello-installer --certs-server-cert "/certs/wellkatellodev.niwa.local.crt" \
                  --certs-server-cert-req "/certs/wellkatellodev.niwa.local.csr" \
                  --certs-server-key "/certs/wellkatellodev.niwa.local.key" \
                  --certs-server-ca-cert "/certs/niwa_cacert.pem" \
                  --certs-update-server --certs-update-server-ca

> From: "Dylan Baars" <baarsd@gmail.com>
> To: "Foreman users" <foreman-users@googlegroups.com>
> Sent: Monday, March 21, 2016 6:37:48 PM
> Subject: [foreman-users] Foreman (Katello) and separate Salt smart proxy - SSL
>
> Unable to communicate with the proxy: ERF12-2530
> [ProxyAPI::ProxyException]: Unable to detect features ([Errno::EACCES]:
> Permission denied - connect(2)) for proxy
> https://wellsaltdev.niwa.local:9001/features and Please check the proxy is
> configured and running on the host.

Offhand, this sounds like SELinux. Have a look in /var/log/audit/auditd.log for
denials. The Foreman isn't allowed to connect out to unknown ports by our
selinux policy. You could try moving the proxy to 8443 or 9090 for https,
those should be allowed.

Or allow 9001, audit2allow tool would help you create the right rule.

- Stephen

Hi Stephen,

thanks for your reply. I checked 8443 was not in use (lsof -wni tcp:8443)
and then updated /etc/foreman-proxy/settings.yml to use 8443 for HTTPS and
restarted the service (systemctl restart foreman-proxy) on the salt master

Now if I update the smart proxy to use HTTPS on the foreman web interface
(so updated to https://wellsaltdev.niwa.local:8443) I get this error
from /var/log/foreman/production.log

2016-03-23 07:23:15 [app] [I] Failed to save: Unable to communicate with
the proxy: ERF12-2530 [ProxyAPI::ProxyException]: Unable to detect features
([OpenSSL::SSL::SSLError]: SSL_connect returned=1 errno=0 state=SSLv3 read
server session ticket A: tlsv1 alert un…) for proxy
https://wellsaltdev.niwa.local:8443/features, Please check the proxy is
configured and running on the host.

and on the salt master, /var/log/foreman-proxy/proxy.log

E, [2016-03-23T07:24:39.925286 #14174] ERROR -- : OpenSSL::SSL::SSLError:
SSL_accept returned=1 errno=0 state=SSLv3 read client certificate A: tlsv1
alert unknown ca
    /usr/share/ruby/openssl/ssl.rb:226:in `accept'
    

Any further ideas?

Thanks heaps!
Dylan

On Wednesday, March 23, 2016 at 7:14:21 AM UTC+13, stephen wrote:

> Offhand, this sounds like SELinux. [...]

> From: "Dylan Baars" <baarsd@gmail.com>
> To: "Foreman users" <foreman-users@googlegroups.com>
> Cc: stephen@redhat.com
> Sent: Tuesday, March 22, 2016 2:34:44 PM
> Subject: Re: [foreman-users] Foreman (Katello) and separate Salt smart proxy - SSL
>
> and on the salt master, /var/log/foreman-proxy/proxy.log
>
> E, [2016-03-23T07:24:39.925286 #14174] ERROR -- : OpenSSL::SSL::SSLError:
> SSL_accept returned=1 errno=0 state=SSLv3 read client certificate A: tlsv1
> alert unknown ca
>     /usr/share/ruby/openssl/ssl.rb:226:in `accept'
>
> Any further ideas?

It looks like SELinux was the original problem, now you have SSL errors.

Katello doesn't quite use the same setup as Foreman for certificates, we have
our own CA. You want to use our capsule-certs-generate (Katello calls a proxy a
"capsule") to create some certificates for your proxy.

You needn't install a proper katello capsule, just get the certs and put them
in the right place.

I have a post here about how to do it with Puppet, should be similar for
Salt:

https://groups.google.com/forum/#!msg/foreman-users/WGt-AAJdymM/ZdvlQhs2O1wJ

Basically, you'll want to use "puppet-client" in /etc/salt/foreman.yaml. You'll also
need to do the Smart Proxy certificates (/etc/foreman-proxy/settings.yml) too. There's
an RPM in the capsule certs bundle for the foreman-proxy.

- Stephen
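The thread shows three distinct failures, and each error string names the side of the Foreman-to-smart-proxy connection that refused: an EACCES on connect(2) before any TLS handshake, an "unknown ca" alert raised on the proxy's SSL_accept (the proxy does not trust the CA that signed Foreman's client certificate), and a "certificate verify failed" on Foreman's SSL_connect (Foreman does not trust the CA that signed the proxy's server certificate). The following is an added example, not code from the thread or from Foreman, Katello or Salt: a small Python triage that classifies production.log and proxy.log lines by which end refused and which setting to inspect. The rules and hint text are my reading of the OpenSSL state strings, and the sample lines are constructed from the messages quoted above.

```python
"""Triage of Foreman <-> smart-proxy connection errors (added example).

Not part of the thread or of Foreman/Katello/Salt. Classifies log lines
by which end of the mutual-TLS connection refused, and says what to
inspect. Rules are my reading of the OpenSSL state strings; the sample
lines are constructed from the error messages quoted in the posts.
"""
import re

# (pattern, side that refused, what to inspect). Order matters: the more
# specific SSL_connect rule comes before the generic "tlsv1 alert" one.
RULES = (
    (re.compile(r"Errno::EACCES.*connect\(2\)"),
     "foreman-host",
     "Foreman could not open an outbound TCP connection at all, so no TLS "
     "handshake happened. Check /var/log/audit/audit.log for AVC denials "
     "and use a port the Foreman SELinux policy allows for the proxy, or "
     "label the chosen port with semanage/audit2allow."),
    (re.compile(r"SSL_accept.*read client certificate.*unknown ca"),
     "proxy",
     "The smart proxy (TLS server) rejected Foreman's client certificate: "
     "the CA that signed Foreman's client cert is not the one named by "
     ":ssl_ca_file in /etc/foreman-proxy/settings.yml."),
    (re.compile(r"SSL_connect.*read server certificate.*certificate verif"),
     "foreman",
     "Foreman (TLS client) rejected the proxy's server certificate: the "
     "proxy's :ssl_certificate was not issued by a CA Foreman trusts."),
    (re.compile(r"SSL_connect.*tlsv1 alert"),
     "proxy",
     "The proxy aborted the handshake with a TLS alert; this is Foreman's "
     "view of an SSL_accept failure. The proxy.log entry has the reason."),
)


def triage(line):
    """Return {'side': ..., 'hint': ...} for a recognised error, else None."""
    for pattern, side, hint in RULES:
        if pattern.search(line):
            return {"side": side, "hint": hint}
    return None


def triage_log(lines):
    """Triage every line of a log; unrecognised lines are skipped."""
    results = []
    for line in lines:
        found = triage(line)
        if found:
            results.append((line.strip()[:60], found["side"]))
    return results


# Constructed sample lines, copied from the error messages in the thread.
SAMPLE_LOG = [
    "Unable to detect features ([Errno::EACCES]: Permission denied - connect(2)) "
    "for proxy https://wellsaltdev.niwa.local:9001/features",
    "E, [2016-03-23T07:24:39.925286 #14174] ERROR -- : OpenSSL::SSL::SSLError: "
    "SSL_accept returned=1 errno=0 state=SSLv3 read client certificate A: tlsv1 alert unknown ca",
    "Unable to detect features ([OpenSSL::SSL::SSLError]: SSL_connect returned=1 errno=0 "
    "state=SSLv3 read server session ticket A: tlsv1 alert un...) for proxy "
    "https://wellsaltdev.niwa.local:8443/features",
    "Unable to detect features ([OpenSSL::SSL::SSLError]: SSL_connect returned=1 errno=0 "
    "state=SSLv3 read server certificate B: certificate verif...) for proxy "
    "https://wellsaltdev.niwa.local:8443/features",
    "I, [2016-03-22T11:32:31.224457 #7199] INFO -- : WEBrick::HTTPServer#start: pid=7199 port=9000",
]

if __name__ == "__main__":
    for snippet, side in triage_log(SAMPLE_LOG):
        print(f"{side:13s} {snippet}")
```

Feed it `/var/log/foreman/production.log` from the Foreman host and `/var/log/foreman-proxy/proxy.log` from the proxy together: a "proxy" verdict means the fix is the proxy's trusted-CA file, a "foreman" verdict means the CA Foreman trusts, and the pair of logs from one refresh attempt will normally show the same handshake from both sides.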

Hi again,

I still get the same error :( I have done the below

On my Katello server ran: capsule-certs-generate --capsule-fqdn
"wellsaltdev.niwa.local" --certs-tar wellsaltdev.niwa.local-certs.tar

Copied that tar to wellsaltdev.niwa.local and extracted: tar -xzvf
wellsaltdev.niwa.local-certs.tar

installed the puppet-client and foreman-proxy certificate RPMs

cd ssl-build/wellsaltdev.niwa.local/

rpm -ivh wellsaltdev.niwa.local-puppet-client-1.0-1.noarch.rpm

rpm -ivh wellsaltdev.niwa.local-foreman-proxy-1.0-1.noarch.rpm

also installed the default-ca RPM

cd ..

rpm -ivh katello-default-ca-1.0-1.noarch.rpm

copied the foreman-proxy certificates to /etc/foreman-proxy, plus the CA cert

cp /etc/pki/katello-certs-tools/certs/wellsaltdev.niwa.local-foreman-proxy.crt /etc/foreman-proxy

cp /etc/pki/katello-certs-tools/private/wellsaltdev.niwa.local-foreman-proxy.key /etc/foreman-proxy

cp /etc/pki/katello-certs-tools/certs/katello-default-ca.crt /etc/foreman-proxy

Set file rights

cd /etc/foreman-proxy

chown foreman-proxy:root wellsaltdev.niwa.local-foreman-proxy.key
chmod 400 wellsaltdev.niwa.local-foreman-proxy.key

chmod 644 wellsaltdev.niwa.local-foreman-proxy.crt

chmod 644 katello-default-ca.crt

Updated /etc/foreman-proxy/settings.yml

:ssl_certificate:
/etc/foreman-proxy/wellsaltdev.niwa.local-foreman-proxy.crt
:ssl_ca_file: /etc/foreman-proxy/katello-default-ca.crt
:ssl_private_key:
/etc/foreman-proxy/wellsaltdev.niwa.local-foreman-proxy.key

Next for /etc/salt/foreman.yaml
Copied the puppet-client certs to /etc/salt

cp /etc/pki/katello-certs-tools/certs/wellsaltdev.niwa.local-puppet-client.crt /etc/salt

cp /etc/pki/katello-certs-tools/private/wellsaltdev.niwa.local-puppet-client.key /etc/salt

cp /etc/pki/katello-certs-tools/certs/katello-default-ca.crt /etc/salt

Set file rights

cd /etc/salt

chown foreman-proxy:root wellsaltdev.niwa.local-puppet-client.key
chmod 400 wellsaltdev.niwa.local-puppet-client.key

chmod 644 wellsaltdev.niwa.local-puppet-client.crt

chmod 644 katello-default-ca.crt

And updated /etc/salt/foreman.yaml

:proto: https
:host: wellkatellodev.niwa.local
:port: 443
:ssl_ca: "/etc/salt/katello-default-ca.crt"
:ssl_cert: "/etc/salt/wellsaltdev.niwa.local-puppet-client.crt"
:ssl_key: "/etc/salt/wellsaltdev.niwa.local-puppet-client.key"
:timeout: 10
:salt: /usr/bin/salt
:upload_grains: true

Rebooted

In the Katello GUI, updated the smart proxy to https://wellsaltdev.niwa.local:8443

"Refresh features"

On wellkatellodev, /var/log/foreman/production.log

Started PUT "/smart_proxies/2-wellsaltdev-niwa-local/refresh" for 192.168.222.132 at 2016-03-24 11:25:56 +1300
2016-03-24 11:25:56 [app] [I] Processing by SmartProxiesController#refresh as HTML
2016-03-24 11:25:56 [app] [I]   Parameters: {"authenticity_token"=>"ZPqfYGjpMFdlkBjCZLzjHWy7m8Dxui0bYYm4aiIwnPk=", "id"=>"2-wellsaltdev-niwa-local"}
2016-03-24 11:25:56 [app] [I] Failed to save: Unable to communicate with the proxy: ERF12-2530 [ProxyAPI::ProxyException]: Unable to detect features ([OpenSSL::SSL::SSLError]: SSL_connect returned=1 errno=0 state=SSLv3 read server certificate B: certificate verif…) for proxy https://wellsaltdev.niwa.local:8443/features, Please check the proxy is configured and running on the host.
2016-03-24 11:25:56 [app] [I] Redirected to https://wellkatellodev.niwa.local/smart_proxies
2016-03-24 11:25:56 [app] [I] Completed 302 Found in 60ms (ActiveRecord: 7.2ms)
2016-03-24 11:25:56 [app] [I]

and on wellsaltdev, /var/log/foreman-proxy/proxy.log

E, [2016-03-24T11:25:56.488868 #5727] ERROR -- : OpenSSL::SSL::SSLError: SSL_accept returned=1 errno=0 state=SSLv3 read client certificate A: tlsv1 alert unknown ca /usr/share/ruby/openssl/ssl.rb:226:in `accept'

It's still the same error, isn't it? :(
If I change back to http://wellsaltdev.niwa.local:9000, the refresh of
features works fine.

I've compared the certificates that the puppet smart proxy is using (which
is locally installed on wellkatellodev) and they seem very similar (i.e.
the CA cert is the same, with obvious CN differences between the cert files,
but otherwise similar).

Any ideas greatly appreciated! Thanks for your help so far

Dylan

On Wednesday, March 23, 2016 at 7:46:51 AM UTC+13, stephen wrote:
> It looks like SELinux was the original problem, now you have SSL errors.
>
> Katello doesn't quite use the same setup as Foreman for certificates, we have
> our own CA. You want to use our capsule-certs-generate (Katello calls a proxy a
> "capsule") to create some certificates for your proxy.
>
> You needn't install a proper katello capsule, just get the certs and put them
> in the right place.
>
> I have a post here about how to do it with Puppet, should be similar for Salt:
>
> https://groups.google.com/forum/#!msg/foreman-users/WGt-AAJdymM/ZdvlQhs2O1wJ
>
> Basically, you'll want to use "puppet-client" in /etc/salt/foreman.yaml. You'll also
> need to do the Smart Proxy certificates (/etc/foreman-proxy/settings.yml) too. There's
> an RPM in the capsule certs bundle for the foreman-proxy.
>
> - Stephen

Of note: the default-ca is the wrong rpm to install; you should install the
"katello-server-ca-1.0-2.noarch.rpm" rpm instead, which then puts
a katello-server-ca.crt cert into /etc/pki/katello-certs-tools/certs/

This is the same cert as downloaded by
"wget https://servername.domain/pub/katello-server-ca.crt"

However, even with this I still couldn't get it working. I've given up
running a separate server for Salt (this is a dev environment anyway if the
name of the servers didn't give it away already!), and installed
salt-master onto the katello server itself. SSL communication via the smart
proxy is working as expected!

Thanks for your help Stephen!
Dylan

On Thursday, March 24, 2016 at 11:40:33 AM UTC+13, Dylan Baars wrote:
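The two log lines quoted in the thread are the two halves of one mutual-TLS check: Foreman could not verify the proxy's server certificate against the CA it trusts ("certificate verify..."), and the proxy answered Foreman's client certificate with "tlsv1 alert unknown ca", which is the alert a TLS peer sends when the certificate it was handed was issued by a CA it does not have. Dylan's follow-up that katello-default-ca was the wrong RPM and katello-server-ca the right one points the same way. The script below is an added example, not code from the thread, from Katello or from Foreman: it wraps "openssl verify" and "openssl x509" into a check of whether a certificate chains to a given CA file, prints the issuer/subject mismatch when it does not, and builds a throwaway two-CA PKI with constructed names (not the thread's hosts) so the demo runs offline. check_remote is the live equivalent, a handshake with client authentication like the one Foreman makes to the proxy; the host, port and file paths you give it are your own.

```shell
#!/bin/sh
# Added example (not from the thread): check that each certificate in a
# Foreman <-> smart-proxy TLS setup chains to the CA file the peer trusts.
# Names and paths in the demo PKI are constructed for illustration only.
set -eu

# check_chain CAFILE CERT: 0 if CERT verifies against CAFILE, 1 otherwise.
# The ": OK" line is matched instead of the exit status so the result is
# the same across OpenSSL versions.
check_chain() {
    openssl verify -CAfile "$1" "$2" 2>/dev/null | grep -q ': OK$'
}

# RFC2253 name output has the same format on both sides, so a leaf's issuer
# can be compared to a CA's subject by plain string equality.
issuer_of()  { openssl x509 -in "$1" -noout -issuer  -nameopt RFC2253 | sed 's/^issuer=//'; }
subject_of() { openssl x509 -in "$1" -noout -subject -nameopt RFC2253 | sed 's/^subject=//'; }

# explain CAFILE CERT: one-line verdict of the kind you want when a peer logs
# "tlsv1 alert unknown ca": what the cert names as its issuer versus what the
# configured CA file actually is. Returns 1 on a mismatch.
explain() {
    if check_chain "$1" "$2"; then
        printf 'OK   %s chains to %s\n' "$2" "$1"
    else
        printf 'FAIL %s: issuer "%s" but %s is "%s"\n' \
            "$2" "$(issuer_of "$2")" "$1" "$(subject_of "$1")"
        return 1
    fi
}

# check_remote HOST PORT CAFILE CERT KEY: the live version of the same check,
# a TLS handshake presenting a client certificate, as Foreman does to the proxy.
check_remote() {
    openssl s_client -connect "$1:$2" -CAfile "$3" -cert "$4" -key "$5" \
        </dev/null 2>/dev/null | grep -q 'Verify return code: 0 (ok)'
}

# build_demo_pki: a throwaway PKI in a temp dir so the example runs offline.
# Two distinct CAs (standing in for the two CA RPMs mentioned in the thread)
# and one proxy cert issued by only one of them. Prints the directory.
build_demo_pki() {
    dir=$(mktemp -d)
    # Minimal req config so the run does not depend on the system openssl.cnf.
    cat >"$dir/req.cnf" <<'EOF'
[ req ]
distinguished_name = dn
x509_extensions = ca_ext
[ dn ]
[ ca_ext ]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
EOF
    for ca in default-ca server-ca; do
        openssl req -x509 -config "$dir/req.cnf" -newkey rsa:2048 -nodes -days 1 \
            -keyout "$dir/$ca.key" -out "$dir/$ca.crt" \
            -subj "/CN=demo-$ca" >/dev/null 2>&1
    done
    openssl req -config "$dir/req.cnf" -newkey rsa:2048 -nodes \
        -keyout "$dir/proxy.key" -out "$dir/proxy.csr" \
        -subj '/CN=proxy.example.test' >/dev/null 2>&1
    openssl x509 -req -in "$dir/proxy.csr" -CA "$dir/server-ca.crt" \
        -CAkey "$dir/server-ca.key" -CAcreateserial -days 1 \
        -out "$dir/proxy.crt" >/dev/null 2>&1
    echo "$dir"
}

# Demo run: the proxy cert verifies against the CA that issued it and is
# rejected by the other one; the FAIL line shows the issuer/subject mismatch
# that sits behind an "unknown ca" alert.
demo=$(build_demo_pki)
explain "$demo/server-ca.crt"  "$demo/proxy.crt"
explain "$demo/default-ca.crt" "$demo/proxy.crt" || true
rm -rf "$demo"
```

Applied to the layout in the thread: on the proxy, run explain with /etc/foreman-proxy/katello-default-ca.crt against /etc/foreman-proxy/wellsaltdev.niwa.local-foreman-proxy.crt, and the file named in :ssl_ca of /etc/salt/foreman.yaml against /etc/salt/wellsaltdev.niwa.local-puppet-client.crt. For the direction that failed in proxy.log, the certificate to test is the one Foreman presents as a client, against whatever the proxy has in :ssl_ca_file; if that pair prints FAIL, the CA file is the wrong one, which is what the follow-up about the katello-server-ca RPM describes.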