Foreman not getting callbacks from Ansible: SSL error

I tried following the instructions, but something isn’t right.
Installed Foreman version 1.16, full-auto using foreman-installer.
Then the foreman-ansible-plugin.
Ansible version is 2.5.3.

Ansible has the required [callback_foreman] fields configured.

But when I try ansible -m setup localhost I get an error at the end:

HTTPSConnectionPool(host='foreman.local', port=443): Max retries exceeded with url: /api/v2/hosts/facts (Caused by SSLError(SSLError(1, u'[SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed (_ssl.c:590)'),))
HTTPSConnectionPool(host='foreman.local', port=443): Max retries exceeded with url: /api/v2/reports (Caused by SSLError(SSLError(1, u'[SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed (_ssl.c:590)'),))

Hello,

Based on the error, I assume the hostname foreman.local does not match the CN in the X.509 certificate that is installed on the Foreman server. See the certificate and use the same hostname in the callback configuration instead of foreman.local.

Hope that helps


Marek

For some weird reason I wanted to edit out the server name… which may have been misleading.

hostname -f
rainbow3-11.bru

Checked the certificates, they seem fine

openssl x509 -in /etc/puppetlabs/puppet/ssl/certs/rainbow3-11.bru.pem -text -noout
    Certificate:
        Data:
            Version: 3 (0x2)
            Serial Number: 2 (0x2)
        Signature Algorithm: sha256WithRSAEncryption
            Issuer: CN=Puppet CA: rainbow3-11.bru
            Validity
                Not Before: May 30 20:15:37 2018 GMT
                Not After : May 30 20:15:37 2023 GMT
            Subject: CN=rainbow3-11.bru

openssl x509 -in /etc/puppetlabs/puppet/ssl/certs/ca.pem -text -noout
    Certificate:
        Data:
            Version: 3 (0x2)
            Serial Number: 1 (0x1)
        Signature Algorithm: sha256WithRSAEncryption
            Issuer: CN=Puppet CA: rainbow3-11.bru
            Validity
                Not Before: May 30 20:15:34 2018 GMT
                Not After : May 30 20:15:34 2023 GMT
            Subject: CN=Puppet CA: rainbow3-11.bru

And here’s the part from ansible.cfg:

[callback_foreman]
url = 'https://rainbow3-11.bru'
ssl_cert = /etc/puppetlabs/puppet/ssl/certs/rainbow3-11.bru.pem
ssl_key = /etc/puppetlabs/puppet/ssl/private_keys/rainbow3-11.bru.pem
ssl_ca = /etc/puppetlabs/puppet/ssl/certs/ca.pem
verify_certs = 1

When verify_certs is set to 1, Ansible will use the local CA bundle (usually /etc/pki/tls/certs/ca-bundle.crt). It’s quite likely that the Foreman CA is not included in the local CA bundle.

You may use the path to the Foreman CA bundle directly, like this:
verify_certs=/etc/foreman-proxy/ssl_ca.pem

Could you try that? If that doesn’t work, could you try setting verify to False to make sure the SSL cert/key are correct? From the error I think it’s just the CA verification but let’s make sure.
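As an added example (not the Foreman callback's own code, and not something posted in the thread), here is a small Python preflight that applies the two checks the replies above make by hand: the host in url against the certificate CN, and what verify_certs actually resolves to. It assumes the semantics the reply states for verify_certs (1 means the system CA bundle, 0/False means no verification, anything else is a CA file path) and uses constructed sample input copied from the thread; the file-existence checks will of course only pass on a host that has the Puppet SSL directory.

```python
"""Preflight check for an ansible.cfg [callback_foreman] section.

Added example, not Foreman's or Ansible's code. Assumption: the callback
hands verify_certs to requests as described in the reply above
(1/true -> system CA bundle, 0/false -> no verification, else -> CA path).
"""
import configparser
import os
import re
from urllib.parse import urlsplit

# Constructed sample: the section from the thread, with the CA path the
# second reply recommends for verify_certs.
SAMPLE_CFG = """
[callback_foreman]
url = 'https://rainbow3-11.bru'
ssl_cert = /etc/puppetlabs/puppet/ssl/certs/rainbow3-11.bru.pem
ssl_key = /etc/puppetlabs/puppet/ssl/private_keys/rainbow3-11.bru.pem
ssl_ca = /etc/puppetlabs/puppet/ssl/certs/ca.pem
verify_certs = /etc/puppetlabs/puppet/ssl/certs/ca.pem
"""

# Constructed sample of `openssl x509 -noout -subject` output for the
# server certificate whose -text dump appears in the thread.
SAMPLE_SUBJECT = "subject=CN = rainbow3-11.bru"


def load_callback_section(text):
    """Parse [callback_foreman]; strips the quotes the thread's url carries."""
    parser = configparser.ConfigParser()
    parser.read_string(text)
    section = dict(parser["callback_foreman"])
    section["url"] = section["url"].strip("'\"")
    return section


def resolve_verify(value):
    """Map verify_certs to the value requests would receive as verify=.

    True  -> the system/requests CA bundle (where the Puppet CA usually is not)
    False -> no verification; only useful to isolate a cert/key problem
    str   -> verify against exactly that CA file
    """
    v = value.strip().lower()
    if v in ("1", "true", "yes", "on"):
        return True
    if v in ("0", "false", "no", "off"):
        return False
    return value.strip()


def subject_cn(openssl_subject_line):
    """Extract the CN from `openssl x509 -noout -subject` output."""
    m = re.search(r"CN\s*=\s*([^,/\n]+)", openssl_subject_line)
    return m.group(1).strip() if m else None


def hostname_matches(url, cn):
    """Compare the url host with the CN, as the first reply does by eye.
    (A real TLS client also consults subjectAltName; this mirrors the
    thread's manual check only.)"""
    return urlsplit(url).hostname == cn


def preflight(cfg_text, openssl_subject_line):
    """Return a list of problems; an empty list means the config is consistent."""
    section = load_callback_section(cfg_text)
    problems = []
    cn = subject_cn(openssl_subject_line)
    host = urlsplit(section["url"]).hostname
    if not hostname_matches(section["url"], cn):
        problems.append("url host %r != certificate CN %r" % (host, cn))
    verify = resolve_verify(section.get("verify_certs", "1"))
    if verify is True:
        problems.append("verify_certs=1 uses the system CA bundle; "
                        "the Puppet CA is normally not in it")
    elif verify is False:
        problems.append("verify_certs=0 disables verification; debugging only")
    elif not os.path.isfile(verify):
        problems.append("CA file %s not readable" % verify)
    for key in ("ssl_cert", "ssl_key", "ssl_ca"):
        if key in section and not os.path.isfile(section[key]):
            problems.append("%s: %s missing" % (key, section[key]))
    return problems


if __name__ == "__main__":
    for p in preflight(SAMPLE_CFG, SAMPLE_SUBJECT) or ["config looks consistent"]:
        print(p)
```

Run it on the real ansible.cfg and the output of openssl x509 -noout -subject against the server certificate; a hostname mismatch reproduces the original foreman.local symptom, and verify_certs = 1 reproduces the CA-bundle problem the reply describes.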

Thanks, that did it!

I didn’t have any certs in /etc/foreman-proxy/ but I pointed toward the same ca.pem and ansible finished without an error.

[callback_foreman]
url = 'https://rainbow3-11.bru'
ssl_cert = /etc/puppetlabs/puppet/ssl/certs/rainbow3-11.bru.pem
ssl_key = /etc/puppetlabs/puppet/ssl/private_keys/rainbow3-11.bru.pem
ssl_ca = /etc/puppetlabs/puppet/ssl/certs/ca.pem
verify_certs = /etc/puppetlabs/puppet/ssl/certs/ca.pem