While foreman picks up new modules from open source puppet master, when I
do a puppet agent -t on an agent I don't see it come into foreman. The
script external_node_v2.rb is is installed and tested to work. This is the
output I am getting on the agent when I do a puppet agent -t:

[root@puppetdb puppet]# puppet agent -t
Error: Could not request certificate: Error 500 on SERVER: <!DOCTYPE html>
<html>
<head>
<title>We're sorry, but something went wrong (500)</title>
<style type="text/css">
body { background-color: #fff; color: #666; text-align: center;
font-family: arial, sans-serif; }
.dialog {
width: 25em;
padding: 0 4em;
margin: 4em auto 0 auto;
border: 1px solid #ccc;
border-right-color: #999;
border-bottom-color: #999;
}
h1 { font-size: 100%; color: #f00; line-height: 1.5em; }
#operator_info_panel {
width: 27em;
margin: 4em auto 0 auto;
line-height: 1.2em;
}
#show_operator_info { text-decoration: none; color: #99f; font-size:
smaller; }
#show_operator_info:hover { text-decoration: underline; }
#operator_info { color: #444; text-align: justify; }
</style>
</head>

<body>
<div class="dialog">
<h1>We're sorry, but something went wrong.</h1>
<p>We've been notified about this issue and we'll take a look at it
shortly.</p>
</div>
<div id="operator_info_panel">
<a id="show_operator_info"
href="javascript:void(showOperatorInfo())">Information for the
administrator of this website</a>
<div id="operator_info" style="display: none">
<p>The Phusion Passenger application server encountered an error
while starting your web application.
Because you are running this web application in staging or
production mode, the details of the error
have been omitted from this web page for security reasons.</p>
<p><strong>Please read <a
href="https://www.phusionpassenger.com/library/admin/log_file/">the
Passenger log file</a> to find the details of the error.</strong></p>
<p>Alternatively, you can turn on the "friendly error pages" feature
(see below), which will make Phusion Passenger show many details about the
error right in the browser.</p>
<p>To turn on friendly error pages:</p>
<ul>
<li><a
href="https://www.phusionpassenger.com/library/config/nginx/reference/#passenger_friendly_error_pages">Nginx
integration mode</a></li>
<li><a
href="https://www.phusionpassenger.com/library/config/apache/reference/#passengerfriendlyerrorpages">Apache
integration mode</a></li>
<li><a
href="https://www.phusionpassenger.com/library/config/standalone/reference/#--friendly-error-pages---no-friendly-error-pages-friendly_error_pages">Standalone
mode</a></li>
</ul>
</div>
</div>

<script>
function showOperatorInfo() {
document.getElementById('operator_info').style.display = 'block';
}
</script>
</body>
</html>

whats in your server logs?

made some headway - seemed to be some sort of invalid invisible character
in puppet.conf on puppetmaster, now however when I do a puppet agent -t on
the agent, this is what I see in foreman production logs:

Started GET "/node/puppetdb.kartikv.com?format=yml" for 192.168.1.181 at
2015-09-09 15:26:17 -0400
Processing by HostsController#externalNodes as YML
Parameters: {"name"=>"puppetdb.kartikv.com"}
SSL is required - request from 192.168.1.181
Redirected to http://foreman.kartikv.com/users/login
Filter chain halted as :require_puppetmaster_or_login rendered or redirected
Completed 403 Forbidden in 1ms (ActiveRecord: 0.0ms)

puppetdb.kartikv.com is the puppet agent

Thank you very much for taking an interest in my issue. All log files on
puppet master are empty.

What logs are you checking exactly? The problem here is actually that
your Puppet master appears to be down (500 errors from Passenger), way
before it ever involves Foreman.

Check syslog (e.g. /var/log/{syslog,messages} depending on OS) for any
messages from puppet-master in case it's refusing to start, and
httpd/apache2's error log for errors related to Passenger.

Change the URL in /etc/puppet/foreman.yaml (used by the external node
script you set up) to HTTPS.

By the way, are you aware that our installer can set up a new Foreman
instance with a Puppet master installed alongside, fully integrated? It
looks like you're unfamiliar with both Puppet and Foreman, so it's
probably a better way to get acquainted with them instead of configuring
it from scratch.

Suddenly I am no longer getting that error. I do not know what happened. I
am now however not able to get the foreman gui, this is in httpd error_log:

[ 2015-09-07 18:36:12.8483 31496/7f71c0be6700 Pool2/SmartSpawner.h:301 ]:
Preloader for /usr/share/foreman started on PID 31527, listening on
unix:/tmp/passenger.1.0.31472/generation-1/backends/preloader.315
43
/usr/share/gems/gems/passenger-4.0.18/helper-scripts/prespawn:114:in
connect': SSL_connect returned=1 errno=0 state=SSLv2/v3 read server hello from /usr/share/gems/gems/passenger-4.0.18/helper-scripts/prespawn:114:inconnect'
from
/usr/share/gems/gems/passenger-4.0.18/helper-scripts/prespawn:86:in socket' from /usr/share/gems/gems/passenger-4.0.18/helper-scripts/prespawn:90:inhead_request'
from
/usr/share/gems/gems/passenger-4.0.18/helper-scripts/prespawn:145:in
`<main>'

Thanks Dominic. I will try the fully integrated setup that you mentioned. I
have been looking for something like this. Are there explanatory notes
somewhere (easy to understand?).

Coming back to the current issue at hand, I made the change to https in
/etc/puppet/foreman.yaml, this is what I am now seeing:

NOTE: puppetdb.kartikv.com is the agent, puppet is at 192.168.1.181, and
foreman is at foreman.kartiukv.com

[root@puppetdb puppet]# puppet agent -t
Warning: Unable to fetch my node definition, but the agent run will
continue:
Warning: Error 400 on SERVER: Failed to find puppetdb.kartikv.com via exec:
Execution of '/etc/puppet/foreman_external_node.rb puppetdb.kartikv.com'
returned 1:
Info: Retrieving pluginfacts
Info: Retrieving plugin
Info: Loading facts
Error: Could not retrieve catalog from remote server: Error 400 on SERVER:
Failed when searching for node puppetdb.kartikv.com: Failed to find
puppetdb.kartikv.com via exec: Execution of
'/etc/puppet/foreman_external_node.rb puppetdb.kartikv.com' returned 1:
Warning: Not using cache on failed catalog
Error: Could not retrieve catalog; skipping run
[root@puppetdb puppet]#

[root@foreman conf.d]# tail -f /var/log/foreman/production.log
Started POST "/api/hosts/facts" for 192.168.1.181 at 2015-09-10 06:29:02
-0400
Processing by Api::V2::HostsController#facts as JSON
Parameters: {"facts"=>"[FILTERED]", "name"=>"puppetdb.kartikv.com",
"certname"=>"puppetdb.kartikv.com", "apiv"=>"v2", :host=>{"name"=>"
puppetdb.kartikv.com", "certname"=>"puppetdb.kartikv.com"}}
No SSL cert with CN supplied - request from 192.168.1.181,
Rendered api/v2/errors/access_denied.json.rabl within
api/v2/layouts/error_layout (0.4ms)
Filter chain halted as :require_puppetmaster_or_login rendered or redirected
Completed 403 Forbidden in 2ms (Views: 0.9ms | ActiveRecord: 0.0ms)

Started GET "/node/puppetdb.kartikv.com?format=yml" for 192.168.1.181 at
2015-09-10 06:29:02 -0400
Processing by HostsController#externalNodes as YML
Parameters: {"name"=>"puppetdb.kartikv.com"}
No SSL cert with CN supplied - request from 192.168.1.181,
Redirected to https://foreman.kartikv.com/users/login
Filter chain halted as :require_puppetmaster_or_login rendered or redirected
Completed 403 Forbidden in 2ms (ActiveRecord: 0.0ms)

> Thanks Dominic. I will try the fully integrated setup that you
> mentioned. I have been looking for something like this. Are there
> explanatory notes somewhere (easy to understand?).

Yes, follow the Get Started link on the website:
http://theforeman.org/manuals/latest/quickstart_guide.html

I would run it on a clean server though, probably not the one you're
currently configuring as it might not work reliably.

> Coming back to the current issue at hand, I made the change to https in
> /etc/puppet/foreman.yaml, this is what I am now seeing:
>
> No SSL cert with CN supplied - request from 192.168.1.181,
> Rendered api/v2/errors/access_denied.json.rabl within
> api/v2/layouts/error_layout (0.4ms)
> Filter chain halted as :require_puppetmaster_or_login rendered or redirected
> Completed 403 Forbidden in 2ms (Views: 0.9ms | ActiveRecord: 0.0ms)

How are you running Foreman?

Under Apache with Passenger? If so, check you have "SSLOptions
+StdEnvVars" in your VirtualHost configuration as Foreman uses these to
authenticate the incoming request. Also check that you have the
ssl_cert/ssl_key settings in foreman.yaml.
http://theforeman.org/manuals/1.9/index.html#5.4SecuringCommunicationswithSSL
has more information about securing these requests.

You can also disable the authentication and authorisation, which is
covered at the bottom of the same chapter. I wouldn't recommend this in
any untrusted network or production installation as anybody can attack
your Foreman installation.

Okay I restarted foreman, foreman-proxy, enabled sslengine
in 05-foreman-ssl.conf and added a hosts file entry on my windows system to
point to the foreman systems IP and am now able to get to the GUI.

On running puppet agent -t on the puppet agent I get:
[root@puppetdb puppet]# puppet agent -t
Info: Caching certificate for ca
Info: Caching certificate for ca
Exiting; no certificate found and waitforcert is disabled
[root@puppetdb puppet]#

I do not see the host in foreman

Dominic,

I try not to let ego get in the way and followed your advise and comment
that puppet-server and foreman are now integrated. One simple command
foreman-installer is all it took for me to create an open source
puppet+foreman environment. I could add an agent and add modules in the
foreman GUI.

Please let me know if I am missing something.

Thanks for helping newbies such as myself. Regards,

Kartik Vashishta

The client doesn't have a certificate ("no certificate found") so can't
talk to your Puppet master. Sign it via puppet cert list/sign on
the master.

https://docs.puppetlabs.com/guides/install_puppet/post_install.html#sign-the-new-nodes-certificate

Great to hear it's working - you're not missing anything, that's
everything you need to start with. It's configured the two bits of
software, plus the ENC (which you were doing) and the report processor.

[root@puppetdb puppet]# puppet agent -t

Info: Creating a new SSL key for puppetdb.kartikv.com

Info: csr_attributes file loading from /etc/puppet/csr_attributes.yaml

Info: Creating a new SSL certificate request for puppetdb.kartikv.com

Info: Certificate Request fingerprint (SHA256):
B4:3A:1C:22:E8:C9:D0:8D:CD:11:7C:30:07:04:59:54:62:5B:C0:EC:5C:33:11:62:14:7C:90:4C:5F:E7:A7:E0

Exiting; no certificate found and waitforcert is disabled

[root@puppetdb puppet]#

[root@puppet puppet]# puppet cert sign puppetdb.kartikv.com

Error: Could not parse /etc/puppet/puppet.conf: Could not match line
pluginsync = true

at /etc/puppet/puppet.conf:14

Notice: Signed certificate request for puppetdb.kartikv.com

Notice: Removing file Puppet::SSL::CertificateRequest puppetdb.kartikv.com
at '/etc/puppet/ssl/ca/requests/puppetdb.kartikv.com.pem'

[root@puppet puppet]#

[root@puppetdb puppet]# puppet agent -t

Info: Caching certificate for puppetdb.kartikv.com

Error: Could not request certificate: SSL_connect returned=1 errno=0
state=SSLv3 read server certificate B: certificate verify failed: [self
signed certificate in certificate chain for /CN=Puppet CA:
puppet.kartikv.com]

Exiting; failed to retrieve certificate and waitforcert is disabled

[root@puppetdb puppet]#

And Foreman is configured to create new hosts when facts are uploaded:

create_new_host_when_facts_are_uploaded true Foreman will create the host
when new facts are received create_new_host_when_report_is_uploaded true Foreman
will create the host when a report is received

I like to repeat previous successes, on a new vanilla server named
puppet.kartikv.com (not in DNS yet), I ran the installer and encountered
these errors, I am still able to login to foreman…but not with https,
it gave me an http connection

[ERROR 2015-09-17 14:16:14 main] Repeating errors encountered during run:
[ERROR 2015-09-17 14:16:14 main]
/Stage[main]/Foreman_proxy::Register/Foreman_smartproxy[puppet.kartikv.com]:
Could not evaluate: Proxy puppet.kartikv.com cannot be registered (Could
not load data from https://puppet.kartikv.com
[ERROR 2015-09-17 14:16:14 main]
/Stage[main]/Foreman_proxy::Register/Foreman_smartproxy[puppet.kartikv.com]:
Failed to call refresh: Proxy puppet.kartikv.com cannot be registered
(Could not load data from https://puppet.kartikv.com
[ERROR 2015-09-17 14:16:14 main]
/Stage[main]/Foreman_proxy::Register/Foreman_smartproxy[puppet.kartikv.com]:
Proxy puppet.kartikv.com cannot be registered (Could not load data from
https://puppet.kartikv.com

are these harmless

unable to execute a successful puppet run:

[root@sys2 ~]# puppet agent -t
Warning: Unable to fetch my node definition, but the agent run will
continue:
Warning: Error 400 on SERVER: Failed to find sys2.kartikv.com via exec:
Execution of '/etc/puppet/node.rb sys2.kartikv.com' returned 1:
Info: Retrieving pluginfacts
Info: Retrieving plugin
Error: Could not retrieve catalog from remote server: Error 400 on SERVER:
Failed when searching for node sys2.kartikv.com: Failed to find
sys2.kartikv.com via exec: Execution of '/etc/puppet/node.rb
sys2.kartikv.com' returned 1:
Warning: Not using cache on failed catalog
Error: Could not retrieve catalog; skipping run
[root@sys2 ~]#

Update: Added puppet.kartikv.com (the foreman/puppet server) in DNS, reran
foreman-installer, got the SUCCESS message, could successfully add a puppet
agent to this infrastructure and install a module.