Hi

I am having the exact same issue, have you found a solution yet?

On Thursday, 15 June 2017 17:29:01 UTC+2, Sai Krishna wrote:

Hello everyone,

I have installed openscap plugin for existing foreman 1.15 and trying to
get the compliance report for a server, facing few issues during this
process.

Having trouble assigning policy to host, its not loading to select the
existing policy.

So I have tried from command line by running /usr/bin/foreman_scap_client
1

below is the confi file /etc/foreman_scap_client/config.yaml

DO NOT EDIT THIS FILE MANUALLY

IT IS MANAGED BY PUPPET

Foreman proxy to which reports should be uploaded

:server: ‘foremanproxy.example.com’
:port: 8443

SSL specific options

Client CA file.

It could be Puppet CA certificate (e.g., '/var/lib/puppet/ssl/certs/ca.

pem’)

Or (recommended for client reporting to Katello) subscription manager

CA file, (e.g., ‘/etc/rhsm/ca/katello-server-ca.pem’)
:ca_file: ‘/etc/puppetlabs/puppet/ssl/certs/ca.pem’

Client host certificate.

It could be Puppet agent host certificate (e.g.,

‘/var/lib/puppet/ssl/certs/myhost.example.com.pem’)

Or (recommended for client reporting to Katello) consumer certificate

(e.g., ‘/etc/pki/consumer/cert.pem’)
:host_certificate: ‘/etc/puppetlabs/puppet/ssl/certs/
localhost.example.com.pem’

Client private key

It could be Puppet agent private key (e.g.,

‘/var/lib/puppet/ssl/private_keys/myhost.example.com.pem’)

Or (recommended for client reporting to Katello) consumer private key

(e.g., ‘/etc/pki/consumer/key.pem’)
:host_private_key: ‘/etc/puppetlabs/puppet/ssl/pr
ivate_keys/localhost.example.com.pem’

policy (key is id as in Foreman)

1:
:profile: ‘’
:content_path: ‘/usr/share/xml/scap/ssg/content/ssg-rhel7-ds.xml’

Download path

A path to download SCAP content from proxy

:download_path: ‘/compliance/policies/1/content’
:tailoring_path: ‘’
:tailoring_download_path: ‘’

root localhost [~] # /usr/bin/foreman_scap_client 1
DEBUG: running: oscap xccdf eval --results-arf
/tmp/d20170615-1073-zzt674/results.xml /usr/share/xml/scap/ssg/conten
t/ssg-rhel7-ds.xml
WARNING: Skipping http://www.redhat.com/security
/data/oval/Red_Hat_Enterprise_Linux_7.xml file which is referenced from
XCCDF content
DEBUG: running: /usr/bin/bzip2 /tmp/d20170615-1073-zzt674/results.xml
Uploading results to https://foreman.example.com:8443/compliance/arf/1

At https://foreman.example.com:8443/compliance/arf/1 it through a
message as " No client SSL certificate supplied "

Below are logs from foreman-proxy server
/var/log/foreman-proxy/proxy.log

/var/log/foreman-proxy/proxy.log - Pastebin.com

Can anyone please help me with this.

Thank you
Sai Krishna

–
You received this message because you are subscribed to a topic in the
Google Groups “Foreman users” group.
To unsubscribe from this topic, visit https://groups.google.com/d/
topic/foreman-users/TKcNVZQ4b4A/unsubscribe.
To unsubscribe from this group and all its topics, send an email to
foreman-users+unsubscribe@googlegroups.com.
To post to this group, send email to foreman-users@googlegroups.com.
Visit this group at https://groups.google.com/group/foreman-users.
For more options, visit https://groups.google.com/d/optout.

Hi

Please see what error I’m getting

root@dev-qua-za-centos7:/etc/cron.d# /usr/bin/foreman_scap_client 1
File /var/lib/openscap/content/3e1654fd14a5352d65294db555710b
fda5cad1a942209e2d787ea7940035616e.xml is missing. Downloading it from
proxy.
Download SCAP content xml from: https://foreman.qualica.com:
9090/compliance/policies/1/content/3e1654fd14a5352d65294db555710b
fda5cad1a942209e2d787ea7940035616e
SCAP content is missing and download failed with error: SSL_connect
returned=1 errno=0 state=SSLv3 read server certificate B: certificate
verify failed

root@dev-qua-za-centos7:/etc/cron.d# cat /etc/foreman_scap_client/
config.yaml

DO NOT EDIT THIS FILE MANUALLY

IT IS MANAGED BY PUPPET

Foreman proxy to which reports should be uploaded

:server: ‘foreman.qualica.com’
:port: 9090

SSL specific options

Client CA file.

It could be Puppet CA certificate (e.g., '/var/lib/puppet/ssl/certs/ca.

pem’)

Or (recommended for client reporting to Katello) subscription manager CA

file, (e.g., ‘/etc/rhsm/ca/katello-server-ca.pem’)
:ca_file: ‘/var/lib/puppet/ssl/certs/ca.pem’

Client host certificate.

It could be Puppet agent host certificate (e.g.,

‘/var/lib/puppet/ssl/certs/myhost.example.com.pem’)

Or (recommended for client reporting to Katello) consumer certificate

(e.g., ‘/etc/pki/consumer/cert.pem’)
:host_certificate: ‘/var/lib/puppet/ssl/certs/
dev-qua-za-centos7.dc.qualica.com.pem’

Client private key

It could be Puppet agent private key (e.g., '/var/lib/puppet/ssl/private_

keys/myhost.example.com.pem’)

Or (recommended for client reporting to Katello) consumer private key

(e.g., ‘/etc/pki/consumer/key.pem’)
:host_private_key: ‘/var/lib/puppet/ssl/private_
keys/dev-qua-za-centos7.dc.qualica.com.pem’

policy (key is id as in Foreman)

1:
:profile: ‘xccdf_org.ssgproject.content_profile_pci-dss’
:content_path: ‘/var/lib/openscap/content/3e1654fd14a5352d65294db555710b
fda5cad1a942209e2d787ea7940035616e.xml’

Download path

A path to download SCAP content from proxy

:download_path: ‘/compliance/policies/1/content/
3e1654fd14a5352d65294db555710bfda5cad1a942209e2d787ea7940035616e’

On Monday, 10 July 2017 17:10:30 UTC+2, Sai Krishna wrote:

Hi

In my situation I have manually changed the profile details in
/etc/foreman_scap_client/config.yaml file that’s the reason I have faced
errors. I have then created a host group in foreman and assigned required
profile and ran puppet agent from CLI in respective node. Make sure you
provide correct cert details.

let me know how it went.

Sai Krishna

On Mon, Jul 10, 2017 at 7:05 AM, Phillip Smith phi...@qualica.com >> wrote:

Hi

I am having the exact same issue, have you found a solution yet?

On Thursday, 15 June 2017 17:29:01 UTC+2, Sai Krishna wrote:

Hello everyone,

I have installed openscap plugin for existing foreman 1.15 and trying
to get the compliance report for a server, facing few issues during this
process.

Having trouble assigning policy to host, its not loading to select the
existing policy.

So I have tried from command line by running
/usr/bin/foreman_scap_client 1

below is the confi file /etc/foreman_scap_client/config.yaml

DO NOT EDIT THIS FILE MANUALLY

IT IS MANAGED BY PUPPET

Foreman proxy to which reports should be uploaded

:server: ‘foremanproxy.example.com’
:port: 8443

SSL specific options

Client CA file.

It could be Puppet CA certificate (e.g.,

‘/var/lib/puppet/ssl/certs/ca.pem’)

Or (recommended for client reporting to Katello) subscription manager

CA file, (e.g., ‘/etc/rhsm/ca/katello-server-ca.pem’)
:ca_file: ‘/etc/puppetlabs/puppet/ssl/certs/ca.pem’

Client host certificate.

It could be Puppet agent host certificate (e.g.,

‘/var/lib/puppet/ssl/certs/myhost.example.com.pem’)

Or (recommended for client reporting to Katello) consumer certificate

(e.g., ‘/etc/pki/consumer/cert.pem’)
:host_certificate: ‘/etc/puppetlabs/puppet/ssl/certs/
localhost.example.com.pem’

Client private key

It could be Puppet agent private key (e.g.,

‘/var/lib/puppet/ssl/private_keys/myhost.example.com.pem’)

Or (recommended for client reporting to Katello) consumer private key

(e.g., ‘/etc/pki/consumer/key.pem’)
:host_private_key: ‘/etc/puppetlabs/puppet/ssl/pr
ivate_keys/localhost.example.com.pem’

policy (key is id as in Foreman)

1:
:profile: ‘’
:content_path: ‘/usr/share/xml/scap/ssg/content/ssg-rhel7-ds.xml’

Download path

A path to download SCAP content from proxy

:download_path: ‘/compliance/policies/1/content’
:tailoring_path: ‘’
:tailoring_download_path: ‘’

root localhost [~] # /usr/bin/foreman_scap_client 1
DEBUG: running: oscap xccdf eval --results-arf
/tmp/d20170615-1073-zzt674/results.xml /usr/share/xml/scap/ssg/conten
t/ssg-rhel7-ds.xml
WARNING: Skipping http://www.redhat.com/security
/data/oval/Red_Hat_Enterprise_Linux_7.xml file which is referenced
from XCCDF content
DEBUG: running: /usr/bin/bzip2 /tmp/d20170615-1073-zzt674/results.xml
Uploading results to https://foreman.example.com:8443/compliance/arf/1

At https://foreman.example.com:8443/compliance/arf/1 it through a
message as " No client SSL certificate supplied "

Below are logs from foreman-proxy server
/var/log/foreman-proxy/proxy.log

/var/log/foreman-proxy/proxy.log - Pastebin.com

Can anyone please help me with this.

Thank you
Sai Krishna

–
You received this message because you are subscribed to a topic in the
Google Groups “Foreman users” group.
To unsubscribe from this topic, visit https://groups.google.com/d/to
pic/foreman-users/TKcNVZQ4b4A/unsubscribe.
To unsubscribe from this group and all its topics, send an email to
foreman-user...@googlegroups.com.
To post to this group, send email to forema...@googlegroups.com.
Visit this group at https://groups.google.com/group/foreman-users.
For more options, visit https://groups.google.com/d/optout.

–
You received this message because you are subscribed to a topic in the
Google Groups “Foreman users” group.
To unsubscribe from this topic, visit https://groups.google.com/d/
topic/foreman-users/TKcNVZQ4b4A/unsubscribe.
To unsubscribe from this group and all its topics, send an email to
foreman-users+unsubscribe@googlegroups.com.
To post to this group, send email to foreman-users@googlegroups.com.
Visit this group at https://groups.google.com/group/foreman-users.
For more options, visit https://groups.google.com/d/optout.

Hi

I have tested that and it works, thank you. I am not getting a 500 error,
Internal Server Error, could you maybe see if you can advise?

Redirecting to Google Groups

On Tuesday, 11 July 2017 20:01:19 UTC+2, Sai Krishna wrote:

Hi

Hope you have tried this foreman_scap_client fails with 'SL_connect returned=1 errno=0 state=SSLv3 read server certificate B: certificate verify failed' - Red Hat Customer Portal

above should work if you’re using redhat satellite server as foreman.

Which version of puppet are you using if it is 4.x certs location should
be something like this /etc/puppetlabs/puppet/ssl/certs/

On Tue, Jul 11, 2017 at 4:53 AM, Phillip Smith phi...@qualica.com >> wrote:

Hi

Please see what error I’m getting

root@dev-qua-za-centos7:/etc/cron.d# /usr/bin/foreman_scap_client 1
File /var/lib/openscap/content/3e1654fd14a5352d65294db555710bfda5
cad1a942209e2d787ea7940035616e.xml is missing. Downloading it from
proxy.
Download SCAP content xml from: https://foreman.qualica.com:90
90/compliance/policies/1/content/3e1654fd14a5352d65294db5557
10bfda5cad1a942209e2d787ea7940035616e
SCAP content is missing and download failed with error: SSL_connect
returned=1 errno=0 state=SSLv3 read server certificate B: certificate
verify failed

root@dev-qua-za-centos7:/etc/cron.d# cat /etc/foreman_scap_client/confi
g.yaml

DO NOT EDIT THIS FILE MANUALLY

IT IS MANAGED BY PUPPET

Foreman proxy to which reports should be uploaded

:server: ‘foreman.qualica.com’
:port: 9090

SSL specific options

Client CA file.

It could be Puppet CA certificate (e.g., '/var/lib/puppet/ssl/certs/ca.

pem’)

Or (recommended for client reporting to Katello) subscription manager

CA file, (e.g., ‘/etc/rhsm/ca/katello-server-ca.pem’)
:ca_file: ‘/var/lib/puppet/ssl/certs/ca.pem’

Client host certificate.

It could be Puppet agent host certificate (e.g.,

‘/var/lib/puppet/ssl/certs/myhost.example.com.pem’)

Or (recommended for client reporting to Katello) consumer certificate

(e.g., ‘/etc/pki/consumer/cert.pem’)
:host_certificate: ‘/var/lib/puppet/ssl/certs/dev-
qua-za-centos7.dc.qualica.com.pem’

Client private key

It could be Puppet agent private key (e.g.,

‘/var/lib/puppet/ssl/private_keys/myhost.example.com.pem’)

Or (recommended for client reporting to Katello) consumer private key

(e.g., ‘/etc/pki/consumer/key.pem’)
:host_private_key: ‘/var/lib/puppet/ssl/private_k
eys/dev-qua-za-centos7.dc.qualica.com.pem’

policy (key is id as in Foreman)

1:
:profile: ‘xccdf_org.ssgproject.content_profile_pci-dss’
:content_path: ‘/var/lib/openscap/content/3e1
654fd14a5352d65294db555710bfda5cad1a942209e2d787ea7940035616e.xml’

Download path

A path to download SCAP content from proxy

:download_path: ‘/compliance/policies/1/conten
t/3e1654fd14a5352d65294db555710bfda5cad1a942209e2d787ea7940035616e’

On Monday, 10 July 2017 17:10:30 UTC+2, Sai Krishna wrote:

Hi

In my situation I have manually changed the profile details in
/etc/foreman_scap_client/config.yaml file that’s the reason I have
faced errors. I have then created a host group in foreman and assigned
required profile and ran puppet agent from CLI in respective node. Make
sure you provide correct cert details.

let me know how it went.

Sai Krishna

On Mon, Jul 10, 2017 at 7:05 AM, Phillip Smith phi...@qualica.com >>>> wrote:

Hi

I am having the exact same issue, have you found a solution yet?

On Thursday, 15 June 2017 17:29:01 UTC+2, Sai Krishna wrote:

Hello everyone,

I have installed openscap plugin for existing foreman 1.15 and trying
to get the compliance report for a server, facing few issues during this
process.

Having trouble assigning policy to host, its not loading to select
the existing policy.

So I have tried from command line by running
/usr/bin/foreman_scap_client 1

below is the confi file /etc/foreman_scap_client/config.yaml

DO NOT EDIT THIS FILE MANUALLY

IT IS MANAGED BY PUPPET

Foreman proxy to which reports should be uploaded

:server: ‘foremanproxy.example.com’
:port: 8443

SSL specific options

Client CA file.

It could be Puppet CA certificate (e.g.,

‘/var/lib/puppet/ssl/certs/ca.pem’)

Or (recommended for client reporting to Katello) subscription

manager CA file, (e.g., ‘/etc/rhsm/ca/katello-server-ca.pem’)
:ca_file: ‘/etc/puppetlabs/puppet/ssl/certs/ca.pem’

Client host certificate.

It could be Puppet agent host certificate (e.g.,

‘/var/lib/puppet/ssl/certs/myhost.example.com.pem’)

Or (recommended for client reporting to Katello) consumer

certificate (e.g., ‘/etc/pki/consumer/cert.pem’)
:host_certificate: ‘/etc/puppetlabs/puppet/ssl/certs/
localhost.example.com.pem’

Client private key

It could be Puppet agent private key (e.g.,

‘/var/lib/puppet/ssl/private_keys/myhost.example.com.pem’)

Or (recommended for client reporting to Katello) consumer private

key (e.g., ‘/etc/pki/consumer/key.pem’)
:host_private_key: ‘/etc/puppetlabs/puppet/ssl/pr
ivate_keys/localhost.example.com.pem’

policy (key is id as in Foreman)

1:
:profile: ‘’
:content_path: ‘/usr/share/xml/scap/ssg/content/ssg-rhel7-ds.xml’

Download path

A path to download SCAP content from proxy

:download_path: ‘/compliance/policies/1/content’
:tailoring_path: ‘’
:tailoring_download_path: ‘’

root localhost [~] # /usr/bin/foreman_scap_client 1
DEBUG: running: oscap xccdf eval --results-arf
/tmp/d20170615-1073-zzt674/results.xml /usr/share/xml/scap/ssg/conten
t/ssg-rhel7-ds.xml
WARNING: Skipping http://www.redhat.com/security
/data/oval/Red_Hat_Enterprise_Linux_7.xml file which is referenced
from XCCDF content
DEBUG: running: /usr/bin/bzip2 /tmp/d20170615-1073-zzt674/results.xml
Uploading results to https://foreman.example.com:84
43/compliance/arf/1

At https://foreman.example.com:8443/compliance/arf/1 it through a
message as " No client SSL certificate supplied "

Below are logs from foreman-proxy server
/var/log/foreman-proxy/proxy.log

/var/log/foreman-proxy/proxy.log - Pastebin.com

Can anyone please help me with this.

Thank you
Sai Krishna

–
You received this message because you are subscribed to a topic in the
Google Groups “Foreman users” group.
To unsubscribe from this topic, visit https://groups.google.com/d/to
pic/foreman-users/TKcNVZQ4b4A/unsubscribe.
To unsubscribe from this group and all its topics, send an email to
foreman-user...@googlegroups.com.
To post to this group, send email to forema...@googlegroups.com.
Visit this group at https://groups.google.com/group/foreman-users.
For more options, visit https://groups.google.com/d/optout.

–
You received this message because you are subscribed to a topic in the
Google Groups “Foreman users” group.
To unsubscribe from this topic, visit https://groups.google.com/d/to
pic/foreman-users/TKcNVZQ4b4A/unsubscribe.
To unsubscribe from this group and all its topics, send an email to
foreman-user...@googlegroups.com.
To post to this group, send email to forema...@googlegroups.com.
Visit this group at https://groups.google.com/group/foreman-users.
For more options, visit https://groups.google.com/d/optout.

–
You received this message because you are subscribed to a topic in the
Google Groups “Foreman users” group.
To unsubscribe from this topic, visit https://groups.google.com/d/
topic/foreman-users/TKcNVZQ4b4A/unsubscribe.
To unsubscribe from this group and all its topics, send an email to
foreman-users+unsubscribe@googlegroups.com.
To post to this group, send email to foreman-users@googlegroups.com.
Visit this group at https://groups.google.com/group/foreman-users.
For more options, visit https://groups.google.com/d/optout.