Foreman-Openscap 0.7 functioning issues

Hello everyone,

I have installed the OpenSCAP plugin on an existing Foreman 1.15 and am trying to
get the compliance report for a server, but I am facing a few issues during this
process.

I am having trouble assigning a policy to a host; it's not loading the existing
policy to select.

So I have tried from the command line by running /usr/bin/foreman_scap_client 1

Below is the config file /etc/foreman_scap_client/config.yaml:

# DO NOT EDIT THIS FILE MANUALLY
# IT IS MANAGED BY PUPPET

# Foreman proxy to which reports should be uploaded
:server: 'foremanproxy.example.com'
:port: 8443

## SSL specific options ##
# Client CA file.
# It could be Puppet CA certificate (e.g., '/var/lib/puppet/ssl/certs/ca.pem')
# Or (recommended for client reporting to Katello) subscription manager CA file, (e.g., '/etc/rhsm/ca/katello-server-ca.pem')
:ca_file: '/etc/puppetlabs/puppet/ssl/certs/ca.pem'
# Client host certificate.
# It could be Puppet agent host certificate (e.g., '/var/lib/puppet/ssl/certs/myhost.example.com.pem')
# Or (recommended for client reporting to Katello) consumer certificate (e.g., '/etc/pki/consumer/cert.pem')
:host_certificate: '/etc/puppetlabs/puppet/ssl/certs/localhost.example.com.pem'
# Client private key
# It could be Puppet agent private key (e.g., '/var/lib/puppet/ssl/private_keys/myhost.example.com.pem')
# Or (recommended for client reporting to Katello) consumer private key (e.g., '/etc/pki/consumer/key.pem')
:host_private_key: '/etc/puppetlabs/puppet/ssl/private_keys/localhost.example.com.pem'

# policy (key is id as in Foreman)

1:
  :profile: ''
  :content_path: '/usr/share/xml/scap/ssg/content/ssg-rhel7-ds.xml'
  # Download path
  # A path to download SCAP content from proxy
  :download_path: '/compliance/policies/1/content'
  :tailoring_path: ''
  :tailoring_download_path: ''

root localhost [~] # /usr/bin/foreman_scap_client 1
DEBUG: running: oscap xccdf eval --results-arf /tmp/d20170615-1073-zzt674/results.xml /usr/share/xml/scap/ssg/content/ssg-rhel7-ds.xml
WARNING: Skipping http://www.redhat.com/security/data/oval/Red_Hat_Enterprise_Linux_7.xml file which is referenced from XCCDF content
DEBUG: running: /usr/bin/bzip2 /tmp/d20170615-1073-zzt674/results.xml
Uploading results to https://foreman.example.com:8443/compliance/arf/1

At https://foreman.example.com:8443/compliance/arf/1 it throws the message
"No client SSL certificate supplied".

Below are logs from foreman-proxy server
/var/log/foreman-proxy/proxy.log

https://pastebin.com/uFLAZffP

Can anyone please help me with this.

Thank you
Sai Krishna

Hi

I am having the exact same issue, have you found a solution yet?


Hi

In my situation, I have manually changed the profile details in the
/etc/foreman_scap_client/config.yaml file, which is the reason I faced
errors. I then created a host group in Foreman, assigned the required
profile, and ran puppet agent from the CLI on the respective node. Make sure you
provide correct cert details.

Let me know how it went.

Sai Krishna


You received this message because you are subscribed to a topic in the
Google Groups “Foreman users” group.
To unsubscribe from this topic, visit https://groups.google.com/d/topic/foreman-users/TKcNVZQ4b4A/unsubscribe.
To unsubscribe from this group and all its topics, send an email to
foreman-users+unsubscribe@googlegroups.com.
To post to this group, send email to foreman-users@googlegroups.com.
Visit this group at https://groups.google.com/group/foreman-users.
For more options, visit https://groups.google.com/d/optout.

Hi

Please see what error I'm getting

root@dev-qua-za-centos7:/etc/cron.d# /usr/bin/foreman_scap_client 1
File /var/lib/openscap/content/3e1654fd14a5352d65294db555710bfda5cad1a942209e2d787ea7940035616e.xml is missing. Downloading it from proxy.
Download SCAP content xml from: https://foreman.qualica.com:9090/compliance/policies/1/content/3e1654fd14a5352d65294db555710bfda5cad1a942209e2d787ea7940035616e
SCAP content is missing and download failed with error: SSL_connect returned=1 errno=0 state=SSLv3 read server certificate B: certificate verify failed

root@dev-qua-za-centos7:/etc/cron.d# cat /etc/foreman_scap_client/config.yaml
# DO NOT EDIT THIS FILE MANUALLY
# IT IS MANAGED BY PUPPET

# Foreman proxy to which reports should be uploaded
:server: 'foreman.qualica.com'
:port: 9090

## SSL specific options ##
# Client CA file.
# It could be Puppet CA certificate (e.g., '/var/lib/puppet/ssl/certs/ca.pem')
# Or (recommended for client reporting to Katello) subscription manager CA file, (e.g., '/etc/rhsm/ca/katello-server-ca.pem')
:ca_file: '/var/lib/puppet/ssl/certs/ca.pem'
# Client host certificate.
# It could be Puppet agent host certificate (e.g., '/var/lib/puppet/ssl/certs/myhost.example.com.pem')
# Or (recommended for client reporting to Katello) consumer certificate (e.g., '/etc/pki/consumer/cert.pem')
:host_certificate: '/var/lib/puppet/ssl/certs/dev-qua-za-centos7.dc.qualica.com.pem'
# Client private key
# It could be Puppet agent private key (e.g., '/var/lib/puppet/ssl/private_keys/myhost.example.com.pem')
# Or (recommended for client reporting to Katello) consumer private key (e.g., '/etc/pki/consumer/key.pem')
:host_private_key: '/var/lib/puppet/ssl/private_keys/dev-qua-za-centos7.dc.qualica.com.pem'

# policy (key is id as in Foreman)

1:
  :profile: 'xccdf_org.ssgproject.content_profile_pci-dss'
  :content_path: '/var/lib/openscap/content/3e1654fd14a5352d65294db555710bfda5cad1a942209e2d787ea7940035616e.xml'
  # Download path
  # A path to download SCAP content from proxy
  :download_path: '/compliance/policies/1/content/3e1654fd14a5352d65294db555710bfda5cad1a942209e2d787ea7940035616e'


Hi

Hope you have tried this: https://access.redhat.com/solutions/2109131

The above should work if you're using Red Hat Satellite server as Foreman.

Which version of Puppet are you using? If it is 4.x, the certs location should be
something like this: /etc/puppetlabs/puppet/ssl/certs/

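One way to act on the "provide correct cert details" advice and the Puppet 4 path note above, as an added example that is not part of the thread or of Foreman's own code: a Ruby check that the :ca_file, :host_certificate and :host_private_key settings point at readable files, that the key matches the certificate, and that a certificate chains to the configured CA. The function names are hypothetical, and every key, certificate and hostname is constructed in a temporary directory.

```ruby
require 'openssl'
require 'tmpdir'
require 'yaml'

# Parse a config in the format shown in the thread; its keys are Ruby symbols (":ca_file:").
def load_scap_config(text)
  YAML.safe_load(text, permitted_classes: [Symbol])
end

# Return nil if cert chains to a CA in ca_file, otherwise OpenSSL's stated reason.
def verify_against(ca_file, cert)
  store = OpenSSL::X509::Store.new
  store.add_file(ca_file)
  store.verify(cert) ? nil : store.error_string
end

# Check the three SSL settings of a parsed config; returns a list of problems (empty = OK).
# On a managed host the input would be File.read('/etc/foreman_scap_client/config.yaml').
def check_client_tls(cfg)
  keys = %i[ca_file host_certificate host_private_key]
  problems = keys.reject { |k| File.file?(cfg[k].to_s) && File.readable?(cfg[k].to_s) }
                 .map { |k| "#{k}: #{cfg[k].inspect} is not a readable file" }
  return problems unless problems.empty?

  cert = OpenSSL::X509::Certificate.new(File.read(cfg[:host_certificate]))
  key = OpenSSL::PKey.read(File.read(cfg[:host_private_key]))
  unless cert.check_private_key(key)
    problems << 'host_private_key: does not match the public key in host_certificate'
  end
  reason = verify_against(cfg[:ca_file], cert)
  problems << "host_certificate: not issued by a CA in ca_file (#{reason})" if reason
  problems
end

# --- Constructed test material below: throwaway keys and certificates. ---
def make_cert(cn, key, issuer_cn: cn, issuer_key: key, ca: false)
  cert = OpenSSL::X509::Certificate.new
  cert.version = 2
  cert.serial = rand(1..2**31)
  cert.subject = OpenSSL::X509::Name.new([['CN', cn]])
  cert.issuer = OpenSSL::X509::Name.new([['CN', issuer_cn]])
  cert.public_key = key.public_key
  cert.not_before = Time.now - 60
  cert.not_after = Time.now + 3600
  if ca
    ext = OpenSSL::X509::ExtensionFactory.new.create_extension('basicConstraints', 'CA:TRUE', true)
    cert.add_extension(ext)
  end
  cert.sign(issuer_key, OpenSSL::Digest.new('SHA256'))
end

def run_demo
  Dir.mktmpdir('scap-tls') do |dir|
    ca_key, host_key, other_key = Array.new(3) { OpenSSL::PKey::RSA.new(2048) }
    ca_cn = 'Constructed Puppet CA'
    { 'ca.pem' => make_cert(ca_cn, ca_key, ca: true),
      'host.pem' => make_cert('client.example.test', host_key, issuer_cn: ca_cn, issuer_key: ca_key),
      'host.key' => host_key,
      'other.key' => other_key }.each { |name, obj| File.write(File.join(dir, name), obj.to_pem) }

    cfg = lambda do |ca, cert, key|
      load_scap_config(<<~YAML)
        :server: 'proxy.example.test'
        :port: 8443
        :ca_file: '#{dir}/#{ca}'
        :host_certificate: '#{dir}/#{cert}'
        :host_private_key: '#{dir}/#{key}'
      YAML
    end
    # A proxy certificate issued by some other CA, as a client with ca_file = ca.pem would see it.
    proxy = make_cert('proxy.example.test', other_key, issuer_cn: 'Unrelated CA', issuer_key: other_key)
    {
      good: check_client_tls(cfg.call('ca.pem', 'host.pem', 'host.key')),
      wrong_key: check_client_tls(cfg.call('ca.pem', 'host.pem', 'other.key')),
      # A path that does not exist on this host, e.g. a Puppet 3 location on a Puppet 4 node.
      missing_ca: check_client_tls(cfg.call('puppet3/ca.pem', 'host.pem', 'host.key')),
      proxy_error: verify_against(File.join(dir, 'ca.pem'), proxy)
    }
  end
end

run_demo.each { |name, result| puts "#{name}: #{result.inspect}" } if $PROGRAM_NAME == __FILE__
```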

Hi

I have tested that and it works, thank you. I am not getting a 500 error,
Internal Server Error, could you maybe see if you can advise?

https://groups.google.com/forum/#!topic/foreman-users/PjlZhTBklTs


Hi,

I have seen the info you have posted; it looks like the configuration is messed up. Reach
out to oprazak@redhat.com / oprazak on IRC freenode; he can surely help you…
give it a try…

··· On Thu, Jul 13, 2017 at 3:48 AM, Phillip Smith wrote:

Hi

I have tested that and it works, thank you. I am not getting a 500 error,
Internal Server Error, could you maybe see if you can advise?

https://groups.google.com/forum/#!topic/foreman-users/PjlZhTBklTs

On Tuesday, 11 July 2017 20:01:19 UTC+2, Sai Krishna wrote:

Hi

Hope you have tried this https://access.redhat.com/solutions/2109131

above should work if you’re using redhat satellite server as foreman.

Which version of puppet are you using if it is 4.x certs location should
be something like this /etc/puppetlabs/puppet/ssl/certs/

On Tue, Jul 11, 2017 at 4:53 AM, Phillip Smith phi...@qualica.com >> wrote:

Hi

Please see what error I’m getting

root@dev-qua-za-centos7:/etc/cron.d# /usr/bin/foreman_scap_client 1
File /var/lib/openscap/content/3e1654fd14a5352d65294db555710bfda5
cad1a942209e2d787ea7940035616e.xml is missing. Downloading it from
proxy.
Download SCAP content xml from: https://foreman.qualica.com:90
90/compliance/policies/1/content/3e1654fd14a5352d65294db5557
10bfda5cad1a942209e2d787ea7940035616e
SCAP content is missing and download failed with error: SSL_connect
returned=1 errno=0 state=SSLv3 read server certificate B: certificate
verify failed

root@dev-qua-za-centos7:/etc/cron.d# cat /etc/foreman_scap_client/confi
g.yaml

# DO NOT EDIT THIS FILE MANUALLY
# IT IS MANAGED BY PUPPET

# Foreman proxy to which reports should be uploaded
:server: 'foreman.qualica.com'
:port: 9090

# SSL specific options

# Client CA file.
# It could be Puppet CA certificate (e.g., '/var/lib/puppet/ssl/certs/ca.pem')
# Or (recommended for client reporting to Katello) subscription manager CA file, (e.g., '/etc/rhsm/ca/katello-server-ca.pem')
:ca_file: '/var/lib/puppet/ssl/certs/ca.pem'

# Client host certificate.
# It could be Puppet agent host certificate (e.g., '/var/lib/puppet/ssl/certs/myhost.example.com.pem')
# Or (recommended for client reporting to Katello) consumer certificate (e.g., '/etc/pki/consumer/cert.pem')
:host_certificate: '/var/lib/puppet/ssl/certs/dev-qua-za-centos7.dc.qualica.com.pem'

# Client private key
# It could be Puppet agent private key (e.g., '/var/lib/puppet/ssl/private_keys/myhost.example.com.pem')
# Or (recommended for client reporting to Katello) consumer private key (e.g., '/etc/pki/consumer/key.pem')
:host_private_key: '/var/lib/puppet/ssl/private_keys/dev-qua-za-centos7.dc.qualica.com.pem'

# policy (key is id as in Foreman)
1:
  :profile: 'xccdf_org.ssgproject.content_profile_pci-dss'
  :content_path: '/var/lib/openscap/content/3e1654fd14a5352d65294db555710bfda5cad1a942209e2d787ea7940035616e.xml'
  # Download path
  # A path to download SCAP content from proxy
  :download_path: '/compliance/policies/1/content/3e1654fd14a5352d65294db555710bfda5cad1a942209e2d787ea7940035616e'

On Monday, 10 July 2017 17:10:30 UTC+2, Sai Krishna wrote:

Hi

In my situation I had manually changed the profile details in the
/etc/foreman_scap_client/config.yaml file; that’s the reason I faced
errors. I then created a host group in Foreman, assigned the required
profile and ran puppet agent from the CLI on the respective node. Make
sure you provide correct cert details.

Let me know how it went.

Sai Krishna

On Mon, Jul 10, 2017 at 7:05 AM, Phillip Smith <phi...@qualica.com> wrote:

Hi

I am having the exact same issue, have you found a solution yet?

On Thursday, 15 June 2017 17:29:01 UTC+2, Sai Krishna wrote:

Hello everyone,

I have installed openscap plugin for existing foreman 1.15 and trying
to get the compliance report for a server, facing few issues during this
process.

Having trouble assigning policy to host, it's not loading to select
the existing policy.

So I have tried from command line by running
/usr/bin/foreman_scap_client 1

Below is the config file /etc/foreman_scap_client/config.yaml

# DO NOT EDIT THIS FILE MANUALLY
# IT IS MANAGED BY PUPPET

# Foreman proxy to which reports should be uploaded
:server: 'foremanproxy.example.com'
:port: 8443

# SSL specific options

# Client CA file.
# It could be Puppet CA certificate (e.g., '/var/lib/puppet/ssl/certs/ca.pem')
# Or (recommended for client reporting to Katello) subscription manager CA file, (e.g., '/etc/rhsm/ca/katello-server-ca.pem')
:ca_file: '/etc/puppetlabs/puppet/ssl/certs/ca.pem'

# Client host certificate.
# It could be Puppet agent host certificate (e.g., '/var/lib/puppet/ssl/certs/myhost.example.com.pem')
# Or (recommended for client reporting to Katello) consumer certificate (e.g., '/etc/pki/consumer/cert.pem')
:host_certificate: '/etc/puppetlabs/puppet/ssl/certs/localhost.example.com.pem'

# Client private key
# It could be Puppet agent private key (e.g., '/var/lib/puppet/ssl/private_keys/myhost.example.com.pem')
# Or (recommended for client reporting to Katello) consumer private key (e.g., '/etc/pki/consumer/key.pem')
:host_private_key: '/etc/puppetlabs/puppet/ssl/private_keys/localhost.example.com.pem'

# policy (key is id as in Foreman)
1:
  :profile: ''
  :content_path: '/usr/share/xml/scap/ssg/content/ssg-rhel7-ds.xml'
  # Download path
  # A path to download SCAP content from proxy
  :download_path: '/compliance/policies/1/content'
  :tailoring_path: ''
  :tailoring_download_path: ''

root localhost [~] # /usr/bin/foreman_scap_client 1
DEBUG: running: oscap xccdf eval --results-arf /tmp/d20170615-1073-zzt674/results.xml /usr/share/xml/scap/ssg/content/ssg-rhel7-ds.xml
WARNING: Skipping http://www.redhat.com/security/data/oval/Red_Hat_Enterprise_Linux_7.xml file which is referenced from XCCDF content
DEBUG: running: /usr/bin/bzip2 /tmp/d20170615-1073-zzt674/results.xml
Uploading results to https://foreman.example.com:8443/compliance/arf/1

At https://foreman.example.com:8443/compliance/arf/1 it threw a
message: "No client SSL certificate supplied"

Below are logs from foreman-proxy server
/var/log/foreman-proxy/proxy.log

https://pastebin.com/uFLAZffP

Can anyone please help me with this.

Thank you
Sai Krishna


You received this message because you are subscribed to a topic in the
Google Groups “Foreman users” group.
To unsubscribe from this topic, visit https://groups.google.com/d/topic/foreman-users/TKcNVZQ4b4A/unsubscribe.
To unsubscribe from this group and all its topics, send an email to
foreman-user...@googlegroups.com.
To post to this group, send email to forema...@googlegroups.com.
Visit this group at https://groups.google.com/group/foreman-users.
For more options, visit https://groups.google.com/d/optout.
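
An added example, not part of the thread and not foreman_scap_client's own code: a local check of the three TLS entries in /etc/foreman_scap_client/config.yaml discussed above. The helper name check_scap_client_tls is hypothetical; it confirms the files are readable (noting the Puppet 4.x location when the old path is missing), that the host certificate verifies against ca_file, and that the private key matches the certificate.

```ruby
require 'yaml'
require 'openssl'

# The three config.yaml keys that point at TLS material.
TLS_KEYS = %i[ca_file host_certificate host_private_key].freeze

# check_scap_client_tls is a hypothetical helper name (not part of
# foreman_scap_client). Returns a list of problems; an empty list means all
# three files are readable, the host certificate verifies against ca_file,
# and the private key belongs to the host certificate.
def check_scap_client_tls(config_text)
  problems = []
  cfg = YAML.safe_load(config_text, permitted_classes: [Symbol])
  cfg = {} unless cfg.is_a?(Hash)
  paths = {}
  TLS_KEYS.each do |name|
    path = cfg[name].to_s
    if path.empty?
      problems << "#{name} is not set"
    elsif File.readable?(path)
      paths[name] = path
    else
      # Puppet 4.x keeps its SSL directory under /etc/puppetlabs/puppet/ssl.
      alt = path.sub(%r{\A/var/lib/puppet/ssl}, '/etc/puppetlabs/puppet/ssl')
      hint = alt != path && File.readable?(alt) ? " (#{alt} exists)" : ''
      problems << "#{name}: #{path} is missing or unreadable#{hint}"
    end
  end
  return problems unless paths.size == TLS_KEYS.size

  cert = OpenSSL::X509::Certificate.new(File.read(paths[:host_certificate]))
  key = OpenSSL::PKey.read(File.read(paths[:host_private_key]))
  store = OpenSSL::X509::Store.new
  store.add_file(paths[:ca_file])
  unless store.verify(cert)
    problems << "host_certificate does not verify against ca_file: #{store.error_string}"
  end
  problems << 'host_private_key does not match host_certificate' unless cert.check_private_key(key)
  problems
rescue OpenSSL::OpenSSLError, Psych::Exception, ArgumentError => e
  problems << "could not parse config or PEM data: #{e.message}"
end

if __FILE__ == $PROGRAM_NAME
  path = ARGV[0] || '/etc/foreman_scap_client/config.yaml'
  check_scap_client_tls(File.read(path)).each { |p| puts p } if File.readable?(path)
end
```

The check never contacts the proxy, so it cannot tell whether ca_file is the CA that signed the proxy's own certificate; it only rules out local path and key-pair mistakes.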

