Problem:
I am not sure if I am missing something here, or if there is a mix-up in the parameters I am using.
I have a single foreman server foreman.local.lan (katello scenario) and want to add a second smart proxy smartproxy.local.lan. Before that, I replaced the foreman/katello SSL certificates for foreman.local.lan with a certificate from an external CA. All worked perfectly.
Now I generated a new private key/certificate for the new proxy and placed both files on the Foreman server:
foreman:
/root/smartproxy.key
/root/smartproxy.crt
/root/ca.crt
The subject name (and also the SAN) of the smartproxy.crt is set to smartproxy.local.lan.
I run the following command:
katello-certs-check -t foreman-proxy -c smartproxy.crt -k smartproxy.key -b ca.crt
and everything checks out: “Validation succeeded”.
At the end of this run I get the command to run inside of the new smartproxy:
To use them inside a NEW $FOREMAN_PROXY, run this command:
foreman-proxy-certs-generate --foreman-proxy-fqdn "$FOREMAN_PROXY" \
--certs-tar "~/$FOREMAN_PROXY-certs.tar" \
--server-cert "/root/smartproxy.crt" \
--server-key "/root/smartproxy.key" \
--server-ca-cert "/root/ca.crt" \
So I ran the aforementioned command, replacing $FOREMAN_PROXY with smartproxy.local.lan on the foreman host. I received the certs.tar file, which I copied to smartproxy.local.lan.
On smartproxy.local.lan I ran the foreman-installer as the certs-generate command told me:
foreman-installer \
--scenario foreman-proxy-content \
--certs-tar-file "/root/smartproxy.local.lan-certs.tar" \
--foreman-proxy-content-parent-fqdn "foreman.local.lan" \
--foreman-proxy-register-in-foreman "true" \
--foreman-proxy-foreman-base-url "https://foreman.local.lan" \
--foreman-proxy-trusted-hosts "foreman.local.lan" \
--foreman-proxy-trusted-hosts "smartproxy.local.lan" \
--foreman-proxy-oauth-consumer-key "xxx" \
--foreman-proxy-oauth-consumer-secret "yyy" \
--puppet-server-foreman-url "https://foreman.local.lan"
The installation seems to succeed, but reports this error:
[ERROR 2020-11-18T20:28:27 main] Proxy smartproxy.local.lan cannot be registered: Unable to communicate with the proxy: ERF12-2530 [ProxyAPI::ProxyException]: Unable to detect features ([Errno::EHOSTUNREACH]: Failed to open TCP connection to smartproxy.local.lan:9090 (No route to host - connect(2) for "smartproxy.local.lan" port 9090)) for proxy https://smartproxy.local.lan:9090/v2/features Please check the proxy is configured and running on the host.
After some web searching I found out that this error is usually caused by invalid certificates, so I went to check. I found all the certs installed by the certs-tar’s rpm inside the directory /etc/pki/katello-certs-tools/certs/ and checked each.
All are correct except for smartproxy.local.lan-apache.crt.
When opened in openssl it shows the subject as foreman.local.lan, which is clearly false. Therefore a quick test with openssl:
openssl s_client -connect smartproxy.local.lan:9090
returned the wrong certificate, with the subject foreman.local.lan.
Expected outcome:
The certificate file smartproxy.local.lan-apache.crt inside of the certs-tar should be taken from the --server-cert parameter of the foreman-proxy-certs-generate call.
Foreman and Proxy versions:
Foreman 2.2.1
Katello 3.17
Foreman and Proxy plugin versions:
Puppet 6
Distribution and version:
CentOS 7.9
Other relevant data:
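As an added example (not part of the original report or of Foreman/Katello), a small POSIX shell script that makes the manual check above repeatable: it lists the host names a certificate file carries (subject CN plus DNS SANs), verifies that the expected proxy FQDN is among them, and compares the certificate a listener actually serves with the file on disk. The host names, the certs directory and port 9090 come from the report; the function names are my own.

```shell
#!/bin/sh
# Added example, not part of the original report. Checks that a certificate
# file names the expected smart proxy FQDN and that the TLS listener on the
# proxy really serves that file (the mismatch the report describes).
# Paths, host names and the port are assumptions taken from the report.

# cert_names FILE: print the subject CN and every DNS SAN, one per line.
cert_names() {
    openssl x509 -in "$1" -noout -subject -nameopt RFC2253 \
        | sed -n 's/.*CN=\([^,]*\).*/\1/p'
    openssl x509 -in "$1" -noout -text \
        | grep -A1 'Subject Alternative Name' \
        | grep -o 'DNS:[^, ]*' | sed 's/^DNS://' | sort -u
}

# cert_matches_host FILE FQDN: exit 0 when FQDN is one of the cert's names.
cert_matches_host() {
    cert_names "$1" | grep -qxF "$2"
}

# file_cert_fingerprint FILE: SHA-256 fingerprint of the certificate on disk.
file_cert_fingerprint() {
    openssl x509 -in "$1" -noout -fingerprint -sha256 | sed 's/.*=//'
}

# served_cert_fingerprint HOST PORT: fingerprint of the leaf certificate the
# listener presents (what "openssl s_client" showed in the report).
served_cert_fingerprint() {
    printf '' | openssl s_client -connect "$1:$2" -servername "$1" 2>/dev/null \
        | openssl x509 -noout -fingerprint -sha256 | sed 's/.*=//'
}

# served_cert_matches_file HOST PORT FILE: exit 0 when HOST:PORT serves FILE.
served_cert_matches_file() {
    [ "$(served_cert_fingerprint "$1" "$2")" = "$(file_cert_fingerprint "$3")" ]
}

# Usage: sh check-proxy-cert.sh smartproxy.local.lan \
#          /etc/pki/katello-certs-tools/certs/smartproxy.local.lan-apache.crt
if [ "$#" -eq 2 ]; then
    fqdn=$1; crt=$2
    if cert_matches_host "$crt" "$fqdn"; then echo "ok: $crt names $fqdn"
    else echo "BAD: $crt names: $(cert_names "$crt" | tr '\n' ' ')"; exit 1; fi
    if served_cert_matches_file "$fqdn" 9090 "$crt"; then echo "ok: $fqdn:9090 serves $crt"
    else echo "BAD: $fqdn:9090 serves a different certificate"; exit 1; fi
fi
```

Run it against the files unpacked from the certs-tar before installing, and again against the running proxy afterwards; a "BAD" line on the first run reproduces the report without touching the proxy.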