Foreman-proxy in the puppet group

Hi All,

I'd like to configure and use foreman-proxy without adding it to the puppet
group. I tried copying my puppet certs into /etc/foreman-proxy/ssl/<etc>
with mode 0640 and ownership root:foreman-proxy on the cert files, but I
still get an error in my logs that foreman-proxy doesn't have read access
to a cert in /var/lib/puppet/ssl/<etc>. It looks like this:

Started POST "/api/v2/smart_proxies" for <IP Address>
Processing by Api::V2::SmartProxiesController#create as JSON
Parameters: {"smart_proxy"=>{"name"=>"foo",
"url"=>"https://foo.bar.baz:8888"}, "apiv"=>"v2"}
Authorized user admin(Admin User)
Unprocessable entity SmartProxy (id: new):
Unable to communicate with the proxy: Permission denied -
/var/lib/puppet/ssl/certs/foo.bar.baz.pem
Please check the proxy is configured and running on the host.

The foreman-proxy service seems like it starts ok, but then dies within 3
seconds when I try to refresh it manually, presumably because of the error
above.

Can I force foreman-proxy to look at the puppet certs in an alternate
location? If not, this seems like it would be a really useful feature to
have.

Thanks,
Kendall

I should also point out that in addition to adding them to
/etc/foreman-proxy/ssl, I also now reference those paths in
/etc/foreman-proxy/settings.yml.

On Monday, March 30, 2015 at 4:37:47 PM UTC-4, Kendall Moore wrote:

> Hi All,
>
> I'd like to configure and use foreman-proxy without adding it to the
> puppet group. I tried copying my puppet certs into
> /etc/foreman-proxy/ssl/<etc> with mode 0640 and ownership
> root:foreman-proxy on the cert files, but I still get an error in my
> logs that foreman-proxy doesn't have read access to a cert in
> /var/lib/puppet/ssl/<etc>. It looks like this:
>
> Started POST "/api/v2/smart_proxies" for <IP Address>
> Processing by Api::V2::SmartProxiesController#create as JSON
> Parameters: {"smart_proxy"=>{"name"=>"foo",
> "url"=>"https://foo.bar.baz:8888"}, "apiv"=>"v2"}
> Authorized user admin(Admin User)
> Unprocessable entity SmartProxy (id: new):
> Unable to communicate with the proxy: Permission denied -
> /var/lib/puppet/ssl/certs/foo.bar.baz.pem
> Please check the proxy is configured and running on the host.

This error is from Foreman (/var/log/foreman/production.log), not
foreman-proxy - they're two separate processes, so it's not directly
related to the problem with the proxy.

Foreman uses SSL certs to communicate to the foreman-proxy process,
which are configured under Administer > Settings > Provisioning and
they're currently pointing to the Puppet certs. You'll need to change
the paths there and ensure they can be read by the 'foreman' user (I'd
suggest copying to /etc/foreman).

> The foreman-proxy service seems like it starts ok, but then dies within
> 3 seconds when I try to refresh it manually, presumably because of the
> error above.

It's probably unrelated. Check /var/log/foreman-proxy/proxy.log for any
errors, else try setting :daemon to false in
/etc/foreman-proxy/settings.yml, then run "sudo -u foreman-proxy
/usr/share/foreman-proxy/bin/smart-proxy" and see if it reports any errors.

On 30/03/15 21:37, Kendall Moore wrote:

Dominic Cleal
Red Hat Engineering

Hi Dominic,

Thanks for the advice. Is there a place that I can set those paths on the
system rather than in the GUI?

Thanks,
Kendall

On Tuesday, March 31, 2015 at 4:01:45 AM UTC-4, Dominic Cleal wrote:

You can call foreman-rake config to change settings from the CLI, see
"foreman-rake config -- --help" for the basics. Future versions of the
Hammer CLI have a settings subcommand that you can use too. Or if you
know the precise setting names, you can add them to
/etc/foreman/settings.yaml.

On 31/03/15 18:47, Kendall Moore wrote:
> Thanks for the advice. Is there a place that I can set those paths on
> the system rather than in the GUI?

Dominic Cleal
Red Hat Engineering

Ok, I have the specific variable names now, so I've put them in
settings.yaml.

You were correct about my smart-proxy issue being separate, and have since
worked that out and it's running now. I'm still getting a 422 error when
trying to do a REST.post (new_smart_proxy) though. The log indicates an SSL
connection error and looks like this:

Unable to communicate with the proxy: ERF12-2530 [ProxyAPI::ProxyException]:
Unable to detect features ([OpenSSL::SSL::SSLError]: SSL_connect
returned=1 errno=0 state=SSLv3 read server certificate B: certificate
verif…)
for proxy https://foo.bar.baz:8415/features

When I hit that hostname/port with openssl s_client, I can connect just
fine. When I tcpdump that port, I see traffic, so I know things are getting
there.

I've done some research and the general thought is that this error comes
from certs being signed by different CAs, but they are the same certs. I
think it's worth noting that they are not my puppet certs, but they are
valid nonetheless. They are also the certs I used when I tried s_client and
that worked as well. It seems to me like foreman is internally trying to
use my puppet certs, but it's not clear to me where. Here's what my
configuration looks like right now:

/etc/foreman/settings.yaml -> /etc/foreman/pki/<certs>
/etc/foreman-proxy/settings.yml -> /etc/foreman-proxy/pki/<certs>
/etc/httpd/conf.d/foreman-passenger.conf -> /etc/httpd/conf/pki/<certs>

I've verified that these certs are all indeed the same, and have grepped
for anything using /var/lib/puppet/ssl in my apache, foreman and
foreman-proxy spaces and have found nothing.

I'd appreciate any further thoughts on this.

Thanks,
Kendall

On Wednesday, April 1, 2015 at 11:07:47 AM UTC-4, Dominic Cleal wrote:
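As an added diagnostic (not code from the thread and not part of Foreman), the checks below cover the two points raised above: whether the foreman user can read the cert files configured in /etc/foreman/settings.yaml, whether that cert and key are a pair, and whether the CA file Foreman is configured with actually issues the certificate the proxy presents, which is what "certificate verify failed" during SSL_connect means. The setting names ssl_ca_file, ssl_certificate and ssl_priv_key are Foreman's own; the sample settings.yaml and paths in the test are constructed.

```shell
#!/bin/sh
# Added diagnostic for Foreman -> smart-proxy TLS problems (not from the thread).
# Assumes Foreman's settings.yaml keys :ssl_ca_file, :ssl_certificate and
# :ssl_priv_key and that Foreman runs as the 'foreman' user.
set -u

# Print the value of one ":key:" entry from a Foreman settings.yaml
# (unquoted values only, which is how the installer writes them).
foreman_setting() {
    # $1 = settings file, $2 = key name without the leading colon
    sed -n "s/^:$2:[[:space:]]*//p" "$1" | head -n 1
}

# Can the given system user read the file? A root shell hides this problem.
readable_by() {
    sudo -u "$1" test -r "$2"
}

# Do the certificate and private key belong together? Compare public keys.
cert_matches_key() {
    c=$(openssl x509 -in "$1" -noout -pubkey 2>/dev/null | openssl md5)
    k=$(openssl pkey -in "$2" -pubout 2>/dev/null | openssl md5)
    [ -n "$c" ] && [ "$c" = "$k" ]
}

# Does the CA file issue the certificate the proxy serves on host:port?
# -verify_return_error makes s_client fail on a bad chain instead of
# finishing the handshake anyway, which is what a bare s_client does.
proxy_chain_ok() {
    # $1 = proxy host, $2 = port, $3 = CA file Foreman is configured with
    openssl s_client -connect "$1:$2" -servername "$1" -CAfile "$3" \
        -verify_return_error </dev/null >/dev/null 2>&1
}

# Run all checks: check_foreman_ssl [settings.yaml] proxy-host proxy-port
check_foreman_ssl() {
    cfg=$1; host=$2; port=$3
    ca=$(foreman_setting "$cfg" ssl_ca_file)
    cert=$(foreman_setting "$cfg" ssl_certificate)
    key=$(foreman_setting "$cfg" ssl_priv_key)
    for f in "$ca" "$cert" "$key"; do
        readable_by foreman "$f" || echo "NOT readable by foreman: $f"
    done
    cert_matches_key "$cert" "$key" || echo "cert/key mismatch: $cert $key"
    proxy_chain_ok "$host" "$port" "$ca" || echo "proxy cert not issued by $ca"
}
```

A bare openssl s_client completes the handshake even when chain verification fails (it only reports a non-zero "Verify return code"), so a successful s_client connection proves reachability, not that the proxy's certificate validates against the CA file Foreman uses.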