Foreman Proxy is not recognized

Hello,

I have installed a complete foreman on a separate VM, and I have the puppet master on
another VM. I have installed foreman proxy on the master server so that all the
content which is on the puppet master will be available in foreman. I can see
that the foreman proxy service is running on the puppet master, but when I try
to add that puppet master as a smart proxy from the foreman interface (in the
dropdown menu select "Smart Proxies", "New Proxy", URL with port, "Submit")
I get the error below. Please find the attachment for the error.

Unable to save

  • Unable to communicate with the proxy: ERF12-2530
    [ProxyAPI::ProxyException]: Unable to detect features
    ([RestClient::SSLCertificateNotVerified]: SSL_connect returned=1 errno=0
    state=SSLv3 read server certificate B: certificate verif…) for proxy
    https://nyrh146.sample.com:8443/features
  • Please check the proxy is configured and running on the host

Can anyone please guide me through the steps to configure the puppet master with
foreman so that all the content on the master is available in foreman, can be
worked on from foreman, and foreman can be used as the CA?

Thank you
Sai Krishna

I have changed the /etc/foreman-proxy/settings.yml file. I have changed
trusted host and foreman_url from puppetmaster to the foreman server's FQDN. Is this
a wrong move?

# the hosts which the proxy accepts connections from
# commenting the following lines would mean every verified SSL connection allowed
:trusted_hosts:
- foremansever.com

# Endpoint for reverse communication
:foreman_url: https://foremanserver.com

I have generated new smart proxy certificates from the foreman server and
replaced /etc/puppetlabs/ssl/certs/ca.pem, puppetserver.pem and
/etc/puppetlabs/ssl/private_keys/puppetserver.pem.

Do I still need to change anything? Please advise.

Sai Krishna

Using foreman-installer in interactive mode, I enabled puppet and foreman
proxy and configured according to the Foreman :: Manual
> setting up foreman with external puppet master.

Preparing installation Done
Something went wrong! Check the log for ERROR-level output

[ INFO 2016-07-27 16:13:21 main] /opt/puppetlabs/puppet/lib/ruby/vendor_ruby/puppet/util/command_line.rb:128:in `run'
[ INFO 2016-07-27 16:13:21 main] /opt/puppetlabs/puppet/lib/ruby/vendor_ruby/puppet/util/command_line.rb:72:in `execute'
[ INFO 2016-07-27 16:13:21 main] /opt/puppetlabs/bin/puppet:5:in `<main>'
[ INFO 2016-07-27 16:13:21 main] Puppet has finished, bye!
[ INFO 2016-07-27 16:13:21 main] Executing hooks in group post
[DEBUG 2016-07-27 16:13:21 main] Hook
/usr/share/foreman-installer/hooks/post/10-post_install_message.rb returned
nil
[ INFO 2016-07-27 16:13:21 main] All hooks in group post finished
[DEBUG 2016-07-27 16:13:21 main] Exit with status code: 1 (signal was 1)

[ERROR 2016-07-27 16:13:21 main] Errors encountered during run:
[ERROR 2016-07-27 16:13:21 main] Evaluation Error: Error while evaluating
a Function Call, undefined class/module HighLine:: at
/usr/share/gems/gems/kafo-0.9.1/modules/kafo_configure/manifests/init.pp:14:3
on node puppetserver.com

[DEBUG 2016-07-27 16:13:21 main] Cleaning /tmp/d20160727-13857-1irv5ck
[DEBUG 2016-07-27 16:13:21 main] Cleaning
/tmp/kafo_hiera20160727-13857-16fcv4y
[DEBUG 2016-07-27 16:13:21 main] Cleaning /tmp/default_values.yaml

Please advise.

Hi Sai,

Your SSL error sounds exactly like this
issue: Bug #15530: Katello 3.0 capsule fails to register - Katello - Foreman

For my proxy, settings.yml has these as the trusted hosts and reverse
communication entries:

# the hosts which the proxy accepts connections from
# commenting the following lines would mean every verified SSL connection allowed
:trusted_hosts:

# Endpoint for reverse communication
:foreman_url: https://mainforemanserver.com

It is worth checking that you can connect to the proxy via HTTP, so in
settings.yml make sure :http_port: is configured, e.g.

:http_port: 8000

and then try adding the smart proxy via that address:
http://foremanproxy.com:8000/

Hope that helps
Dylan

Hi Dylan,

Appreciate your reply.

# http is disabled by default. To enable, uncomment 'http_port' setting
# https is enabled if certificate, CA certificate, and private key are
# present in locations specifed by
# ssl_certificate, ssl_ca_file, and ssl_private_key correspondingly
# default values for https_port is 8443
:https_port: 8443

This was the initial setting. I have changed it to 8000 but am still facing the
same error.

Please advise.
Sai Krishna

That sounds correct, but what happens now? It's unclear from your
message whether this works or if you still receive an error. Also verify
that those paths are the ones referenced in settings.yml.

On 27/07/16 20:27, Sai Krishna wrote:
> I have changed the /etc/foreman-proxy/settings.yml file. I have changed
> trusted host and foreman_url from puppetmaster to the foreman server's FQDN. Is
> this a wrong move?
>
> # the hosts which the proxy accepts connections from
> # commenting the following lines would mean every verified SSL connection allowed
> :trusted_hosts:
> - foremansever.com
>
> # Endpoint for reverse communication
> :foreman_url: https://foremanserver.com
>
> I have generated new smart proxy certificates from the foreman server and
> replaced /etc/puppetlabs/ssl/certs/ca.pem, puppetserver.pem and
> /etc/puppetlabs/ssl/private_keys/puppetserver.pem.
>
> Do I still need to change anything? Please advise.


Dominic Cleal
dominic@cleal.org

This appears similar to Bug #15111: "!ruby/string:HighLine::String" in answers when using interactive mode - Kafo - Foreman, so
ensure ruby-kafo is at least version 0.8.2, preferably the latest we
ship (0.9.x).

On 27/07/16 21:43, Sai Krishna wrote:
> [ERROR 2016-07-27 16:13:21 main] Errors encountered during run:
> [ERROR 2016-07-27 16:13:21 main] Evaluation Error: Error while evaluating
> a Function Call, undefined class/module HighLine:: at
> /usr/share/gems/gems/kafo-0.9.1/modules/kafo_configure/manifests/init.pp:14:3
> on node puppetserver.com


Dominic Cleal
dominic@cleal.org

No, you don't want to change the https port, you want to enable http,
so you'll have

:https_port: 8443
:http_port: 8000

You then need to restart the proxy (systemctl restart foreman-proxy) and make
sure the local firewall has that port open:

firewall-cmd --permanent --zone=public --add-port="8000/tcp"
firewall-cmd --complete-reload

and then try and connect via the GUI. Note this is just to test that
foreman can actually contact the proxy, you'll still have to figure out the
certificates issue (which I went into in quite a lot of detail in the
ticket, Bug #15530: Katello 3.0 capsule fails to register - Katello - Foreman)

Dylan

On Thursday, July 28, 2016 at 9:57:40 AM UTC+12, Sai Krishna wrote:
> Hi Dylan,
>
> Appreciate your reply.
>
> # http is disabled by default. To enable, uncomment 'http_port' setting
> # https is enabled if certificate, CA certificate, and private key are
> # present in locations specifed by
> # ssl_certificate, ssl_ca_file, and ssl_private_key correspondingly
> # default values for https_port is 8443
> :https_port: 8443
>
> This was the initial setting. I have changed it to 8000 but am still facing
> the same error.
>
> Please advise.
> Sai Krishna

/etc/foreman-proxy/settings.d/puppet_proxy_puppet_api.yml

---
# URL of the puppet master itself for API requests.
:puppet_url: https://puppetmaster:8140
# SSL certificates used to access the puppet API
:puppet_ssl_ca: /etc/puppetlabs/puppet/ssl/certs/ca.pem
:puppet_ssl_cert: /etc/puppetlabs/puppet/ssl/certs/puppetmaster.pem
:puppet_ssl_key: /etc/puppetlabs/puppet/ssl/private_keys/puppetmaster.pem

Here the paths are different from settings.yml; is this causing any cert
issue?

This is a different error. It states that the hostname you're entering
in the Foreman UI is different to the hostname on the certificates.

Your later response says you're using "puppet cert generate
new-puppetmaster.example.com", which means you would need to use that
hostname (new-puppetmaster.example.com) when adding the smart proxy. If
the hostname you're adding is actually "nyrhdv146.cusa.canon.com" then
you should use "puppet cert generate nyrhdv146.cusa.canon.com" too.

On 28/07/16 16:08, Sai Krishna wrote:
> # see http://theforeman.org/projects/smart-proxy/wiki/SSL for more information
> :ssl_ca_file: /var/lib/puppet/ssl/certs/ca.pem
> :ssl_certificate: /var/lib/puppet/ssl/certs/puppetmaster.com.pem
> :ssl_private_key: /var/lib/puppet/ssl/private_keys/puppetmaster.com.pem
>
> :trusted_hosts:
> - foremanserver.com
>
> # Endpoint for reverse communication
> :foreman_url: https://foremanserver.com
>
> I have replaced the puppetmaster certificates /var/lib/puppet/ssl/certs/ca.pem,
> /var/lib/puppet/ssl/certs/puppetmaster.pem and
> /var/lib/puppet/ssl/private_keys/puppetmaster.pem with foreman server
> certificates, which are also mentioned in settings.yml. After this I ran the
> foreman installer again enabling puppet and foreman-proxy, but the error is
> still the same after the foreman installer finishes. As you said, I have
> checked ruby-kafo; it is at the latest, 0.9.1. On the puppetmaster the smart
> proxy is running, but when trying to add it in the foreman GUI it is throwing
> the same error. Let me know if you want me to check any other configuration
> settings or cert settings. According to the error there is something wrong
> with the certificates configuration, but I am not sure where to make changes.
>
> Error on foreman GUI:
> Unable to save
> Unable to communicate with the proxy: ERF12-2530
> [ProxyAPI::ProxyException]: Unable to detect features
> ([OpenSSL::SSL::SSLError]: hostname "nyrhdv146.cusa.canon.com" does not
> match the server certificate) for proxy
> https://nyrhdv146.cusa.canon.com:8443/features
> Please check the proxy is configured and running on the host.


Dominic Cleal
dominic@cleal.org

Dylan

I have enabled http_port: 8000, the firewall has the port open and I have
restarted foreman-proxy, but there is no change in the error.

Sai Krishna

puppet cert generate new-puppetmaster.example.com

I am generating new certs for the puppetmaster on the foreman server and
replacing the certs on the puppetmaster with the new ones. Is this the correct way?

Please advise.
Sai Krishna

Hi Dominic,

I have generated certificates on the foreman server according to the
puppetmaster hostname. The smart proxy (puppetmaster) has been added to the
smart proxy list in the foreman GUI. That error is resolved.

After that, when I try to add Puppet classes I get the error below
on the Foreman GUI.

Error: ERF12-2749 [ProxyAPI::ProxyException]: Unable to get environments
from Puppet ([RestClient::NotAcceptable]: 406 Not Acceptable) for proxy
https://puppetmaster.exapmle.com:8443/puppet

Below is error in /var/log/foreman-proxy/proxy.log

E, [2016-07-29T15:03:44.169966 #30702] ERROR -- : Failed to list puppet
environments: SSL_connect returned=1 errno=0 state=SSLv3 read server
certificate B: certificate verify failed
I, [2016-07-29T15:03:44.170369 #30702] INFO -- : 1x.1xx.xxx.xxx - -
[29/Jul/2016:15:03:44 -0400] "GET /puppet/environments HTTP/1.1" 406 131
0.0063
E, [2016-07-29T15:17:08.632367 #30702] ERROR -- : OpenSSL::SSL::SSLError:
SSL_accept returned=1 errno=0 state=SSLv2/v3 read client hello A: unknown
protocol
/usr/share/ruby/openssl/ssl.rb:226:in `accept'

Below is the other error I got when I tried curl:
curl -v https://puppetmaster.exapmle.com:8443/puppet

* About to connect() to puppetmaster.example.com port 8443 (#0)
*   Trying xx.xxx.xxx.xxx
* Connected to puppetmaster.example.com (xx.xx.xxx.xxx) port 8443 (#0)
* Initializing NSS with certpath: sql:/etc/pki/nssdb
*   CAfile: /etc/pki/tls/certs/ca-bundle.crt
  CApath: none
* Server certificate:
*   start date: Jul 28 13:52:01 2016 GMT
*   expire date: Jul 28 13:52:01 2021 GMT
*   common name: puppetmaster.exapmle.com
*   issuer: CN=Puppet CA: foremanserver.exapmle.com
* NSS error -8172 (SEC_ERROR_UNTRUSTED_ISSUER)
* Peer's certificate issuer has been marked as not trusted by the user.
* Closing connection 0
curl: (60) Peer's certificate issuer has been marked as not trusted by the
user.

More details here: http://curl.haxx.se/docs/sslcerts.html

curl performs SSL certificate verification by default, using a "bundle"
of Certificate Authority (CA) public keys (CA certs). If the default
bundle file isn't adequate, you can specify an alternate file
using the --cacert option.
If this HTTPS server uses a certificate signed by a CA represented in
the bundle, the certificate verification probably failed due to a
problem with the certificate (it might be expired, or the name might
not match the domain name in the URL).
If you'd like to turn off curl's verification of the certificate, use
the -k (or --insecure) option.

*   subject: CN=puppetmaster.exapmle.com

ls -ld /etc/puppetlabs/
drwxr-xr-x 8 puppet puppet 98 Jun 29 10:20 /etc/puppetlabs/
ls -ld /etc/puppetlabs/puppet/
drwxr-xr-x 3 puppet puppet 131 Jul 29 15:22 /etc/puppetlabs/puppet/
ls -ld /etc/puppetlabs/puppet/ssl/
drwxrwx--x 8 puppet puppet 119 Jul 14 15:21 /etc/puppetlabs/puppet/ssl/
ls -ld /etc/puppetlabs/puppet/ssl/certs/ca.pem
-rw-r--r-- 1 puppet puppet 1997 Jul 29 09:50 /etc/puppetlabs/puppet/ssl/certs/ca.pem

sestatus
SELinux status: disabled

The foreman-proxy user is in the puppet group [ puppet:x:249:foreman-proxy ]

I have also tried sudo -u foreman-proxy cat
/var/lib/puppet/ssl/certs/ca.pem and it works.

puppet --version (on puppetmaster where foreman smart proxy is running)
4.5.2

I have tried telnet from the foreman server to the puppet master and it connects.
Foreman proxy is running on the puppetmaster.

/etc/puppetlabs/puppet/auth.conf
path /puppet/v3/environments
method find
allow *

path /puppet/v3/resource_type
method search
allow *

Please advise.
Sai Krishna
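The thread hits two distinct TLS failures that surface as one ERF12 error: an untrusted issuer (the CA file does not contain the Puppet CA that signed the peer certificate, as in the RestClient::SSLCertificateNotVerified and curl SEC_ERROR_UNTRUSTED_ISSUER output, and again when the proxy itself fails to verify the puppet master in proxy.log) and a hostname mismatch (Dominic's diagnosis: the URL host is not the certificate's CN). The probe below is an added example, not code from the thread or from Foreman, that tells the two apart; the CA path and hostnames are placeholders.

```python
"""Separate 'untrusted issuer' from 'hostname mismatch' when a TLS handshake
to a smart proxy (or from the proxy to the Puppet master API) fails.
Added example; CA path and hostnames are placeholders."""
import socket
import ssl


def cert_names(cert):
    """Names a peer certificate is valid for, from the dict shape returned by
    SSLSocket.getpeercert(): SAN dNSName entries, else the subject CN (which
    is all a Puppet-CA-issued certificate usually carries)."""
    names = [v for k, v in cert.get("subjectAltName", ()) if k == "DNS"]
    if not names:
        names = [v for rdn in cert.get("subject", ())
                 for k, v in rdn if k == "commonName"]
    return names


def hostname_matches(cert, hostname):
    """True if hostname matches one of the certificate's names. A leading
    '*.' wildcard covers exactly one label, as RFC 6125 clients do."""
    host = hostname.lower().rstrip(".")
    for name in cert_names(cert):
        name = name.lower()
        if name.startswith("*."):
            if "." in host and host.split(".", 1)[1] == name[2:]:
                return True
        elif name == host:
            return True
    return False


def probe(hostname, port=8443, cafile="/etc/puppetlabs/puppet/ssl/certs/ca.pem"):
    """Handshake with hostname:port trusting only cafile and report the first
    failing check: 'untrusted-issuer', 'hostname-mismatch', 'not-tls' (the
    port answers in plain HTTP, the 'unknown protocol' seen in proxy.log),
    'unreachable', or 'ok'. Hostname checking is done separately so the two
    certificate failures do not collapse into a single error."""
    ctx = ssl.create_default_context(cafile=cafile)
    ctx.check_hostname = False  # verify_mode stays CERT_REQUIRED
    try:
        with socket.create_connection((hostname, port), timeout=5) as sock:
            with ctx.wrap_socket(sock, server_hostname=hostname) as tls:
                cert = tls.getpeercert()
    except ssl.SSLCertVerificationError:
        return "untrusted-issuer"
    except ssl.SSLError:
        return "not-tls"
    except OSError:
        return "unreachable"
    return "ok" if hostname_matches(cert, hostname) else "hostname-mismatch"
```

Run `probe("<proxy-fqdn>")` from the Foreman host with the CA the proxy's certificate was issued by; "hostname-mismatch" means the name entered in the Foreman UI must match the name used with `puppet cert generate`, while "untrusted-issuer" means the CA file, not the hostname, is the problem.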