[Foreman-Proxy] Unable to communicate with the proxy: ERF12-2530

On Foreman 1.9 running on CentOS7.

I have setup a foreman realm proxy on a CentOS 7 server with SSL certs by
following the directions listed here :
http://www.theforeman.org/manuals/1.9/index.html#4.3.10SSL

I generated certificates on my puppetmaster (katello server) and they show
as valid in the certificate listing for the katello host (local smart
proxy).

I also trusted the ipa cert on the proxy (although I shouldn't have had to
because it is a dc already).

This is what I see in my production log when I try to add the new smart
proxy

2015-12-19 05:35:31 [app] [I] Parameters: {"utf8"=>"✓",
"authenticity_token"=>"ejoQfWXNuq+67ZrTpWQ/PfpGSbr92Yso7yMBhu7ZkQg=",
"smart_proxy"=>{"name"=>"dc1.mydomain.net",
"url"=>"https://dc1.mydomain.net:8443", "location_ids"=>[""],
"organization_ids"=>["", "5"]}}
2015-12-19 05:35:31 [app] [I] Failed to save: Unable to communicate with
the proxy: ERF12-2530 [ProxyAPI::ProxyException]: Unable to detect features
([OpenSSL::SSL::SSLError]: SSL_connect returned=1 errno=0 state=SSLv3 read
server certificate B: certificate verif…) for proxy
https://dc1.mydomain.net:8443/features, Please check the proxy is
configured and running on the host.

When I connect by wget to check and ensure the certificate being presented
looks ok, it seems fine. It is properly issued by the katello host I'm
trying to connect to the proxy on, and the names all match. Also the
result is ["realm"] if i load the page in a browser so it is turned on,
configured properly, and serving back the right result.

[root@katello1 foreman]# wget -d -v --no-check-certificate
https://dc1.mydomain.net:8443/features
Setting --verbose (verbose) to 1
Setting --check-certificate (checkcertificate) to 0
DEBUG output created by Wget 1.14 on linux-gnu.

URI encoding = ‘UTF-8’
--2015-12-19 05:48:36--  https://dc1.mydomain.net:8443/features
Resolving dc1.mydomain.net (dc1.mydomain.net)... 10.178.0.99
Caching dc1.mydomain.net => 10.178.0.99
Connecting to dc1.mydomain.net (dc1.mydomain.net)|10.178.0.99|:8443...
connected.
Created socket 3.
Releasing 0x00000000010af260 (new refcount 1).
Initiating SSL handshake.
Handshake successful; connected socket 3 to SSL handle 0x00000000010fe420
certificate:
subject: /CN=dc1.mydomain.net
issuer: /CN=Puppet CA: katello1.mydomain.net
WARNING: cannot verify dc1.mydomain.net's certificate, issued by
‘/CN=Puppet CA: katello1.mydomain.net’:
Self-signed certificate encountered.

---request begin---
GET /features HTTP/1.1
User-Agent: Wget/1.14 (linux-gnu)
Accept: */*
Host: dc1.mydomain.net:8443
Connection: Keep-Alive

---request end---
HTTP request sent, awaiting response...
---response begin---
HTTP/1.1 200 OK
Content-Type: application/json;charset=utf-8
Content-Length: 9
Server: WEBrick/1.3.1 (Ruby/2.0.0/2014-11-13) OpenSSL/1.0.1e
Date: Sat, 19 Dec 2015 13:48:36 GMT
Connection: Keep-Alive

---response end---
200 OK
Registered socket 3 for persistent reuse.
URI content encoding = ‘utf-8’
Length: 9 [application/json]
Saving to: ‘features.1’

At present, if you are using Katello which has its own certificate setup,
you need to install Capsule which provides foreman proxy services but
configures certificates properly. We are working towards making the Foreman
proxy the premier entity when using Katello.

Eric

On Dec 19, 2015 9:17 AM, "Nathan Peters" wrote:

You received this message because you are subscribed to the Google Groups
"Foreman users" group.
To unsubscribe from this group and stop receiving emails from it, send an
email to foreman-users+unsubscribe@googlegroups.com.
To post to this group, send email to foreman-users@googlegroups.com.
Visit this group at https://groups.google.com/group/foreman-users.
For more options, visit https://groups.google.com/d/optout.
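A reproduction of the two checks discussed above, added here as an example and not code from the thread or from Foreman. It builds two throwaway CAs in memory, one named like the Puppet CA on katello1 and one standing in for Katello's own CA (constructed; Eric's reply says Katello has its own certificate setup), issues a dc1.mydomain.net certificate from the Puppet CA, serves it from a one-shot TLS server on localhost that answers GET /features with ["realm"], and connects three ways. The first client mirrors wget --no-check-certificate: the handshake succeeds because the chain is never checked, so the 200 OK says nothing about trust. The second verifies the chain against the stand-in Katello CA and fails with the same "certificate verify failed" class of error Foreman logged. The third verifies against the CA that actually issued the certificate and succeeds. The assumption behind the second case is that Foreman validates the proxy certificate against the CA in its settings.yaml (ssl_ca_file), which on a Katello install is Katello's CA rather than the Puppet CA; the CA name, hostname and response body come from the thread, everything else is constructed.

```ruby
require 'openssl'
require 'socket'

# Self-signed CA with the given CN (constructed throwaway key, not a real CA).
def make_ca(cn)
  key  = OpenSSL::PKey::RSA.new(2048)
  cert = OpenSSL::X509::Certificate.new
  cert.version, cert.serial = 2, 1
  cert.subject = cert.issuer = OpenSSL::X509::Name.parse("/CN=#{cn}")
  cert.public_key = key.public_key
  cert.not_before, cert.not_after = Time.now - 60, Time.now + 3600
  ef = OpenSSL::X509::ExtensionFactory.new(cert, cert)
  cert.add_extension(ef.create_extension('basicConstraints', 'CA:TRUE', true))
  cert.add_extension(ef.create_extension('keyUsage', 'keyCertSign,cRLSign', true))
  cert.sign(key, OpenSSL::Digest.new('SHA256'))
  [cert, key]
end

# Server certificate for +cn+ issued by the given CA, with a matching SAN.
def make_leaf(cn, ca_cert, ca_key)
  key  = OpenSSL::PKey::RSA.new(2048)
  cert = OpenSSL::X509::Certificate.new
  cert.version, cert.serial = 2, 2
  cert.subject = OpenSSL::X509::Name.parse("/CN=#{cn}")
  cert.issuer = ca_cert.subject
  cert.public_key = key.public_key
  cert.not_before, cert.not_after = Time.now - 60, Time.now + 3600
  ef = OpenSSL::X509::ExtensionFactory.new(ca_cert, cert)
  cert.add_extension(ef.create_extension('subjectAltName', "DNS:#{cn}"))
  cert.sign(ca_key, OpenSSL::Digest.new('SHA256'))
  [cert, key]
end

# Serve one TLS connection on 127.0.0.1 with +server_cert+, answering
# GET /features the way the smart proxy did, then connect as a client with
# the given verify mode and trust anchor. Returns :ok plus the body, or
# :verify_failed plus the OpenSSL error text.
def probe(host, server_cert, server_key, verify_mode, trusted_ca = nil)
  sctx = OpenSSL::SSL::SSLContext.new
  sctx.cert, sctx.key = server_cert, server_key
  tcp = TCPServer.new('127.0.0.1', 0)
  server = Thread.new do
    begin
      conn = OpenSSL::SSL::SSLServer.new(tcp, sctx).accept
      conn.gets                                  # request line; rest ignored
      conn.write("HTTP/1.1 200 OK\r\nContent-Length: 9\r\n\r\n[\"realm\"]")
      conn.close
    rescue StandardError
      nil                                        # client aborted the handshake
    end
  end
  cctx = OpenSSL::SSL::SSLContext.new
  cctx.verify_mode = verify_mode
  if trusted_ca                                  # the role of ssl_ca_file
    cctx.cert_store = OpenSSL::X509::Store.new.tap { |s| s.add_cert(trusted_ca) }
  end
  ssl = OpenSSL::SSL::SSLSocket.new(TCPSocket.new('127.0.0.1', tcp.addr[1]), cctx)
  ssl.sync_close = true
  ssl.hostname = host                            # SNI
  ssl.connect                                    # chain verification happens here
  ssl.post_connection_check(host)                # name check against the SAN
  ssl.write("GET /features HTTP/1.1\r\nHost: #{host}\r\n\r\n")
  head = +''
  head << ssl.gets until head.end_with?("\r\n\r\n")
  body = ssl.read(head[/Content-Length: (\d+)/, 1].to_i)
  ssl.close
  { result: :ok, body: body }
rescue OpenSSL::SSL::SSLError => e
  { result: :verify_failed, error: e.message }
ensure
  server&.join
  tcp&.close
end

# Three clients against the same Puppet-CA-issued certificate.
def run_demo
  host = 'dc1.mydomain.net'
  puppet_ca, puppet_key = make_ca('Puppet CA: katello1.mydomain.net')
  katello_ca, _katello_key = make_ca('Katello CA (constructed stand-in)')
  dc1_cert, dc1_key = make_leaf(host, puppet_ca, puppet_key)
  {
    # like wget --no-check-certificate: no chain check, so it always "works"
    wget_no_check: probe(host, dc1_cert, dc1_key, OpenSSL::SSL::VERIFY_NONE),
    # like Foreman on Katello: trusts Katello's CA, not the Puppet CA
    foreman_katello_ca: probe(host, dc1_cert, dc1_key, OpenSSL::SSL::VERIFY_PEER, katello_ca),
    # the same certificate checked against the CA that issued it
    foreman_puppet_ca: probe(host, dc1_cert, dc1_key, OpenSSL::SSL::VERIFY_PEER, puppet_ca)
  }
end

if __FILE__ == $PROGRAM_NAME
  run_demo.each { |name, r| puts "#{name}: #{r[:result]} #{r[:body] || r[:error]}" }
end
```

The script needs nothing beyond the loopback interface. The equivalent field check against the real proxy is `openssl s_client -connect dc1.mydomain.net:8443 -CAfile <the ssl_ca_file path from /etc/foreman/settings.yaml>`: a "Verify return code: 0 (ok)" line means Foreman's trust anchor accepts the chain, and anything else reproduces the ERF12-2530 cause no matter what wget showed with --no-check-certificate.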

Maybe I'm doing something wrong here but I can't seem to get the setup I
want. If I understand correctly, I can install this foreman capsule on my
domain controller and have it function only as a realm proxy.
I ignored the pulp settings that the certificate generator created, and
used the following command to configure it :

[root@dc1 foreman-proxy]# capsule-installer --parent-fqdn
"katello1.mydomain.net" --register-in-foreman "true" --foreman-oauth-key
"key" --foreman-oauth-secret "secret" --certs-tar
"~/dc1.mydomain.net-certs.tar" --foreman-proxy-http "false"
--freeipa-remove-dns "false" --realm "true" --realm-principal
"realm-proxy@MYDOMAIN.NET" --puppet "false" --templates "false"
Installing Done
[100%]
[…]
Success!
The full log is at /var/log/capsule-installer/capsule-installer.log

It properly showed up as a smart proxy in katello but the features are
listed as Puppet, and Realm, even though I told it not to install a puppet
proxy. I'm not sure if this is a bug or not. The command capsule-installer
--help lists puppet as false by default but I tried running the above
command without the puppet flag and it still installed. To confirm that
other features were properly updating, I removed the templates flag and it
installed due to its default being yes. Then I added the false flag and it
was removed. Puppet remains though no matter what I do. Seeing as this is
installed on a FreeIPA domain controller, we don't really want this
attempting to function as a puppetmaster.

On Saturday, December 19, 2015 at 8:10:03 AM UTC-8, Eric Helms wrote:

> At present, if you are using Katello which has its own certificate setup,
> you need to install Capsule which provides foreman proxy services but
> configures certificates properly. We are working towards making the Foreman
> proxy the premier entity when using Katello.
>
> Eric