On Foreman 1.9 running on CentOS7.
I have set up a Foreman realm proxy on a CentOS 7 server with SSL certs by
following the directions listed here:
http://www.theforeman.org/manuals/1.9/index.html#4.3.10SSL
I generated certificates on my puppetmaster (katello server) and they show
as valid in the certificate listing for the katello host (local smart
proxy).
I also trusted the ipa cert on the proxy (although I shouldn't have had to
because it is a dc already).
This is what I see in my production log when I try to add the new smart
proxy:
2015-12-19 05:35:31 [app] [I] Parameters: {"utf8"=>"✓",
"authenticity_token"=>"ejoQfWXNuq+67ZrTpWQ/PfpGSbr92Yso7yMBhu7ZkQg=",
"smart_proxy"=>{"name"=>"dc1.mydomain.net",
"url"=>"https://dc1.mydomain.net:8443", "location_ids"=>[""],
"organization_ids"=>["", "5"]}}
2015-12-19 05:35:31 [app] [I] Failed to save: Unable to communicate with
the proxy: ERF12-2530 [ProxyAPI::ProxyException]: Unable to detect features
([OpenSSL::SSL::SSLError]: SSL_connect returned=1 errno=0 state=SSLv3 read
server certificate B: certificate verif…) for proxy
https://dc1.mydomain.net:8443/features, Please check the proxy is
configured and running on the host.
When I connect by wget to check and ensure the certificate being presented
looks ok, it seems fine. It is properly issued by the katello host I'm
trying to connect to the proxy on, and the names all match. Also the
result is ["realm"] if I load the page in a browser so it is turned on,
configured properly, and serving back the right result.
[root@katello1 foreman]# wget -d -v --no-check-certificate https://dc1.mydomain.net:8443/features
Setting --verbose (verbose) to 1
Setting --check-certificate (checkcertificate) to 0
DEBUG output created by Wget 1.14 on linux-gnu.
URI encoding = ‘UTF-8’
--2015-12-19 05:48:36--  https://dc1.mydomain.net:8443/features
Resolving dc1.mydomain.net (dc1.mydomain.net)… 10.178.0.99
Caching dc1.mydomain.net => 10.178.0.99
Connecting to dc1.mydomain.net (dc1.mydomain.net)|10.178.0.99|:8443…
connected.
Created socket 3.
Releasing 0x00000000010af260 (new refcount 1).
Initiating SSL handshake.
Handshake successful; connected socket 3 to SSL handle 0x00000000010fe420
certificate:
issuer: /CN=Puppet CA: katello1.mydomain.net
WARNING: cannot verify dc1.mydomain.net's certificate, issued by
‘/CN=Puppet CA: katello1.mydomain.net’:
Self-signed certificate encountered.
---request begin---
GET /features HTTP/1.1
User-Agent: Wget/1.14 (linux-gnu)
Accept: */*
Host: dc1.mydomain.net:8443
Connection: Keep-Alive
---request end---
HTTP request sent, awaiting response…
---response begin---
HTTP/1.1 200 OK
Content-Type: application/json;charset=utf-8
Content-Length: 9
Server: WEBrick/1.3.1 (Ruby/2.0.0/2014-11-13) OpenSSL/1.0.1e
Connection: Keep-Alive
---response end---
200 OK
Registered socket 3 for persistent reuse.
URI content encoding = ‘utf-8’
Length: 9 [application/json]
Saving to: ‘features.1’
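
An added example, not part of the original post: the wget run above uses --no-check-certificate, so it skips the verification step that raises OpenSSL::SSL::SSLError in the Foreman log. The Ruby sketch below uses constructed throwaway certificates (the CNs and the helper names make_cert and verify_code are assumptions) to show that a correctly issued certificate passes or fails depending only on which CA the client's trust store contains.

```ruby
require "openssl"

# Constructed sample data: throwaway keys and certificates, built in memory.
def make_cert(cn, key, issuer: nil, issuer_key: nil, ca: false)
  cert = OpenSSL::X509::Certificate.new
  cert.version = 2 # X.509 v3
  cert.serial = rand(1..2**31)
  cert.subject = OpenSSL::X509::Name.parse("/CN=#{cn}")
  cert.issuer = issuer ? issuer.subject : cert.subject
  cert.public_key = key.public_key
  cert.not_before = Time.now - 60
  cert.not_after = Time.now + 3600
  ext = OpenSSL::X509::ExtensionFactory.new
  cert.add_extension(
    ext.create_extension("basicConstraints", ca ? "CA:TRUE" : "CA:FALSE", true)
  )
  cert.sign(issuer_key || key, OpenSSL::Digest.new("SHA256"))
end

# Verify `leaf` (plus any certificates the server sent as `chain`) against a
# trust store holding only `trusted`. Returns OpenSSL's verify code (0 = OK).
def verify_code(leaf, trusted, chain = [])
  store = OpenSSL::X509::Store.new
  trusted.each { |c| store.add_cert(c) }
  store.verify(leaf, chain)
  store.error
end

def run_demo
  ca_key, other_key, proxy_key = Array.new(3) { OpenSSL::PKey::RSA.new(2048) }
  issuing_ca = make_cert("Constructed Issuing CA", ca_key, ca: true)
  other_ca   = make_cert("Constructed Other CA", other_key, ca: true)
  proxy = make_cert("proxy.example.test", proxy_key,
                    issuer: issuing_ca, issuer_key: ca_key)
  {
    # Client trusts the CA that signed the proxy certificate.
    issuer_trusted: verify_code(proxy, [issuing_ca]),
    # Client trusts some other CA; server sends only its own certificate.
    issuer_missing: verify_code(proxy, [other_ca]),
    # Client trusts some other CA; server also sends its issuing CA.
    issuer_sent_untrusted: verify_code(proxy, [other_ca], [issuing_ca])
  }
end

RESULTS = run_demo
RESULTS.each { |name, code| puts "#{name}: verify code #{code}" }
```
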