As you can hopefully see from the photo above, when running a simple
command through the remote execution plugin in Foreman I'm getting an overall
error status…but the output is returning correctly. I'm wondering how this can be?
It isn't really useful to run arbitrary commands on N number of hosts and
receive 100% failure rate even though most are successful.
Some context:
This is all being run from the same server, so puppetmaster / foreman /
foreman-proxy / ca / etc are all on the same box. Foreman-Proxy user home
with .ssh has key in root's .ssh known_hosts file so it can ssh with keys.
One thing that I've noticed is messed up, that may be causing the overall
status to return as failure, is that the cert cannot be verified when I curl
the foreman proxy address. Foreman-Proxy (ca / ssh / discovery / tftp /
dynflow) is all running on port 8443.
When I curl that port I get an error that the cert could not be verified…I'm
wondering if that would cause the overall error code to be non-zero even
though the command output is successful.
root@puppetmaster:/var/log/foreman-proxy# curl -v
- Rebuilt URL to: https://puppetmaster.internaldomain.com:8443/
- Trying 10.1.1.105…
- Connected to puppetmaster.internaldomain.com (10.1.1.105) port 8443 (#0)
- found 173 certificates in /etc/ssl/certs/ca-certificates.crt
- found 694 certificates in /etc/ssl/certs
- ALPN, offering http/1.1
- SSL connection using TLS1.2 / RSA_AES_128_GCM_SHA256
- server certificate verification failed. CAfile: /etc/ssl/certs/ca-certificates.crt CRLfile: none
- Closing connection 0
curl: (60) server certificate verification failed. CAfile: /etc/ssl/certs/ca-certificates.crt CRLfile: none
More details here: http://curl.haxx.se/docs/sslcerts.html
curl performs SSL certificate verification by default, using a "bundle"
of Certificate Authority (CA) public keys (CA certs). If the default
bundle file isn't adequate, you can specify an alternate file
using the --cacert option.
If this HTTPS server uses a certificate signed by a CA represented in
the bundle, the certificate verification probably failed due to a
problem with the certificate (it might be expired, or the name might
not match the domain name in the URL).
If you'd like to turn off curl's verification of the certificate, use
the -k (or --insecure) option.
Any ideas on how to fix this will be greatly appreciated.