Fresh install of foreman, can't view proxy's puppet certs

Fresh install of foreman, on RHEL6.4.

Puppet 3, foreman 1.3.

[root@masterofpuppet PROD ~]# rpm -qa | egrep 'foreman|puppet'
foreman-1.3.0-1.el6.noarch
puppet-server-3.3.1-1.el6.noarch
foreman-installer-1.3.0-1.el6.noarch
foreman-ovirt-1.3.0-1.el6.noarch
foreman-selinux-1.3.0-1.el6.noarch
foreman-release-1.3.0-1.el6.noarch
puppet-3.3.1-1.el6.noarch
foreman-compute-1.3.0-1.el6.noarch
foreman-postgresql-1.3.0-1.el6.noarch
foreman-proxy-1.3.0-1.el6.noarch
rubygem-foreman_api-0.1.6-1.el6.noarch

Foreman is running my puppet ca locally, so it has a definition for
itself in the proxies.

I joined an agent to puppet, by configuring its master as the foreman
server, and then running puppet agent --test. This contacted foreman's
puppetmaster, and got that step completed.

Normally, what I'd do next, is login to foreman's web ui, browse to
more->configuration->smart proxies, and approve the new agent by
clicking on Certificates next to my proxy (the local foreman-proxy).

I did this, and instead of showing me a list of certs waiting to be
approved, I got a nice friendly pink error saying:
ActiveRecord::RecordNotFound

I checked some logs, and found the following in the foreman-proxy's
proxy.log.

==> /var/log/foreman-proxy/proxy.log <==
D, [2013-11-06T13:44:08.959516 #30477] DEBUG -- : Found puppetca at /usr/bin/puppet
D, [2013-11-06T13:44:08.959835 #30477] DEBUG -- : Found sudo at /usr/bin/sudo
D, [2013-11-06T13:44:08.959899 #30477] DEBUG -- : Executing /usr/bin/sudo -S /usr/bin/puppet cert --ssldir /var/lib/puppet/ssl --list --all
W, [2013-11-06T13:44:08.989254 #30477] WARN -- : Failed to run puppetca:
E, [2013-11-06T13:44:08.989621 #30477] ERROR -- : Failed to list certificates: Execution of puppetca failed, check log files

This looks like the issue to me, but why is it happening? I tried the
listed command as root, /usr/bin/puppet cert --ssldir
/var/lib/puppet/ssl --list --all, and it returned a list of certs. I
was even able to manually approve the cert via the cli, and it shows
up in my hosts list, however, it still doesn't let me view the certs
via the web UI.

Is the failure in sudo? Is there another log I can check? Is there
deeper logging I can enable?

Thanks!

I figured this out, it relates to sudo.

I was troubleshooting another problem, here's a description for that
problem in case anyone is interested.

I added a test host, and then tried to delete it, and the UI gives me
the following error:

Failed to remove metaltest.dev's puppet certificate: 406 Not Acceptable

This also seems related to certs, so I thought it was related.

I checked the logs this time, foreman-proxy/proxy.log, and found this:

W, [2013-11-06T15:43:34.972415 #30477] WARN -- : Failed to run puppetca: sudo: sorry, you must have a tty to run sudo

I added the following to /etc/sudoers.
Defaults:foreman-proxy !requiretty

Tried removing my host again, and it worked. So then I tried opening
the certs dialog in the ui, as described in my first post, and it
works now.

Problem Solved.

-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
Nathan Lager, RHCSA, RHCE, RHCVA (#110-011-426)
System Administrator
11 Pardee Hall
Lafayette College, Easton, PA 18042
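
The sudoers line in the post above exempts only the foreman-proxy account from requiretty, so a global requiretty default stays in force for every other account. The following is an added example, not part of the original thread or of Foreman: a small check of that scoping on a sudoers file. The sample file contents, the second account name `apache` and the "last matching Defaults line wins" rule are assumptions of this sketch.

```shell
#!/bin/sh
# Added example. Simplified model of sudoers "Defaults" handling, not a full
# sudoers parser: only global and per-user Defaults lines are read, and the
# last matching line in file order is taken as the effective one (assumption).

# requiretty_state USER FILE -> prints "required" or "not-required"
requiretty_state() {
    awk -v user="$1" '
        /^[ \t]*#/ { next }                          # comments and #include lines
        $1 == "Defaults" || $1 == ("Defaults:" user) {
            line = $0
            sub(/^[ \t]*[^ \t]+[ \t]+/, "", line)    # drop the Defaults keyword
            sub(/[ \t]+$/, "", line)                 # drop trailing whitespace
            n = split(line, opts, /[ \t]*,[ \t]*/)
            for (i = 1; i <= n; i++) {
                if (opts[i] == "requiretty")  state = "required"
                if (opts[i] == "!requiretty") state = "not-required"
            }
        }
        END { print (state == "" ? "not-required" : state) }
    ' "$2"
}

# Constructed sample input: a sudoers file with a global requiretty default,
# before and after adding the per-user line from the post.
write_samples() {
    printf '%s\n' \
        '# constructed sample' \
        'Defaults    requiretty' \
        'Defaults    env_reset' \
        'root    ALL=(ALL)    ALL' > "$1/before"
    cp "$1/before" "$1/after"
    printf '%s\n' 'Defaults:foreman-proxy !requiretty' >> "$1/after"
}

demo_dir=$(mktemp -d)
write_samples "$demo_dir"
for f in before after; do
    for u in foreman-proxy apache; do    # "apache" is a hypothetical second account
        printf '%-7s %-14s %s\n' "$f" "$u" "$(requiretty_state "$u" "$demo_dir/$f")"
    done
done
rm -rf "$demo_dir"
```

On a live host, `visudo -c` checks the sudoers syntax after the edit, and `sudo -l -U foreman-proxy` lists the Defaults entries and rules that sudo matches for the account.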