One RHEL7 server runs all pieces, katello, foreman, proxy, etc.
This was originally built using katello 3.4 (foreman-installer --scenario katello), with some upgrades along the way. Problem started after upgrade to katello 3.12 and foreman 1.22. There may be some puppet files installed, but we do not make use of Puppet at all. We are working with ansible.
I think something needs updated with my certs in /etc/foreman-proxy/settings.yml and/or /etc/smart_proxy_dynflow_core/settings.yml.
I have found these files on my server:
under /etc/pki/katello-certs-tools/certs
java-client.crt
kat7.xxx.xxx.com-apache.crt
kat7.xxx.xxx.com-foreman-client.crt
kat7.xxx.xxx.com-foreman-proxy-client.crt
kat7.xxx.xxx.com-foreman-proxy.crt
kat7.xxx.xxx.com-puppet-client.crt
kat7.xxx.xxx.com-qpid-broker.crt
kat7.xxx.xxx.com-qpid-client-cert.crt
kat7.xxx.xxx.com-qpid-router-client.crt
kat7.xxx.xxx.com-qpid-router-server.crt
kat7.xxx.xxx.com-tomcat.crt
katello-default-ca.crt
katello-server-ca.crt
pulp-client.crt
This is from our 1.22/3.12 testing instance.
The corresponding settings in /etc/smart_proxy_dynflow_core/settings.yml look the same on our installation (except for the port of course).
No idea why this should break during an update, but try de-commenting those foreman_ssl lines and restart foreman-proxy. Afaik, those options need to be set.
I’ll assume you are talking about /etc/smart_proxy_dynflow_core/settings.yml, since that’s the only config I could find containing those settings.
The SSL settings look messed up, here is what we have in our environment:
:database:
:console_auth: true
# URL of the foreman, used for reporting back
:foreman_url: https://foreman.example.com
# SSL settings for client authentication against foreman.
:foreman_ssl_ca: /etc/foreman-proxy/foreman_ssl_ca.pem
:foreman_ssl_cert: /etc/foreman-proxy/foreman_ssl_cert.pem
:foreman_ssl_key: /etc/foreman-proxy/foreman_ssl_key.pem
# Listen on address
:listen: 0.0.0.0
# Listen on port
:port: 8008
:use_https: true
:ssl_ca_file: /etc/foreman-proxy/ssl_ca.pem
:ssl_certificate: /etc/foreman-proxy/ssl_cert.pem
:ssl_private_key: /etc/foreman-proxy/ssl_key.pem
In the future, I would ask you to:
add information about which configs you are talking about when pasting them
include log messages when possible instead of general explanations of the error message, adding which log they appeared in
be a bit more verbose in general about whether you tried things out and whether they worked, regardless of suggested things from other community members or things you came up with yourself
This helps us immensely in understanding your problem and figuring out how we can help you.
Interesting. In the second log, there is an OpenSSL error, too. Looks like in that case, the proxy does not recognize Foreman’s SSL certs.
You could try taking a look at /etc/foreman/settings.yaml and checking which SSL certificate files are configured there. Then take the semi-broken config (your original one) and try to set those files for the foreman_ssl_* settings in /etc/smart_proxy_dynflow_core/settings.yml and /etc/foreman-proxy/settings.yml.
You could also try rerunning foreman-installer to see if that helps. In theory, it should set the values correctly and, being idempotent, should not change anything that is “correct”. I would recommend running “foreman-installer -v --noop” first, though, to see what would be changed without the risk of actual undesired changes.
If nothing else helps, your certificates might have been corrupted. I have heard some rare reports about that happening in the last weeks. In that case, you might need to regenerate them, but I cannot provide any steps for that from memory.
foreman-installer and this fixed /etc/foreman-proxy/settings.yml
foreman-installer --enable-foreman-plugin-remote-execution --enable-foreman-proxy-plugin-remote-execution-ssh and this fixed /etc/smart_proxy_dynflow_core/settings.yml
/etc/foreman-proxy/settings.yml now has
:ssl_ca_file: /etc/foreman-proxy/ssl_ca.pem
:ssl_certificate: /etc/foreman-proxy/ssl_cert.pem
:ssl_private_key: /etc/foreman-proxy/ssl_
:foreman_ssl_ca: /etc/foreman-proxy/foreman_ssl_ca.pem
:foreman_ssl_cert: /etc/foreman-proxy/foreman_ssl_cert.pem
:foreman_ssl_key: /etc/foreman-proxy/foreman_ssl_key.pem
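The check the thread converges on (are the six SSL settings present, uncommented, and pointing at files that load as a certificate/key pair) can be scripted. This is an added example, not part of the thread and not Foreman code; the function names and the sample text are made up for illustration, and it reads the settings line by line so that commented-out keys are still seen.

```python
import os
import re
import ssl

# TLS keys quoted in this thread, per role: (CA, certificate, private key).
ROLES = (("ssl_ca_file", "ssl_certificate", "ssl_private_key"),
         ("foreman_ssl_ca", "foreman_ssl_cert", "foreman_ssl_key"))
LINE = re.compile(r"^\s*(#?)\s*:(\w+):\s*(\S*)")
# Constructed sample: the foreman_ssl_* lines left commented out.
SAMPLE = """\
#:foreman_ssl_ca: /etc/foreman-proxy/foreman_ssl_ca.pem
#:foreman_ssl_cert: /etc/foreman-proxy/foreman_ssl_cert.pem
#:foreman_ssl_key: /etc/foreman-proxy/foreman_ssl_key.pem
"""

def parse_settings(text):
    """Return {key: (value, commented_out)}; an active line beats a commented one."""
    found = {}
    for raw in text.splitlines():
        m = LINE.match(raw)
        if m and (m.group(2) not in found or found[m.group(2)][1]):
            found[m.group(2)] = (m.group(3), bool(m.group(1)))
    return found

def pair_problem(cert, key):
    """Return a message if cert and key do not load as a matching pair, else None."""
    try:
        ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT).load_cert_chain(cert, key)
    except (ssl.SSLError, OSError) as exc:
        return f"{cert} and {key} do not load as a pair: {exc}"

def audit(text):
    """List problems with the TLS settings in one settings.yml body."""
    found, problems = parse_settings(text), []
    for role in ROLES:
        usable = []
        for name in role:
            value, commented = found.get(name, ("", False))
            if value and not commented and os.path.isfile(value):
                usable.append(value)
                continue
            why = ("not set" if not value else "commented out" if commented
                   else f"{value} does not exist")
            problems.append(f"{name}: {why}")
        if len(usable) == 3 and (err := pair_problem(usable[1], usable[2])):
            problems.append(err)
    return problems

if __name__ == "__main__":
    print("\n".join(audit(SAMPLE)))
```

Run it against the contents of each settings.yml as root, since the key files are normally not world-readable; an empty result means all six settings resolve to loadable files.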