Installing an external Ubuntu Smart Proxy in a vanilla Ubuntu Foreman environment

Problem:
I can’t figure out how to properly install an external Smart Proxy on Ubuntu. The Foreman server is “vanilla” Foreman (without Katello), and it is also on Ubuntu. I’m not finding anything in the Debian/Ubuntu instructions (Installing Foreman Server nightly on Debian/Ubuntu) for installing a Smart Proxy, so I’ve been having to follow and augment the EL instructions (Installing a Smart Proxy Server nightly on CentOS/RHEL). If I install foreman-installer and run the installer command that is given in the instructions, it fails with the “parameter 'version' expects a String value, got Undef” error (same as in this post: Foreman installer error "parameter 'version' expects a String value, got Undef"). I ran this:

sudo foreman-installer \
  --no-enable-foreman \
  --no-enable-foreman-cli \
  --enable-puppet \
  --puppet-server-ca=false \
  --enable-foreman-proxy \
  --foreman-proxy-puppetca=false \
  --foreman-proxy-tftp=false \
  --foreman-proxy-foreman-base-url=https://foreman.mysite.com \
  --foreman-proxy-trusted-hosts=foreman

When I changed the installer command to add --no-enable-foreman-plugin-puppet and --no-enable-foreman-cli-puppet, those errors went away, but I got a different error:

[ERROR ] [configure] /Stage[main]/Foreman_proxy::Register/Foreman_host[foreman-proxy-fm-proxy01.mysite.com]: Could not evaluate: Exception Failed to open TCP connection to fm-proxy01.mysite.com:443 (Connection refused - connect(2) for "fm-proxy01.mysite.com" port 443) in get request to: https://fm-proxy01.mysite.com/api/v2/hosts?search=name%3D%22fm-proxy01.mysite.com%22

I don’t know what mechanism the Smart Proxy is supposed to be using to provide the API endpoint. Either something didn’t get installed or something is misconfigured. netstat shows that port 443 is not currently listening, so it makes sense that there would be a failure to do a GET request. Is apache2 supposed to get installed somewhere along the way to provide this endpoint? If not, what is it that provides it?

Basically, I’m just kind of stuck and could really use some help. Trying to patch together a correct installation procedure using different instructions isn’t working out so well.

Expected outcome:
I should (ideally) be able to follow the instructions to add a Smart Proxy without getting these errors.

Foreman and Proxy versions:
3.7

Foreman and Proxy plugin versions:
foreman_puppet plugin 5.1.2

Distribution and version:
Ubuntu 20.04

Other relevant data:

Something that I think I misunderstood in the instructions was the inclusion of the following 2 lines in the foreman-installer command:

  --foreman-proxy-oauth-consumer-key=oAuth_Consumer_Key \
  --foreman-proxy-oauth-consumer-secret=oAuth_Consumer_Secret

I just glossed over those, thinking they were only needed if you had configured Foreman for OAuth authentication on the frontend. I ended up finding this post, Foreman-installer fails tries to open connection to server on port 443 - #5 by CluelessTechnologist, where someone had the same issue with TCP port 443 as I did, and they mentioned that you can find the oauth info in /etc/foreman/settings.yaml on the Foreman server. Once I added those to the original foreman-installer command, I started getting a different error, which was:

[ERROR ] [configure] /Stage[main]/Foreman_proxy::Register/Foreman_host[foreman-proxy-fm-proxy01.mysite.com]: Could not evaluate: Exception SSL_connect returned=1 errno=0 state=error: certificate verify failed (self signed certificate in certificate chain) in get request to: https://foreman.mysite.com/api/v2/hosts?search=name%3D%22fm-proxy01.mysite.com%22

This error makes sense to me at least. So I need to figure out how to trust the certificates. Is there a non-Katello process for doing this? I’m not all that familiar with generating certs.

I was able to fumble my way through generating and applying self-signed certs using this guide: Foreman SSL explained - Partial Solutions.

Most everything in those instructions worked, with the exception of the --foreman-user-groups option, which no longer exists in version 3.7. I just left that bit out and set the ownership on the custom certs to puppet:puppet.

I was left with a working installation!
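
A pre-flight sketch for the two fixes described in this thread (supplying the OAuth values from /etc/foreman/settings.yaml and trusting the Foreman server's certificate), added here as an example and not taken from the original posts or from Foreman's documentation. The function names, the `:oauth_consumer_key:` / `:oauth_consumer_secret:` key layout, the CA file argument and the sample values are assumptions.

```shell
#!/bin/sh
# Added example, not from the original thread. Sample data is constructed.

# Print the value of ":<key>:" from a Foreman settings.yaml, quotes removed.
# Assumption: Ruby-symbol style keys, e.g. ":oauth_consumer_key: value".
foreman_setting() {
  sed -n "s/^:$2:[[:space:]]*//p" "$1" | head -n 1 |
    sed -e 's/[[:space:]]*$//' -e 's/^"\(.*\)"$/\1/' -e "s/^'\(.*\)'\$/\1/"
}

# Succeed only if HOST:443 presents a chain that verifies against CAFILE.
# A failure is the condition the installer reports as "certificate verify failed".
foreman_tls_ok() {
  host=$1 cafile=$2
  [ -r "$cafile" ] || { echo "CA file not readable: $cafile" >&2; return 2; }
  openssl s_client -connect "$host:443" -servername "$host" \
    -CAfile "$cafile" -verify_return_error </dev/null >/dev/null 2>&1
}

# Print the registration options for foreman-installer, one per line.
# The secret is masked unless SHOW_SECRET=1, to keep it out of scrollback and logs.
registration_opts() {
  settings=$1 base_url=$2
  key=$(foreman_setting "$settings" oauth_consumer_key)
  secret=$(foreman_setting "$settings" oauth_consumer_secret)
  [ -n "$key" ] && [ -n "$secret" ] || { echo "OAuth values missing in $settings" >&2; return 1; }
  [ "${SHOW_SECRET:-0}" = 1 ] || secret='********'
  printf '%s\n' "--foreman-proxy-foreman-base-url=$base_url" \
    "--foreman-proxy-oauth-consumer-key=$key" \
    "--foreman-proxy-oauth-consumer-secret=$secret"
}

# Constructed stand-in for /etc/foreman/settings.yaml (values are not real).
sample_settings() {
  cat <<'EOF'
---
:unattended: true
:oauth_active: true
:oauth_consumer_key: "ConstructedKey123"
:oauth_consumer_secret: ConstructedSecret456
EOF
}

# "sh thisfile demo" runs the extraction against the constructed sample.
if [ "${1:-}" = demo ]; then
  tmp=$(mktemp); sample_settings >"$tmp"
  registration_opts "$tmp" https://foreman.mysite.com; rm -f "$tmp"
fi
```

`foreman_setting` is meant to run on the Foreman server, while `foreman_tls_ok` is meant to run on the proxy host before the installer, with the CA file that signed the Foreman server's certificate.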