Internal dynflow checks wrong certificate serial

I had issues getting dynflow to work on my smart_proxies. I think that the smart proxy is using the build-in version of dynflow. The requests for the /dynflow api endpoint therefore come directly from my foreman host, not from the smart proxy. From the documentation I made the assumption that is how it used to work.

I disabled this line:
and things work correctly now.

Before this work-around, I tried to set :foreman_ssl_cert: in /etc/foreman-proxy/settings.yml to a copy of the cert from my foreman instance. This worked for submitting jobs, but the callback mechanism from dynflow failed, because :foreman_ssl_key: was not set. Therefore I found disabling the check a better option in my case.

Expected outcome:
The build-in dynflow being aware that is is called directly from foreman, not the proxy.

Foreman and Proxy versions:
foreman 2.1.0-1
foreman-proxy 2.1.0-1

Foreman and Proxy plugin versions:
ruby-foreman-remote-execution-core 1.3.0-1
ruby-foreman-tasks-core 0.3.4-1

Distribution and version:
Debian 10.4

Other relevant data:

:enabled: https

If true, external core will be used even if the core gem is available

If false, the feature will be disabled if the core gem is unavailable

If unset, the process will fallback to autodetection, using external core if the core gem is unavailable

:external_core: true

I replaced authorize_with_ssl_client with authorize_with_trusted_hosts. I copied some magic from foreman_proxy code. Although I wonder why this is not handled by the foreman_proxy itself I think checking for trusted_hosts makes more sense than checking the client cert in my case.

This doesn’t sound right. Could you post logs showing the errors you’re encountering?

The only log message related to this issue is in /var/log/foreman-proxy.log:
2020-07-27T17:24:33 4030f811 [I] Started GET /dynflow/tasks/count state=running
E, [2020-07-27T17:24:33.485917 #4136927] ERROR – : SSL certificate with unexpected serial supplied
2020-07-27T17:24:33 4030f811 [I] Finished GET /dynflow/tasks/count with 403 (0.58 ms)

Any news on this topic? Maybe I configured something wrong?

Possibly, see here, it might help you get moving