Internal dynflow checks wrong certificate serial

mdegouw · July 27, 2020, 8:48pm

Problem:
I had issues getting dynflow to work on my smart_proxies. I think that the smart proxy is using the build-in version of dynflow. The requests for the /dynflow api endpoint therefore come directly from my foreman host, not from the smart proxy. From the documentation I made the assumption that is how it used to work.

I disabled this line: https://github.com/theforeman/smart_proxy_dynflow/blob/master/lib/smart_proxy_dynflow_core/helpers.rb#L33
and things work correctly now.

Before this work-around, I tried to set :foreman_ssl_cert: in /etc/foreman-proxy/settings.yml to a copy of the cert from my foreman instance. This worked for submitting jobs, but the callback mechanism from dynflow failed, because :foreman_ssl_key: was not set. Therefore I found disabling the check a better option in my case.

Expected outcome:
The build-in dynflow being aware that is is called directly from foreman, not the proxy.

Foreman and Proxy versions:
foreman 2.1.0-1
foreman-proxy 2.1.0-1

Foreman and Proxy plugin versions:
ruby-foreman-remote-execution-core 1.3.0-1
ruby-foreman-tasks-core 0.3.4-1

Distribution and version:
Debian 10.4

Other relevant data:
/etc/foreman-proxy/settings.d/dynflow.yml:

:enabled: https
:database:
:core_url: https://lnxpupsrvdev01.bk.prodrive.nl:8008

If true, external core will be used even if the core gem is available

If false, the feature will be disabled if the core gem is unavailable

If unset, the process will fallback to autodetection, using external core if the core gem is unavailable

:external_core: true

mdegouw · July 28, 2020, 9:02am

I replaced authorize_with_ssl_client with authorize_with_trusted_hosts. I copied some magic from foreman_proxy code. Although I wonder why this is not handled by the foreman_proxy itself I think checking for trusted_hosts makes more sense than checking the client cert in my case.

aruzicka · July 28, 2020, 9:10am

This doesn’t sound right. Could you post logs showing the errors you’re encountering?

mdegouw · July 28, 2020, 10:14am

The only log message related to this issue is in /var/log/foreman-proxy.log:
2020-07-27T17:24:33 4030f811 [I] Started GET /dynflow/tasks/count state=running
E, [2020-07-27T17:24:33.485917 #4136927] ERROR – : SSL certificate with unexpected serial supplied
2020-07-27T17:24:33 4030f811 [I] Finished GET /dynflow/tasks/count with 403 (0.58 ms)

mdegouw · August 31, 2020, 1:02pm

Any news on this topic? Maybe I configured something wrong?

aruzicka · August 31, 2020, 5:58pm

Possibly, see here, it might help you get moving