Yes, HTTPS is the default; only the template plugin enables both, if I remember correctly.
Your installer options look correct, but the resulting proxy is missing Puppet, so an error should have occurred somewhere. The PuppetCA feature is only for certificate handling, Puppet is required for ENC and Import functionality.
So, just curious, do I attempt the foreman-installer again? I just tried that and see the same messages I saw before.
2022-10-06 09:01:40 [ERROR ] [configure] Proxy uabrl-fore02.olh.local has failed to load one or more features (Puppet), check /var/log/foreman-proxy/proxy.log for configuration errors
2022-10-06 09:01:40 [ERROR ] [configure] /Stage[main]/Foreman_proxy::Register/Foreman_smartproxy[uabrl-fore02.olh.local]/features: change from ["Logs", "Pulpcore", "Puppet CA"] to ["Logs", "Pulpcore", "Puppet", "Puppet CA"] failed: Proxy uabrl-fore02.olh.local has failed to load one or more features (Puppet), check /var/log/foreman-proxy/proxy.log for configuration errors
2022-10-06 09:01:43 [NOTICE] [configure] System configuration has finished.
There were errors detected during install.
Please address the errors and re-run the installer to ensure the system is properly configured.
Failing to do so is likely to result in broken functionality.
The full log is at /var/log/foreman-installer/katello.log
The proxy.log doesn't show any errors.
katello.log shows the same error as above.
journalctl -xe shows this:
Oct 06 09:01:08 uabrl-fore02 puppet-agent[22407]: Connection to https://uabrl-fore02.olh.local:8140/puppet/v3 failed, trying next rou
Oct 06 09:01:08 uabrl-fore02 puppet-agent[22407]: Wrapped exception:
Oct 06 09:01:08 uabrl-fore02 puppet-agent[22407]: Failed to open TCP connection to uabrl-fore02.olh.local:8140 (Connection refused -
Oct 06 09:01:08 uabrl-fore02 puppet-agent[22407]: Unable to fetch my node definition, but the agent run will continue:
Oct 06 09:01:08 uabrl-fore02 puppet-agent[22407]: No more routes to puppet
Oct 06 09:01:08 uabrl-fore02 puppet-agent[22407]: Connection to https://uabrl-fore02.olh.local:8140/puppet/v3 failed, trying next rou
Oct 06 09:01:08 uabrl-fore02 puppet-agent[22407]: Wrapped exception:
Oct 06 09:01:08 uabrl-fore02 puppet-agent[22407]: Failed to open TCP connection to uabrl-fore02.olh.local:8140 (Connection refused -
Oct 06 09:01:08 uabrl-fore02 puppet-agent[22407]: No more routes to fileserver
Oct 06 09:01:08 uabrl-fore02 puppet-agent[22407]: Connection to https://uabrl-fore02.olh.local:8140/puppet/v3 failed, trying next rou
Oct 06 09:01:08 uabrl-fore02 puppet-agent[22407]: Wrapped exception:
Oct 06 09:01:08 uabrl-fore02 puppet-agent[22407]: Failed to open TCP connection to uabrl-fore02.olh.local:8140 (Connection refused -
Oct 06 09:01:08 uabrl-fore02 puppet-agent[22407]: Could not retrieve catalog from remote server: No more routes to puppet
Oct 06 09:01:08 uabrl-fore02 puppet-agent[22407]: Could not retrieve catalog; skipping run
Oct 06 09:01:08 uabrl-fore02 puppet-agent[22407]: Connection to https://uabrl-fore02.olh.local:8140/puppet/v3 failed, trying next rou
Oct 06 09:01:08 uabrl-fore02 puppet-agent[22407]: Wrapped exception:
Oct 06 09:01:08 uabrl-fore02 puppet-agent[22407]: Failed to open TCP connection to uabrl-fore02.olh.local:8140 (Connection refused -
Oct 06 09:01:08 uabrl-fore02 puppet-agent[22407]: Could not send report: No more routes to report
I noticed that 8140 is a different port than the smart proxy port of 9090. Should these be the same? Any suggestions?
Thanks for the help. When I do the curl, I get this untrusted CA issuer as shown below. This shows the older foreman/puppet machine we had before. I'm guessing that when this machine was created those files were just copied across.
Any thoughts on how to change this? I did do a rmdir -f /etc/puppetlabs/puppet/ssl to remove some older certs and reran foreman-installer, which was supposed to recreate these again.
[lance_lyons@uabrl-fore02 ~]$ curl -v https://uabrl-fore02.olh.local:8140/puppet/v3/
* About to connect() to uabrl-fore02.olh.local port 8140 (#0)
* Trying 172.29.99.67...
* Connected to uabrl-fore02.olh.local (172.29.99.67) port 8140 (#0)
* Initializing NSS with certpath: sql:/etc/pki/nssdb
* CAfile: /etc/pki/tls/certs/ca-bundle.crt
CApath: none
* Server certificate:
* subject: CN=uabrl-fore02.olh.local
* start date: Oct 03 22:25:29 2022 GMT
* expire date: Oct 03 22:25:29 2027 GMT
* common name: uabrl-fore02.olh.local
* issuer: CN=Puppet CA: uabrl-fore01.olh.local
* NSS error -8172 (SEC_ERROR_UNTRUSTED_ISSUER)
* Peer's certificate issuer has been marked as not trusted by the user.
* Closing connection 0
curl: (60) Peer's certificate issuer has been marked as not trusted by the user.
More details here: http://curl.haxx.se/docs/sslcerts.html
curl performs SSL certificate verification by default, using a "bundle"
of Certificate Authority (CA) public keys (CA certs). If the default
bundle file isn't adequate, you can specify an alternate file
using the --cacert option.
If this HTTPS server uses a certificate signed by a CA represented in
the bundle, the certificate verification probably failed due to a
problem with the certificate (it might be expired, or the name might
not match the domain name in the URL).
If you'd like to turn off curl's verification of the certificate, use
the -k (or --insecure) option.
You have to add --cacert /etc/puppetlabs/puppet/ssl/certs/ca.pem to the curl command to point it to the Puppet CA certificate for verification.
That way you have removed your puppetserver ca certificate. I doubt foreman-installer will fix everything after that because some certificates have already been issued…
And again: check the puppetserver logs for those failed access attempts from the puppet agent…
OK, with --cacert /etc/puppetlabs/puppet/ssl/certs/ca.pem added, it gives me more info, but I think I'm still in the same boat.
[lance_lyons@uabrl-fore02 etc]$ curl -v https://uabrl-fore02.olh.local:8140/puppet/v3/ --cacert /etc/puppetlabs/puppet/ssl/certs/ca.pem
* About to connect() to uabrl-fore02.olh.local port 8140 (#0)
* Trying 172.29.99.67...
* Connected to uabrl-fore02.olh.local (172.29.99.67) port 8140 (#0)
* Initializing NSS with certpath: sql:/etc/pki/nssdb
* Closing connection 0
curl: (77) Problem with the SSL CA cert (path? access rights?)
I believe the previous guy who set this up copied some things across from the older machine uabrl-fore01. I need to fix that issue so the issuer shows like this:
Server certificate:
subject: CN=uabrl-fore02.olh.local
start date: Oct 03 22:25:29 2022 GMT
expire date: Oct 03 22:25:29 2027 GMT
common name: uabrl-fore02.olh.local
issuer: CN=Puppet CA: uabrl-fore02.olh.local
instead of uabrl-fore01.olh.local.
Do you know if this CA issuer is set up as part of the foreman-installer process or some other process? How might I change that so the issuer CA is my current machine? That other machine uabrl-fore01 has been decommissioned for some time.
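The thread shows three distinct failure modes that are easy to conflate: port 8140 refusing connections (puppetserver not listening; 8140 is puppetserver's port and 9090 is foreman-proxy's, so they are meant to differ), a server certificate issued by a Puppet CA on a different host than the one being queried, and curl being unable to read the CA file handed to --cacert. The following Python script is an added example, not code from the thread or from the Foreman project: it runs over constructed log lines modelled on the journalctl and curl output quoted above and separates those cases so the fix can be targeted. The sample lines and the `diagnose` function are assumptions of this example.

```python
"""Triage helper for the puppetserver / Puppet CA errors seen in this thread.

Added example: the sample lines below are constructed from the journalctl and
curl output quoted in the thread; nothing here is Foreman or Puppet code.
"""
import re

# Constructed sample input, modelled on the output quoted in the thread.
SAMPLE_LINES = [
    "Oct 06 09:01:08 uabrl-fore02 puppet-agent[22407]: Failed to open TCP connection "
    "to uabrl-fore02.olh.local:8140 (Connection refused -",
    "Oct 06 09:01:08 uabrl-fore02 puppet-agent[22407]: Failed to open TCP connection "
    "to uabrl-fore02.olh.local:8140 (Connection refused -",
    "* issuer: CN=Puppet CA: uabrl-fore01.olh.local",
    "* NSS error -8172 (SEC_ERROR_UNTRUSTED_ISSUER)",
    "curl: (77) Problem with the SSL CA cert (path? access rights?)",
]

# Default listeners: puppetserver on 8140, foreman-proxy (smart proxy) on 9090.
KNOWN_PORTS = {8140: "puppetserver", 9090: "foreman-proxy"}

REFUSED_RE = re.compile(r"Failed to open TCP connection to ([\w.-]+):(\d+) \(Connection refused")
ISSUER_RE = re.compile(r"issuer:\s*CN=Puppet CA:\s*([\w.-]+)")
UNTRUSTED_RE = re.compile(r"SEC_ERROR_UNTRUSTED_ISSUER")
CURL77_RE = re.compile(r"curl: \(77\)")


def diagnose(lines, expected_ca_host):
    """Return a de-duplicated list of (code, detail) findings for the given lines.

    expected_ca_host is the host whose Puppet CA should have issued the server
    certificate (normally the puppetserver host itself).
    """
    findings = []
    seen = set()

    def add(code, detail):
        key = (code, detail)
        if key not in seen:           # journalctl repeats the same line many times
            seen.add(key)
            findings.append(key)

    for line in lines:
        m = REFUSED_RE.search(line)
        if m:
            host, port = m.group(1), int(m.group(2))
            service = KNOWN_PORTS.get(port, "unknown service")
            add("connection_refused",
                f"nothing listening on {host}:{port} ({service}); "
                "check the service is running before chasing certificates")
            continue
        m = ISSUER_RE.search(line)
        if m:
            ca_host = m.group(1)
            if ca_host == expected_ca_host:
                add("issuer_ok", f"server certificate issued by Puppet CA on {ca_host}")
            else:
                add("issuer_mismatch",
                    f"server certificate issued by Puppet CA on {ca_host}, expected "
                    f"{expected_ca_host}; the SSL directory was likely copied from the old host")
            continue
        if UNTRUSTED_RE.search(line):
            add("untrusted_issuer",
                "curl's default CA bundle does not contain the Puppet CA; "
                "pass --cacert /etc/puppetlabs/puppet/ssl/certs/ca.pem")
            continue
        if CURL77_RE.search(line):
            add("ca_file_unreadable",
                "curl could not read the --cacert file; verify the path exists "
                "and is readable by the user running curl")
    return findings


def codes(lines, expected_ca_host):
    """Convenience wrapper returning only the finding codes, in order."""
    return [code for code, _ in diagnose(lines, expected_ca_host)]


if __name__ == "__main__":
    for code, detail in diagnose(SAMPLE_LINES, "uabrl-fore02.olh.local"):
        print(f"{code:20s} {detail}")
```

Run it against the real output by piping `journalctl -u puppet` or `curl -v ...` lines into `diagnose`; the point of the de-duplication is that a single `connection_refused` finding should send you to the puppetserver service status first, since no certificate change can help while port 8140 is closed.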
I did eventually get this working. I did try a number of things so I can be sure what allowed it to work. My assumption is when I did yum update all and then reran the foreman-installer with the correct parameters shown earlier, it completed the task.