I'm currently working on setting up a new prototype infrastructure with
Foreman and Puppet but I'm running into a snag.
When I try to register the Smart Proxy with the Foreman server I'm getting
an SSL ERROR
Unable to save
Unable to communicate with the proxy: ERF12-2530 [ProxyAPI::ProxyException]:
Unable to detect features ([OpenSSL::SSL::SSLError]: SSL_connect returned=1
errno=0 state=SSLv3 read server session ticket A: sslv3 alert un…) for
proxy https://puppet.example.dev:8443/features
Please check the proxy is configured and running on the host.
Here is a little background on the boxes.
The Foreman Server:
- Is not running puppet
- Apache is installed and configured with foreman puppet module
# Install/Configure Foreman UI
class { 'foreman':
  configure_scl_repo    => false,
  configure_epel_repo   => false,
  custom_repo           => true,
  locations_enabled     => true,
  organizations_enabled => true,
  server_ssl_ca         => '/etc/pki/tls/certs/ca.crt',
  server_ssl_chain      => '/etc/pki/tls/certs/ca.crt',
  server_ssl_cert       => "/etc/pki/tls/certs/foreman.${::domain}.crt",
  server_ssl_key        => "/etc/pki/tls/private/foreman.${::domain}.key",
  server_ssl_crl        => '/etc/pki/tls/certs/crl.pem',
  websockets_ssl_cert   => "/etc/pki/tls/certs/foreman.${::domain}.crt",
  websockets_ssl_key    => "/etc/pki/tls/private/foreman.${::domain}.key",
  admin_username        => 'admin',
  admin_password        => 'password',
  admin_email           => 'smbambling@example.net',
  initial_organization  => 'ops',
  initial_location      => 'Chantilly_Core',
  require               => [ Class['postgresql::globals'], ],
}
file_line { 'foreman_ssl_ca_file':
  path   => '/etc/foreman/settings.yaml',
  line   => ':ssl_ca_file: /etc/pki/tls/certs/ca.crt',
  before => $foreman_service,
}
file_line { 'foreman_ssl_certificate':
  path   => '/etc/foreman/settings.yaml',
  line   => ':ssl_certificate: /etc/pki/tls/certs/foreman.example.dev.crt',
  before => $foreman_service,
}
file_line { 'foreman_ssl_priv_key':
  path   => '/etc/foreman/settings.yaml',
  line   => ':ssl_priv_key: /etc/pki/tls/private/foreman.example.dev.key',
  before => $foreman_service,
}
- The same PKI Certificates are used for both Apache and Foreman (Web UI
and node.rb). These are signed by an internal only CA
The Puppet Server:
- Running PuppetServer (JVM version)
- Has the Smart Proxy Installed via the Foreman_Proxy puppet module
# Install/Configure Foreman-Proxy
class { 'foreman_proxy':
  custom_repo           => true,
  foreman_ssl_ca        => '/etc/pki/tls/certs/ca.crt',
  foreman_ssl_cert      => "/etc/pki/tls/certs/puppet.${::domain}.crt",
  foreman_ssl_key       => "/etc/pki/tls/private/puppet.${::domain}.key",
  manage_sudoersd       => true,
  tftp                  => false,
  dhcp                  => false,
  dns                   => false,
  bmc                   => false,
  register_in_foreman   => false,
  foreman_base_url      => "https://foreman.${::domain}",
  registered_proxy_url  => "https://foreman.${::domain}:443",
  oauth_consumer_key    => 'osG83x9aG6jtJw6oJuAvUDejjQjJogxg',
  oauth_consumer_secret => 'dkFMYDPqJaHcu5LmYaqYpijiXiHS3FPF',
}
- The PKI Certificates used for the Smart Proxy are signed by the same CA
  as the Puppet certificates noted above
- The Smart Proxy is set to use the internal signed certs.
# if enabled, all communication would be verified via SSL
# NOTE that both certificates need to be signed by the same CA in order for
# this to work
# see SSL - Smart Proxy - Foreman for more information
:ssl_ca_file: /etc/pki/tls/certs/ca.crt
:ssl_certificate: /etc/pki/tls/certs/puppet.example.dev.crt
:ssl_private_key: /etc/pki/tls/private/puppet.example.dev.key
# the hosts which the proxy accepts connections from
# commenting the following lines would mean every verified SSL connection
# allowed
##:trusted_hosts:
- puppet.example.dev
- foreman.example.dev
# Endpoint for reverse communication
:foreman_url: https://foreman.example.dev
# SSL settings for client authentication against Foreman. If undefined, the
# values from general SSL options are used instead. Mainly useful when Foreman
# uses different certificates for its web UI and for smart-proxy requests.
:foreman_ssl_ca: /etc/pki/tls/certs/ca.crt
:foreman_ssl_cert: /etc/pki/tls/certs/puppet.example.dev.crt
:foreman_ssl_key: /etc/pki/tls/private/puppet.example.dev.key
Troubleshooting:
- I've verified that the :trusted_hosts: section in settings.yml for the
  smart proxy is commented out to force SSL
- I've uncommented the :trusted_hosts: section and added foreman.example
- I've verified that the PKI certs and CA are correct on the systems.
[root@puppet certs]# ssh foreman.example.dev cat '/etc/pki/tls/certs/ca.crt' | diff -y --suppress-common-lines /etc/pki/tls/certs/ca.crt -
root@foreman.example.dev's password:
[root@puppet certs]#
- I've double checked the provision settings for the foreman server
  ssl_ca_file      /etc/pki/tls/certs/ca.crt                     SSL CA file that Foreman will use to communicate with its proxies
  ssl_certificate  /etc/pki/tls/certs/foreman.example.dev.crt    SSL Certificate path that Foreman would use to communicate with its proxies
  ssl_priv_key     /etc/pki/tls/private/foreman.example.dev.key  SSL Private Key file that Foreman will use to communicate with its proxies
- I've checked that the PKI keys are valid and set for Extended Web Usage
  X509v3 Extended Key Usage:
      TLS Web Server Authentication
- Tested with curl …but it's also giving me an error
[root@foreman ~]# curl -vvv --cert /etc/pki/tls/certs/foreman.example.dev.crt --key /etc/pki/tls/private/foreman.example.dev.key --cacert /etc/pki/tls/certs/ca.crt https://puppet.example.dev:8443/features
* About to connect() to puppet.example.dev port 8443 (#0)
*   Trying 10.10.10.10... connected
* Connected to puppet.example.dev (10.10.10.10) port 8443 (#0)
* Initializing NSS with certpath: sql:/etc/pki/nssdb
*   CAfile: /etc/pki/tls/certs/ca.crt
  CApath: none
* NSS: client certificate from file
*       Ltd.,L=Dumfries,ST=Virginia,C=US
*       start date: Feb 21 11:22:54 2015 GMT
*       expire date: Feb 18 11:22:54 2025 GMT
*       common name: foreman.example.dev
*       issuer: E=sysadmin@fake.net,CN=Fake Ltd. CA,O=Fake Corp Ltd.,L=Dumfries,ST=Virginia,C=US
* NSS error -12225
* Closing connection #0
* SSL connect error
curl: (35) SSL connect error
- I've tried certs from multiple CAs but both give the same error.
Any idea on fixes or troubleshooting are welcome!
Thanks,
STEVE
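Two local checks on the client certificate Foreman presents to the Smart Proxy, as an added example that is not part of the original post: whether the certificate chains to the CA in the proxy's :ssl_ca_file (curl's NSS backend reports the proxy's unknown-CA alert as error -12225), and whether its Extended Key Usage permits TLS client authentication, which OpenSSL's default server-side verification of client certificates requires. Assumes openssl on PATH; the CA names, certificate files and the serverAuth-only versus clientAuth scenario are constructed in a temp directory.

```shell
#!/bin/sh
# Added example, not code from the original post: checks that a Foreman client cert
# chains to the CA in the Smart Proxy's :ssl_ca_file and that its Extended Key Usage
# permits TLS client auth. Assumes openssl on PATH; builds a throwaway PKI in a temp dir.
set -e
WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
# make_ca NAME: self-signed CA certificate and key
make_ca() {
    openssl req -x509 -newkey rsa:2048 -nodes -subj "/CN=$1" -days 1 \
        -keyout "$WORK/$1.key" -out "$WORK/$1.crt" >/dev/null 2>&1
}
# make_leaf NAME CA EKU: leaf cert for NAME signed by CA, with that extendedKeyUsage
make_leaf() {
    openssl req -newkey rsa:2048 -nodes -subj "/CN=$1" \
        -keyout "$WORK/$1.key" -out "$WORK/$1.csr" >/dev/null 2>&1
    printf 'extendedKeyUsage=%s\n' "$3" > "$WORK/$1.ext"
    openssl x509 -req -in "$WORK/$1.csr" -CA "$WORK/$2.crt" -CAkey "$WORK/$2.key" \
        -CAcreateserial -days 1 -extfile "$WORK/$1.ext" -out "$WORK/$1.crt" >/dev/null 2>&1
}
# cert_chains_to_ca CERT CAFILE: exit 0 when CERT verifies against CAFILE
cert_chains_to_ca() { openssl verify -CAfile "$2" "$1" >/dev/null 2>&1; }
# has_client_auth_eku CERT: exit 0 when the EKU extension lists client authentication
has_client_auth_eku() {
    openssl x509 -in "$1" -noout -text | grep -A1 'X509v3 Extended Key Usage' \
        | grep -q 'TLS Web Client Authentication'
}
# issuer_of / subject_of CERT: DN in RFC 2253 form, for side-by-side comparison
issuer_of()  { openssl x509 -in "$1" -noout -issuer  -nameopt RFC2253 | sed 's/^issuer=//'; }
subject_of() { openssl x509 -in "$1" -noout -subject -nameopt RFC2253 | sed 's/^subject=//'; }
# report CERT CAFILE: say why a proxy trusting CAFILE would accept or reject CERT
report() {
    if ! cert_chains_to_ca "$1" "$2"; then
        echo "$(basename "$1"): issuer '$(issuer_of "$1")' is not '$(subject_of "$2")' -> unknown CA"
    elif ! has_client_auth_eku "$1"; then
        echo "$(basename "$1"): chains to $(basename "$2") but EKU lacks clientAuth -> client auth fails"
    else
        echo "$(basename "$1"): chains to $(basename "$2") and permits clientAuth -> OK"
    fi
}
# Constructed scenario: two CAs; two certs for the Foreman host, both issued by
# internal-ca, one with serverAuth only (as in the post) and one that adds clientAuth.
make_ca internal-ca
make_ca other-ca
make_leaf foreman-serveronly internal-ca serverAuth
make_leaf foreman-client internal-ca serverAuth,clientAuth
report "$WORK/foreman-serveronly.crt" "$WORK/internal-ca.crt"
report "$WORK/foreman-client.crt" "$WORK/internal-ca.crt"
report "$WORK/foreman-client.crt" "$WORK/other-ca.crt"
```

Run the same two checks against the real files by pointing cert_chains_to_ca and has_client_auth_eku at Foreman's ssl_certificate and the proxy's :ssl_ca_file.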