Issues getting Smart Proxy to register with Foreman

I'm currently working on setting up a new prototype infrastructure with
Foreman and Puppet but I'm running into a snag.

When I try to register the Smart Proxy with the Foreman server I'm getting
an SSL ERROR

Unable to save
Unable to communicate with the proxy: ERF12-2530 [ProxyAPI::ProxyException]:
Unable to detect features ([OpenSSL::SSL::SSLError]: SSL_connect returned=1
errno=0 state=SSLv3 read server session ticket A: sslv3 alert un…) for
proxy https://puppet.example.dev:8443/features
Please check the proxy is configured and running on the host.

Here is a little background on the boxes.

The Foreman Server:

  • Is not running puppet
  • Apache is installed and configured with foreman puppet module

## Install/Configure Foreman UI
class { 'foreman':
  configure_scl_repo    => false,
  configure_epel_repo   => false,
  custom_repo           => true,
  locations_enabled     => true,
  organizations_enabled => true,
  server_ssl_ca         => '/etc/pki/tls/certs/ca.crt',
  server_ssl_chain      => '/etc/pki/tls/certs/ca.crt',
  server_ssl_cert       => "/etc/pki/tls/certs/foreman.${::domain}.crt",
  server_ssl_key        => "/etc/pki/tls/private/foreman.${::domain}.key",
  server_ssl_crl        => '/etc/pki/tls/certs/crl.pem',
  websockets_ssl_cert   => "/etc/pki/tls/certs/foreman.${::domain}.crt",
  websockets_ssl_key    => "/etc/pki/tls/private/foreman.${::domain}.key",
  admin_username        => 'admin',
  admin_password        => 'password',
  admin_email           => 'smbambling@example.net',
  initial_organization  => 'ops',
  initial_location      => 'Chantilly_Core',
  require               => [ Class['postgresql::globals'], ],
}

file_line { 'foreman_ssl_ca_file':
  path   => '/etc/foreman/settings.yaml',
  line   => ':ssl_ca_file: /etc/pki/tls/certs/ca.crt',
  before => $foreman_service,
}
file_line { 'foreman_ssl_certificate':
  path   => '/etc/foreman/settings.yaml',
  line   => ':ssl_certificate: /etc/pki/tls/certs/foreman.example.dev.crt',
  before => $foreman_service,
}
file_line { 'foreman_ssl_priv_key':
  path   => '/etc/foreman/settings.yaml',
  line   => ':ssl_priv_key: /etc/pki/tls/private/foreman.example.dev.key',
  before => $foreman_service,
}

  • The same PKI Certificates are used for both Apache and Foreman (Web UI
    and node.rb). These are signed by an internal only CA

The Puppet Server:

  • Running PuppetServer (JVM version)
  • Has the Smart Proxy Installed via the Foreman_Proxy puppet module

## Install/Configure Foreman-Proxy
class { 'foreman_proxy':
  custom_repo           => true,
  foreman_ssl_ca        => '/etc/pki/tls/certs/ca.crt',
  foreman_ssl_cert      => "/etc/pki/tls/certs/puppet.${::domain}.crt",
  foreman_ssl_key       => "/etc/pki/tls/private/puppet.${::domain}.key",
  manage_sudoersd       => true,
  tftp                  => false,
  dhcp                  => false,
  dns                   => false,
  bmc                   => false,
  register_in_foreman   => false,
  foreman_base_url      => "https://foreman.${::domain}",
  registered_proxy_url  => "https://foreman.${::domain}:443",
  oauth_consumer_key    => 'osG83x9aG6jtJw6oJuAvUDejjQjJogxg',
  oauth_consumer_secret => 'dkFMYDPqJaHcu5LmYaqYpijiXiHS3FPF',
}

  • The PKI Certificates used for the Smart Proxy are signed by the same CA
    as the Puppet certificates noted above
  • The Smart Proxy is set to use the internal signed certs.

# if enabled, all communication would be verified via SSL
# NOTE that both certificates need to be signed by the same CA in order for this to work
# see http://theforeman.org/projects/smart-proxy/wiki/SSL for more information
:ssl_ca_file: /etc/pki/tls/certs/ca.crt
:ssl_certificate: /etc/pki/tls/certs/puppet.example.dev.crt
:ssl_private_key: /etc/pki/tls/private/puppet.example.dev.key

# the hosts which the proxy accepts connections from
# commenting the following lines would mean every verified SSL connection allowed
##:trusted_hosts:
## - puppet.example.dev
## - foreman.example.dev

# Endpoint for reverse communication
:foreman_url: https://foreman.example.dev

# SSL settings for client authentication against Foreman. If undefined, the values
# from general SSL options are used instead. Mainly useful when Foreman uses
# different certificates for its web UI and for smart-proxy requests.
:foreman_ssl_ca: /etc/pki/tls/certs/ca.crt
:foreman_ssl_cert: /etc/pki/tls/certs/puppet.example.dev.crt
:foreman_ssl_key: /etc/pki/tls/private/puppet.example.dev.key

Troubleshooting:

  • I've verified that the :trusted_hosts: section in settings.yml for the
    smart proxy is commented out to force SSL
  • I've uncommented the :trusted_hosts: section and added foreman.example
  • I've verified that the PKI certs and CA are correct on the systems.

[root@puppet certs]# ssh foreman.example.dev cat '/etc/pki/tls/certs/ca.crt' | diff -y --suppress-common-lines /etc/pki/tls/certs/ca.crt -
root@foreman.example.dev's password:
[root@puppet certs]#

  • I've double checked the provisioning settings for the foreman server:

      ssl_ca_file      /etc/pki/tls/certs/ca.crt                     SSL CA file that Foreman will use to communicate with its proxies
      ssl_certificate  /etc/pki/tls/certs/foreman.example.dev.crt    SSL Certificate path that Foreman would use to communicate with its proxies
      ssl_priv_key     /etc/pki/tls/private/foreman.example.dev.key  SSL Private Key file that Foreman will use to communicate with its proxies

  • I've checked that the PKI keys are valid and set for Extended Web Usage

X509v3 Extended Key Usage:
    TLS Web Server Authentication

  • Tested with curl, but it's also giving me an error

[root@foreman ~]# curl -vvv --cert /etc/pki/tls/certs/foreman.example.dev.crt --key /etc/pki/tls/private/foreman.example.dev.key --cacert /etc/pki/tls/certs/ca.crt https://puppet.example.dev:8443/features
* About to connect() to puppet.example.dev port 8443 (#0)
*   Trying 10.10.10.10... connected
* Connected to puppet.example.dev (10.10.10.10) port 8443 (#0)
* Initializing NSS with certpath: sql:/etc/pki/nssdb
*   CAfile: /etc/pki/tls/certs/ca.crt
  CApath: none
* NSS: client certificate from file
*       subject: E=sysadmin@fake.net,CN=foreman.example.dev,O=Fake Corp Ltd.,L=Dumfries,ST=Virginia,C=US
*       start date: Feb 21 11:22:54 2015 GMT
*       expire date: Feb 18 11:22:54 2025 GMT
*       common name: foreman.example.dev
*       issuer: E=sysadmin@fake.net,CN=Fake Ltd. CA,O=Fake Corp Ltd.,L=Dumfries,ST=Virginia,C=US
* NSS error -12225
* Closing connection #0
* SSL connect error
curl: (35) SSL connect error

  • I've tried certs from multiple CAs but both give the same error.

Any ideas on fixes or troubleshooting are welcome!

Thanks,

STEVE


Talking with mmoll in IRC I did some upgrades and downgrades but still get
the same error

    • Upgrade to foreman-proxy-1.8.0-0.develop.201502190906gita729746
    • Downgraded to foreman-proxy-1.6.3-1
    • Downgraded to foreman-proxy-1.6.2-1

still getting the same error.


After a little more digging and troubleshooting with openssl I decided to
start the proxy and log to stdout. I was given more detailed errors:

sslv3 alert unsupported certificate:s3_pkt.c:1259:SSL alert number 43

and

SSL routines:SSL3_READ_BYTES:sslv3 alert unsupported
certificate:s3_pkt.c:1259:SSL alert number 43

Taking a look back at the configuration and PKI certs that I had installed
via vagrant, it turns out that I was using a server certificate where a
client certificate was expected, so it was really not sending a client
cert when attempting to talk to the foreman proxy.
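The root cause Steve reaches above, reproduced offline as an added example (this is not code from the thread or from the Foreman project): a POSIX shell script that, using only the openssl CLI, builds a throwaway CA plus one leaf with serverAuth only and one with serverAuth and clientAuth, then checks each for the TLS client-authentication purpose the way a verifying peer does. All CNs, file names and the temporary directory are constructed for the demo. The EKU check in the first post only looked for TLS Web Server Authentication; a certificate that Foreman presents to the proxy also needs TLS Web Client Authentication. `openssl verify -purpose sslclient` rejects the serverAuth-only leaf with "unsupported certificate purpose", which is the verification result a TLS server reports back as the "unsupported certificate" alert (number 43) that showed up once the proxy logged to stdout.

```shell
#!/bin/sh
# Added example, not from the thread: check a PEM certificate for the TLS
# client-authentication purpose before using it as Foreman's client cert
# towards the smart proxy, and reproduce the thread's failure offline.
# Assumes only the `openssl` CLI; every name, path and CN here is constructed.

# Print the Extended Key Usage value of a PEM certificate (empty if none).
cert_eku() {
    openssl x509 -in "$1" -noout -text |
        awk '/X509v3 Extended Key Usage/ { getline; sub(/^[ \t]+/, ""); print }'
}

# Return 0 if OpenSSL's purpose check accepts the cert for "$2", which is
# "SSL client" or "SSL server"; this is the EKU/keyUsage test a verifying
# TLS peer applies to the certificate it receives.
cert_allows() {
    openssl x509 -in "$1" -noout -purpose | grep -q "^$2 : Yes"
}

# Return 0 if the cert chains to CA "$1" AND is valid as a TLS client cert.
# A serverAuth-only cert fails with "unsupported certificate purpose", the
# verify error a TLS server turns into the "unsupported certificate" alert.
verify_client_cert() {
    openssl verify -purpose sslclient -CAfile "$1" "$2" >/dev/null 2>&1
}

# Build a throwaway PKI under directory "$1": a CA, "server.crt" with
# serverAuth only (the thread's situation) and "client.crt" with serverAuth
# and clientAuth (what a cert used in both roles needs).
setup_demo_pki() {
    dir="$1"
    cat > "$dir/pki.cnf" <<'EOF'
[ req ]
distinguished_name = dn
prompt = no
[ dn ]
CN = Demo Internal CA
[ ca_ext ]
basicConstraints = critical,CA:true
keyUsage = critical,keyCertSign,cRLSign
[ server_only ]
extendedKeyUsage = serverAuth
[ server_and_client ]
extendedKeyUsage = serverAuth,clientAuth
EOF
    # Self-signed CA with proper CA extensions.
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -config "$dir/pki.cnf" \
        -extensions ca_ext -keyout "$dir/ca.key" -out "$dir/ca.crt" 2>/dev/null
    # Two leaves signed by that CA, differing only in their EKU.
    for name in server client; do
        case $name in
            server) ext=server_only ;;
            client) ext=server_and_client ;;
        esac
        openssl req -new -newkey rsa:2048 -nodes -config "$dir/pki.cnf" \
            -subj "/CN=foreman.demo.test" \
            -keyout "$dir/$name.key" -out "$dir/$name.csr" 2>/dev/null
        openssl x509 -req -days 1 -in "$dir/$name.csr" \
            -CA "$dir/ca.crt" -CAkey "$dir/ca.key" -CAcreateserial \
            -extfile "$dir/pki.cnf" -extensions "$ext" -out "$dir/$name.crt" 2>/dev/null
    done
}

# Human-readable report for one cert: what you would run on a real cert
# before pointing Foreman's ssl_certificate setting at it.
report() {
    ca="$1"; cert="$2"
    printf '%s\n  EKU: %s\n' "$cert" "$(cert_eku "$cert")"
    if cert_allows "$cert" "SSL server"; then echo "  usable as TLS server cert: yes"; else echo "  usable as TLS server cert: no"; fi
    if cert_allows "$cert" "SSL client"; then echo "  usable as TLS client cert: yes"; else echo "  usable as TLS client cert: no"; fi
    if verify_client_cert "$ca" "$cert"; then echo "  verify -purpose sslclient: OK"; else echo "  verify -purpose sslclient: FAILED (unsupported certificate purpose)"; fi
}

main() {
    work=$(mktemp -d)
    setup_demo_pki "$work"
    report "$work/ca.crt" "$work/server.crt"
    report "$work/ca.crt" "$work/client.crt"
    rm -rf "$work"
}

main
```

Run the script as-is to see the two reports side by side; for a production check, call `verify_client_cert /etc/pki/tls/certs/ca.crt <cert>` against the certificate Foreman is configured to present, and `cert_allows <cert> "SSL server"` against the one Apache serves, since the thread uses one certificate for both roles.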

Hi Steve,

I'm facing a similar issue.
Can you elaborate on what changes you made?

Was it on the smart proxy or on foreman?