Issues retrieving catalog for new node

Note I’m hoping to use Foreman for dashboarding purposes only. I’m manually defining nodes in /etc/puppetlabs/code/environments/production/manifests/.
I’ve been doing this for a number of other nodes (3) and it’s working OK and correctly detecting changes as I make them.

Running puppet agent --test on a node which I’ve just created and signed the cert for returns:
`Error: Could not retrieve catalog from remote server: Error 500 on SERVER: Server Error: Failed when searching for node FQDN: Failed to find FQDN via exec: Execution of ‘/etc/puppetlabs/puppet/node.rb FQDN’ returned 1

Expected outcome:
The catalog to be returned

Foreman and Proxy versions:
Foreman: 1.16.0
Proxy: 1.16.0

Other relevant data:

  • I’ve taken a look at and this is already configured correctly.
  • I’ve restarted services and the Puppet Master / Foreman host
  • Foreman Proxy appears to be collecting environment data correctly
  • I can’t see anything helpful in foreman.log
  • puppetserver.log reports that the 3 other hosts’ catalogs are being generated successfully
  • For the FQDN in question:
    2018-02-21 15:46:05,368 ERROR [qtp917889201-60] [puppetserver] Puppet Server Error: Failed to find testproxy.customerb.local via exec: Execution of '/etc/puppetlabs/puppet/node.rb testproxy.customerb.local' returned 1: Unable to read from Cache file: No such file or directory - /opt/puppetlabs/server/data/puppetserver/yaml/foreman/testproxy.customerb.local.yaml
  • The host in question shows up in the foreman web UI in an error state

I’ve just discovered the following in the puppetserver.log that seems to be part of the problem here:

`2018-02-21 17:41:00,384 WARN [qtp32707968-66] [c.p.p.ShellUtils] Executed an external process which logged to STDERR: During fact upload occured an exception: SSL_connect returned=1 errno=0 state=error: certificate verify failed

I’m using non-self-signed certs as per the documented here: Foreman :: Replacing Foreman’s web SSL certificate.

I’ve seen others report similar problems when using ‘real’ certs but haven’t been able to find a solution anywhere…

Did you happen to find a solutions for your issue?

No solution? I opened a request for help today, that appears to be similar, if not exactly the same issue here. I hate to give up on Foreman. It’s a great tool for monitoring puppet, but it broke puppet and I need puppet to work.

So, I found a workaround, but obviously not a solution. I changed 2 occurrences of this line, in node.rb:

http.verify_mode = OpenSSL::SSL::VERIFY_PEER
http.verify_mode = OpenSSL::SSL::VERIFY_NONE

I closed out my question, as it’s more a puppetserver issue than a foreman problem.

Did you log a support request with Puppet directly? You’re correct as it sounds like it might be a puppet server (or even lower at an OpenSSL level) - and so perhaps we should move this thread to them.

So, I found a solution.

Not sure if I mentioned this before, but my Puppetserver predates my Foreman server by several months, so they are separate servers, and the node.rb version was something I downloaded from Git Hub while implementing the foreman-proxy. Also, I introduced a DigiCert certificate into the mix, so that Foreman would look legit.

With that said, at some point, whenever adding new agent nodes, I would experience this failure, which appears to be due to the fact that the Foreman certificate *.pem was signed by my puppetserver’s self-signed certificate ca.

This morning, I appended my Puppetserver’s /etc/puppetlabs/puppet/ssl/certs/ca.pem to
/etc/pki/tls/ca-bundle.crt. I restored the node.rb, so that it would verify the cert, and initial testing shows that this has fixed my issue.

Sadly, @vegaskid’s tip doesn’t seem to work for me :frowning: