[Katello 2.2.1] unable to communicate with the proxy:permission denied - did I break it?

I would be grateful for some assistance. My apologies in advance if I
have missed the solution to this, but I have looked. I now fear I am going
round in circles. All was well, I think, until I updated my foreman UI
certificate (as follows):

$ katello-certs-check -c katello.cer -k katello.key -r katello.csr -b RootAll.cer

Validating the certificate subject=
/C=GB/ST=County./L=Town/O=MyCompany/OU=Ops/CN=katello.mydomain
Check private key matches the certificate: [OK]
Check ca bundle verifies the cert file: [OK]
Validation succeeded.
<snip - shows next commands to run>

Install the certificates

$ katello-installer --certs-server-cert "katello.cer" \
    --certs-server-cert-req "katello.csr" --certs-server-key "katello.key" \
    --certs-server-ca-cert "RootAll.cer" --certs-update-server \
    --certs-update-server-ca

Marking certificate /root/ssl-build/katello.mydomain/katello.mydomain-apache for update
Marking certificate /root/ssl-build/katello.mydomain/katello.mydomain-foreman-proxy for update
Marking certificate /root/ssl-build/katello-server-ca for update
Preparing installation Done
Success!

  • Katello is running at https://katello.mydomain
    Initial credentials are admin / KxTYIJIUGMRJABKRw
  • Capsule is running at https://katello.mydomain:9090
  • To install additional capsule on separate machine continue by running:"
    capsule-certs-generate --capsule-fqdn "$CAPSULE" --certs-tar
    "~/$CAPSULE-certs.tar"
    The full log is at /var/log/katello-installer/katello-installer.log

The UI now shows a shiny padlock. But, Administer -> About -> Smart
Proxies reveals:

unable to communicate with the proxy:permission denied

followed by the path to the certificate I specified with Administer ->
Settings -> Provisioning -> ssl_certificate. I pointed this to the
katello.cer file I supplied to the katello-installer. Was that right? It
has the following permissions (after I blindly tried some suggestions I
found):

-rw-r--r--. 1 foreman-proxy root

When I run katello-services status:

qdrouterd (pid 1943) is running...
elasticsearch (pid 2041) is running...
celery init v10.0.
Using configuration: /etc/default/pulp_workers, /etc/default/pulp_celerybeat
pulp_celerybeat (pid 3380) is running.
celery init v10.0.
Using config script: /etc/default/pulp_resource_manager
node resource_manager (pid 3315) is running...
tomcat6 (pid 6213) is running... [ OK ]
foreman-proxy is stopped
mongod (pid 3127) is running...
celery init v10.0.
Using config script: /etc/default/pulp_workers
node reserved_resource_worker-0 (pid 3149) is running...
node reserved_resource_worker-1 (pid 3171) is running...
dynflow_executor is running.
dynflow_executor_monitor is running.
httpd (pid 2207) is running...
Some services failed: qpidd,foreman-proxy

/var/log/messages then tells me:

qpidd[2255]: 2015-07-21 15:29:00 [Security] error Rejected un-encrypted
connection.
qpidd[2255]: 2015-07-21 15:29:00 [Protocol] error Connection
qpid.127.0.0.1:5672-127.0.0.1:55495 closed by error: connection-forced:
Connection must be encrypted.(320)

Installed Packages
candlepin-0.9.45-1.el6.noarch
candlepin-common-1.0.22-1.el6.noarch
candlepin-selinux-0.9.45-1.el6.noarch
candlepin-tomcat6-0.9.45-1.el6.noarch
elasticsearch-0.90.10-7.el6.noarch
katello-2.2.1-0.el6.noarch
katello-certs-tools-2.0.1-1.el6.noarch
katello-common-2.2.1-0.el6.noarch
katello-debug-2.2.1-0.el6.noarch
katello-default-ca-1.0-1.noarch
katello-installer-2.2.2-1.el6.noarch
katello-installer-base-2.2.2-1.el6.noarch
katello-repos-2.2.1-1.el6.noarch
katello-selinux-2.2.1-1.el6.noarch
katello-server-ca-1.0-6.noarch
katello-service-2.2.1-0.el6.noarch
libqpid-dispatch-0.4-4.el6.x86_64
m2crypto-0.21.1.pulp-8.el6.x86_64
mod_wsgi-3.4-2.pulp.el6.x86_64
katello.mydomain-qpid-broker-1.0-1.noarch
katello.mydomain-qpid-client-cert-1.0-1.noarch
katello.mydomain-qpid-router-client-1.0-1.noarch
katello.mydomain-qpid-router-server-1.0-1.noarch
pulp-docker-plugins-0.2.2-1.el6.noarch
pulp-katello-0.4-1.el6.noarch
pulp-nodes-common-2.6.0-1.el6.noarch
pulp-nodes-parent-2.6.0-1.el6.noarch
pulp-puppet-plugins-2.6.0-1.el6.noarch
pulp-puppet-tools-2.6.0-1.el6.noarch
pulp-rpm-plugins-2.6.0-1.el6.noarch
pulp-selinux-2.6.0-1.el6.noarch
pulp-server-2.6.0-1.el6.noarch
python-gofer-qpid-2.5.3-1.el6.noarch
python-isodate-0.5.0-4.pulp.el6.noarch
python-kombu-3.0.24-5.pulp.el6.noarch
python-pulp-bindings-2.6.0-1.el6.noarch
python-pulp-common-2.6.0-1.el6.noarch
python-pulp-docker-common-0.2.2-1.el6.noarch
python-pulp-puppet-common-2.6.0-1.el6.noarch
python-pulp-rpm-common-2.6.0-1.el6.noarch
python-qpid-0.30-7.el6.noarch
python-qpid-qmf-0.30-5.el6.x86_64
python-rhsm-1.8.0-2.pulp.el6.x86_64
qpid-cpp-client-0.30-7.proton.0.9.el6.x86_64
qpid-cpp-client-devel-0.30-7.proton.0.9.el6.x86_64
qpid-cpp-server-0.30-7.proton.0.9.el6.x86_64
qpid-cpp-server-linearstore-0.30-7.proton.0.9.el6.x86_64
qpid-dispatch-router-0.4-4.el6.x86_64
qpid-proton-c-0.9-3.el6.x86_64
qpid-qmf-0.30-5.el6.x86_64
qpid-tools-0.30-4.el6.noarch
ruby193-rubygem-katello-2.2.2-2.el6.noarch
ruby193-rubygem-qpid_messaging-0.30.0-1.el6.x86_64
rubygem-hammer_cli_katello-0.0.14-1.el6.noarch
rubygem-smart_proxy_pulp-1.0.1-1.el6.noarch

Help?! Many thanks.
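
The listing in the post shows a world-readable certificate that still produces "permission denied"; a file's own mode is only part of the check, because every parent directory must also grant search permission. As an added example (not from the thread or from the Katello project), this script lists which path components block a user by mode bits alone. The helper names perm_bits and blocked_components are hypothetical, GNU stat and readlink -f are assumed, and SELinux (the trailing "." in the ls output means a context is set) is not evaluated.

```shell
#!/bin/sh
# Added example (not from the thread): report which components of a path a
# user cannot use, judged by owner/group/other mode bits only.
# ACLs and SELinux contexts are NOT evaluated here.

# perm_bits USER "GROUP LIST" PATH -> rwx digit (0-7) that applies to USER
perm_bits() (
    info=$(stat -c '%a %U %G' -- "$3") || return 1
    mode=$((0${info%% *}))            # leading 0 makes the value octal
    rest=${info#* }; owner=${rest%% *}; group=${rest#* }
    if [ "$1" = "$owner" ]; then
        echo $(( (mode >> 6) & 7 ))   # owner class
    else
        case " $2 " in
            *" $group "*) echo $(( (mode >> 3) & 7 )) ;;  # group class
            *)            echo $(( mode & 7 )) ;;         # other class
        esac
    fi
)

# blocked_components USER "GROUP LIST" FILE -> one line per blocking component
blocked_components() (
    file=$(readlink -f -- "$3") || return 1
    dir=$(dirname -- "$file")
    while :; do                       # every ancestor needs search (x)
        bits=$(perm_bits "$1" "$2" "$dir") || return 1
        [ $(( bits & 1 )) -ne 0 ] || echo "no-search $dir"
        [ "$dir" = / ] && break
        dir=$(dirname -- "$dir")
    done
    bits=$(perm_bits "$1" "$2" "$file") || return 1
    [ $(( bits & 4 )) -ne 0 ] || echo "no-read $file"   # file needs read (r)
    return 0
)

# On a real host (user name as in the ls output; the path is a placeholder):
#   blocked_components foreman-proxy "$(id -Gn foreman-proxy)" /path/to/katello.cer
```

An empty result means the mode bits allow the read, which points the investigation at ACLs or SELinux instead.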

The qpid status error is a red herring, it will be running but there's a
bug in the init script that means the status command doesn't return
correctly - https://issues.apache.org/jira/browse/QPID-6549

Make this change to /etc/init.d/qpidd:

https://svn.apache.org/viewvc/qpid/trunk/qpid/cpp/etc/qpidd.in?r1=1680550&r2=1680552&pathrev=1680552

Not sure about the foreman-proxy error, check the logs and that it's
listening on port 9090, and submit the output of foreman-debug.

FYI: These were the messages when I replaced /etc/init.d/qpidd with the
new version:

$ /etc/init.d/qpidd start
grep: @confdir@/qpidd.conf: No such file or directory
grep: @confdir@/qpidd.conf: No such file or directory
@sbindir@/qpidd not found or not executable

··· On Tuesday, 21 July 2015 15:47:47 UTC+1, JC wrote:
> I would be grateful for some assistance. [...]

Thanks for the qpid pointers Andrew (sorry for the delay, I've been away).

I tried replacing /etc/init.d/qpidd with
https://svn.apache.org/viewvc/qpid/trunk/qpid/cpp/etc/qpidd.in?revision=1680552&view=co&pathrev=1680552
but hit some variable issues. As it happens, I'm going to rebuild the
Katello host, so I'll probably revisit this again shortly.

··· On 22 July 2015 at 10:20, Andrew Palmer wrote:

> The qpid status error is a red herring, it will be running but there’s a
> bug in the init script that means the status command doesn’t return
> correctly - https://issues.apache.org/jira/browse/QPID-6549
>
> Make this change to /etc/init.d/qpidd:
>
> https://svn.apache.org/viewvc/qpid/trunk/qpid/cpp/etc/qpidd.in?r1=1680550&r2=1680552&pathrev=1680552
>
> Not sure about the foreman-proxy error, check the logs and that it’s
> listening on port 9090, and submit the output of foreman-debug.

