Node.rb --pushfacts - certificate verify failure

Problem:
Using the node.rb --push-facts script causes the following error.

During fact upload occured an exception: SSL_connect returned=1 errno=0 state=error: certificate verify failed
Could not send facts to Foreman: SSL_connect returned=1 errno=0 state=error: certificate verify failed

The foreman proxies all function correctly (puppet as there are multiple puppet servers).

The following configuration is on the mirror puppet server. The foreman-proxy works. push-facts does NOT.

/etc/foreman-proxy/settings.yaml

:ssl_ca_file: /opt/foreman_certs/foreman_ca.pem
:ssl_certificate: /etc/puppetlabs/puppet/ssl/certs/puppet-server-mirror.pem
:ssl_private_key: /etc/puppetlabs/puppet/ssl/private_keys/puppet-server-mirror.pem
:foreman_ssl_ca: /opt/foreman_certs/foreman_ca.pem
:foreman_ssl_cert: /etc/puppetlabs/puppet/ssl/certs/puppet-server-mirror.pem
:foreman_ssl_key: /etc/puppetlabs/puppet/ssl/private_keys/puppet-server-mirror.pem

/etc/puppetlabs/puppet/foreman.yaml

:ssl_ca:   "/opt/foreman_certs/foreman_ca.pem"
:ssl_cert: "/etc/puppetlabs/puppet/ssl/certs/puppet-server-mirror.pem"
:ssl_key:  "/etc/puppetlabs/puppet/ssl/private_keys/puppet-server-mirror.pem"

The foreman server is controlled by the foreman puppet module. So all of the settings listed in the ssl document in apache are there. Here are the settings for reference:

SSLEngine on
SSLCertificateFile      "/etc/ssl/certs/WEB.pem"
SSLCertificateKeyFile   "/etc/ssl/private/WEB.key"
SSLCertificateChainFile "/etc/ssl/certs/WEB_chain.crt"
SSLVerifyClient         optional
SSLCACertificateFile    "/opt/foreman_certs/foreman_ca.pem"
SSLVerifyDepth          3
SSLOptions +StdEnvVars +ExportCertData

Expected outcome:

The ruby networking library should be able to connect to the foreman server without certificates failing.

Foreman and Proxy versions:

1.17.1

Foreman and Proxy plugin versions:

1.17.1

Thank you for your help!

Is this correct? It looks like you’re using a different CA for Foreman than the client certs - if so, it would be unsurprising that the proxy cannot verify the certificate of the Foreman server.

I don’t understand the question. Can you please post which parameters are different?

The foreman server’s apache config uses a verified ca (digicert). The foreman_ca.pem contains the digicert ca and the puppet server’s ca. As I stated before, the foreman server is able to connect with the foreman-proxies and vice versa. The only component that doesn’t work is the node.rb, which is indeed surprising to me.

Could you test changing ssl_cert and ssl_key to the values in the apache conf? Namely "/etc/ssl/certs/WEB.pem" and "/etc/ssl/private/WEB.key"?

I think the problem could be that you’re making a POST request from node.rb without the right certificates, however the proxy could be working because it’s only using GET?

I get the same error when changing the certs to use the WEB cert:

./node.rb --push-facts
During fact upload occured an exception: SSL_connect returned=1 errno=0 state=error: certificate verify failed
Could not send facts to Foreman: SSL_connect returned=1 errno=0 state=error: certificate verify failed

I tend to think there is an issue with the VERIFY_PEER mode or the way SSL is being configured in the ruby script.

  res.verify_mode = OpenSSL::SSL::VERIFY_PEER
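A diagnostic for the VERIFY_PEER failure discussed above, as an added example that is not part of the original thread: it reproduces the check Ruby's Net::HTTP performs with ca_file and VERIFY_PEER against a constructed test PKI (the helpers make_cert, build_test_pki and verify_chain are assumptions, not node.rb code), and shows the error string OpenSSL reports when the server's intermediate is missing from the presented chain or the CA bundle does not contain the issuing CA.

```ruby
require 'openssl'

# Constructed test PKI (root -> intermediate -> server leaf); these are not the
# poster's real certificates. 2048-bit RSA keys so the script runs offline.
def make_cert(subject, key, issuer: nil, issuer_key: nil, ca: false, serial: 1)
  cert = OpenSSL::X509::Certificate.new
  cert.version = 2
  cert.serial = serial
  cert.subject = OpenSSL::X509::Name.parse(subject)
  cert.issuer = issuer ? issuer.subject : cert.subject
  cert.public_key = key.public_key
  cert.not_before = Time.now - 60
  cert.not_after = Time.now + 3600
  ef = OpenSSL::X509::ExtensionFactory.new
  ef.subject_certificate = cert
  ef.issuer_certificate = issuer || cert
  cert.add_extension(ef.create_extension('basicConstraints', ca ? 'CA:TRUE' : 'CA:FALSE', true))
  cert.add_extension(ef.create_extension('subjectKeyIdentifier', 'hash'))
  cert.sign(issuer_key || key, OpenSSL::Digest.new('SHA256'))
  cert
end

def build_test_pki
  root_key, inter_key, leaf_key = Array.new(3) { OpenSSL::PKey::RSA.new(2048) }
  root  = make_cert('/CN=Test Root CA', root_key, ca: true, serial: 1)
  inter = make_cert('/CN=Test Intermediate CA', inter_key, issuer: root, issuer_key: root_key, ca: true, serial: 2)
  leaf  = make_cert('/CN=foreman.example.test', leaf_key, issuer: inter, issuer_key: inter_key, serial: 3)
  other = make_cert('/CN=Unrelated Root CA', OpenSSL::PKey::RSA.new(2048), ca: true, serial: 4)
  { root: root, inter: inter, leaf: leaf, other: other }
end

# The same check Net::HTTP performs under VERIFY_PEER with ca_file: trust only
# the bundle, then validate the server's cert against the chain it presented.
# Returns [verified?, OpenSSL's error string] so the failure reason is visible.
def verify_chain(ca_bundle, server_cert, presented_chain)
  store = OpenSSL::X509::Store.new
  ca_bundle.each { |c| store.add_cert(c) }
  ok = store.verify(server_cert, presented_chain)
  [ok, store.error_string]
end

if $PROGRAM_NAME == __FILE__
  pki = build_test_pki
  p verify_chain([pki[:root]], pki[:leaf], [pki[:inter]])  # [true, "ok"]
  p verify_chain([pki[:root]], pki[:leaf], [])             # intermediate not sent by the server
  p verify_chain([pki[:other]], pki[:leaf], [pki[:inter]]) # bundle lacks the issuing CA
end
```

Point the bundle argument at the contents of your :ssl_ca file and the other two at what `openssl s_client -showcerts` returns from the Foreman server to see which of these two failures node.rb is hitting.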

Hi - did you manage to get this working as I have what looks like a very similar problem?

The only way I got this working was to comment out the ssl_ca. It’s a pain because I use theforeman/puppet and theforeman/foreman_proxy puppet modules. I have to end up keeping the puppet agent ‘off’ on my puppet masters, otherwise on the next puppet run the ssl_ca will be re-enabled.

:url: "https://<FOREMAN_URL>"
#:ssl_ca: "<FULL_PATH>/ca_crt.pem"
:ssl_cert: "<WEB CERT>"
:ssl_key: "<WEB KEY>"
:user: ""
:password: ""
:puppetdir: "/opt/puppetlabs/server/data/puppetserver"
:puppetuser: "puppet"
:facts: true
:timeout: 60
:report_timeout: 60
:threads: null

Hi.

Thanks for this thread, your solution does the trick in my case.

Did you eventually find a proper solution? I seem to be struggling with the same issue, see https://community.theforeman.org/t/foreman-cant-connect-to-puppetdb/17979.

Are you doing this on Debian, by any chance?

Did you eventually find a proper solution?

No

Are you doing this on Debian, by any chance?

No. But I am using Ubuntu 16.04 for both the foreman server and puppet servers.

I also use puppet to manage foreman and the foreman proxies (not using the installer method). I use the theforeman puppet modules. This means that my puppet agents on both the foreman server and puppet servers need to be disabled as they will always revert the changes to the CA.