Node.rb --pushfacts - certificate verify failure

proxy

#1

Problem:
Using the node.rb --push-facts script causes the following error.

During fact upload occured an exception: SSL_connect returned=1 errno=0 state=error: certificate verify failed
Could not send facts to Foreman: SSL_connect returned=1 errno=0 state=error: certificate verify failed

The foreman proxies all function correctly (puppet as there are multiple puppet servers).

The following configuration is on the mirror puppet server. The foreman-proxy works. push-facts does NOT.

/etc/foreman-proxy/settings.yaml

:ssl_ca_file: /opt/foreman_certs/foreman_ca.pem
:ssl_certificate: /etc/puppetlabs/puppet/ssl/certs/puppet-server-mirror.pem
:ssl_private_key: /etc/puppetlabs/puppet/ssl/private_keys/puppet-server-mirror.pem
:foreman_ssl_ca: /opt/foreman_certs/foreman_ca.pem
:foreman_ssl_cert: /etc/puppetlabs/puppet/ssl/certs/puppet-server-mirror.pem
:foreman_ssl_key: /etc/puppetlabs/puppet/ssl/private_keys/puppet-server-mirror.pem

/etc/puppetlabs/puppet/foreman.yaml

:ssl_ca:   "/opt/foreman_certs/foreman_ca.pem"
:ssl_cert: "/etc/puppetlabs/puppet/ssl/certs/puppet-server-mirror.pem"
:ssl_key:  "/etc/puppetlabs/puppet/ssl/private_keys/puppet-server-mirror.pem"

The foreman server is controlled by the foreman puppet module. So all of the settings listed in the ssl document in apache are there. Here are the settings for reference:

SSLEngine on
SSLCertificateFile      "/etc/ssl/certs/WEB.pem"
SSLCertificateKeyFile   "/etc/ssl/private/WEB.key"
SSLCertificateChainFile "/etc/ssl/certs/WEB_chain.crt"
SSLVerifyClient         optional
SSLCACertificateFile    "/opt/foreman_certs/foreman_ca.pem"
SSLVerifyDepth          3
SSLOptions +StdEnvVars +ExportCertData

Expected outcome:

The ruby networking library should be able to connect to the foreman server without certificates failing.

Foreman and Proxy versions:

1.17.1

Foreman and Proxy plugin versions:

1.17.1

Thank you for your help!


#2

Is this correct? It looks like you’re using a different CA for Foreman than the client certs - if so, it would be unsurprising that the proxy cannot verify the certificate of the Foreman server.


#3

I don’t understand the question. Can you please post which parameters are different?

The foreman server’s apache config uses a verified CA (DigiCert). The foreman_ca.pem contains the DigiCert CA and the puppet server’s CA. As I stated before, the foreman server is able to connect with the foreman-proxies and vice versa. The only component that doesn’t work is the node.rb, which is indeed surprising to me.


#4

Could you test changing ssl_cert and ssl_key to the values in the apache conf? Namely "/etc/ssl/certs/WEB.pem" and "/etc/ssl/private/WEB.key"?

I think the problem could be that you’re making a POST request from node.rb without the right certificates, however the proxy could be working because it’s only using GET?


#5

I get the same error when changing the certs to use the WEB cert:

./node.rb --push-facts
During fact upload occured an exception: SSL_connect returned=1 errno=0 state=error: certificate verify failed
Could not send facts to Foreman: SSL_connect returned=1 errno=0 state=error: certificate verify failed

I tend to think there is an issue with the VERIFY_PEER mode or the way SSL is being configured in the ruby script.

  res.verify_mode = OpenSSL::SSL::VERIFY_PEER

#6

Hi - did you manage to get this working, as I have what looks like a very similar problem?


#7

The only way I got this working was to comment out the ssl_ca. It’s a pain because I use the theforeman/puppet and theforeman/foreman_proxy puppet modules. I have to end up keeping the puppet agent ‘off’ on my puppet masters, otherwise on the next puppet run the ssl_ca will be re-enabled.

:url: "https://<FOREMAN_URL>"
#:ssl_ca: "<FULL_PATH>/ca_crt.pem"
:ssl_cert: "<WEB CERT>"
:ssl_key: "<WEB KEY>"
:user: ""
:password: ""
:puppetdir: "/opt/puppetlabs/server/data/puppetserver"
:puppetuser: "puppet"
:facts: true
:timeout: 60
:report_timeout: 60
:threads: null
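The failure discussed in #5 (the VERIFY_PEER setting) and worked around in #7 (commenting out :ssl_ca) comes down to one question: does the CA bundle node.rb is handed contain a trust anchor for the chain the Foreman web server presents? The Ruby script below is an added example, not code from this thread or from Foreman's node.rb. It constructs, in memory, a public-style chain (a root, an intermediate, and a server certificate, standing in for the DigiCert chain behind WEB.pem and WEB_chain.crt) plus a separate Puppet-style CA, all with made-up names, and then checks the server certificate against different bundles exactly the way OpenSSL's VERIFY_PEER does. The foreman_client helper shows how the :ssl_ca, :ssl_cert and :ssl_key settings map onto Net::HTTP; its paths are placeholders.

```ruby
require 'openssl'
require 'net/http'
require 'uri'

# Added example, not node.rb. Every certificate here is constructed in memory
# so the script runs offline; the CA names are made up.

# Build a key pair and an X.509 certificate. With no issuer the certificate is
# self-signed (a root); otherwise it is signed by issuer_key.
def make_cert(subject, serial, issuer: nil, issuer_key: nil, ca: false)
  key  = OpenSSL::PKey::RSA.new(2048)
  cert = OpenSSL::X509::Certificate.new
  cert.version    = 2
  cert.serial     = serial
  cert.subject    = OpenSSL::X509::Name.parse(subject)
  cert.issuer     = issuer ? issuer.subject : cert.subject
  cert.public_key = key.public_key
  cert.not_before = Time.now - 60
  cert.not_after  = Time.now + 3600
  ef = OpenSSL::X509::ExtensionFactory.new
  ef.subject_certificate = cert
  ef.issuer_certificate  = issuer || cert
  cert.add_extension(ef.create_extension('basicConstraints', ca ? 'CA:TRUE' : 'CA:FALSE', true))
  cert.sign(issuer_key || key, OpenSSL::Digest.new('SHA256'))
  [cert, key]
end

# Verify server_cert the way OpenSSL::SSL::VERIFY_PEER does: trust anchors come
# from the CA bundle (:ssl_ca in foreman.yaml), intermediates come from what the
# server sends (SSLCertificateChainFile in Apache). Returns [ok, reason].
def chain_verifies?(server_cert, ca_bundle_pem, presented_chain = [])
  store = OpenSSL::X509::Store.new
  # A PEM bundle may hold several CAs; split it as OpenSSL would when reading a file.
  ca_bundle_pem.scan(/-----BEGIN CERTIFICATE-----.*?-----END CERTIFICATE-----/m)
               .each { |pem| store.add_cert(OpenSSL::X509::Certificate.new(pem)) }
  ctx = OpenSSL::X509::StoreContext.new(store, server_cert, presented_chain)
  ok = ctx.verify
  [ok, ok ? 'ok' : ctx.error_string]
end

# Constructed scenario: a public root -> intermediate -> server chain (the role
# of WEB.pem / WEB_chain.crt) and an unrelated Puppet CA.
def build_scenario
  public_root, root_key = make_cert('/CN=Public Root (constructed)', 1, ca: true)
  web_int, int_key      = make_cert('/CN=Web Intermediate (constructed)', 2,
                                    issuer: public_root, issuer_key: root_key, ca: true)
  web_cert, _web_key    = make_cert('/CN=foreman.example.test', 3,
                                    issuer: web_int, issuer_key: int_key)
  puppet_ca, _puppet_key = make_cert('/CN=Puppet CA (constructed)', 4, ca: true)
  { public_root: public_root, web_int: web_int, web_cert: web_cert, puppet_ca: puppet_ca }
end

# Run the server certificate through three bundle configurations.
def run_checks(s = build_scenario)
  puppet_only = s[:puppet_ca].to_pem
  both_cas    = s[:puppet_ca].to_pem + s[:public_root].to_pem
  {
    # :ssl_ca contains only the Puppet CA: the server chain has no trust anchor.
    puppet_ca_only:    chain_verifies?(s[:web_cert], puppet_only, [s[:web_int]]),
    # :ssl_ca contains both CAs and the server sends its intermediate: verifies.
    both_cas:          chain_verifies?(s[:web_cert], both_cas, [s[:web_int]]),
    # Root is trusted but the server omits the intermediate: still fails.
    both_cas_no_chain: chain_verifies?(s[:web_cert], both_cas, [])
  }
end

# How node.rb's foreman.yaml settings map onto Net::HTTP (paths are placeholders,
# nothing is connected here). Without ca_file, Net::HTTP falls back to OpenSSL's
# default system certificate store.
def foreman_client(url, ssl_ca:, ssl_cert:, ssl_key:)
  uri  = URI(url)
  http = Net::HTTP.new(uri.host, uri.port)
  http.use_ssl     = true
  http.verify_mode = OpenSSL::SSL::VERIFY_PEER
  http.ca_file     = ssl_ca
  http.cert        = OpenSSL::X509::Certificate.new(File.read(ssl_cert))
  http.key         = OpenSSL::PKey.read(File.read(ssl_key))
  http
end

if __FILE__ == $PROGRAM_NAME
  run_checks.each { |name, (ok, reason)| puts format('%-18s %-5s %s', name, ok, reason) }
end
```

The same check can be run against the real files on the puppet server with `openssl verify -CAfile /opt/foreman_certs/foreman_ca.pem -untrusted /etc/ssl/certs/WEB_chain.crt /etc/ssl/certs/WEB.pem`; if that fails, node.rb will fail too, whatever client certificate it presents. The third case also explains why the proxy-to-proxy connections can work while the Foreman web server does not: each side is verified against whichever anchors the bundle actually holds, and a chain whose root (or intermediate) is missing fails verification regardless of the client certificate or HTTP method in use.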