Openscap and foreman certs issue

Hi all,
I was trying to produce a compliance report with the openscap plugin, but I seem to be having some problems with certs.

I tried searching for similar topics, but none of the solutions described worked.

Below is the actual error.

[root@katello foreman-proxy]# foreman_scap_client 3
File /var/lib/openscap/content/e880f252752fbcaa1c12657e2f4706cfb93c72b7992ffa30c9b32b304b86d3c1.xml is missing. Downloading it from proxy.
Download SCAP content xml from: https://katello.internallab.lan:9090/compliance/policies/3/content/e880f252752fbcaa1c12657e2f4706cfb93c72b7992ffa30c9b32b304b86d3c1
SCAP content is missing and download failed with error: SSL_connect returned=1 errno=0 state=error: certificate verify failed

And the foreman_openscap configuration:

# DO NOT EDIT THIS FILE MANUALLY
# IT IS MANAGED BY PUPPET

# Foreman proxy to which reports should be uploaded
:server: 'katello.internallab.lan'
:port: 9090

## SSL specific options ##
# Client CA file.
# It could be Puppet CA certificate (e.g., '/var/lib/puppet/ssl/certs/ca.pem')
# Or (recommended for client reporting to Katello) subscription manager CA file, (e.g., '/etc/rhsm/ca/katello-server-ca.pem')
:ca_file: '/etc/puppetlabs/puppet/ssl/certs/ca.pem'
# Client host certificate.
# It could be Puppet agent host certificate (e.g., '/var/lib/puppet/ssl/certs/myhost.example.com.pem')
# Or (recommended for client reporting to Katello) consumer certificate (e.g., '/etc/pki/consumer/cert.pem')
:host_certificate: '/etc/puppetlabs/puppet/ssl/certs/katello.internallab.lan.pem'
# Client private key
# It could be Puppet agent private key (e.g., '/var/lib/puppet/ssl/private_keys/myhost.example.com.pem')
# Or (recommended for client reporting to Katello) consumer private key (e.g., '/etc/pki/consumer/key.pem')
:host_private_key: '/etc/puppetlabs/puppet/ssl/private_keys/katello.internallab.lan.pem'

# policy (key is id as in Foreman)

3:
  :profile: 'xccdf_org.ssgproject.content_profile_standard'
  :content_path: '/var/lib/openscap/content/e880f252752fbcaa1c12657e2f4706cfb93c72b7992ffa30c9b32b304b86d3c1.xml'
  # Download path
  # A path to download SCAP content from proxy
  :download_path: '/compliance/policies/3/content/e880f252752fbcaa1c12657e2f4706cfb93c72b7992ffa30c9b32b304b86d3c1'
  :tailoring_path: ''
  :tailoring_download_path: ''

Thanks
Stefano

Hi,
because you have Katello, consumer certificates are expected for host authentication. You need to subscribe your host; the easiest way is using activation keys, imho. When your host is subscribed, run puppet. You should see that the :ca_file, :host_certificate and :host_private_key entries in the config file have changed.

Hope this helps,
O.
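The "certificate verify failed" in the first post is what the client's TLS layer reports when the proxy's certificate does not chain to whatever :ca_file holds. The following is an added diagnostic example, not code from the thread or from foreman_scap_client; it builds a constructed, test-only PKI (a "Puppet CA" and a "Katello CA", names borrowed from the thread's hostname) and shows the same check passing or failing depending on which CA :ca_file names, plus the host certificate/private key pairing check.

```ruby
# Added diagnostic example (not from the thread or foreman_scap_client).
# It reproduces "certificate verify failed" offline: the proxy certificate is
# issued by the Katello server CA, but :ca_file points at the Puppet CA, so
# chain verification fails until :ca_file names the CA that issued it.
require 'openssl'

# Self-signed CA, or a leaf signed by the given CA. Constructed test-only PKI;
# the subject names only mirror the hostname used in the thread.
def make_cert(subject, issuer_cert: nil, issuer_key: nil, ca: false)
  key  = OpenSSL::PKey::RSA.new(2048)
  cert = OpenSSL::X509::Certificate.new
  cert.version    = 2
  cert.serial     = rand(1..2**62)
  cert.subject    = OpenSSL::X509::Name.parse(subject)
  cert.issuer     = issuer_cert ? issuer_cert.subject : cert.subject
  cert.public_key = key.public_key
  cert.not_before = Time.now - 60
  cert.not_after  = Time.now + 3600
  ef = OpenSSL::X509::ExtensionFactory.new(issuer_cert || cert, cert)
  cert.add_extension(ef.create_extension('basicConstraints', ca ? 'CA:TRUE' : 'CA:FALSE', true))
  cert.sign(issuer_key || key, OpenSSL::Digest.new('SHA256'))
  [cert, key]
end

# What the client's TLS layer does with :ca_file: build a trust store from it
# and ask whether the certificate presented by the proxy chains to it.
def chains_to_ca?(cert, ca_pem)
  store = OpenSSL::X509::Store.new
  store.add_cert(OpenSSL::X509::Certificate.new(ca_pem))
  store.verify(cert)
end

PUPPET_CA,  PUPPET_KEY  = make_cert('/CN=Puppet CA: katello.internallab.lan', ca: true)
KATELLO_CA, KATELLO_KEY = make_cert('/CN=katello.internallab.lan Katello CA', ca: true)
PROXY_CERT, PROXY_KEY   = make_cert('/CN=katello.internallab.lan',
                                    issuer_cert: KATELLO_CA, issuer_key: KATELLO_KEY)

# One row per check a practitioner would run on the three config entries:
# does the proxy's cert chain to :ca_file, and do :host_certificate and
# :host_private_key actually belong together.
def trust_results
  { 'proxy cert vs Puppet CA as :ca_file'  => chains_to_ca?(PROXY_CERT, PUPPET_CA.to_pem),
    'proxy cert vs Katello CA as :ca_file' => chains_to_ca?(PROXY_CERT, KATELLO_CA.to_pem),
    'host cert with its own key'           => PROXY_CERT.check_private_key(PROXY_KEY),
    'host cert with a foreign key'         => PROXY_CERT.check_private_key(PUPPET_KEY) }
end

trust_results.each { |check, ok| puts "#{check}: #{ok ? 'ok' : 'certificate verify failed'}" }
```

On a real client the same two checks can be run against the files named in the config (load each PEM with OpenSSL::X509::Certificate / OpenSSL::PKey.read) to see which of the three entries is the odd one out.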

Hi Ondrej,
I’ve already subscribed 2 clients, and I’ve already created an activation key too.

I ran puppet but the configuration remained the same.

How can I solve this?
Thanks
Stefano

I think I know what is going on now, I guess it is related to the other thread. You applied the puppet modules to your server and are running the foreman_scap_client on your server, am I correct?

If that is the case, you need to apply the modules to your clients, run puppet on them and then run foreman_scap_client from your clients.

You previously had problems assigning the puppet classes to your host, because they did not show in the selection. From the screenshots I see you have the classes in the production puppet environment. You need to go to Hosts -> All Hosts -> Edit. In the Host tab, choose the production puppet environment, then the classes should show in the Puppet Classes tab; assign them.

Next you need to run ‘puppet agent -t’ on your registered client, which should create the config with appropriate entries.

Hope this helps,
O.

Hi Ondrej,
yes, you’re right.

I think the puppet environment is correctly assigned.

And the puppet classes should be correct too.

and puppet classes

When I try to run puppet on the client

Any ideas?
Regards
Stefano

It seems like the puppet agent is not installed and configured on your client. It is best to do that as a part of installation with certain provisioning templates; check out the Katello Kickstart Default template, relevant are the puppetlabs_repo and puppet_setup snippets. You will need to pass a param to your host so that the appropriate repo is enabled. I have on my testing setup for Puppet 4:

Hi
I installed puppet agent on my centos client.

Running the command below, the outcome is an error.

[root@centos6client /]# puppet agent --server katello.internallab.lan -t
Warning: Downgrading to PSON for future requests
Info: Using configured environment 'production'
Info: Retrieving pluginfacts
Info: Retrieving plugin
Info: Loading facts
Info: Caching catalog for centos6client.internallab.lan
Info: Applying configuration version '1521800865'
Error: Execution of '/usr/bin/yum -d 0 -e 0 -y install rubygem-foreman_scap_client' returned 1: Error: Nothing to do
Loaded plugins: fastestmirror, product-id
Error: /Stage[main]/Foreman_scap_client/Package[rubygem-foreman_scap_client]/ensure: change from 'purged' to 'present' failed: Execution of '/usr/bin/yum -d 0 -e 0 -y install rubygem-foreman_scap_client' returned 1: Error: Nothing to do
Loaded plugins: fastestmirror, product-id
Notice: /Stage[main]/Foreman_scap_client/File[foreman_scap_client]: Dependency Package[rubygem-foreman_scap_client] has failures: true
Warning: /Stage[main]/Foreman_scap_client/File[foreman_scap_client]: Skipping because of failed dependencies
Notice: Applied catalog in 1.49 seconds

Any ideas?

Thanks
Stefano

Hi,
Puppet cannot find the rubygem-foreman_scap_client package for your client; you need to make it available by adding the appropriate repository for your Foreman version.

O.

Hi,
I added the repository to my product (Centos 6 Product) but I’m still getting the same error:

What am I getting wrong?
Thanks
S.

Hi,
that means your client still cannot get the packages for some reason. I would recommend consulting the Katello docs to identify what step you missed. The common errors to look out for:

  • repo is not properly synced
  • repo is not in a content view your client is subscribed to
  • new version of content view was not published after the repo was added to it

O.

Hi,
I followed all the steps written in katello.
The content view is updated (I guess)

as well as the puppet repos inside the same content view.

However, same error is still present.

Can you help me to solve it?
Regards
Thanks
Stefano

I haven’t read the whole thread, but the error is quite clear. The host doesn’t have access to the package. If you’re using Katello to manage host repositories, make sure the host is correctly registered, the repo that contains the package is assigned to the host through content view association. If you simply run yum install on the host, it must succeed.

Hi,
thanks a lot. I created the repository again and updated it, and now the error has changed.

Probably ruby(release) is required? Which is the corresponding repo?
Thanks

Error: Execution of '/usr/bin/yum -d 0 -e 0 -y install rubygem-foreman_scap_client' returned 1: Error: Package: rubygem-foreman_scap_client-0.3.0-1.el7.noarch (ConteOrg_Centos_6_Puppet_Rep)
Requires: ruby(release)
You could try using --skip-broken to work around the problem
You could try running: rpm -Va --nofiles --nodigest
Loaded plugins: fastestmirror, product-id
Error: /Stage[main]/Foreman_scap_client/Package[rubygem-foreman_scap_client]/ensure: change from 'purged' to 'present' failed: Execution of '/usr/bin/yum -d 0 -e 0 -y install rubygem-foreman_scap_client' returned 1: Error: Package: rubygem-foreman_scap_client-0.3.0-1.el7.noarch (ConteOrg_Centos_6_Puppet_Rep)
Requires: ruby(release)
You could try using --skip-broken to work around the problem
You could try running: rpm -Va --nofiles --nodigest
Loaded plugins: fastestmirror, product-id

Hi,
you are correct, it seems like ruby is not available for your client. The screenshot below shows what repo my client gets it from.

Hope this helps,
O.

Hi,
I think ruby is available on my client.

Moreover

And below my repos:

How can I get my client to match your config?

Thanks
S.

Hi,
it strikes me as odd that your ruby version is 2.4 but you have the 1.8.7 package from base installed. So where does the 2.4 come from? foreman_scap_client does not have requirements for a specific version, so it should just install if the dependency package is available. I’ll test on CentOS 6 to see if I can reproduce.

Because CentOS 6 is getting rather old, I would recommend moving to CentOS 7 if there is no reason that would prevent you from doing that.

Hi,
unfortunately I have a lot of Centos 6 servers to manage, even if they’re getting old.

Thanks