Hi all,
I was trying to produce a compliance report with the openscap plugin.
But I seem to be having some problems with certs.
I tried searching for similar topics, but all the solutions described didn’t work.
Below is the actual error.
[root@katello foreman-proxy]# foreman_scap_client 3
File /var/lib/openscap/content/e880f252752fbcaa1c12657e2f4706cfb93c72b7992ffa30c9b32b304b86d3c1.xml is missing. Downloading it from proxy.
Download SCAP content xml from: https://katello.internallab.lan:9090/compliance/policies/3/content/e880f252752fbcaa1c12657e2f4706cfb93c72b7992ffa30c9b32b304b86d3c1
SCAP content is missing and download failed with error: SSL_connect returned=1 errno=0 state=error: certificate verify failed
And the foreman_openscap_configuration:
# DO NOT EDIT THIS FILE MANUALLY
# IT IS MANAGED BY PUPPET
# Foreman proxy to which reports should be uploaded
:server: 'katello.internallab.lan'
:port: 9090
## SSL specific options ##
# Client CA file.
# It could be Puppet CA certificate (e.g., '/var/lib/puppet/ssl/certs/ca.pem')
# Or (recommended for client reporting to Katello) subscription manager CA file, (e.g., '/etc/rhsm/ca/katello-server-ca.pem')
:ca_file: '/etc/puppetlabs/puppet/ssl/certs/ca.pem'
# Client host certificate.
# It could be Puppet agent host certificate (e.g., '/var/lib/puppet/ssl/certs/myhost.example.com.pem')
# Or (recommended for client reporting to Katello) consumer certificate (e.g., '/etc/pki/consumer/cert.pem')
:host_certificate: '/etc/puppetlabs/puppet/ssl/certs/katello.internallab.lan.pem'
# Client private key
# It could be Puppet agent private key (e.g., '/var/lib/puppet/ssl/private_keys/myhost.example.com.pem')
# Or (recommended for client reporting to Katello) consumer private key (e.g., '/etc/pki/consumer/key.pem')
:host_private_key: '/etc/puppetlabs/puppet/ssl/private_keys/katello.internallab.lan.pem'
# policy (key is id as in Foreman)
3:
:profile: 'xccdf_org.ssgproject.content_profile_standard'
:content_path: '/var/lib/openscap/content/e880f252752fbcaa1c12657e2f4706cfb93c72b7992ffa30c9b32b304b86d3c1.xml'
# Download path
# A path to download SCAP content from proxy
:download_path: '/compliance/policies/3/content/e880f252752fbcaa1c12657e2f4706cfb93c72b7992ffa30c9b32b304b86d3c1'
:tailoring_path: ''
:tailoring_download_path: ''
Hi,
because you have Katello, consumer certificates are expected for host authentication. You need to subscribe your host; the easiest way is using activation keys imho. When your host is subscribed, run puppet. You should see that the :ca_file, :host_certificate and :host_private_key entries in the config file changed.
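As an added example (not code from this thread or from foreman_scap_client itself), a small Ruby check of the relationship the reply above describes: the certificate the proxy presents on port 9090 must chain to :ca_file, and :host_certificate and :host_private_key must belong together and chain to that same CA. The Puppet CA, Katello CA, proxy and host certificates are constructed in memory for the demonstration; on a real host you would read the PEM files named in the config instead.

```ruby
require 'openssl'

# Build a certificate in memory (constructed fixture, not real Puppet or Katello CA material).
# With no issuer the cert is a self-signed CA; otherwise it is signed by [ca_cert, ca_key].
def make_cert(cn, issuer = nil)
  key  = OpenSSL::PKey::RSA.new(2048)
  cert = OpenSSL::X509::Certificate.new
  cert.version = 2
  cert.serial = rand(1 << 30)
  cert.subject = OpenSSL::X509::Name.parse("/CN=#{cn}")
  cert.issuer = issuer ? issuer[0].subject : cert.subject
  cert.public_key = key.public_key
  cert.not_before = Time.now - 60
  cert.not_after = Time.now + 3600
  unless issuer
    ef = OpenSSL::X509::ExtensionFactory.new(cert, cert)
    cert.add_extension(ef.create_extension('basicConstraints', 'CA:TRUE', true))
  end
  cert.sign(issuer ? issuer[1] : key, OpenSSL::Digest.new('SHA256'))
  [cert, key]
end

# The :ca_file / :host_certificate / :host_private_key entries must be consistent with the
# certificate the proxy on port 9090 presents. Returns a list of findings (empty means OK).
def check_scap_client_ssl(ca_pem, host_cert_pem, host_key_pem, proxy_cert_pem)
  store = OpenSSL::X509::Store.new
  store.add_cert(OpenSSL::X509::Certificate.new(ca_pem))
  host_cert = OpenSSL::X509::Certificate.new(host_cert_pem)
  host_key  = OpenSSL::PKey::RSA.new(host_key_pem)
  problems = []
  problems << 'certificate verify failed: proxy certificate is not signed by :ca_file' unless store.verify(OpenSSL::X509::Certificate.new(proxy_cert_pem))
  problems << ':host_private_key does not match :host_certificate' unless host_cert.check_private_key(host_key)
  problems << ':host_certificate is not signed by :ca_file' unless store.verify(host_cert)
  problems
end

# Constructed scenario from the thread: the proxy uses a certificate from the Katello CA,
# while the client config still points at the Puppet CA and the Puppet agent certificate.
PUPPET_CA   = make_cert('Puppet CA')
KATELLO_CA  = make_cert('Katello CA')
PROXY_CERT  = make_cert('katello.internallab.lan', KATELLO_CA)
PUPPET_HOST = make_cert('client.internallab.lan', PUPPET_CA)
CONSUMER    = make_cert('client.internallab.lan', KATELLO_CA) # what subscribing the host yields
def puppet_config_problems # config as posted: Puppet CA + Puppet agent cert and key
  check_scap_client_ssl(PUPPET_CA[0].to_pem, PUPPET_HOST[0].to_pem, PUPPET_HOST[1].to_pem, PROXY_CERT[0].to_pem)
end
def katello_config_problems # config after subscribing: Katello CA + consumer cert and key
  check_scap_client_ssl(KATELLO_CA[0].to_pem, CONSUMER[0].to_pem, CONSUMER[1].to_pem, PROXY_CERT[0].to_pem)
end
puts "as posted: #{puppet_config_problems.inspect}", "after subscribing: #{katello_config_problems.inspect}"
```

The first call reproduces the "certificate verify failed" finding from the original post; the second, with all three entries from the Katello CA family, reports nothing.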
I think I know what is going on now, I guess it is related to the other thread. You applied the puppet modules to your server and are running the foreman_scap_client on your server, am I correct?
If that is the case, you need to apply the modules to your clients, run puppet on them and then run foreman_scap_client from your clients.
You had previously problems assigning the puppet classes to your host, because they did not show in the selection. From the screenshots I see you have the classes in production puppet environment. You need to go to Hosts -> All Hosts -> Edit. In the Host tab, choose the production puppet environment, then the classes should show in Puppet Classes tab, assign them.
Next you need to run ‘puppet agent -t’ on your registered client, which should create the config with appropriate entries.
It seems like the puppet agent is not installed and configured on your client. It is best to do that as a part of installation with certain provisioning templates, check out the Katello Kickstart Default template, relevant are the puppetlabs_repo and puppet_setup snippets. You will need to pass a param to your host so that appropriate repo is enabled. I have on my testing setup for Puppet 4:
Hi,
Puppet cannot find rubygem-foreman_scap_client package for your client, you need to make it available by adding appropriate repository for your Foreman version.
Hi,
that means your client still cannot get the packages for some reason. I would recommend consulting the Katello docs to identify what step you missed. The common errors to look out for:
repo is not properly synced
repo is not in a content view your client is subscribed to
new version of content view was not published after the repo was added to it
I haven’t read the whole thread, but the error is quite clear. The host doesn’t have access to the package. If you’re using Katello to manage host repositories, make sure the host is correctly registered, the repo that contains the package is assigned to the host through content view association. If you simply run yum install on the host, it must succeed.
Hi,
thanks a lot. I created the repository again and updated it, and now the error has changed.
Probably ruby(release) is required? Which is the corresponding repo?
Thanks
Error: Execution of ‘/usr/bin/yum -d 0 -e 0 -y install rubygem-foreman_scap_client’ returned 1: Error: Package: rubygem-foreman_scap_client-0.3.0-1.el7.noarch (ConteOrg_Centos_6_Puppet_Rep)
Requires: ruby(release)
You could try using --skip-broken to work around the problem
You could try running: rpm -Va --nofiles --nodigest
Loaded plugins: fastestmirror, product-id
Error: /Stage[main]/Foreman_scap_client/Package[rubygem-foreman_scap_client]/ensure: change from ‘purged’ to ‘present’ failed: Execution of ‘/usr/bin/yum -d 0 -e 0 -y install rubygem-foreman_scap_client’ returned 1: Error: Package: rubygem-foreman_scap_client-0.3.0-1.el7.noarch (ConteOrg_Centos_6_Puppet_Rep)
Requires: ruby(release)
You could try using --skip-broken to work around the problem
You could try running: rpm -Va --nofiles --nodigest
Loaded plugins: fastestmirror, product-id
Hi,
it strikes me as odd that your ruby version is 2.4 but you have the 1.8.7 package from base installed. So where does the 2.4 come from? foreman_scap_client does not have requirements for a specific version, so it should just install if the dependency package is available. I’ll test on CentOS 6 to see if I can reproduce.
Because CentOS 6 is getting rather old, I would recommend moving to CentOS 7 if there is no reason that would prevent you from doing that.