Problem:
Foreman install without Katello on CentOS 7 together with OpenSCAP plugin/proxy. Running a scan completes successfully, report makes it from client to proxy but error received on report upload: "Report not uploaded from proxy to Foreman server, cause: Failed to upload to Foreman, saving in spool. Failed with: 500 “Internal Server Error”".
Could use some pointers on what log files might assist tracking this down, nothing of note seen in /var/log/foreman/production.log or /var/log/foreman-proxy. Maybe I don't have the right debug values.
Policies configured correctly with SCAP content. Data accessible and downloaded correctly by client during puppet run together with configuration files.
Previous class configuration issues from here (“OpenSCAP plugin / puppet classes, what am I doing wrong or missing?”) overcome by “puppet module install” instead of rpm as described. Docs scrutinised accordingly and I believe all configured OK, classes show up correctly, can allocate to host group with settings etc. and config files are propagated correctly to clients.
Report makes it from remote client to Foreman server but not ingested, kicked out to /var/spool/foreman-proxy/arf//… instead.
Seen previous issue on “Error 500” with a workaround of creating a second organisation and location, this does not appear to work in this instance.
For me, a little confused from OpenSCAP document but I feel I have the correct configuration. Most of the documentation refers to using the Katello proxy and port (9090) which utilises the Katello consumer certs not puppet certs. As Katello isn't in use I believe the cert chains utilised would be from the Puppet CA which I think are configured correctly. I understand the correct proxy port to use without Katello would be 8443 (tried the puppet proxy port 8140, didn't work).
Example version is 2.1, this behaviour seems to display on 2.0 as well.
Expected outcome:
I believe that the Foreman server should successfully process the report, ingest accordingly and present for viewing in the console.
Foreman and Proxy versions:
rpm -qa | grep foreman | sort
foreman-2.1.0-0.22.rc3.el7.noarch
foreman-cli-2.1.0-0.22.rc3.el7.noarch
foreman-client-release-2.1.0-0.4.rc3.el7.noarch
foreman-debug-2.1.0-0.22.rc3.el7.noarch
foreman-dynflow-sidekiq-2.1.0-0.22.rc3.el7.noarch
foreman-installer-2.1.0-0.3.rc3.el7.noarch
foreman-postgresql-2.1.0-0.22.rc3.el7.noarch
foreman-proxy-2.1.0-0.2.rc3.el7.noarch
foreman-release-2.1.0-0.4.rc3.el7.noarch
foreman-release-scl-7-3.el7.noarch
foreman-selinux-2.1.0-0.2.rc3.el7.noarch
foreman-service-2.1.0-0.22.rc3.el7.noarch
foreman-vmware-2.1.0-0.22.rc3.el7.noarch
puppet-foreman_scap_client-0.4.0-1.el7.noarch
rubygem-foreman_maintain-0.6.5-1.el7.noarch
rubygem-foreman_scap_client-0.4.6-2.el7.noarch
tfm-rubygem-foreman_fog_proxmox-0.10.2-1.fm2_1.el7.noarch
tfm-rubygem-foreman_openscap-3.0.0-1.fm2_1.el7.noarch
tfm-rubygem-foreman_remote_execution-3.3.2-1.fm2_1.el7.noarch
tfm-rubygem-foreman_remote_execution_core-1.3.0-1.el7.noarch
tfm-rubygem-foreman-tasks-2.0.1-1.fm2_1.el7.noarch
tfm-rubygem-foreman-tasks-core-0.3.4-1.fm2_1.el7.noarch
tfm-rubygem-hammer_cli_foreman-2.1.1-1.el7.noarch
rpm -qa | grep scap | sort
openscap-1.2.17-9.el7.x86_64
openscap-scanner-1.2.17-9.el7.x86_64
perl-Pod-Escapes-1.04-295.el7.noarch
puppet-foreman_scap_client-0.4.0-1.el7.noarch
rubygem-foreman_scap_client-0.4.6-2.el7.noarch
scap-security-guide-0.1.46-11.el7.centos.noarch
tfm-rubygem-foreman_openscap-3.0.0-1.fm2_1.el7.noarch
tfm-rubygem-openscap-0.4.9-3.el7.noarch
tfm-rubygem-smart_proxy_openscap-0.7.2-6.fm2_1.el7.noarch
Distribution and version:
CentOS 7.8.2003
Other relevant data:
foreman_scap_client classes overrides applied as follows:
fetch remote resources = true
port = 8443
server = <myforemanserver.fqdn>
Generated /etc/foreman_scap_client/config.yml on example client.
# DO NOT EDIT THIS FILE MANUALLY
# IT IS MANAGED BY PUPPET

# Foreman proxy to which reports should be uploaded
:server: 'myforemanserver.fqdn'
:port: 8443

# Timeout for sending reports to proxy
:timeout: 60

# Should --fetch-remote-resources be added to oscap xccdf eval command
:fetch_remote_resources: true

# HTTP proxy server for downloading remote resources
:http_proxy_server:
:http_proxy_port:

# SSL specific options
# Client CA file.
# It could be Puppet CA certificate (e.g., '/var/lib/puppet/ssl/certs/ca.pem')
# Or (recommended for client reporting to Katello) subscription manager CA file, (e.g., '/etc/rhsm/ca/katello-server-ca.pem')
:ca_file: '/etc/puppetlabs/puppet/ssl/certs/ca.pem'
# Client host certificate.
# It could be Puppet agent host certificate (e.g., '/var/lib/puppet/ssl/certs/myhost.example.com.pem')
# Or (recommended for client reporting to Katello) consumer certificate (e.g., '/etc/pki/consumer/cert.pem')
:host_certificate: '/etc/puppetlabs/puppet/ssl/certs/.pem'
# Client private key
# It could be Puppet agent private key (e.g., '/var/lib/puppet/ssl/private_keys/myhost.example.com.pem')
# Or (recommended for client reporting to Katello) consumer private key (e.g., '/etc/pki/consumer/key.pem')
:host_private_key: '/etc/puppetlabs/puppet/ssl/private_keys/.pem'

# policy (key is id as in Foreman)
1:
  :profile: 'xccdf_org.ssgproject.content_profile_standard'
  :content_path: '/var/lib/openscap/content/3e1654fd14a5352d65294db555710bfda5cad1a942209e2d787ea7940035616e.xml'
  # Download path
  # A path to download SCAP content from proxy
  :download_path: '/compliance/policies/1/content/3e1654fd14a5352d65294db555710bfda5cad1a942209e2d787ea7940035616e'
  :tailoring_path: ''
  :tailoring_download_path: ''
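
One way to sanity-check the TLS settings in a generated /etc/foreman_scap_client/config.yml like the one above, as an added example that is not part of the original post or of foreman_scap_client: it confirms the three certificate paths are readable, that the host certificate matches the private key, and that the certificate verifies against `:ca_file`. The function name `check_scap_client_tls` and the sample hostname and paths are made up for illustration, and the check covers only the client-to-proxy side, not the proxy-to-Foreman upload.

```ruby
require 'yaml'
require 'openssl'

TLS_KEYS = %i[ca_file host_certificate host_private_key].freeze

# Returns a list of problems found in a foreman_scap_client-style config text;
# an empty list means every check passed. (Hypothetical helper, not project code.)
def check_scap_client_tls(config_text, now: Time.now)
  cfg = YAML.safe_load(config_text, permitted_classes: [Symbol])
  cfg = {} unless cfg.is_a?(Hash)
  problems = []
  problems << ':server is not set' if cfg[:server].to_s.empty?
  problems << ':port is not an integer' unless cfg[:port].is_a?(Integer)

  usable = ->(p) { File.file?(p) && File.readable?(p) }
  paths = TLS_KEYS.to_h { |k| [k, cfg[k].to_s] }
  paths.each do |key, path|
    next if usable.call(path)
    problems << (path.empty? ? ":#{key} is not set" : ":#{key} not readable: #{path}")
  end
  return problems unless paths.values.all?(&usable)

  cert = OpenSSL::X509::Certificate.new(File.read(paths[:host_certificate]))
  key  = OpenSSL::PKey.read(File.read(paths[:host_private_key]))
  problems << 'host certificate does not match host private key' unless cert.check_private_key(key)

  store = OpenSSL::X509::Store.new
  store.add_file(paths[:ca_file]) # accepts a PEM bundle as well as a single CA cert
  store.time = now                # verification time, so expiry can be tested
  unless store.verify(cert)
    problems << "host certificate fails verification against ca_file: #{store.error_string}"
  end
  problems
rescue OpenSSL::OpenSSLError, Psych::Exception => e
  (problems || []) << "could not parse input: #{e.class}: #{e.message}"
end

if __FILE__ == $PROGRAM_NAME
  # Constructed sample: the paths are placeholders, so they are reported as unreadable.
  sample = <<~YAML
    :server: 'proxy.example.test'
    :port: 8443
    :ca_file: '/nonexistent/ca.pem'
    :host_certificate: '/nonexistent/host.pem'
    :host_private_key: '/nonexistent/host.key'
  YAML
  puts check_scap_client_tls(sample)
end
```

On a real client, pass it `File.read('/etc/foreman_scap_client/config.yml')` and run it as a user that can read the private key.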