OpenSCAP Upload failed: 500

Hi

Please can someone assist.

[root@foreman foreman]# /usr/bin/foreman_scap_client 1
DEBUG: running: oscap xccdf eval --profile
xccdf_org.ssgproject.content_profile_standard --results-arf
/tmp/d20170712-3398-r7bvwl/results.xml
/var/lib/openscap/content/3e1654fd14a5352d65294db555710bfda5cad1a942209e2d787ea7940035616e.xml
WARNING: Skipping
http://www.redhat.com/security/data/oval/Red_Hat_Enterprise_Linux_7.xml
file which is referenced from XCCDF content
DEBUG: running: /usr/bin/bzip2 /tmp/d20170712-3398-r7bvwl/results.xml
Uploading results to https://foreman.qualica.com:9090/compliance/arf/1

Upload failed: 500 "Internal Server Error "

[root@foreman foreman]# rpm -qa | grep scap
openscap-scanner-1.2.10-3.el7_3.x86_64
tfm-rubygem-foreman_openscap-0.7.4-1.fm1_15.el7.noarch
rubygem-foreman_scap_client-0.3.0-1.el7.noarch
perl-Pod-Escapes-1.04-291.el7.noarch
rubygem-smart_proxy_openscap-0.6.4-1.el7.noarch
rubygem-openscap-0.4.7-1.el7.noarch
openscap-1.2.10-3.el7_3.x86_64
scap-security-guide-0.1.30-5.el7.centos.noarch

[root@foreman foreman]# cat /etc/foreman_scap_client/config.yaml
# DO NOT EDIT THIS FILE MANUALLY
# IT IS MANAGED BY PUPPET

# Foreman proxy to which reports should be uploaded
:server: 'foreman.qualica.com'
:port: 9090

## SSL specific options ##
# Client CA file.
# It could be Puppet CA certificate (e.g., '/var/lib/puppet/ssl/certs/ca.pem')
# Or (recommended for client reporting to Katello) subscription manager CA file, (e.g., '/etc/rhsm/ca/katello-server-ca.pem')
:ca_file: '/etc/foreman/proxy_ca.pem'
# Client host certificate.
# It could be Puppet agent host certificate (e.g., '/var/lib/puppet/ssl/certs/myhost.example.com.pem')
# Or (recommended for client reporting to Katello) consumer certificate (e.g., '/etc/pki/consumer/cert.pem')
:host_certificate: '/etc/foreman/client_cert.pem'
# Client private key
# It could be Puppet agent private key (e.g., '/var/lib/puppet/ssl/private_keys/myhost.example.com.pem')
# Or (recommended for client reporting to Katello) consumer private key (e.g., '/etc/pki/consumer/key.pem')
:host_private_key: '/etc/foreman/client_key.pem'

# policy (key is id as in Foreman)

1:
  :profile: 'xccdf_org.ssgproject.content_profile_standard'
  :content_path: '/var/lib/openscap/content/3e1654fd14a5352d65294db555710bfda5cad1a942209e2d787ea7940035616e.xml'
  # Download path
  # A path to download SCAP content from proxy
  :download_path: '/compliance/policies/1/content/3e1654fd14a5352d65294db555710bfda5cad1a942209e2d787ea7940035616e'
  :tailoring_path: ''
  :tailoring_download_path: ''

Kind Regards
Phillip Smith

More output information.

https://pastebin.com/eJrCD6tB

On Wednesday, 12 July 2017 11:32:14 UTC+2, Phillip Smith wrote:
> Hi
>
> Please can someone assist.

I know it's not much, but here is some more information about the problem:

  1. The error from pastebin is OpenSSL::SSL::SSLError at /compliance/arf/1
  2. It comes from
    /usr/share/gems/gems/smart_proxy_openscap-0.6.4/lib/smart_proxy_openscap/foreman_forwarder.rb
    send_request method

It looks like a misconfiguration of foreman and proxy certificates,
although I don't know the exact reason for this.

On Thursday, July 13, 2017 at 11:23:08 AM UTC+3, Phillip Smith wrote:
> More output information.
>
> https://pastebin.com/eJrCD6tB

Thanks for clearing that up, it was a cert mismatch issue, it is
working now :)

On Thursday, 13 July 2017 14:19:30 UTC+2, ssh...@redhat.com wrote:
> It looks like a misconfiguration of foreman and proxy certificates,
> although I don't know the exact reason for this.
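
The thread ends on a certificate mismatch, so here is one way to check a CA / certificate / private key triple for consistency before a handshake fails with OpenSSL::SSL::SSLError. This is an added example, not code from the thread or from smart_proxy_openscap. The names cert_problems, make_cert and demo are hypothetical, and the keys and certificates are constructed throwaway data standing in for the PEM files a config such as the one above points to.

```ruby
require 'openssl'

# Check one CA / certificate / private-key triple, i.e. the contents of the
# files named by :ca_file, :host_certificate and :host_private_key.
# Returns a list of problems; an empty list means the triple is consistent.
def cert_problems(ca_pem, cert_pem, key_pem)
  cert = OpenSSL::X509::Certificate.new(cert_pem)
  key  = OpenSSL::PKey.read(key_pem)
  problems = []
  problems << 'private key does not match certificate' unless cert.check_private_key(key)
  store = OpenSSL::X509::Store.new
  store.add_cert(OpenSSL::X509::Certificate.new(ca_pem))
  # verify covers both the signature chain and the validity dates
  problems << "chain: #{store.error_string}" unless store.verify(cert)
  problems
end

# --- constructed sample data below: throwaway keys and certificates ---
def new_key
  OpenSSL::PKey::RSA.new(2048)
end

# Self-signed CA when no issuer is given, otherwise a leaf signed by issuer_key.
def make_cert(cn, key, issuer = nil, issuer_key = key)
  cert = OpenSSL::X509::Certificate.new
  cert.version = 2
  cert.serial = rand(1..2**32)
  cert.subject = OpenSSL::X509::Name.parse("/CN=#{cn}")
  cert.issuer = issuer ? issuer.subject : cert.subject
  cert.public_key = key.public_key
  cert.not_before = Time.now - 60
  cert.not_after = Time.now + 3600
  ef = OpenSSL::X509::ExtensionFactory.new(issuer || cert, cert)
  cert.add_extension(ef.create_extension('basicConstraints', issuer ? 'CA:FALSE' : 'CA:TRUE', true))
  cert.sign(issuer_key, OpenSSL::Digest.new('SHA256'))
end

def demo
  ca_key, host_key, other_key = new_key, new_key, new_key
  ca       = make_cert('constructed-ca', ca_key)
  other_ca = make_cert('unrelated-ca', other_key)
  host     = make_cert('host.example.test', host_key, ca, ca_key)
  { ok:        cert_problems(ca.to_pem, host.to_pem, host_key.to_pem),
    wrong_key: cert_problems(ca.to_pem, host.to_pem, other_key.to_pem),
    wrong_ca:  cert_problems(other_ca.to_pem, host.to_pem, host_key.to_pem) }
end

demo.each { |name, p| puts "#{name}: #{p.empty? ? 'consistent' : p.join('; ')}" } if __FILE__ == $PROGRAM_NAME
```

Against real files, pass `File.read` of each path to cert_problems. Because the error in this thread was raised while the proxy forwarded the report to Foreman, the triple to check is the one the proxy presents to Foreman as well as the client's own.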