Hi all,
All hosts have Out of sync at once since 2 days ago!
Expected outcome:
Foreman and Proxy versions:
3.0.1
Distribution and version:
Ubuntu 20.04
What can I do here or check ?
Thanks in advance
Neeloj
Contact your Foreman administrator! 
The internet.
1 Like
thanks for your answer @lzap
I think below topic make the issue:
and when I type:
# hammer host list --search âlast_report < â35 minutes agoâ and status.enabled = trueâ
SSL certificate verification failed
Make sure you configured the correct URL and have the serverâs CA certificate installed on your system.
The following configuration option were used for the SSL connection:
ssl_ca_file = /etc/letsencrypt/live/foreman.local/chain.pem
Make sure the location contains an unexpired and valid CA certificate for https://foreman.local.
What you describe is a different problem, create one thread per problem.
The out of sync can be fixed either by letting your hosts to report, or configuring the out of sync interval in settings, see our docs.
they are related to eachother, when I disable the SSL the reports works again!
I check the docs and the old topics here too which habe out of sync but it doesnt help!
Administer â settings â General & Puppet Tabs I change the interval for both it doesnt help!
You asked for out of sync, I suggest you to create a new topic describing exactly what you did (disable SSL whatâs that?)
Thats right because I get :
And for me when I activate Letsencrypt Reports doent work!
anyway thanks for your answer.
I would check /var/log/puppetlabs/puppetserver and whatâs in the logs there
I ran into:
You can verify this by using openssl s_client -connect $HOSTNAME:$PORT. It should some something like:
Certificate chain
0 s:/CN=$HOSTNAME
i:/C=US/O=Let's Encrypt/CN=R3
1 s:/C=US/O=Let's Encrypt/CN=R3
i:/C=US/O=Internet Security Research Group/CN=ISRG Root X1
If you see another part at the end of the chain thatâs X3, you run into the problem. I tried certbot renew --force-renewal --preferred-chain "ISRG Root X1" but that didnât work. For me the solution was to remove the last certificate from /etc/letsencrypt/live/$DOMAIN/chain.pem. I may run into a problem again when itâs renewed in a few months.
1 Like
thansk for your answer @ekohl
You are right, I found this Error in the Log file:
2021-10-07T13:20:45.207+02:00 INFO [qtp1660961896-34] [puppetserver] Puppet Computing checksum on string
2021-10-07T13:20:45.281+02:00 INFO [qtp1660961896-2291] [puppetserver] Puppet Compiled catalog for svm-visusmain01.ad.kklbo.de in environment production in 0.12 seconds
2021-10-07T13:20:46.190+02:00 ERROR [qtp1660961896-34] [puppetserver] Puppet Report processor failed: Could not send report to Foreman at https://foreman.local/api/config_reports: certificate verify failed
["uri:classloader:/META-INF/jruby.home/lib/ruby/stdlib/net/http.rb:1002:in `connect'", "uri:classloader:/META-INF/jruby.home/lib/ruby/stdlib/net/http.rb:924:in `do_start'", "uri:classloader:/META-INF/jruby.home/lib/ruby/stdlib/net/http.rb:913:in `start'", "uri:classloader:/META-INF/jruby.home/lib/ruby/stdlib/net/htt
p.rb:1465:in `request'", "/opt/puppetlabs/puppet/lib/ruby/vendor_ruby/puppet/reports/foreman.rb:69:in `process'", "/opt/puppetlabs/puppet/lib/ruby/vendor_ruby/puppet/indirector/report/processor.rb:37:in `block in process'", "/opt/puppetlabs/puppet/lib/ruby/vendor_ruby/puppet/indirector/report/processor.rb:54:in `blo
ck in processors'", "org/jruby/RubyArray.java:1809:in `each'", "/opt/puppetlabs/puppet/lib/ruby/vendor_ruby/puppet/indirector/report/processor.rb:51:in `processors'", "/opt/puppetlabs/puppet/lib/ruby/vendor_ruby/puppet/indirector/report/processor.rb:30:in `process'", "/opt/puppetlabs/puppet/lib/ruby/vendor_ruby/pupp
et/indirector/report/processor.rb:14:in `save'", "/opt/puppetlabs/puppet/lib/ruby/vendor_ruby/puppet/indirector/indirection.rb:316:in `save'", "/opt/puppetlabs/puppet/lib/ruby/vendor_ruby/puppet/network/http/api/indirected_routes.rb:199:in `do_save'", "/opt/puppetlabs/puppet/lib/ruby/vendor_ruby/puppet/network/http/
api/indirected_routes.rb:54:in `block in call'", "/opt/puppetlabs/puppet/lib/ruby/vendor_ruby/puppet/context.rb:62:in `override'", "/opt/puppetlabs/puppet/lib/ruby/vendor_ruby/puppet.rb:314:in `override'", "/opt/puppetlabs/puppet/lib/ruby/vendor_ruby/puppet/network/http/api/indirected_routes.rb:53:in `call'", "/opt/
puppetlabs/puppet/lib/ruby/vendor_ruby/puppet/network/http/route.rb:82:in `block in process'", "org/jruby/RubyArray.java:1809:in `each'", "/opt/puppetlabs/puppet/lib/ruby/vendor_ruby/puppet/network/http/route.rb:81:in `process'", "/opt/puppetlabs/puppet/lib/ruby/vendor_ruby/puppet/network/http/route.rb:88:in `proces
s'", "/opt/puppetlabs/puppet/lib/ruby/vendor_ruby/puppet/network/http/route.rb:88:in `process'", "/opt/puppetlabs/puppet/lib/ruby/vendor_ruby/puppet/network/http/handler.rb:87:in `block in process'", "/opt/puppetlabs/puppet/lib/ruby/vendor_ruby/puppet/network/http/handler.rb:70:in `block in with_request_profiling'",
"/opt/puppetlabs/puppet/lib/ruby/vendor_ruby/puppet/util/profiler/around_profiler.rb:58:in `profile'", "/opt/puppetlabs/puppet/lib/ruby/vendor_ruby/puppet/util/profiler.rb:51:in `profile'", "/opt/puppetlabs/puppet/lib/ruby/vendor_ruby/puppet/network/http/handler.rb:66:in `with_request_profiling'", "/opt/puppetlabs/
puppet/lib/ruby/vendor_ruby/puppet/network/http/handler.rb:86:in `block in process'", "/opt/puppetlabs/puppet/lib/ruby/vendor_ruby/puppet/network/http/handler.rb:93:in `respond_to_errors'", "/opt/puppetlabs/puppet/lib/ruby/vendor_ruby/puppet/network/http/handler.rb:85:in `process'", "uri:classloader:/puppetserver-li
b/puppet/server/master.rb:65:in `block in handleRequest'", "/opt/puppetlabs/puppet/lib/ruby/vendor_ruby/puppet/context.rb:62:in `override'", "/opt/puppetlabs/puppet/lib/ruby/vendor_ruby/puppet.rb:314:in `override'", "uri:classloader:/puppetserver-lib/puppet/server/master.rb:64:in `handleRequest'"]
/opt/puppetlabs/puppet/lib/ruby/vendor_ruby/puppet/reports/foreman.rb:75:in `process'
/opt/puppetlabs/puppet/lib/ruby/vendor_ruby/puppet/indirector/report/processor.rb:37:in `block in process'
/opt/puppetlabs/puppet/lib/ruby/vendor_ruby/puppet/indirector/report/processor.rb:54:in `block in processors'
org/jruby/RubyArray.java:1809:in `each'
/opt/puppetlabs/puppet/lib/ruby/vendor_ruby/puppet/indirector/report/processor.rb:51:in `processors'
---
Certificate chain
0 s:CN = foreman.local
i:CN = Puppet CA: foreman.local
1 s:CN = Puppet CA: foreman.local
i:CN = Puppet CA: foreman.local
I dont have that at the end, but why I see the error!!!
@ekohl You mean I should modify the chain.pem and remove last certificate right ?
Yes. However, it appears to be serving the Puppet CA certificate, not the Letâs Encrypt certificate. Was the configuration somehow reverted?
1 Like
Ok I have there two Iâll remove the last one.
No an and thats why Im confused why this happens!
As you can see above I dont have X3 or so!
Iâll test your suggestion and then Ill try with renew too! and give my feedback here
This work for me too. But Ill try with renew too
I had the same problem posted here: Puppet reports suddenly stopped at same time for all hosts - #6 by damonmaria
In the end I added --preferred-chain="ISRG Root X1" to my letsencrypt certbot renew command.
1 Like
thanks for your answer @damonmaria, I read your post too.
So all I have to do is to install python3-certbot-apache and run sudo certbot renew --force-renewal --preferred-chain="ISRG Root X1" right?
Unfortunately python3-certbot (at least on Ubuntu 18.04 which I was on) is several versions behind and does not support that parameter. I had to install the the snap version of certbot. But then yes, that parameter will do it. Obviously update whichever âcronâ or similar process you use to renew as well.
1 Like
very usefull informations I have also 18.04 so if that parameter doesnt support I have to install/upgrade it.
thank you so much @damonmaria