Problem:
I'm setting up a smart proxy with a default SSL certificate using the following documentation: Configuring Smart Proxy server with a default SSL certificate.
After setting up the server and registering it to Foreman, I go to the Foreman server, generate the cert bundle and then scp this to the new smart proxy:
foreman-proxy-certs-generate --foreman-proxy-fqdn smart-proxy-01 \
--certs-tar /root/smart-proxy_cert/smartproxy.example.com-certs.tar
Then I run foreman-installer on the proxy:
foreman-installer --scenario foreman-proxy-content \
--certs-tar-file "/root/smartproxy.example.com-certs.tar" \
--foreman-proxy-register-in-foreman "true" \
--foreman-proxy-foreman-base-url "https://foreman-01" \
--foreman-proxy-trusted-hosts "foreman-01" \
--foreman-proxy-trusted-hosts "smart-proxy-01" \
--foreman-proxy-oauth-consumer-key "asdf" \
--foreman-proxy-oauth-consumer-secret "1234"
This results in the error:
Error 1: Puppet Foreman_smartproxy resource 'smart-proxy-01' failed. Logs:
/Stage[main]/Foreman_proxy::Register/Foreman_smartproxy[smart-proxy-01]
Adding autorequire relationship with Anchor[foreman::providers::oauth]
Starting to evaluate the resource (1064 of 1077)
Evaluated in 0.24 seconds
Foreman_smartproxy[smart-proxy-01](provider=rest_v3)
Making get request to https://foreman-01/api/v2/smart_proxies?search=name%3D%22smart-proxy-01%22
Received response 200 from request to https://foreman-01/api/v2/smart_proxies?search=name%3D%22smart-proxy-01%22
Making post request to https://foreman-01/api/v2/smart_proxies
Received response 422 from request to https://foreman-01/api/v2/smart_proxies
/Stage[main]/Foreman_proxy::Register/Foreman_smartproxy[smart-proxy-01]/ensure
change from 'absent' to 'present' failed: Error making POST request to Foreman at https://foreman-01/api/v2/smart_proxies: Unable to communicate with the proxy: ERF12-2530 [ProxyAPI::ProxyException]: Unable to detect features ([RestClient::SSLCertificateNotVerified]: SSL_connect returned=1 errno=0 state=error: certificate verify failed (self-signed certificate in certificate chain)) for proxy https://smart-proxy-01:9090/v2/features Please check the proxy is configured and running on the host.
1 error was detected during installation.
Please address the errors and re-run the installer to ensure the system is properly configured.
Failing to do so is likely to result in broken functionality.
My Foreman (with Katello) is set up to use a custom SSL certificate. I found the install command in my notes:
foreman-installer --scenario katello --certs-server-cert "/root/certs/wildcard.abcd.net.crt" --certs-server-key "/root/certs/wildcard.abcd.net.key" --certs-server-ca-cert "/root/certs/ca.crt" --certs-update-server --certs-update-server-ca
I'm taking a guess at what's wrong:
Since I'm using a custom certificate for Katello, it is trying to use the CA for this to validate the cert on the smart proxy when it tries to connect back to Foreman?
I can see that /etc/foreman/proxy_ca.pem contains the DigiCert CA chain and not something self-signed.
I'm a bit confused as to what is used where now, so I figured I'd ask here how to resolve this and get the smart proxy running without manually trying to fix this and potentially messing something up.
Expected outcome:
That the proxy and the communication between proxy and Foreman would use a self-signed certificate (i.e. a non-custom certificate) and Foreman should use the correct CA to verify this.
Foreman and Proxy versions:
3.13.1-1.el9
Foreman and Proxy plugin versions:
# foreman-rake plugin:list
Collecting plugin information
Foreman plugin: foreman-tasks, 10.0.1, Ivan Nečas, The goal of this plugin is to unify the way of showing task statuses across the Foreman instance.
It defines Task model for keeping the information about the tasks and Lock for assigning the tasks
to resources. The locking allows dealing with preventing multiple colliding tasks to be run on the
same resource. It also optionally provides Dynflow infrastructure for using it for managing the tasks.
Foreman plugin: foreman_ansible, 15.0.1, Daniel Lobato Garcia, Ansible integration with Foreman
Foreman plugin: foreman_openscap, 10.0.1, slukasik@redhat.com, Foreman plug-in for managing security compliance reports
Foreman plugin: foreman_puppet, 8.0.0, Ondřej Ezr and Shira Maximov, Allow assigning Puppet environments and classes to the Foreman Hosts.
Foreman plugin: foreman_remote_execution, 14.0.2, Foreman Remote Execution team, A plugin bringing remote execution to the Foreman, completing the config management functionality with remote management functionality.
Foreman plugin: katello, 4.15.1, N/A, Katello adds Content and Subscription Management to Foreman. For this it relies on Candlepin and Pulp.
Distribution and version:
RHEL 9.6
Other relevant data:
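Added example, not from the original post or from the Foreman project: the verification failure in the installer log reproduced offline with throwaway certificates, using only the openssl CLI (assumed to be installed). The names proxy-ca, custom-ca and smart-proxy-01 are constructed stand-ins for the CA that foreman-proxy-certs-generate creates, the custom DigiCert CA in /etc/foreman/proxy_ca.pem, and the proxy certificate served on port 9090.

```shell
#!/bin/sh
# Constructed reproduction of "certificate verify failed (self-signed
# certificate in certificate chain)": a client that trusts one CA is shown a
# chain rooted in a different, self-signed CA. No network access is needed.
WORK=$(mktemp -d)

# make_ca NAME: self-signed CA in $WORK/NAME.crt (key in $WORK/NAME.key)
make_ca() {
  openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 1 -subj "/CN=$1" \
    -keyout "$WORK/$1.key" -out "$WORK/$1.crt" 2>/dev/null
}

# make_leaf CA CN: server certificate for CN signed by CA, in $WORK/CN.crt
make_leaf() {
  openssl req -new -newkey rsa:2048 -nodes -subj "/CN=$2" \
    -keyout "$WORK/$2.key" -out "$WORK/$2.csr" 2>/dev/null
  openssl x509 -req -in "$WORK/$2.csr" -CA "$WORK/$1.crt" -CAkey "$WORK/$1.key" \
    -CAcreateserial -days 1 -sha256 -out "$WORK/$2.crt" 2>/dev/null
}

# verify_chain CAFILE LEAF [CHAIN]: what a client trusting only CAFILE concludes
# about LEAF presented together with CHAIN. Prints "OK" or "error N", where N
# is OpenSSL's X509_V_ERR code: 19 = self-signed certificate in certificate
# chain (the error in the post), 20 = unable to get local issuer certificate.
verify_chain() {
  if [ -n "$3" ]; then
    out=$(openssl verify -CAfile "$1" -untrusted "$3" "$2" 2>&1)
  else
    out=$(openssl verify -CAfile "$1" "$2" 2>&1)
  fi && { echo OK; return 0; }
  echo "$out" | sed -n 's/^error \([0-9]*\) at [0-9]* depth lookup: .*/error \1/p' | head -n 1
}

make_ca proxy-ca                 # stand-in for the installer-generated proxy CA
make_ca custom-ca                # stand-in for the custom CA Foreman trusts
make_leaf proxy-ca smart-proxy-01
# The proxy serves its own cert plus the proxy CA, as Foreman would see on :9090
cat "$WORK/smart-proxy-01.crt" "$WORK/proxy-ca.crt" > "$WORK/proxy-chain.pem"

echo "trusting proxy-ca:  $(verify_chain "$WORK/proxy-ca.crt" "$WORK/smart-proxy-01.crt" "$WORK/proxy-chain.pem")"
echo "trusting custom-ca: $(verify_chain "$WORK/custom-ca.crt" "$WORK/smart-proxy-01.crt" "$WORK/proxy-chain.pem")"
```

Against the real hosts the same comparison is `openssl s_client -connect smart-proxy-01:9090 -CAfile /etc/foreman/proxy_ca.pem`, whose "Verify return code" line reports the same error number.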