I have a Foreman server hosting a CA with an SSL certificate “srv-msc-foreman.msc.so”.
I also have a Foreman Proxy with Ansible installed. The proxy has an SSL certificate “srv-preprod-ansible-01.msc.so” which has been generated with the same CA as the Foreman server.
When I try to execute an Ansible job on the proxy, I get the following error in proxy.log:
E, [2018-09-07T09:59:46.189184 #6009] ERROR -- : SSL certificate with unexpected serial supplied
[2018-09-07 09:59:46.194 #6009] INFO -- 10.254.251.8 - - [07/Sep/2018:09:59:46 +0200] "GET /dynflow/tasks/count?state=running HTTP/1.1" 403 59 0.0053
After some checking, it seems that Foreman is connecting to the proxy and trying to authenticate with its own certificate (srv-msc-foreman.msc.so) whereas the proxy is expecting its own certificate (srv-preprod-ansible-01.msc.so), which seems weird to me.
In the following file /usr/lib/ruby/vendor_ruby/smart_proxy_dynflow_core/core.rb I can see this comment:
@world = create_world
cert_file = Settings.instance.foreman_ssl_cert || Settings.instance.ssl_certificate
client_cert = File.read(cert_file)
# we trust only requests using the same certificate as we are
# (in other words the local proxy only)
@accepted_cert_serial = OpenSSL::X509::Certificate.new(client_cert).serial
So it means that only the proxy is able to connect to itself? Maybe there is something wrong in my configuration?
Please help on this…
There is a “hidden” service called smart_proxy_dynflow_core which could be considered a smart-proxy's sidekick. We want to enforce that both smart-proxy and its companion smart_proxy_dynflow_core run on the same machine and do that by requiring the same certificate to be used.
When you run a job, smart-proxy which in turn asks Foreman's cert (srv-msc-foreman.msc.so) is used, when smart-proxy talks to smart_proxy_dynflow_core the proxy’s cert is used. The error tells you smart_proxy_dynflow_core are using different certs.
My bet would be on misconfiguration of smart_proxy_dynflow_core. Take a look at ssl related settings in
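The serial check described above, as an added example that is not part of the original thread or of Foreman's code: it builds a throwaway CA and two certificates (constructed, reusing the thread's hostnames) and shows that a certificate signed by the same CA is still rejected when its serial differs from the pinned one. The helper names `issue`, `accepted?` and `demo` are hypothetical.

```ruby
require 'openssl'

# Constructed sample PKI: one CA issuing two certificates. Keys and serials are
# generated here for illustration and are not taken from any real host.
def issue(cn, serial, ca_cert = nil, ca_key = nil)
  key  = OpenSSL::PKey::RSA.new(2048)
  cert = OpenSSL::X509::Certificate.new
  cert.version    = 2
  cert.serial     = serial
  cert.subject    = OpenSSL::X509::Name.parse("/CN=#{cn}")
  cert.issuer     = ca_cert ? ca_cert.subject : cert.subject
  cert.public_key = key.public_key
  cert.not_before = Time.now - 60
  cert.not_after  = Time.now + 3600
  cert.sign(ca_key || key, OpenSSL::Digest.new('SHA256'))
  [cert, key]
end

# Hypothetical helper modelling the check quoted from core.rb: the service pins
# the serial of its own configured certificate and rejects any other client
# certificate, even one issued by the same CA.
def accepted?(client_cert_pem, accepted_serial)
  OpenSSL::X509::Certificate.new(client_cert_pem).serial == accepted_serial
end

def demo
  ca, ca_key = issue('Constructed CA', 1)
  foreman, = issue('srv-msc-foreman.msc.so', 2, ca, ca_key)
  proxy,   = issue('srv-preprod-ansible-01.msc.so', 3, ca, ca_key)
  # Same derivation as @accepted_cert_serial in the quoted snippet.
  pinned = OpenSSL::X509::Certificate.new(proxy.to_pem).serial
  {
    both_chain_to_ca: [foreman, proxy].all? { |c| c.verify(ca_key) },
    proxy_cert:       accepted?(proxy.to_pem, pinned),
    foreman_cert:     accepted?(foreman.to_pem, pinned)
  }
end

p demo if $PROGRAM_NAME == __FILE__
```

Both certificates verify against the CA, so the 403 in the log comes from the serial comparison and not from chain validation.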
I don’t have any “/etc/smart_proxy_dynflow_core” directory.
Is there something I forgot to install? I installed the proxy with foreman-installer.
Ah, I missed you’re running on Debian, the situation there is a bit different. What I wrote in the previous response applies to EL-derivatives only. Actually on Debian this could be a bit easier to solve.
Could you post the output of grep ssl /etc/foreman-proxy/settings.yml? It would help if we could see how things are configured on your end.
Here is the result of the requested command:
#:ssl_disabled_ciphers: [CIPHER-SUITE-1, CIPHER-SUITE-2]
# ssl_certificate, ssl_ca_file, and ssl_private_key correspondingly