Problem with Ansible job execution

I have a Foreman server hosting a CA with an SSL certificate “srv-msc-foreman.msc.so”.
I also have a Foreman Proxy with Ansible installed. The proxy has an SSL certificate “srv-preprod-ansible-01.msc.so” which has been generated with the same CA as the Foreman server.

When I try to execute an Ansible job on the proxy, I get the following error in proxy.log:

E, [2018-09-07T09:59:46.189184 #6009] ERROR -- : SSL certificate with unexpected serial supplied
[2018-09-07 09:59:46.194 #6009]  INFO -- 10.254.251.8 - - [07/Sep/2018:09:59:46 +0200] "GET /dynflow/tasks/count?state=running HTTP/1.1" 403 59 0.0053

After some checking, it seems that Foreman is connecting to the proxy and trying to authenticate with its own certificate (srv-msc-foreman.msc.so), whereas the proxy is expecting its own certificate (srv-preprod-ansible-01.msc.so), which seems weird to me.

In the file /usr/lib/ruby/vendor_ruby/smart_proxy_dynflow_core/core.rb I can see this comment:

def initialize
  @world = create_world
  cert_file = Settings.instance.foreman_ssl_cert || Settings.instance.ssl_certificate
  if cert_file
    client_cert = File.read(cert_file)
    # we trust only requests using the same certificate as we are
    # (in other words the local proxy only)
    @accepted_cert_serial = OpenSSL::X509::Certificate.new(client_cert).serial
  end
end

So does it mean that only the proxy is able to connect to itself? Maybe there is something wrong in my configuration?

Please help on this…

Regards,

Thomas

Hi,
there is a “hidden” service called smart_proxy_dynflow_core which could be considered smart-proxy's sidekick. We want to enforce that both smart-proxy and its companion smart_proxy_dynflow_core run on the same machine, and we do that by requiring the same certificate to be used.

When you run a job, Foreman asks smart-proxy, which in turn asks smart_proxy_dynflow_core. When Foreman asks smart-proxy, Foreman's cert (srv-msc-foreman.msc.so) is used; when smart-proxy talks to smart_proxy_dynflow_core, the proxy’s cert is used. The error tells you smart-proxy and smart_proxy_dynflow_core are using different certs.

My bet would be on a misconfiguration of smart-proxy or smart_proxy_dynflow_core. Take a look at the SSL-related settings in /etc/foreman-proxy/settings.yml and /etc/smart_proxy_dynflow_core/settings.yml.

Hello,

I don’t have any “/etc/smart_proxy_dynflow_core” directory.
Is there something I forgot to install? I installed the proxy with foreman-installer.

Regards,

Thomas Castelle
Head of the Technical Department, Managed Services
Operations Department

T: +33 4 26 20 76 23 ― M: +33 6 27 27 28 57
Switchboard: +33 8 20 56 39 27 ― Fax: +33 4 72 43 00 67

Exaprobe
Lyon office: 13 B avenue Albert Einstein - CS90217 - 69623 Villeurbanne Cedex
email: tcastelle@exaprobe.com
web: www.exaprobe.com / www.econocom.com


Ah, I missed that you’re running on Debian; the situation there is a bit different. What I wrote in the previous response applies to EL derivatives only. Actually, on Debian this could be a bit easier to solve.

Could you post the output of grep ssl /etc/foreman-proxy/settings.yml? It would help if we could see how things are configured on your end.

Hello,

Here is the result of the requested command:

:ssl_ca_file: /etc/puppetlabs/puppet/ssl/certs/ca.pem
:ssl_certificate: /etc/puppetlabs/puppet/ssl/certs/srv-preprod-ansible-01.msc.so.pem
:ssl_private_key: /etc/puppetlabs/puppet/ssl/private_keys/srv-preprod-ansible-01.msc.so.pem
# https://www.openssl.org/docs/manmaster/man1/ciphers.html#CIPHER-SUITE-NAMES
#:ssl_disabled_ciphers: [CIPHER-SUITE-1, CIPHER-SUITE-2]
:foreman_ssl_ca: /etc/puppetlabs/puppet/ssl/certs/ca.pem
:foreman_ssl_cert: /etc/puppetlabs/puppet/ssl/certs/srv-preprod-ansible-01.msc.so.pem
:foreman_ssl_key: /etc/puppetlabs/puppet/ssl/private_keys/srv-preprod-ansible-01.msc.so.pem
# ssl_certificate, ssl_ca_file, and ssl_private_key correspondingly

Regards,

Thomas
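The following Ruby script is an added example written for this thread; it is not code from the Foreman project or from any poster. It reproduces the rule quoted from core.rb (accepted serial = `foreman_ssl_cert`, falling back to `ssl_certificate`), applies it to the certificate presented on a request, and prints a subject/serial/fingerprint report for every certificate a settings.yml points at, so that the files used by smart-proxy and by smart_proxy_dynflow_core can be compared by serial rather than by path. The CA and the two leaf certificates are generated on the fly and written to a temporary directory together with a settings.yml laid out like the one above; the `issue_cert`, `accepted_cert_serial`, `authorize`, `cert_report` and `demo` names are this example's own. Run it with `ruby check_serial.rb`; the `sha256` values in the report show at a glance whether two settings files really reference the same certificate.

```ruby
require 'openssl'
require 'yaml'
require 'tmpdir'

# Issue a certificate for `cn` with the given serial. With no CA given the
# certificate is self-signed and acts as the CA. Constructed for this example;
# the keys are throwaway.
def issue_cert(cn, serial, ca: nil)
  key  = OpenSSL::PKey::RSA.new(2048)
  cert = OpenSSL::X509::Certificate.new
  cert.version    = 2
  cert.serial     = serial
  cert.subject    = OpenSSL::X509::Name.parse("/CN=#{cn}")
  cert.issuer     = ca ? ca[:cert].subject : cert.subject
  cert.public_key = key.public_key
  cert.not_before = Time.now
  cert.not_after  = Time.now + 3600
  cert.sign(ca ? ca[:key] : key, OpenSSL::Digest.new('SHA256'))
  { cert: cert, key: key }
end

# The rule quoted from smart_proxy_dynflow_core/core.rb in the thread: the
# accepted serial is read from foreman_ssl_cert, falling back to ssl_certificate.
def accepted_cert_serial(settings)
  cert_file = settings[:foreman_ssl_cert] || settings[:ssl_certificate]
  return nil unless cert_file
  OpenSSL::X509::Certificate.new(File.read(cert_file)).serial
end

# What the core does with the client certificate presented on a request:
# only a certificate with exactly the accepted serial gets through.
def authorize(accepted_serial, client_cert_pem)
  client = OpenSSL::X509::Certificate.new(client_cert_pem)
  if client.serial == accepted_serial
    "accepted #{client.subject}"
  else
    'SSL certificate with unexpected serial supplied' # the log line from the post
  end
end

# Subject, serial and SHA-256 fingerprint of each certificate a settings hash
# references, for comparing two settings files side by side.
def cert_report(settings)
  %i[ssl_certificate foreman_ssl_cert].each_with_object({}) do |key, report|
    path = settings[key]
    next unless path
    cert = OpenSSL::X509::Certificate.new(File.read(path))
    report[key] = { subject: cert.subject.to_s,
                    serial:  cert.serial.to_i,
                    sha256:  OpenSSL::Digest.new('SHA256').hexdigest(cert.to_der) }
  end
end

# Constructed scenario: one CA, a proxy certificate and a Foreman certificate,
# plus a settings.yml shaped like the one in the thread (paths are temporary).
def demo
  Dir.mktmpdir do |dir|
    ca      = issue_cert('msc-ca', 1)
    proxy   = issue_cert('srv-preprod-ansible-01.msc.so', 2, ca: ca)
    foreman = issue_cert('srv-msc-foreman.msc.so', 3, ca: ca)
    paths = { ca: "#{dir}/ca.pem", proxy: "#{dir}/proxy.pem", foreman: "#{dir}/foreman.pem" }
    File.write(paths[:ca], ca[:cert].to_pem)
    File.write(paths[:proxy], proxy[:cert].to_pem)
    File.write(paths[:foreman], foreman[:cert].to_pem)

    File.write("#{dir}/settings.yml", <<~YAML)
      :ssl_ca_file: #{paths[:ca]}
      :ssl_certificate: #{paths[:proxy]}
      :foreman_ssl_ca: #{paths[:ca]}
      :foreman_ssl_cert: #{paths[:proxy]}
    YAML
    # settings.yml uses symbol keys (":ssl_certificate:"), so Symbol must be permitted
    settings = YAML.safe_load(File.read("#{dir}/settings.yml"), permitted_classes: [Symbol])

    accepted = accepted_cert_serial(settings)
    {
      report:       cert_report(settings),
      proxy_call:   authorize(accepted, proxy[:cert].to_pem),   # smart-proxy -> core
      foreman_call: authorize(accepted, foreman[:cert].to_pem)  # Foreman's cert -> core
    }
  end
end

if __FILE__ == $PROGRAM_NAME
  demo.each { |name, value| puts "#{name}: #{value.inspect}" }
end
```

The report makes the point of the original error concrete: a request carrying the proxy's own certificate (serial 2) is accepted, while one carrying the Foreman certificate (serial 3) is refused with exactly the message from proxy.log, even though both certificates were issued by the same CA.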