Problem with Ansible job execution

I have a Foreman server hosting a CA with an SSL certificate “”.
I have also a Foreman Proxy with Ansible installed. The proxy hash an SSL certificate “” which has been generated with the same CA than the Foreman Server.

When I try to execute an ansible Job on the Proxy, I get the following error on the proxy.log :

E, [2018-09-07T09:59:46.189184 #6009] ERROR -- : SSL certificate with unexpected serial supplied
[2018-09-07 09:59:46.194 #6009]  INFO -- - - [07/Sep/2018:09:59:46 +0200] "GET /dynflow/tasks/count?state=running HTTP/1.1" 403 59 0.0053

After some check, it seems that Foreman is connecting to the Proxy and trying to authenticate with its own certificate ( where the proxy is expecting its own certificate (, which seems weird to me.

In the following file /usr/lib/ruby/vendor_ruby/smart_proxy_dynflow_core/core.rb I can see this comment :

def initialize
  @world = create_world
  cert_file = Settings.instance.foreman_ssl_cert || Settings.instance.ssl_certificate
  if cert_file
    client_cert =
    # we trust only requests using the same certificate as we are
    # (in other words the local proxy only)
    @accepted_cert_serial =

So it means that only the proxy is able to connect to itself ? Maybe is there something wrong in my configuration ?

Please help on this…



there is a “hidden” service called smart_proxy_dynflow_core which could be considered a smart-proxy's sidekick. We want to enforce that both smart-proxy and its companion smart_proxy_dynflow_core run on the same machine a do that by requiring the same certificate to be used.

When you run a job, Foreman asks smart-proxy which in turn asks smart_proxy_dynflow_core. When Foreman asks smart-proxy, Foreman's cert ( is used, when smart-proxy talks to smart_proxy_dynflow_core the proxy’s cert is used. The error tells you smart-proxy and smart_proxy_dynflow_core are using different certs.

My bet would be on misconfiguration of smart-proxy or smart_proxy_dynflow_core. Take a look at ssl related settings in /etc/foreman-proxy/settings.yml and /etc/smart_proxy_dynflow_core/settings.yml.


I don’t have any « /etc/smart_proxy_dynflow_core » directory.
Is there something I forgot to install ? I installed the proxy with foreman-installer.


Thomas Castelle
Responsable de la Direction Technique des Services Opérés
Direction des Opérations

T : +33 4 26 20 76 23 ― M : +33 6 27 27 28 57
Standard : +33 8 20 56 39 27 ― Fax : +33 4 72 43 00 67

Agence de Lyon : 13 B avenue Albert Einstein - CS90217 - 69623 Villeurbanne Cedex
email :
web : www.exaprobe.com / www.econocom.com

[cid:image003.gif@01CB0719.BB08BD00] Avant d’imprimer cet email, pensez à l’environnement

Ah, I missed you’re running on debian, the situation there is a bit different. What I wrote in the previous response applies to EL-derivatives only. Actually on debian this could be a bit easier to solve.

Could you post the output of grep ssl /etc/foreman-proxy/settings.yml? It would help if we could see how are things configured on your end.


Here is the result of the requested command :

:ssl_ca_file: /etc/puppetlabs/puppet/ssl/certs/ca.pem
:ssl_certificate: /etc/puppetlabs/puppet/ssl/certs/
:ssl_private_key: /etc/puppetlabs/puppet/ssl/private_keys/
#:ssl_disabled_ciphers: [CIPHER-SUITE-1, CIPHER-SUITE-2]
:foreman_ssl_ca: /etc/puppetlabs/puppet/ssl/certs/ca.pem
:foreman_ssl_cert: /etc/puppetlabs/puppet/ssl/certs/
:foreman_ssl_key: /etc/puppetlabs/puppet/ssl/private_keys/
# ssl_certificate, ssl_ca_file, and ssl_private_key correspondingly