Problem with setting up new realm proxy

Hello Everyone,

Problem:
I can’t add the Realm Smart Proxy for the FreeIPA server.

Whenever I tried to add the Smart Proxy via the “foreman-installer”, I got the following information:

Proxy ipa01.my.domain cannot be registered: Unable to communicate with the proxy: ERF12-2530 [ProxyAPI::ProxyException]: Unable to detect features ([RestClient::SSLCertificateNotVerified]: SSL_connect returned=1 errno=0 state=error: certificate verify failed) for proxy https://ipa01.my.domain:8443/features Please check the proxy is configured and running on the host.
..
/Stage[main]/Foreman_proxy::Register/Foreman_smartproxy[ipa01.my.domain]/ensure: change from 'absent' to 'present' failed: Proxy ipa01.my.domain cannot be registered: Unable to communicate with the proxy: ERF12-2530 [ProxyAPI::ProxyException]: Unable to detect features ([RestClient::SSLCertificateNotVerified]: SSL_connect returned=1 errno=0 state=error: certificate verify failed) for proxy https://ipa01.my.domain:8443/features Please check the proxy is configured and running on the host.

The command I use looks as follows:

foreman-installer -v \
--no-enable-foreman \
--no-enable-foreman-cli \
--no-enable-foreman-plugin-bootdisk \
--no-enable-foreman-plugin-setup \
--no-enable-puppet \
--enable-foreman-proxy \
--foreman-proxy-log-level=DEBUG \
--foreman-proxy-foreman-ssl-ca=/etc/ssl/certs/proxy_ca.pem \
--foreman-proxy-ssl=true \
--foreman-proxy-ssl-ca=/var/lib/puppet/ssl/certs/ca.pem \
--foreman-proxy-ssl-cert=/var/lib/puppet/ssl/certs/ipa01.my.domain.pem \
--foreman-proxy-ssl-key=/var/lib/puppet/ssl/private_keys/ipa01.my.domain.pem \
--foreman-proxy-puppet=false \
--foreman-proxy-puppetca=false \
--foreman-proxy-tftp=false \
--foreman-proxy-dhcp=false \
--foreman-proxy-dns=false \
--foreman-proxy-realm=true \
--foreman-proxy-realm-keytab=/etc/foreman-proxy/freeipa.keytab \
--foreman-proxy-realm-listen-on=https \
--foreman-proxy-realm-principal=realm-proxy@MY.DOMAIN \
--foreman-proxy-foreman-base-url=https://foreman.server.com \
--foreman-proxy-trusted-hosts=foreman.server.com \
--foreman-proxy-oauth-consumer-key=Y8R42BMTgu8035HklSms1sJMjon \
--foreman-proxy-oauth-consumer-secret=g4vi84GO2nDkJpsGbAnmVe8sa98W2 \
--foreman-proxy-registered-proxy-url=https://ipa01.my.domain:8443

I am trying to set up the smart proxy on the FreeIPA server, hope this is not a problem.

The keys for the FreeIPA server were generated by Puppet, and the connection between the puppet server (which is in my case the Foreman Server) and the FreeIPA server works perfectly.

What could be the problem here?

Below the content of the proxy.log:

I, [2018-03-06T16:35:55.143192 ]  INFO -- : Successfully initialized 'foreman_proxy'
I, [2018-03-06T16:35:55.143299 ]  INFO -- : Successfully initialized 'realm_freeipa'
I, [2018-03-06T16:35:55.143365 ]  INFO -- : Successfully initialized 'realm'
D, [2018-03-06T16:35:55.143447 ] DEBUG -- : Log buffer API initialized, available capacity: 2000/1000
I, [2018-03-06T16:35:55.143500 ]  INFO -- : Successfully initialized 'logs'
I, [2018-03-06T16:35:55.152696 ]  INFO -- : WEBrick 1.3.1
I, [2018-03-06T16:35:55.152790 ]  INFO -- : ruby 2.0.0 (2015-12-16) [x86_64-linux]
D, [2018-03-06T16:35:55.153883 ] DEBUG -- : TCPServer.new(0.0.0.0, 8443)
W, [2018-03-06T16:35:55.154587 ]  WARN -- : TCPServer Error: Address already in use - bind(2)
D, [2018-03-06T16:35:55.154650 ] DEBUG -- : TCPServer.new(::, 8443)
W, [2018-03-06T16:35:55.154745 ]  WARN -- : TCPServer Error: Address already in use - bind(2)
E, [2018-03-06T16:35:55.154870 ] ERROR -- : Error during startup, terminating. Address already in use - bind(2)
D, [2018-03-06T16:35:55.154912 ] DEBUG -- : ["/usr/share/ruby/webrick/utils.rb:85:in `initialize'", "/usr/share/ruby/webrick/utils.rb:85:in `new'", "/usr/share/ruby/webrick/utils.rb:85:in `block in create_listeners'", "/usr/share/ruby/webrick/utils.rb:82:in `each'", "/usr/share/ruby/webrick/utils.rb:82:in `create_listeners'", "/usr/share/ruby/webrick/ssl.rb:152:in `listen'", "/usr/share/foreman-proxy/lib/launcher.rb:123:in `block in webrick_server'", "/usr/share/foreman-proxy/lib/launcher.rb:123:in `each'", "/usr/share/foreman-proxy/lib/launcher.rb:123:in `webrick_server'", "/usr/share/foreman-proxy/lib/launcher.rb:142:in `block in launch'"]


netstat -tulpan | grep 8443
tcp6       0      0 :::8443                 :::*                    LISTEN      1738/java

ps -ef | grep 1738

pkiuser   1738     1  0 16:25 ?        00:00:18 /usr/lib/jvm/jre-1.8.0-openjdk/bin/java -DRESTEASY_LIB=/usr/share/java/resteasy-base -Djava.library.path=/usr/lib64/nuxwdog-jni -classpath /usr/share/tomcat/bin/bootstrap.jar:/usr/share/tomcat/bin/tomcat-juli.jar:/usr/share/java/commons-daemon.jar -Dcatalina.base=/var/lib/pki/pki-tomcat -Dcatalina.home=/usr/share/tomcat -Djava.endorsed.dirs= -Djava.io.tmpdir=/var/lib/pki/pki-tomcat/temp -Djava.util.logging.config.file=/var/lib/pki/pki-tomcat/conf/logging.properties -Djava.util.logging.manager=org.apache.juli.ClassLoaderLogManager -Djava.security.manager -Djava.security.policy==/var/lib/pki/pki-tomcat/conf/catalina.policy org.apache.catalina.startup.Bootstrap start

My Foreman version is 1.15.

Thanks and regards!

It appears that something is already using port 8443. It also looks like port 8443 has been configured for both http and https.

Candlepin uses 8443.

GET https://katello-devel:8443/candlepin/status
{
    "mode": "NORMAL",
    "modeReason": "STARTUP",
    "modeChangeTime": "2018-03-05T20:49:26+0000",
    "result": true,
    "version": "2.1.12",
    "rulesVersion": "5.26",
    "release": "1",
    "standalone": true,
    "timeUTC": "2018-03-06T20:41:55+0000",
    "rulesSource": "DEFAULT",
    "managerCapabilities": [
        "instance_multiplier",
        "derived_product",
        "vcpu",
        "cert_v3",
        "remove_by_pool_id",
        "storage_band",
        "cores",
        "hypervisors_async",
        "org_level_content_access",
        "guest_limit",
        "ram",
        "batch_bind"
    ]
}

Ok,

I chose the other node where there is no FreeIPA server installed and port 8443 is free.
Installer did not complain about this fact anymore, but I’m still getting the same error:

[ERROR 2018-03-07 10:24:43 verbose] /Stage[main]/Foreman_proxy::Register/Foreman_smartproxy[client01.my.domain]: Could not evaluate: Exception SSL_connect returned=1 errno=0 state=error: certificate verify failed in get request to: https://staging-foreman-katello.my.domain/api/v2/smart_proxies?search=name="client01.my.domain"

In foreman-proxy.log I got the following info:

E, [2018-03-07T10:26:14.377555 ] ERROR -- : OpenSSL::SSL::SSLError: SSL_accept SYSCALL returned=5 errno=0 state=SSLv2/v3 read client hello A
/usr/share/ruby/openssl/ssl.rb:280:in `accept'

E, [2018-03-07T10:26:14.378468 ] ERROR -- : OpenSSL::SSL::SSLError: SSL_accept SYSCALL returned=5 errno=0 state=SSLv3 read client certificate A
/usr/share/ruby/openssl/ssl.rb:280:in `accept'

Any ideas?

I could be missing something, but I think that’s just IPv4 and IPv6.

You might verify your certificate steps with this forklift role which sets up a Foreman proxy against a Foreman server. Namely, you didn’t mention ever running foreman-proxy-certs-generate. Is this a new proxy (needs the cert steps) that you’re setting up FreeIPA on, or an existing proxy (shouldn’t need the cert steps afaik)?
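The check that fails with "certificate verify failed" in the registration error above, shown as an added Ruby example (not code from this thread, Foreman or smart-proxy): a proxy certificate issued by one CA is verified against a different CA file, which is what happens when Foreman validates a Puppet-issued proxy cert against a CA it does not trust. The CA names and the proxy FQDN are constructed sample values.

```ruby
require 'openssl'

# Build an X.509 certificate; self-signed when no issuer is given.
# Constructed test data only: not the thread's Puppet or Katello certs.
def make_cert(cn, ca: false, issuer: nil, issuer_key: nil)
  key  = OpenSSL::PKey::RSA.new(2048)
  cert = OpenSSL::X509::Certificate.new
  cert.version    = 2
  cert.serial     = rand(1 << 32)
  cert.subject    = OpenSSL::X509::Name.parse("/CN=#{cn}")
  cert.issuer     = issuer ? issuer.subject : cert.subject
  cert.public_key = key.public_key
  cert.not_before = Time.now - 60
  cert.not_after  = Time.now + 3600
  ef = OpenSSL::X509::ExtensionFactory.new(issuer || cert, cert)
  if ca
    cert.add_extension(ef.create_extension('basicConstraints', 'CA:TRUE', true))
    cert.add_extension(ef.create_extension('keyUsage', 'keyCertSign,cRLSign', true))
  else
    cert.add_extension(ef.create_extension('subjectAltName', "DNS:#{cn}"))
  end
  cert.sign(issuer_key || key, OpenSSL::Digest.new('SHA256'))
  [cert, key]
end

# The verification Foreman performs when it connects to a proxy: does the
# proxy's certificate chain to the CA Foreman trusts? Returns [ok?, reason].
def verify_against_ca(ca_cert, leaf)
  store = OpenSSL::X509::Store.new
  store.add_cert(ca_cert)
  ok = store.verify(leaf)
  [ok, ok ? 'ok' : "certificate verify failed: #{store.error_string}"]
end

# Proxy cert issued by a Puppet-style CA, checked against that CA and then
# against a separate Katello-style CA that never issued it.
def chain_check_demo
  puppet_ca, puppet_key = make_cert('Puppet CA: foreman.server.com', ca: true)
  katello_ca, _         = make_cert('Katello CA', ca: true)
  proxy_cert, _ = make_cert('ipa01.my.domain', issuer: puppet_ca, issuer_key: puppet_key)
  { puppet_ca:  verify_against_ca(puppet_ca, proxy_cert),
    katello_ca: verify_against_ca(katello_ca, proxy_cert) }
end

if __FILE__ == $PROGRAM_NAME
  chain_check_demo.each { |ca, (ok, why)| puts "#{ca}: #{ok} (#{why})" }
end
```

To run the same check against real files, load them with OpenSSL::X509::Certificate.new(File.read(path)) and pass the proxy cert and the CA from Foreman's ssl_ca_file to verify_against_ca.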

Hello akofink,

Seems that you might be right with the missing certs.

To be honest I had no idea that this kind of command exists and should be performed when adding the Smart Proxy.

The problem is the lack of documentation here; I was trying to find a decent how-to for the Smart Proxy installation, but as you can see, I failed. Any chance you could provide me with the one you were using?
So far I managed to find this one (Foreman :: Plugin Manuals). Unfortunately the methods described there are not working for me, I am getting the:

/opt/puppetlabs/puppet/lib/ruby/vendor_ruby/puppet/resource/catalog.rb:615:in `fail_on_duplicate_type_and_title'

And in the log:

[ERROR 2018-03-07 16:25:21 main]  Evaluation Error: Error while evaluating a Resource Statement, Duplicate declaration: File[/etc/puppetlabs/puppet/ssl/private_keys] is already declared at (file: /usr/share/foreman-installer/modules/foreman_proxy/manifests/config.pp, line: 145); cannot redeclare (file: /usr/share/foreman-installer/modules/puppet/manifests/server/config.pp, line: 140) (file: /usr/share/foreman-installer/modules/puppet/manifests/server/config.pp, line: 140, column: 3) on node client01.my.domain

Thanks!

Sorry, I should have given you the docs link rather than an Ansible role :wink:

These Katello 3.4 docs cover the same process. Make sure to look at the version of documentation that you are trying to install (3.4).

If you’re still seeing issues, could you please provide us the output for rpm -qa | grep "katello\|foreman"?

Thank you for the link,

As you may have noticed, I used this link in the previous post :slight_smile: Again, with no luck:

foreman-installer --scenario foreman-proxy-content \
--foreman-proxy-content-parent-fqdn "staging-foreman-katello.my.domain" \
--foreman-proxy-register-in-foreman "true" \
--foreman-proxy-foreman-base-url "https://staging-foreman-katello.my.domain" \
--foreman-proxy-trusted-hosts "staging-foreman-katello.my.domain" \
--foreman-proxy-trusted-hosts "client01.my2.domain" \
--foreman-proxy-oauth-consumer-key "AyJ4aslfkoegjwEPHq2PJMjon" \
--foreman-proxy-oauth-consumer-secret "hd435737347kJpsGbAnmVe8ybGqZeG" \
--foreman-proxy-content-pulp-oauth-secret "fdher474hHoJp8rYxzaDBT8nVtNbqu75RBF" \
--foreman-proxy-content-certs-tar "/tmp/client01.my2.domain.tar" \
--puppet-server-foreman-url "https://staging-foreman-katello.my.domain"
/opt/puppetlabs/puppet/lib/ruby/vendor_ruby/puppet/resource/catalog.rb:615:in `fail_on_duplicate_type_and_title'
/opt/puppetlabs/puppet/lib/ruby/vendor_ruby/puppet/resource/catalog.rb:142:in `add_one_resource'
/opt/puppetlabs/puppet/lib/ruby/vendor_ruby/puppet/resource/catalog.rb:128:in `block in add_resource'

The question here is, do I always have to reserve a node with 8GB of RAM even if I want to have there only REALM Proxy?

Funny thing is that I tried to install it with the other command, without the “--scenario” option, and it worked:

foreman-installer -v \
--no-enable-foreman \
--no-enable-foreman-cli \
--no-enable-foreman-plugin-bootdisk \
--no-enable-foreman-plugin-setup \
--no-enable-puppet \
--enable-foreman-proxy \
--foreman-proxy-puppet=false \
--foreman-proxy-puppetca=false \
--foreman-proxy-tftp=false \
--foreman-proxy-dhcp=false \
--foreman-proxy-dns=false \
--foreman-proxy-logs=false \
--foreman-proxy-realm=true \
--foreman-proxy-realm-listen-on=http \
--foreman-proxy-realm-keytab=/etc/foreman-proxy/freeipa.keytab \
--foreman-proxy-realm-principal=realm-proxy@MY2.DOMAIN \
--foreman-proxy-foreman-base-url=https://staging-foreman-katello.my.domain \
--foreman-proxy-trusted-hosts=staging-foreman-katello.my.domain \
--foreman-proxy-oauth-consumer-key=gsR43Hbn4EA89pEPHq2PJMjon \
--foreman-proxy-oauth-consumer-secret=odYSmkGmlO35psGbAnmVe8ybGqZeG 

Do you maybe have some docs regarding just “REALM Smart Proxy installation” ??? I don’t want any other proxy roles, only REALM.

Thanks!!!