Problem:
We can no longer see client certificates using the Foreman Web GUI after upgrading to puppetserver 6.0
Failure: ERF50-5345 [Foreman::WrappedException]: Unable to connect ([ProxyAPI::ProxyException]: ERF12-5356 [ProxyAPI::ProxyException]: Unable to get PuppetCA certificates ([RestClient::NotAcceptable]: 406 Not Acceptable) for proxy https://techops02.dev.int.luminoso.com:8443/puppet/ca)
Expected outcome:
We are expecting to see the list of all puppet certs using the Foreman Web GUI
Foreman and Proxy versions:
1.20.0
Foreman and Proxy plugin versions:
1.20.0
Other relevant data:
It seems like I can see the root of the issue but I can’t find the place to fix it. Puppetserver version 6.0 replaced the puppet command to list the certificates, /opt/puppetlabs/bin/puppet cert, with /opt/puppetlabs/bin/puppetserver ca. However, the logs from /var/log/foreman-proxy/proxy.log have the following:
2018-11-29T14:46:02 f9403b09 [D] Found puppetca at /opt/puppetlabs/bin/puppet
2018-11-29T14:46:02 f9403b09 [D] Found sudo at /usr/bin/sudo
2018-11-29T14:46:02 f9403b09 [D] Executing /usr/bin/sudo -S /opt/puppetlabs/bin/puppet cert --ssldir /etc/puppetlabs/puppet/ssl --list --all
2018-11-29T14:46:02 f9403b09 [W] Failed to run puppetca:
2018-11-29T14:46:02 f9403b09 [E] Failed to list certificates: Execution of puppetca failed, check log files
2018-11-29T14:46:02 f9403b09 [D] Failed to list certificates: Execution of puppetca failed, check log files
2018-11-29T14:46:02 f9403b09 [I] Finished GET with 406 (65.12 ms)
That tells me foreman-proxy didn’t switch to the new command. I can’t find any place to fix it. I also modified the /etc/sudoers.d/foreman-proxy file to respect the new puppetserver ca command, but it didn’t solve the issue:
foreman-proxy ALL = (root) NOPASSWD : /opt/puppetlabs/bin/puppetserver ca *
Defaults:foreman-proxy !requiretty
That smart-proxy PR is looking in good shape, most of the installer support is there so I hope we can add support in 1.21 which is planned for early next year (early February).
Hello,
I’m having the same issue with puppetserver-2.8.1-1. Since upgrading to Foreman 1.20 the Foreman GUI fails to communicate with the puppetca. Upgrading to Foreman 1.21 has not changed the behavior.
The error shown in the GUI is:
Failure: ERF50-5345 [Foreman::WrappedException]: Unable to connect ([ProxyAPI::ProxyException]: ERF12-5356 [ProxyAPI::ProxyException]: Unable to get PuppetCA certificates ([RestClient::NotAcceptable]: 406 Not Acceptable) for proxy https://spch9180.zrh.local:8443/puppet/ca)
DEBUG mode does not show any specifics in proxy.log:
2019-03-11T08:51:35 82a0912f [W] Failed to run puppetca:
2019-03-11T08:51:35 82a0912f [E] Failed to list certificates: Execution of puppetca failed, check log files
Sudo rights are set as per documentation:
cat /etc/sudoers.d/foreman-proxy
foreman-proxy ALL = (root) NOPASSWD : /opt/puppetlabs/bin/puppet cert *
Defaults:foreman-proxy !requiretty
Are you sure the proxy is in debug log level? It should have a line Executing #{command} which should tell us which exact command is used. I’d then try to run that manually to see what the output is.
The config in /etc/foreman-proxy/settings.yml is:
:log_level: DEBUG
The host fqdn is listed under :trusted_hosts:
The log shows a command to list certificates:
Executing /usr/bin/sudo -S /opt/puppetlabs/bin/puppet cert --ssldir /etc/puppetlabs/puppet/ssl --list --all
Executing the command as user foreman-proxy (after adding /bin/bash to /etc/passwd instead of /bin/false) fails with “sudo: PAM account management error: Permission denied”, executing the command without sudo (/opt/puppetlabs/bin/puppet cert --ssldir /etc/puppetlabs/puppet/ssl --list --all) works!
Yes! Found the error. For reference:
The PAM system was lacking inclusion of the local sudo rules. This means on the RHEL system running Foreman the file /etc/security/access.conf needs to include:
"+ : ALL : LOCAL"
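A diagnostic script for the sudo/PAM path this thread narrows the 406 down to, added here as an example and not code from Foreman or smart-proxy; it assumes the file paths and the exact command shown in the proxy log above, and its access.conf parser deliberately ignores EXCEPT clauses and group names.

```shell
#!/bin/sh
# Added diagnostic (not from Foreman/smart-proxy): re-checks the three things behind
# "Execution of puppetca failed" -> 406 in the GUI: pam_access, sudoers, and sudo itself.
PUPPET_CMD=/opt/puppetlabs/bin/puppet   # smart-proxy 1.20/1.21 still calls 'puppet cert'
PROXY_USER=foreman-proxy
LIST_CMD="$PUPPET_CMD cert --ssldir /etc/puppetlabs/puppet/ssl --list --all"

# access_conf_allows_local FILE USER -> 0 if pam_access lets USER in from LOCAL.
# pam_access reads FILE top to bottom, first matching rule wins, no match means allow.
# Simplified parser (assumption): EXCEPT clauses and @group names are not handled.
access_conf_allows_local() {
  while IFS= read -r line || [ -n "$line" ]; do
    line=${line%%#*}                                   # drop comments
    case "$line" in *:*:*) ;; *) continue ;; esac      # skip blank/malformed lines
    perm=${line%%:*}; rest=${line#*:}; users=${rest%%:*}; origins=${rest#*:}
    case " $users " in *" $2 "*|*" ALL "*) ;; *) continue ;; esac
    case " $origins " in *" LOCAL "*|*" ALL "*) ;; *) continue ;; esac
    case "$perm" in *+*) return 0 ;; *) return 1 ;; esac
  done < "$1"
  return 0
}

# sudoers_allows FILE USER CMD -> 0 if FILE has a NOPASSWD rule for USER whose command
# spec matches CMD (sudoers glob: "puppet cert *" covers "puppet cert --list --all").
sudoers_allows() {
  while IFS= read -r line || [ -n "$line" ]; do
    case "$line" in "$2"*NOPASSWD*) ;; *) continue ;; esac
    spec=$(printf '%s' "${line##*NOPASSWD*:}" | sed 's/^[[:space:]]*//')
    case "$3" in $spec) return 0 ;; esac               # unquoted: glob match on purpose
  done < "$1"
  return 1
}

# diagnose: check the live files, then run the exact command from the proxy log as the
# proxy user so a PAM account-management denial surfaces directly instead of as a 406.
diagnose() {
  access_conf_allows_local /etc/security/access.conf "$PROXY_USER" \
    && echo "ok: pam_access permits $PROXY_USER from LOCAL" \
    || echo "FAIL: access.conf denies $PROXY_USER; add '+ : ALL : LOCAL' above the deny rule"
  sudoers_allows /etc/sudoers.d/foreman-proxy "$PROXY_USER" "$LIST_CMD" \
    && echo "ok: sudoers rule covers: $LIST_CMD" \
    || echo "FAIL: no NOPASSWD rule for $PROXY_USER matches: $LIST_CMD"
  # -n: never prompt; the PAM error text lands in /var/log/secure on RHEL
  su -s /bin/sh "$PROXY_USER" -c "sudo -n $LIST_CMD" >/dev/null 2>&1 \
    && echo "ok: $PROXY_USER can list certificates via sudo" \
    || echo "FAIL: sudo failed for $PROXY_USER; check /var/log/secure for pam_access/sudoers"
}

case "${1:-}" in --check) diagnose ;; esac          # run as root: sh check-puppetca.sh --check
```

Run it as root on the Foreman host with `--check`; the first FAIL line names the layer (PAM, sudoers, or sudo) to fix.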
Hello - I am running into an issue with similar characteristics on a Foreman server. I have updated to Foreman 1.23.1 ~ puppet --version 5.5.17 ~ puppetserver version: 5.3.10.
If I execute the command that I find in the logs from a command line, I get the following:
[root@foreman01 ca]# /usr/bin/sudo -S /opt/puppetlabs/bin/puppet cert --ssldir /etc/puppetlabs/puppet/ssl --list --all
Warning: puppet cert is deprecated and will be removed in a future release.
(location: /opt/puppetlabs/puppet/lib/ruby/vendor_ruby/puppet/application.rb:370:in `run’) Error: header too long
Which, based on my reading, should point to stale files in the requests folder. However, I have no files in the ca/requests folder that need to be removed. That folder is blank.
The puppet CA does start and run, but it cannot pull in the certificates, and I have verified that they are in /etc/puppetlabs/puppet/ssl/
I have also verified that this is not a permissions issue in the secure log - I am not finding any permission denied errors.