Puppet CA error in foreman WEB UI

Problem:
We can no longer see client certificates using the Foreman Web GUI after upgrading to puppetserver 6.0

Failure: ERF50-5345 [Foreman::WrappedException]: Unable to connect ([ProxyAPI::ProxyException]: ERF12-5356 [ProxyAPI::ProxyException]: Unable to get PuppetCA certificates ([RestClient::NotAcceptable]: 406 Not Acceptable) for proxy https://techops02.dev.int.luminoso.com:8443/puppet/ca)

Expected outcome:
We are expecting to see the list of all puppet certs using foreman Web GUI

Foreman and Proxy versions:
1.20.0

Foreman and Proxy plugin versions:
1.20.0

Other relevant data:
It seems like I can see the root of the issue but I can’t find the place to fix it. Puppetserver version 6.0 replaced the command used to list the certificates, from /opt/puppetlabs/bin/puppet cert to /opt/puppetlabs/bin/puppetserver ca. However, the logs in /var/log/foreman-proxy/proxy.log show the following:

2018-11-29T14:46:02 f9403b09 [D] Found puppetca at /opt/puppetlabs/bin/puppet
2018-11-29T14:46:02 f9403b09 [D] Found sudo at /usr/bin/sudo
2018-11-29T14:46:02 f9403b09 [D] Executing /usr/bin/sudo -S /opt/puppetlabs/bin/puppet cert --ssldir /etc/puppetlabs/puppet/ssl --list --all
2018-11-29T14:46:02 f9403b09 [W] Failed to run puppetca:
2018-11-29T14:46:02 f9403b09 [E] Failed to list certificates: Execution of puppetca failed, check log files
2018-11-29T14:46:02 f9403b09 [D] Failed to list certificates: Execution of puppetca failed, check log files
2018-11-29T14:46:02 f9403b09 [I] Finished GET with 406 (65.12 ms)

That tells me foreman-proxy didn’t switch to a new command. I can’t find any place to fix it. I also modified /etc/sudoers.d/foreman-proxy file to respect new puppetserver ca command but it didn’t solve the issue:

foreman-proxy ALL = (root) NOPASSWD : /opt/puppetlabs/bin/puppetserver ca *
Defaults:foreman-proxy !requiretty

Thank you very much in advance.

At the moment Puppetserver 6.0 isn’t supported. There is an open PR to use the REST API which I’d recommend to take a look at.

https://github.com/theforeman/smart-proxy/pull/615

Thank you very much for the response. Do you know by any chance if this is something that will be supported in future Foreman releases or not?

That smart-proxy PR is looking in good shape, most of the installer support is there so I hope we can add support in 1.21 which is planned for early next year (early February).

Thank you very much for information and clarification.

Hello,
I’m having the same issue with puppetserver-2.8.1-1. Since upgrading to Foreman 1.20 the Foreman GUI fails to communicate with the puppetca. Upgrading to Foreman 1.21 has not changed the behavior.

The error shown in the GUI is:
Failure: ERF50-5345 [Foreman::WrappedException]: Unable to connect ([ProxyAPI::ProxyException]: ERF12-5356 [ProxyAPI::ProxyException]: Unable to get PuppetCA certificates ([RestClient::NotAcceptable]: 406 Not Acceptable) for proxy https://spch9180.zrh.local:8443/puppet/ca)

DEBUG mode does not show any specifics in proxy.log:
2019-03-11T08:51:35 82a0912f [W] Failed to run puppetca:
2019-03-11T08:51:35 82a0912f [E] Failed to list certificates: Execution of puppetca failed, check log files

Sudo rights are set as per the documentation:
cat /etc/sudoers.d/foreman-proxy
foreman-proxy ALL = (root) NOPASSWD : /opt/puppetlabs/bin/puppet cert *
Defaults:foreman-proxy !requiretty

Any help is appreciated.

Are you sure the proxy is in debug log level? It should have a line Executing #{command} which should tell us which exact command is used. I’d then try to run that manually to see what the output is.

The config in /etc/foreman-proxy/settings.yml is:
:log_level: DEBUG
The host FQDN is listed under :trusted_hosts:

The log shows a command to list certificates:
Executing /usr/bin/sudo -S /opt/puppetlabs/bin/puppet cert --ssldir /etc/puppetlabs/puppet/ssl --list --all

Executing the command as user foreman-proxy (after adding /bin/bash to /etc/passwd instead of /bin/false) fails with “sudo: PAM account management error: Permission denied”, executing the command without sudo (/opt/puppetlabs/bin/puppet cert --ssldir /etc/puppetlabs/puppet/ssl --list --all) works!

Yes! Found the error. For reference:
The PAM system was lacking inclusion of the local sudo rules. This means that on the RHEL system running Foreman the file /etc/security/access.conf needs to include:
"+ : ALL : LOCAL"

Found a description from March 4 at https://access.redhat.com/solutions/3679241

Care to update the documentation accordingly? the source for the manual can be found at https://github.com/theforeman/theforeman.org/

Sure, if I can figure out how the documentation is organised :wink:

The file you are looking for would likely be under _includes/manual/nightly/$section :slight_smile: Thanks!

Thanks for the hint. It’s my first contribution to the site (possibly not the last). I’ll do it as soon as possible.


Pull request is created.


Hello - I am running into an issue with similar characteristics on a Foreman server. I have updated to Foreman 1.23.1 ~ puppet --version 5.5.17 ~ puppetserver version: 5.3.10.

If I execute the command that I find in the logs from a command line, I get the following:

[root@foreman01 ca]# /usr/bin/sudo -S /opt/puppetlabs/bin/puppet cert --ssldir /etc/puppetlabs/puppet/ssl --list --all
Warning: puppet cert is deprecated and will be removed in a future release.
(location: /opt/puppetlabs/puppet/lib/ruby/vendor_ruby/puppet/application.rb:370:in `run')
Error: header too long

Which based on my reading should point to stale files in the requests folder. However, I have no files in the ca/requests folder that need to be removed. That folder is blank.

The puppet ca does start and run, but it can not pull in the certificates and I have verified that they are in /etc/puppetlabs/puppet/ssl/

Also have verified that this is not a permissions issue in the secure log - not finding any permission denied errors.
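"header too long" is the message OpenSSL's ASN.1 parser gives when it is handed a file that is not valid PEM or DER, so a file that is empty or contains something other than a PEM block anywhere under the ssldir is worth ruling out, not only in ca/requests. The following is an added check (my own code, not Puppet's or Foreman's), generalising the "stale files in the requests folder" idea to every .pem and .csr file below a directory: it reports files that are empty or lack a "-----BEGIN" header, and, when the openssl binary is present, also files that OpenSSL cannot parse as a certificate, request, key or CRL. The directory layout and file contents in the demo are constructed; the real path to pass is the --ssldir value from the proxy log.

```bash
#!/usr/bin/env bash
# Added check (not Puppet/Foreman/smart-proxy code): list files under an ssldir
# that OpenSSL would refuse to parse, the usual source of "header too long".
# Assumption (mine): files of interest end in .pem or .csr, as they do in a
# default /etc/puppetlabs/puppet/ssl layout.

# scan_ssldir DIR
# Prints one "<reason> <path>" line per suspicious file. Cheap checks only:
# zero-length files and files without a PEM header. Works without openssl.
scan_ssldir() {
  find "$1" -type f \( -name '*.pem' -o -name '*.csr' \) | sort |
  while IFS= read -r f; do
    if [ ! -s "$f" ]; then
      echo "empty $f"
    elif ! grep -q -- '-----BEGIN ' "$f"; then
      echo "not-pem $f"
    fi
  done
}

# parses_with_openssl FILE
# Returns 0 if openssl can read FILE as an x509 cert, CSR, private key or CRL.
# Returns 0 as well (with a note) when openssl is not installed, so the caller
# can still use scan_ssldir alone.
parses_with_openssl() {
  if ! command -v openssl >/dev/null 2>&1; then
    echo "openssl not found, skipping parse check" >&2
    return 0
  fi
  openssl x509 -noout -in "$1" >/dev/null 2>&1 ||
  openssl req  -noout -in "$1" >/dev/null 2>&1 ||
  openssl pkey -noout -in "$1" >/dev/null 2>&1 ||
  openssl crl  -noout -in "$1" >/dev/null 2>&1
}

# deep_scan DIR
# scan_ssldir plus an openssl parse of every non-empty PEM-looking file.
deep_scan() {
  scan_ssldir "$1"
  find "$1" -type f \( -name '*.pem' -o -name '*.csr' \) -size +0 | sort |
  while IFS= read -r f; do
    grep -q -- '-----BEGIN ' "$f" || continue      # already reported above
    parses_with_openssl "$f" || echo "unparseable $f"
  done
}

# demo: constructed tree with one plausible file, one empty, one garbage.
demo() {
  d=$(mktemp -d)
  mkdir -p "$d/certs" "$d/ca/requests" "$d/private_keys"
  printf -- '-----BEGIN CERTIFICATE-----\nMIIB\n-----END CERTIFICATE-----\n' > "$d/certs/host.pem"
  : > "$d/ca/requests/stale.pem"                  # zero-length leftover
  printf 'not a pem file\n' > "$d/private_keys/broken.pem"
  echo "suspicious files under $d:"
  scan_ssldir "$d"
  rm -rf "$d"
}

if [ "${1:-}" = "--demo" ]; then demo; fi
```

Use `bash ssl_scan.sh --demo` to see the two constructed bad files reported, and `deep_scan /etc/puppetlabs/puppet/ssl` as root on the affected host for the real check; the demo's host.pem has a PEM header but no real body, so deep_scan would flag it as unparseable, which is exactly the kind of file that produces the error in the post.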