PuppetCA SmartProxy Question

Hi Foreman Users,

I have a few questions regarding puppetCA smartproxy.

#1. It is my understanding that puppetCA smartproxy can be used to
autosign certificate requests for hosts that are provisioned by
unattended installation. After the host comes up and tells foreman
it's alive, foreman informs the smartproxy to sign certificate
requests for this host, as a more secure way of running autosign so
that the puppetmaster doesn't automatically sign for every host (and
only signs for hosts via the smartproxy). Is my understanding of the
functionality that puppetCA smartproxy provides correct?

#2. I get the following error message with smart proxy "out of the
box". I am using an IPv4 stack (without IPv6 enabled), and the port
number I've configured in settings.yml is not being used. I can't
understand why I would get this error -

WARN TCPServer Error: Address family not supported by protocol -
socket(2)

> Hi Foreman Users,
>
> I have a few questions regarding puppetCA smartproxy.
>
> #1. It is my understanding that puppetCA smartproxy can be used to
> autosign certificate requests for hosts that are provisioned by
> unattended installation. After the host comes up and tells foreman
> it's alive, foreman informs the smartproxy to sign certificate
> requests for this host, as a more secure way of running autosign so
> that the puppetmaster doesn't automatically sign for every host (and
> only signs for hosts via the smartproxy). Is my understanding of the
> functionality that puppetCA smartproxy provides correct?
>
sounds right :)
> #2. I get the following error message with smart proxy "out of the
> box", I am using a IPv4 stack (without ipv6 enabled) and the port
> number I've configured in settings.yml is not being used. Can't
> understand why I would get this error -
>
> WARN TCPServer Error: Address family not supported by protocol -
> socket(2)
>
What does your config file look like? Sounds like a misconfiguration somewhere.

Ohad

On Wed, Aug 24, 2011 at 4:57 AM, GerHard wrote:
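To make the "only signs for hosts via the smart proxy" point from question #1 concrete, here is an added example (my own Ruby, not smart-proxy's code) of the per-host autosign bookkeeping that the workflow relies on: one certname is added to Puppet's autosign.conf when Foreman asks for it and removed again afterwards, and the entry is validated before it is written so that a wildcard like "*" or "*.example.com" can never end up in the file, since a single wildcard line would make the puppetmaster sign for every host again. The file path, the class and the sample entries are all assumptions for the demo; the one-hostname-per-line format and wildcard semantics are Puppet's own.

```ruby
require 'tmpdir'

# A plain FQDN: labels of letters, digits and hyphens, no wildcards, no spaces.
HOSTNAME_RE = /\A(?=.{1,253}\z)[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?(?:\.[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?)*\z/i

# Hypothetical helper that owns an autosign.conf file (one certname per line).
class AutosignConf
  attr_reader :path

  def initialize(path)
    @path = path
  end

  # Anything that is not a plain hostname ("*", "*.example.com", text with
  # spaces or '#') is refused, so the file can only ever widen by one host.
  def self.valid_certname?(name)
    !!(name =~ HOSTNAME_RE)
  end

  # Current entries, ignoring blank and comment lines.
  def entries
    return [] unless File.exist?(@path)
    File.readlines(@path).map(&:strip).reject { |l| l.empty? || l.start_with?('#') }
  end

  # Defender's check: any entry that is not a plain hostname (e.g. a wildcard)
  # means the CA is effectively back to signing for everyone matching it.
  def wildcard_entries
    entries.reject { |e| AutosignConf.valid_certname?(e) }
  end

  # Allow exactly one host; returns false if it was already listed.
  def allow(certname)
    raise ArgumentError, "refusing to autosign #{certname.inspect}" unless AutosignConf.valid_certname?(certname)
    name = certname.downcase
    return false if entries.include?(name)
    File.open(@path, 'a') { |f| f.puts name }
    true
  end

  # Remove the host once its request has been signed. The file is rewritten
  # atomically (temp file + rename); comment lines are not preserved.
  def disallow(certname)
    keep = entries.reject { |e| e.casecmp?(certname) }
    tmp = "#{@path}.tmp"
    File.write(tmp, keep.map { |e| "#{e}\n" }.join)
    File.rename(tmp, @path)
    keep
  end
end

# Walk one allow/sign/disallow cycle against a constructed autosign.conf that
# already contains a good entry and a wildcard someone left behind.
def demo_autosign_cycle
  Dir.mktmpdir do |dir|
    conf = AutosignConf.new(File.join(dir, 'autosign.conf'))
    File.write(conf.path, "# managed by the proxy (constructed sample)\nold.example.com\n*.example.com\n")

    before = conf.entries
    wildcards = conf.wildcard_entries
    first_allow = conf.allow('node1.example.com')   # host is being provisioned
    second_allow = conf.allow('node1.example.com')  # duplicate request, no-op
    wildcard_rejected = begin
      conf.allow('*')
      false
    rescue ArgumentError
      true
    end
    after = conf.disallow('old.example.com')        # old host's cert is signed, drop it

    { before: before, wildcards: wildcards, first_allow: first_allow,
      second_allow: second_allow, wildcard_rejected: wildcard_rejected, after: after }
  end
end

puts demo_autosign_cycle.inspect if $PROGRAM_NAME == __FILE__
```

The `wildcard_entries` check is the part worth running on a real proxy from time to time: if it returns anything, the puppetmaster is autosigning more broadly than the Foreman workflow intends.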

> —
> # SSL Setup
>
> # if enabled, all communication would be verfied via SSL
> # NOTE that both certificates need to be signed by the same CA in
> order for this to work
> # see SSL - Smart Proxy - Foreman for more
> information
> #:ssl_certificate: ssl/certs/fqdn.pem
> #:ssl_ca_file: ssl/certs/ca.pem
> #:ssl_private_key: ssl/private_keys/fqdn.key
> # the hosts which the proxy accepts connections from
> # commenting the following lines would mean every verified SSL
> connection allowed
> :trusted_hosts:
> - localhost
>
> # enable the daemon to run in the background
> :daemon: false
> :daemon_pid: /var/run/foreman-proxy/foreman-proxy.pid
>
> # port used by the proxy
> :port: 8081
>
> # Enable TFTP management
> :tftp: false
> #:tftproot: /var/lib/tftpboot
> # Defines the TFTP Servername to use, overrides the name in the subnet
> declaration
> #:tftp_servername: tftp.domain.com
>
>
> # Enable DNS management
> :dns: false
> #:dns_key: /etc/rndc.key
> # use this setting if you are managing a dns server which is not
> localhost though this proxy
> #:dns_server: dns.domain.com
>
> # Enable DHCP management
> :dhcp: false
> # The vendor can be either isc or native_ms
> :dhcp_vendor: isc
> # Settings for Ubuntu ISC
> #:dhcp_config: /etc/dhcp3/dhcpd.conf
> #:dhcp_leases: /var/lib/dhcp3/dhcpd.leases
> # Settings for Redhat ISC
> #:dhcp_config: /etc/dhcpd.conf
> #:dhcp_leases: /var/lib/dhcpd/dhcpd.leases
> #:dhcp_key_name: secret_key_name
> #:dhcp_key_secret: secret_key
>
> # enable PuppetCA management
> :puppetca: true
>
> # enable Puppet management
> :puppet: false
>
> # Where our proxy log files are stored
> # filename or STDOUT
> :log_file: /tmp/proxy.log
> # valid options are
> # WARN, DEBUG, Error, Fatal, INFO, UNKNOWN
> #:log_level: DEBUG

Many lines above are broken into two lines; is that a copy-paste
mistake? After fixing those lines, everything seems to be working
correctly.

Ohad

On Mon, Aug 29, 2011 at 1:44 AM, GerHard wrote:
> On Aug 25, 4:07 pm, Ohad Levy wrote: