Remote smart proxy issue

Hi, we have an issue with "Run Job" from the Foreman GUI.
What we get on the remote "Smart proxy":
D, [2016-10-28T16:33:41.869376 #143273] DEBUG -- : Rack::Handler::WEBrick is mounted on /.
I, [2016-10-28T16:33:41.869464 #143273] INFO -- : WEBrick::HTTPServer#start: pid=143273 port=8443
D, [2016-10-28T16:33:45.559566 #143273] DEBUG -- : accept: 176.227.208.106:45102
D, [2016-10-28T16:33:45.617026 #143273] DEBUG -- : Rack::Handler::WEBrick is invoked.
E, [2016-10-28T16:33:45.731145 #143273] ERROR -- : SSL certificate with unexpected serial supplied
[2016-10-28 16:33:45.732 #143273] INFO -- 176.227.208.106 - - [28/Oct/2016 16:33:45] "GET /dynflow/tasks/count?state=running HTTP/1.1" 403 59 0.0018

We have tried disabling require_ssl_smart_proxies, but no luck.

Could you help us?

Hi, I am having the same issue. Did anyone ever reply to you, or did you
manage to resolve it?

On Saturday, October 29, 2016 at 9:20:49 AM UTC+1, Vitaly Volodenkov wrote:

The SSL on your proxy has to be generated from the same key. For example, I
have 2 puppet masters, and I wanted to bind both of them to the same
foreman. I generated SSL on the 1st (it also has foreman, so in the
settings.yaml I configured it to use puppet SSL) and on the 2nd master, I
put the SSL CA from my 1st master and it generated its own SSL certs.

On the 1st :

puppet cert generate puppetmaster01.test.ca --allow-dns-alt-names --dns_alt_names=puppetmaster01.test.ca,puppetmaster02.test.ca

On the 2nd : I took the content of /etc/puppetlabs/puppet/ssl/ca and I
installed it in the same place on the 2nd. After that I just ran this
command to generate the SSL :
puppet cert generate puppetmaster02.test.ca

Conclusion : The SSL of your 2nd proxy has to be generated from the same CA
as your foreman server.

I hope it can help you

On Saturday, October 29, 2016 04:20:49 UTC-4, Vitaly Volodenkov wrote:

Hi James,
this error basically means a wrong client SSL certificate was supplied.
This can happen in two places, one of those is when Foreman talks to Smart
Proxy, other one is when Smart Proxy talks to Smart Proxy Dynflow Core.
Please check /etc/foreman-proxy/settings.yaml and
/etc/smart_proxy_dynflow_core/settings.yaml for possible misconfiguration.

– Adam

On Fri, Sep 15, 2017 at 12:06 PM, James Denton wrote:

Hi Adam

Thanks for your help (apologies I didn't respond sooner, I was away last
week). The settings in the .yaml files you mention appear correct as far as
I know. Just so you know, I am attempting to run a remote job from our
Foreman master server to a client via a smart-proxy running on a separate
server in isolation. Therefore, with the 2 files you mention, do you mean on
our Foreman master server or the separate proxy? This is from the error log
on the foreman-proxy server running separately from the Foreman master:

D, [2017-09-25T11:24:58.230191 ] DEBUG -- : accept: 10.10.240.195:46416
D, [2017-09-25T11:24:58.232804 ] DEBUG -- : Rack::Handler::WEBrick is invoked.
[2017-09-25 11:24:58.331 #59264] ERROR -- invalid worlds found {"8f03b9ac-d048-41a1-b25b-49b24d5e2594"=>:invalidated}
E, [2017-09-25T11:24:58.358327 #59264] ERROR -- : SSL certificate with unexpected serial supplied
[2017-09-25 11:24:58.361 #59264] INFO -- 10.10.240.195 - - [25/Sep/2017:11:24:58 +0100] "GET /dynflow/tasks/count?state=running HTTP/1.1" 403 59 0.0037

[2017-09-25 11:24:58.403 #59264] DEBUG -- close: 10.10.240.195:46416

10.10.240.195 is the IP of the Foreman Master.

Thanks!

James

Hi James,
the files should be set properly on the host where the separate proxy runs.

I asked around and found out the foreman-proxy and smart_proxy_dynflow_core
have to be configured to use the same certificate to talk to each other,
however weird it may sound. If they use different SSL certificates (even if
they are signed by the same CA), you will get the unexpected serial error.
Are you by any chance having them use different certs?

– Adam

On Mon, Sep 25, 2017 at 12:31 PM, James Denton wrote:

Hi Adam,

Thank you for your continuing help. I am using the same SSL certs for both
the remote_proxy_dynflow_core and foreman-proxy (on the remote server);
however, the error still persists. I have pasted below the output of the 2
config files on the remote-proxy that you mentioned:

[root@remoteproxy settings.d]# cat /etc/foreman-proxy/settings.yml
---
:settings_directory: /etc/foreman-proxy/settings.d
:ssl_certificate: /var/lib/puppet/ssl/certs/remoteproxy.xyz.dmz.pem
:ssl_ca_file: /var/lib/puppet/ssl/certs/ca.pem
:ssl_private_key: /var/lib/puppet/ssl/private_keys/remoteproxy.xyz.dmz.pem

# SSL settings for client authentication against foreman.
#:foreman_ssl_ca: /var/lib/puppet/ssl/certs/ca.pem
#:foreman_ssl_certificate: /var/lib/puppet/ssl/certs/foreman.xyz.com.pem
#:foreman_ssl_private_key: /var/lib/puppet/ssl/private_keys/foreman.xyz.com.pem

:trusted_hosts:
- foreman-master.xyz.com
- remoteproxy.xyz.dmz
:foreman_url: https://foreman-master.xyz.com
:daemon: true
:daemon_pid: /var/run/foreman-proxy/foreman-proxy.pid
:bind_host: '*'
#:http_port: 8000
:https_port: 8443
:log_file: /var/log/foreman-proxy/proxy.log
:log_level: DEBUG

[root@remoteproxy settings.d]# cat /etc/smart_proxy_dynflow_core/settings.yml
# Path to dynflow database, leave blank for in-memory non-persistent
# database
:database: /var/lib/foreman-proxy/dynflow/dynflow.sqlite
:console_auth: true

# URL of the foreman, used for reporting back
:foreman_url: https://foreman-master.xyz.com

# SSL settings for client authentication against foreman.
#:foreman_ssl_ca: /var/lib/puppet/ssl/certs/ca.pem
#:foreman_ssl_certificate: /var/lib/puppet/ssl/certs/foreman.xyz.com.pem
#:foreman_ssl_private_key: /var/lib/puppet/ssl/private_keys/foreman.xyz.com.pem

# Listen on address
:listen: 0.0.0.0

# Listen on port
:port: 8008

:use_https: true
:ssl_ca_file: /var/lib/puppet/ssl/certs/ca.pem
:ssl_certificate: /var/lib/puppet/ssl/certs/remoteproxy.xyz.dmz.pem
:ssl_private_key: /var/lib/puppet/ssl/private_keys/remoteproxy.xyz.dmz.pem

# File to log to, leave empty for logging to STDOUT
:log_file: /var/log/foreman-proxy/smart_proxy_dynflow_core.log

# Log level, one of UNKNOWN, FATAL, ERROR, WARN, INFO, DEBUG
:log_level: DEBUG

Also, when I execute a job on the Foreman-master, I see that it makes a
connection to the remote-proxy (where I receive the "ERROR -- : SSL
certificate with unexpected serial supplied" error). Could you please let me
know which SSL cert is being provided to the remote-proxy from the
foreman-master?
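A check for the condition Adam describes above (foreman-proxy and smart_proxy_dynflow_core must present the same certificate, not merely certificates issued by the same CA), run over settings files shaped like the two James pasted. This is an added example, not code from the thread or from the Foreman project. It parses the :ssl_certificate and :ssl_ca_file keys of both files, verifies each certificate against the CA, and compares serial numbers. The CA, the two leaf certificates and the in-memory "files" are constructed here so the script runs offline; the path /etc/smart_proxy_dynflow_core/other.pem is hypothetical and stands for a second, separately generated certificate for the same host.

```ruby
require 'openssl'
require 'yaml'

# --- Constructed fixtures (not real Foreman/Puppet certificates) -------------
# One CA and two distinct leaf certificates signed by it with different serial
# numbers, mimicking two separately generated certs for the same proxy host.
def make_key
  OpenSSL::PKey::RSA.new(2048)
end

def build_cert(subject, serial, key, issuer_cert: nil, issuer_key: nil, ca: false)
  cert = OpenSSL::X509::Certificate.new
  cert.version = 2
  cert.serial = serial
  cert.subject = OpenSSL::X509::Name.parse(subject)
  cert.issuer = issuer_cert ? issuer_cert.subject : cert.subject
  cert.public_key = key.public_key
  cert.not_before = Time.now - 60
  cert.not_after = Time.now + 3600
  if ca
    ef = OpenSSL::X509::ExtensionFactory.new
    ef.subject_certificate = cert
    ef.issuer_certificate = cert
    cert.add_extension(ef.create_extension('basicConstraints', 'CA:TRUE', true))
    cert.add_extension(ef.create_extension('keyUsage', 'keyCertSign,cRLSign', true))
  end
  cert.sign(issuer_key || key, OpenSSL::Digest.new('SHA256'))
  cert
end

CA_KEY     = make_key
CA_CERT    = build_cert('/CN=Puppet CA', 1, CA_KEY, ca: true)
PROXY_KEY  = make_key
PROXY_CERT = build_cert('/CN=remoteproxy.xyz.dmz', 2, PROXY_KEY,
                        issuer_cert: CA_CERT, issuer_key: CA_KEY)
OTHER_KEY  = make_key
OTHER_CERT = build_cert('/CN=remoteproxy.xyz.dmz', 3, OTHER_KEY,
                        issuer_cert: CA_CERT, issuer_key: CA_KEY)

# In-memory stand-in for the files the settings name (constructed). The
# "other.pem" path is hypothetical: a second cert for the same host.
FILES = {
  '/var/lib/puppet/ssl/certs/ca.pem'                  => CA_CERT.to_pem,
  '/var/lib/puppet/ssl/certs/remoteproxy.xyz.dmz.pem' => PROXY_CERT.to_pem,
  '/etc/smart_proxy_dynflow_core/other.pem'           => OTHER_CERT.to_pem,
}.freeze
READ_PEM = ->(path) { FILES.fetch(path) }

# Minimal /etc/foreman-proxy/settings.yml, keys as in the thread.
PROXY_YAML = <<~YAML
  ---
  :ssl_certificate: /var/lib/puppet/ssl/certs/remoteproxy.xyz.dmz.pem
  :ssl_ca_file: /var/lib/puppet/ssl/certs/ca.pem
  :ssl_private_key: /var/lib/puppet/ssl/private_keys/remoteproxy.xyz.dmz.pem
YAML

# Minimal /etc/smart_proxy_dynflow_core/settings.yml with a variable cert path.
def core_yaml(cert_path)
  <<~YAML
    :use_https: true
    :ssl_ca_file: /var/lib/puppet/ssl/certs/ca.pem
    :ssl_certificate: #{cert_path}
    :ssl_private_key: /var/lib/puppet/ssl/private_keys/remoteproxy.xyz.dmz.pem
  YAML
end

# --- The check ----------------------------------------------------------------
# Loads the :ssl_certificate from both settings files, verifies each against
# the shared :ssl_ca_file, and reports whether they are literally the same
# certificate (same serial). "Same CA, different serial" is the trap named in
# the thread: both sides verify, yet the serials differ.
def audit_proxy_certs(proxy_yaml, core_yaml, read_pem)
  proxy = YAML.safe_load(proxy_yaml, permitted_classes: [Symbol])
  core  = YAML.safe_load(core_yaml,  permitted_classes: [Symbol])
  store = OpenSSL::X509::Store.new
  store.add_cert(OpenSSL::X509::Certificate.new(read_pem.call(proxy[:ssl_ca_file])))

  sides = { foreman_proxy: proxy, dynflow_core: core }.transform_values do |cfg|
    cert = OpenSSL::X509::Certificate.new(read_pem.call(cfg[:ssl_certificate]))
    { path: cfg[:ssl_certificate],
      serial: cert.serial.to_i,
      subject: cert.subject.to_s,
      ca_ok: store.verify(cert) }
  end
  sides.merge(same_cert: sides.values.map { |s| s[:serial] }.uniq.size == 1)
end

# Two separately generated certs, both CA-valid: flagged as a mismatch.
def mismatched_report
  audit_proxy_certs(PROXY_YAML, core_yaml('/etc/smart_proxy_dynflow_core/other.pem'), READ_PEM)
end

# Both services pointed at the same file, as in James's configuration: passes.
def matching_report
  audit_proxy_certs(PROXY_YAML, core_yaml('/var/lib/puppet/ssl/certs/remoteproxy.xyz.dmz.pem'), READ_PEM)
end

if $PROGRAM_NAME == __FILE__
  [mismatched_report, matching_report].each do |r|
    puts "same_cert=#{r[:same_cert]} proxy serial=#{r[:foreman_proxy][:serial]} " \
         "core serial=#{r[:dynflow_core][:serial]} " \
         "both CA-valid=#{r[:foreman_proxy][:ca_ok] && r[:dynflow_core][:ca_ok]}"
  end
end
```

Against a real proxy host, replace READ_PEM with a lambda around File.read and pass the contents of the two settings.yml files; a report with same_cert false while ca_ok is true on both sides is exactly the "signed by the same CA but different serial" case Adam warns about. A same_cert true result, as James's identical paths would give, rules that cause out and points the investigation at the other hop, Foreman to Smart Proxy, which is why the question of which cert the Foreman master presents is the right next one.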