I am getting some errors trying to send reports to my foreman server from
an existing puppetmaster.
I have followed the directions here :
http://theforeman.org/manuals/1.7/index.html#3.5.4PuppetReports
My setup is as follows:
1 katello server installed according to default settings (puppet and puppet
CA installed).
1 existing puppetmaster (pm3), also with a puppet CA installed.
I have a file called foreman.rb at
/usr/lib/ruby/site_ruby/1.8/puppet/reports/ (CentOS 6.5)
I've also created the foreman.yaml file at /etc/puppet
The top couple lines read
# Update for your Foreman and Puppet master hostname(s)
:url: "https://katello.mydomain.net"
:ssl_ca: "/var/lib/puppet/ssl/certs/ca.pem"
:ssl_cert: "/var/lib/puppet/ssl/certs/pm3.mydomain.net.pem"
:ssl_key: "/var/lib/puppet/ssl/private_keys/pm3.mydomain.net.pem"
When I run puppet agent on any node that is connected to the existing
puppetmaster, I find these lines in my log
Apr 13 18:09:31 pm3 puppet-master[5271]:
(//puppetclient.mydomain.net/Puppet) Finished catalog run in 5.88 seconds
Apr 13 18:09:31 pm3 puppet-master[5271]: Report processor failed: Could not
send report to Foreman at https://katello.mydomain.net/api/reports:
SSL_connect returned=1 errno=0 state=SSLv3 read server certificate B:
certificate verify failed
Is there some step missing in the manual?
I feel like I haven't trusted my katello root CA
I was able to make a little bit of progress. The manual says nothing about
the actual process to make this happen.
Running in /etc/pki/ca-trust/source/anchors
[root@pm3 anchors]# wget https://katello.mydomain.net/pub/katello-default-ca.crt --no-check-certificate
downloads the katello certificate.
Then I ran
[root@pm3-ops-int-van anchors]# update-ca-trust extract
[root@pm3-ops-int-van anchors]# update-ca-trust
That got me to the point where the error message changed when submitting
the report
Apr 13 21:56:38 pm3 puppet-master[8458]: Report processor failed: Could not
send report to Foreman at https://katello.mydomain.net/api/reports:
SSL_connect returned=1 errno=0 state=SSLv3 read server session ticket A:
tlsv1 alert unknown ca
I don't understand this error though. Didn't the update-ca-trust make it
so I trust that ca? It obviously fixed something because the error is now
different and refers to unknown ca rather than failed verification.
Katello doesn't use the Puppet certificates like Foreman does. I haven't
tried these steps, but this should work:
- On your Katello do this:
--certs-tar "~/mycapsule.example.com-certs.tar"
Where mycapsule.example.com is your other Puppetmaster.
- Unpack that tarball and copy over the "puppet-client" certificate RPM to
your puppetmaster, and install it
- Copy some files around:
cp /etc/pki/katello-certs-tools/certs/*-puppet-client.crt /etc/puppet/foreman.crt
cp /etc/pki/katello-certs-tools/private/*-puppet-client.key /etc/puppet/foreman.key
cd /etc/puppet
chown puppet /etc/puppet/foreman.{crt,key} /etc/puppet/katello*
- Configure your /etc/puppet/foreman.yaml like this:
:url: "https://katello.mydomain.net"
:ssl_ca: "/etc/puppet/katello-default-ca.crt"
:ssl_cert: "/etc/puppet/foreman.crt"
:ssl_key: "/etc/puppet/foreman.key"
That should hopefully do it.
On Mon, Apr 13, 2015 at 03:02:03PM -0700, Nathan Peters wrote:
Best Regards,
Stephen Benjamin
Red Hat Engineering
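The two error strings in the thread come from opposite ends of the TLS handshake: "certificate verify failed" is pm3 (the client) refusing Katello's server certificate, which trusting katello-default-ca fixes, while "tlsv1 alert unknown ca" is Katello's Apache refusing the client certificate pm3 presents, because it was issued by pm3's own Puppet CA rather than by the Katello CA. The following is an added example, not code from the thread or from Foreman/Katello: a Ruby script using only the standard-library OpenSSL and YAML that builds a toy katello-default-ca and a separate Puppet CA in a temporary directory, writes three foreman.yaml variants, and predicts which of the two outcomes each would produce. It assumes (labelled in the code) that the CA named in :ssl_ca is also the CA Foreman's Apache trusts for client authentication, which is what the corrected foreman.yaml above relies on; the certificate subjects and file names are constructed for the demo.

```ruby
require "openssl"
require "yaml"
require "tmpdir"

SERIAL = [0]

# Issue an X.509 certificate signed by `issuer` ([cert, key]); self-signed when nil.
def issue_cert(cn, key, issuer: nil, ca: false)
  issuer_cert, issuer_key = issuer || [nil, key]
  cert = OpenSSL::X509::Certificate.new
  cert.version = 2
  cert.serial = (SERIAL[0] += 1)
  cert.subject = OpenSSL::X509::Name.parse("/CN=#{cn}")
  cert.issuer = issuer_cert ? issuer_cert.subject : cert.subject
  cert.public_key = key.public_key
  cert.not_before = Time.now - 60
  cert.not_after = Time.now + 3600
  ef = OpenSSL::X509::ExtensionFactory.new(issuer_cert || cert, cert)
  cert.add_extension(ef.create_extension("basicConstraints", ca ? "CA:TRUE" : "CA:FALSE", true))
  cert.add_extension(ef.create_extension("keyUsage",
                     ca ? "keyCertSign,cRLSign" : "digitalSignature,keyEncipherment", true))
  cert.sign(issuer_key, OpenSSL::Digest.new("SHA256"))
  cert
end

# foreman.yaml uses symbol keys (:url:, :ssl_ca:, ...), so Symbol must be permitted.
def load_settings(path)
  YAML.safe_load(File.read(path), permitted_classes: [Symbol])
end

# Predict the TLS outcome of the report upload from the files foreman.yaml names.
# Assumption: the CA in :ssl_ca is the same CA Foreman's Apache uses to verify
# client certificates (true for a default Katello install). Results:
#   :key_mismatch -> :ssl_key does not belong to :ssl_cert
#   :unknown_ca   -> server will reject the client cert ("tlsv1 alert unknown ca")
#   :ok           -> client cert chains to the CA
def diagnose(settings)
  ca   = OpenSSL::X509::Certificate.new(File.read(settings[:ssl_ca]))
  cert = OpenSSL::X509::Certificate.new(File.read(settings[:ssl_cert]))
  key  = OpenSSL::PKey.read(File.read(settings[:ssl_key]))
  return :key_mismatch unless cert.check_private_key(key)
  store = OpenSSL::X509::Store.new
  store.add_cert(ca)
  store.verify(cert) ? :ok : :unknown_ca
end

# Write a foreman.yaml in the same shape as the one in the thread.
def write_foreman_yaml(dir, name, ca:, cert:, key:)
  path = File.join(dir, name)
  File.write(path, <<~YAML)
    # Update for your Foreman and Puppet master hostname(s)
    :url: "https://katello.mydomain.net"
    :ssl_ca: "#{ca}"
    :ssl_cert: "#{cert}"
    :ssl_key: "#{key}"
  YAML
  path
end

# Constructed scenario from the thread: pm3 has its own Puppet CA, Katello has
# katello-default-ca. Returns the diagnosis for three foreman.yaml variants.
def run_demo
  Dir.mktmpdir do |dir|
    pem = ->(name, obj) { File.join(dir, name).tap { |p| File.write(p, obj.to_pem) } }

    katello_key = OpenSSL::PKey::RSA.new(2048)
    katello_ca  = issue_cert("katello-default-ca", katello_key, ca: true)
    puppet_key  = OpenSSL::PKey::RSA.new(2048)
    puppet_ca   = issue_cert("Puppet CA: pm3.mydomain.net", puppet_key, ca: true)

    # pm3's Puppet-CA-issued master cert (what the first foreman.yaml presented)
    pm3_key = OpenSSL::PKey::RSA.new(2048)
    pm3_crt = issue_cert("pm3.mydomain.net", pm3_key, issuer: [puppet_ca, puppet_key])
    # Katello-issued "puppet-client" cert (what the corrected foreman.yaml presents)
    client_key = OpenSSL::PKey::RSA.new(2048)
    client_crt = issue_cert("pm3.mydomain.net-puppet-client", client_key, issuer: [katello_ca, katello_key])

    ca_file   = pem["katello-default-ca.crt", katello_ca]
    pm3_cert  = pem["pm3.mydomain.net.pem", pm3_crt]
    pm3_keyf  = pem["pm3.mydomain.net.key", pm3_key]
    fore_cert = pem["foreman.crt", client_crt]
    fore_key  = pem["foreman.key", client_key]

    original  = write_foreman_yaml(dir, "original.yaml", ca: ca_file, cert: pm3_cert, key: pm3_keyf)
    fixed     = write_foreman_yaml(dir, "fixed.yaml", ca: ca_file, cert: fore_cert, key: fore_key)
    wrong_key = write_foreman_yaml(dir, "wrong_key.yaml", ca: ca_file, cert: fore_cert, key: pm3_keyf)
    {
      original:  diagnose(load_settings(original)),   # after update-ca-trust, before new cert
      fixed:     diagnose(load_settings(fixed)),      # Stephen's corrected setup
      wrong_key: diagnose(load_settings(wrong_key)),  # copied the wrong .key alongside foreman.crt
    }
  end
end

p run_demo if $PROGRAM_NAME == __FILE__
```

Against a real master the same check is `diagnose(load_settings("/etc/puppet/foreman.yaml"))`; :unknown_ca there means the file in :ssl_cert is not something Katello's CA issued, so no amount of trusting Katello's CA on pm3 will help, and the puppet-client certificate from the certs tarball is what is needed.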
That totally worked, thanks!
That did seem like quite a long series of steps though. Was I not able to
find that anywhere in the manual because the assumption is that a katello
server will have puppetmasters use its certificate and they haven't
already been running with their own CA and clients?
Also, one more question I had:
When I turned on ENC functionality on the puppetmaster, it would no longer
provide a catalog to agents that were in the puppetmaster's site.pp file.
It seemed to be an all or nothing thing where it wanted to provide only for
hosts that were registered in katello or only for hosts in its own site.pp
files.
Is there a way to have a puppetmaster first look for the agent definitions
in katello, and then locally if that fails?
The reason I ask is because we have several hundred hosts already attached
to this puppetmaster. Although I can import class and environment
definitions using the puppet smart proxy I can't seem to figure out a way
to import what classes belong to a particular host.
This means I would have to run puppet on the host, wait for its host record
to be auto-created in katello, then manually apply all the classes to that
host that are in the site.pp.
I would have to do this for every host on the puppetmaster manually before
I could turn on the ENC or katello would not provide proper definitions.
Am I going about this the wrong way or is that the only way to accomplish
using the ENC on an existing puppetmaster?
Also, when hosts show up in Katello after having their reports forwarded by
the puppetmaster, they have no organization or location assigned.
When I edit the host, the ability to change organization or location is
grayed out. The only option seems to be to mass assign organization or
location through the Administer menu.
Is this a bug or expected behavior that I can't assign these by editing the
host.
You can go into the Settings and set default_organization and
default_location. You can also provide a fact on the host called (by
default, but changeable) location_fact and organization_fact.
The actual behavior of having to use the bulk tool is known to change
org/location though, there's some reason behind that but I'm not sure
exactly why…
On Tue, Apr 14, 2015 at 09:30:13AM -0700, Nathan Peters wrote: