Reports and Facts tab

hi all,

I cannot see the Reports and Facts tab in Host details, Reports are not working.

Does anyone know why?

thanks in advance

In puppetserver log:

[puppetserver] Puppet Report processor failed: Could not send report to Foreman at https://foreman.local/api/config_reports: certificate verify failed


the reports and facts tabs only show up after at least one report has been processed for the host, so that is expected behaviour.
There is obviously a problem with the SSL setup on your Foreman server or smartproxy.
Do you use a separate Puppet smart-proxy server or are you using the automatically installed one on your Foreman server?
Have you changed the HTTPS certificates of your Foreman server after installation of the smart-proxy?

You can check which certificates Puppet uses to try to verify your Foreman server. The configuration file should be at /etc/puppetlabs/puppet/foreman.yaml, there the values “ssl_ca”, “ssl_cert” and “ssl_key” are the certificates that are used for report and fact uploading. If you followed the installation documentation and did not temper with the certificates by hand, the installer should take care of that by itself, but it does not hurt to check if these values match and the certificates are correct.


thanks for your answer @areyus

No Puppetserver and Foreman are on one server.

No I dont change anything.

cat /etc/puppetlabs/puppet/foreman.yaml
“ssl_cert” and

Are correct!

You can try calling /etc/puppetlabs/puppet/node.rb (The script that handles both ENC and fact/report uploading) directly from the cli. If you just give it a hostname as argument, it should print the ENC output to your terminal.
You could also try checking if the certificates match via openssl, like openssl s_client -cert <certfile> -key <keyfile> -CAfile <cafile> -connect <foreman hostname>:443 filling in your files from foreman.yaml. Maybe that can give some more information on what the problem might be.


:# /etc/puppetlabs/puppet/node.rb
  hostname: test
  hostgroup: myshostgruup
  foreman_subnets: []
  - ip: x.x.x.x
environment: production

When I run it:

s_client: -connect argument or target parameter malformed or ambiguous
openssl --help | grep connect I dont get result

OK, the ENC part working is a good thing to start with.

The openssl command should look something like this:

openssl s_client -cert /etc/pki/katello/puppet/puppet_client.crt -key /etc/pki/katello/puppet/puppet_client.key -CAfile /etc/pki/katello/puppet/puppet_client_ca.crt -connect foreman.local:443

This is from a Katello installation, if you use Foreman without Katello your paths will likely be different. You can get the help for that command with openssl s_client -help. Of course you also need to replace “foreman.local” with the fqdn of your Foreman server (ideally you copy-paste this from foreman.yaml, along with the paths for the key/cert/ca files).

1 Like

you are right my command had https://foreman.local and it should be foreman.local

the resutlt:

Certificate chain
 0 s:CN = foreman.local
   i:CN = Puppet CA: foreman.local
 1 s:CN = Puppet CA: foreman.local
   i:CN = Puppet Root CA: f3ac3c621d0b95
 2 s:CN = Puppet Root CA: f3ac3c621d0b95
   i:CN = Puppet Root CA: f3ac3c621d0b95
Server certificate
subject=CN = foreman.local

issuer=CN = Puppet CA: foreman.local

Acceptable client certificate CA names
CN = Puppet CA: foreman.local
CN = Puppet Root CA: f3ac3c621d0b95
Requested Signature Algorithms: ECDSA+SHA256:ECDSA+SHA384:...
Shared Requested Signature Algorithms: ECDSA+SHA256:...
Peer signing digest: SHA256
Peer signature type: RSA-PSS
Server Temp Key: X25519, 253 bits
SSL handshake has read 5201 bytes and written 3790 bytes
Verification: OK
New, TLSv1.3, Cipher is TLS_AES_256_GCM_SHA384
Server public key is 4096 bit
Secure Renegotiation IS NOT supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
Early data was not sent
Verify return code: 0 (ok)
Post-Handshake New Session Ticket arrived:
    Protocol  : TLSv1.3
    Cipher    : TLS_AES_256_GCM_SHA384
    Session-ID: F092A037D9BEFF53AC12C558061FD3E996CF9A2A76B430F7F800F717498C6C48
    Resumption PSK: 00FED603362A50CB61F2A3B799CA339F9AE03D584C62DB7FB4141311E7D5E0758FC9F76231D7E979BDB0C6E85E5E09CD
    PSK identity: None
    PSK identity hint: None
    SRP username: None
    TLS session ticket lifetime hint: 300 (seconds)
    TLS session ticket:
    0000 - 74 d7 92 56 4d ce 38 52-71 b0 e3 38 df a6 7f 84   t..VM.8Rq..8....
    0340 - cc 10 6d cb d6 0b 66 2f-02 6f 03 03 2e e7 63 97   ..m...f/.o....c.
    Start Time: 1642602637
    Timeout   : 7200 (sec)
    Verify return code: 0 (ok)
    Extended master secret: no
    Max Early Data: 0
read R BLOCK

Hm, okay, indeed looks like your SSL setup is working. The only thing I can think of the puppet user (that usually runs the puppetserver service) does not have access to your certificate files. Could you check if the user running the service has read access to the files in foreman.yaml?

1 Like

Yes the user has read access to the file

-rw-r----- 1 root puppet 358 Jan 27  2021 foreman.yaml

Sorry, I might have been a little unclear here.
What I meant was: Does the user have access to all the certificate files that are listed in foreman.yaml (key, cert, ca)?

1 Like

dont be sorry, thank you for your help.

yes the user have access to all certificates

OK, could you try running sudo -u puppet /etc/puppetlabs/puppet/node.rb --push-facts and see if that gets you any error messages? If not I might be out of ideas what’s going wrong.

1 Like

It doest print any errors, it works, exit code 0:

:# sudo -u puppet /etc/puppetlabs/puppet/node.rb --push-facts
:# echo $?

so no one know why it doesnt work?