Reports and Facts tab

Hi all,

I cannot see the Reports and Facts tab in Host details. Reports are not working.

Does anyone know why?

Thanks in advance

In puppetserver log:

[puppetserver] Puppet Report processor failed: Could not send report to Foreman at https://foreman.local/api/config_reports: certificate verify failed

Hi,

The reports and facts tabs only show up after at least one report has been processed for the host, so that is expected behaviour.
There is obviously a problem with the SSL setup on your Foreman server or smartproxy.
Do you use a separate Puppet smart-proxy server or are you using the automatically installed one on your Foreman server?
Have you changed the HTTPS certificates of your Foreman server after installation of the smart-proxy?

You can check which certificates Puppet uses to try to verify your Foreman server. The configuration file should be at /etc/puppetlabs/puppet/foreman.yaml; there, the values “ssl_ca”, “ssl_cert” and “ssl_key” are the certificates that are used for report and fact uploading. If you followed the installation documentation and did not tamper with the certificates by hand, the installer should take care of that by itself, but it does not hurt to check if these values match and the certificates are correct.

2 Likes

Thanks for your answer, @areyus.

No, Puppetserver and Foreman are on one server.

No, I didn't change anything.

cat /etc/puppetlabs/puppet/foreman.yaml
“ssl_ca”
“ssl_cert” and
“ssl_key”

Are correct!

You can try calling /etc/puppetlabs/puppet/node.rb (The script that handles both ENC and fact/report uploading) directly from the cli. If you just give it a hostname as argument, it should print the ENC output to your terminal.
You could also try checking if the certificates match via openssl, like openssl s_client -cert <certfile> -key <keyfile> -CAfile <cafile> -connect <foreman hostname>:443 filling in your files from foreman.yaml. Maybe that can give some more information on what the problem might be.

2 Likes

:# /etc/puppetlabs/puppet/node.rb test.domainTEST.com
---
parameters:
  hostname: test
  fqdn: test.domainTEST.com
  hostgroup: myshostgruup
  foreman_subnets: []
  foreman_interfaces:
  - ip: x.x.x.x
    ip6:
    name: test.domainTEST.com
environment: production

When I run it:

s_client: -connect argument or target parameter malformed or ambiguous
openssl --help | grep connect: I don't get a result

OK, the ENC part working is a good thing to start with.

The openssl command should look something like this:

openssl s_client -cert /etc/pki/katello/puppet/puppet_client.crt -key /etc/pki/katello/puppet/puppet_client.key -CAfile /etc/pki/katello/puppet/puppet_client_ca.crt -connect foreman.local:443

This is from a Katello installation; if you use Foreman without Katello, your paths will likely be different. You can get the help for that command with openssl s_client -help. Of course you also need to replace “foreman.local” with the FQDN of your Foreman server (ideally you copy-paste this from foreman.yaml, along with the paths for the key/cert/ca files).

1 Like

You are right, my command had https://foreman.local and it should be foreman.local.

The result:

CONNECTED(00000005)
---
Certificate chain
 0 s:CN = foreman.local
   i:CN = Puppet CA: foreman.local
 1 s:CN = Puppet CA: foreman.local
   i:CN = Puppet Root CA: f3ac3c621d0b95
 2 s:CN = Puppet Root CA: f3ac3c621d0b95
   i:CN = Puppet Root CA: f3ac3c621d0b95
---
Server certificate
-----BEGIN CERTIFICATE-----
MIIFpjCCA46gAwIBAgIBATANBgkqhkiG9w0BAQsFADAjMSEwHwYDVQQDDBhQdXBw
.....
x0c+eKaOKf4E2Q==
-----END CERTIFICATE-----
subject=CN = foreman.local

issuer=CN = Puppet CA: foreman.local

---
Acceptable client certificate CA names
CN = Puppet CA: foreman.local
CN = Puppet Root CA: f3ac3c621d0b95
Requested Signature Algorithms: ECDSA+SHA256:ECDSA+SHA384:...
Shared Requested Signature Algorithms: ECDSA+SHA256:...
Peer signing digest: SHA256
Peer signature type: RSA-PSS
Server Temp Key: X25519, 253 bits
---
SSL handshake has read 5201 bytes and written 3790 bytes
Verification: OK
---
New, TLSv1.3, Cipher is TLS_AES_256_GCM_SHA384
Server public key is 4096 bit
Secure Renegotiation IS NOT supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
Early data was not sent
Verify return code: 0 (ok)
---
---
Post-Handshake New Session Ticket arrived:
SSL-Session:
    Protocol  : TLSv1.3
    Cipher    : TLS_AES_256_GCM_SHA384
    Session-ID: F092A037D9BEFF53AC12C558061FD3E996CF9A2A76B430F7F800F717498C6C48
    Session-ID-ctx:
    Resumption PSK: 00FED603362A50CB61F2A3B799CA339F9AE03D584C62DB7FB4141311E7D5E0758FC9F76231D7E979BDB0C6E85E5E09CD
    PSK identity: None
    PSK identity hint: None
    SRP username: None
    TLS session ticket lifetime hint: 300 (seconds)
    TLS session ticket:
    0000 - 74 d7 92 56 4d ce 38 52-71 b0 e3 38 df a6 7f 84   t..VM.8Rq..8....
     ...
    0340 - cc 10 6d cb d6 0b 66 2f-02 6f 03 03 2e e7 63 97   ..m...f/.o....c.
    Start Time: 1642602637
    Timeout   : 7200 (sec)
    Verify return code: 0 (ok)
    Extended master secret: no
    Max Early Data: 0
---
read R BLOCK
closed

Hm, okay, it indeed looks like your SSL setup is working. The only thing I can think of is that the puppet user (that usually runs the puppetserver service) does not have access to your certificate files. Could you check if the user running the service has read access to the files in foreman.yaml?

1 Like

Yes the user has read access to the file

-rw-r----- 1 root puppet 358 Jan 27  2021 foreman.yaml

Sorry, I might have been a little unclear here.
What I meant was: Does the user have access to all the certificate files that are listed in foreman.yaml (key, cert, ca)?

1 Like
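The checks suggested in this thread (the three files from foreman.yaml are readable by the calling user, the key belongs to the certificate, and the certificate chains to the CA) can be done in one pass. This is an added example, not code from the thread or from Foreman: the function names, the `:ssl_*` symbol-key layout and the throwaway CA it builds as sample input are assumptions.

```ruby
require 'openssl'
require 'tmpdir'
require 'yaml'

# Check the three files named in foreman.yaml as the current user: readable,
# key belongs to cert, and cert chains to the CA (expiry is part of verify).
def check_foreman_ssl(config_path)
  raw = YAML.safe_load(File.read(config_path), permitted_classes: [Symbol])
  conf = raw.transform_keys(&:to_s) # tolerate :ssl_ca as well as ssl_ca keys
  ca, crt, key = conf.values_at('ssl_ca', 'ssl_cert', 'ssl_key')
  res = { readable: [ca, crt, key].all? { |p| p && File.readable?(p) } }
  return res unless res[:readable]
  cert = OpenSSL::X509::Certificate.new(File.read(crt))
  store = OpenSSL::X509::Store.new
  store.add_file(ca)
  res[:key_matches_cert] = cert.check_private_key(OpenSSL::PKey.read(File.read(key)))
  res[:chains_to_ca] = store.verify(cert)
  res[:verify_error] = store.error_string
  res
end

# Constructed sample input: a one-hour certificate, self-signed CA if no issuer.
def issue(common_name, issuer = nil, issuer_key = nil)
  key = OpenSSL::PKey::RSA.new(2048)
  cert = OpenSSL::X509::Certificate.new
  cert.version = 2
  cert.serial = rand(1..1_000_000)
  cert.subject = OpenSSL::X509::Name.parse("/CN=#{common_name}")
  cert.issuer = issuer ? issuer.subject : cert.subject
  cert.public_key = key.public_key
  cert.not_before, cert.not_after = Time.now - 60, Time.now + 3600
  bc = issuer ? 'CA:FALSE' : 'CA:TRUE'
  cert.add_extension(OpenSSL::X509::ExtensionFactory.new.create_extension('basicConstraints', bc, true))
  cert.sign(issuer_key || key, OpenSSL::Digest.new('SHA256'))
  [cert, key]
end

# Write CA, client cert, key and a foreman.yaml into dir; returns the yaml path.
def write_sample(dir, key_for_file: nil)
  ca, ca_key = issue('Constructed Test CA')
  cert, key = issue('foreman.example', ca, ca_key)
  files = { 'ca.pem' => ca.to_pem, 'cert.pem' => cert.to_pem, 'key.pem' => (key_for_file || key).to_pem }
  files.each { |name, pem| File.write(File.join(dir, name), pem) }
  yaml = %w[ca cert key].map { |n| ":ssl_#{n}: \"#{File.join(dir, "#{n}.pem")}\"\n" }.join
  File.join(dir, 'foreman.yaml').tap { |path| File.write(path, yaml) }
end

Dir.mktmpdir { |d| p check_foreman_ssl(write_sample(d)) } if $PROGRAM_NAME == __FILE__
```

Against a real host, call `check_foreman_ssl('/etc/puppetlabs/puppet/foreman.yaml')` as the puppet user (for example via sudo -u puppet), because the readability result applies to whoever runs it.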

Don't be sorry, thank you for your help.

Yes, the user has access to all certificates.

OK, could you try running sudo -u puppet /etc/puppetlabs/puppet/node.rb --push-facts and see if that gets you any error messages? If not I might be out of ideas what’s going wrong.

1 Like

It doesn't print any errors, it works, exit code 0:

:# sudo -u puppet /etc/puppetlabs/puppet/node.rb --push-facts
:# echo $?
0

So no one knows why it doesn't work?