Salt-cron.log -> [SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed (_ssl.c:581)

Hi,

I see on my salt-master with installed and "obviously" working smartproxy
incl salt-api some errors in the

==> /var/log/foreman-proxy/salt-cron.log

SSLError: [SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed
(_ssl.c:581)
Traceback (most recent call last):
File "/usr/sbin/upload-salt-reports", line 137, in <module>
upload(jobs_to_upload())
File "/usr/sbin/upload-salt-reports", line 112, in upload
json.dumps(job), headers)
File "/usr/lib/python2.7/httplib.py", line 1001, in request
self._send_request(method, url, body, headers)
File "/usr/lib/python2.7/httplib.py", line 1035, in _send_request
self.endheaders(body)
File "/usr/lib/python2.7/httplib.py", line 997, in endheaders
self._send_output(message_body)
File "/usr/lib/python2.7/httplib.py", line 850, in _send_output
self.send(msg)
File "/usr/lib/python2.7/httplib.py", line 812, in send
self.connect()
File "/usr/lib/python2.7/httplib.py", line 1212, in connect
server_hostname=server_hostname)
File "/usr/lib/python2.7/ssl.py", line 350, in wrap_socket
_context=self)
File "/usr/lib/python2.7/ssl.py", line 566, in init
self.do_handshake()
File "/usr/lib/python2.7/ssl.py", line 788, in do_handshake
self._sslobj.do_handshake()
SSLError: [SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed
(_ssl.c:581)

But I don't find out which SSL Setting is wrong or which certs I have
forgotten.
The registration of the SmartProxy works fine, even also the import of some
salt states.
I think this will be the problem why I receive no reports from my minions.
Am I right?

my forman.yaml

:proto: https
:host: vmg-utf-foreman-000.to3.zone.loc
:port: 443
:ssl_ca: "/var/lib/puppet/ssl/certs/ca.pem"
:ssl_cert: "/var/lib/puppet/ssl/certs/vmg-utf-foreman-000.to3.zone.loc.pem"
:ssl_key:
"/var/lib/puppet/ssl/private_keys/vmg-utf-foreman-000.to3.zone.loc.pem"
:timeout: 10
:salt: /usr/bin/salt
:upload_grains: true

and my settings in salt-masters conf

external_auth:
pam:
saltuser:
- .*
- '@runner'
- '@wheel'
- '@jobs'

rest_cherrypy:
port: 9191
host: 0.0.0.0
ssl_key:
/var/lib/puppet/ssl/private_keys/vmg-utf-foreman-000.to3.zone.loc.pem
ssl_crt: /var/lib/puppet/ssl/certs/vmg-utf-foreman-000.to3.zone.loc.pem

Also the other settings in master config from

http://theforeman.org/plugins/foreman_salt/4.0/index.html#2.1.2SaltMasterConfiguration

On my way to find out whats going wrong or what's missing, I found on my
saltmaster another exception but in the

==> /var/log/foreman/dynflow_executor.output <==
Exiting
/usr/lib/ruby/vendor_ruby/bundler/rubygems_integration.rb:256:in block in replace_gem': Please install the sqlite3 adapter:gem install
activerecord-sqlite3-adapter(sqlite3 is not part of the bundle. Add it to Gemfile.) (LoadError) from /usr/share/foreman/vendor/ruby/2.1.0/gems/activerecord-3.2.21/lib/active_record/connection_adapters/sqlite3_adapter.rb:3:in<top (required)>'
from
/usr/share/foreman/vendor/ruby/2.1.0/gems/activesupport-3.2.21/lib/active_support/dependencies.rb:251:in
require' from /usr/share/foreman/vendor/ruby/2.1.0/gems/activesupport-3.2.21/lib/active_support/dependencies.rb:251:inblock in require'
from
/usr/share/foreman/vendor/ruby/2.1.0/gems/activesupport-3.2.21/lib/active_support/dependencies.rb:236:in
load_dependency' from /usr/share/foreman/vendor/ruby/2.1.0/gems/activesupport-3.2.21/lib/active_support/dependencies.rb:251:inrequire'
from
/usr/share/foreman/vendor/ruby/2.1.0/gems/activerecord-3.2.21/lib/active_record/connection_adapters/abstract/connection_specification.rb:50:in
resolve_hash_connection' from /usr/share/foreman/vendor/ruby/2.1.0/gems/activerecord-3.2.21/lib/active_record/connection_adapters/abstract/connection_specification.rb:41:inresolve_string_connection'
from
/usr/share/foreman/vendor/ruby/2.1.0/gems/activerecord-3.2.21/lib/active_record/connection_adapters/abstract/connection_specification.rb:25:in
spec' from /usr/share/foreman/vendor/ruby/2.1.0/gems/activerecord-3.2.21/lib/active_record/connection_adapters/abstract/connection_specification.rb:130:inestablish_connection'
from
/usr/share/foreman/vendor/ruby/2.1.0/gems/activerecord-3.2.21/lib/active_record/railtie.rb:88:in
block (2 levels) in <class:Railtie>' from /usr/share/foreman/vendor/ruby/2.1.0/gems/activesupport-3.2.21/lib/active_support/lazy_load_hooks.rb:36:ininstance_eval'

==> /var/log/foreman/production.log <==
2016-02-22T15:51:59 [app] [I] Connecting to database specified by
database.yml

I thought foreman itself is not needed, so what is there logging. Is this
activerecord-sqlite3-adapter mandatory?

– Tom (aka Jon Snow… knows nothing…)

If added some print "" in
/usr/sbin/upload-salt-reports

to see what/where the call goes out.

The Result seems ok for the settings.

Host vmg-utf-foreman-000.to3.zone.loc
Port 8443
Key /var/lib/puppet/ssl/private_keys/vmg-utf-foreman-000.to3.zone.loc.pem
Cert /var/lib/puppet/ssl/certs/vmg-utf-foreman-000.to3.zone.loc.pem

But what is going wrong thats in the End

SSLError: [SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed
(_ssl.c:581)

comes.

have fixed the port in foreman.yaml

to 8443 instead of 443.

But same result

In the documentation is written I should use following for saltmaster
configurtion

http://theforeman.org/plugins/foreman_salt/4.0/index.html#2.1.2SaltMasterConfiguration

:ssl_ca: /var/lib/puppet/ssl/certs/ca.pem

If I take a look at my foreman / puppet server in the foreman.yaml

:ssl_ca: "/var/lib/puppet/ssl/ca/ca_crt.pem"

Is the differents ok? Or is the Documentation wrong or the foreman.yaml on
my foreman/puppet server.

Hm, what about that

http://theforeman.org/manuals/1.10/index.html#3.2.3InstallationScenarios

"Other systems require certificates to be generated on the central Puppet
CA host, then distributed to them before running foreman-installer (else it
may generate a second CA). To prepare these, on the host acting as Puppet
CA, run:…"

Thought that was the idea…

> Hi,
>
> I see on my salt-master with installed and "obviously" working smartproxy
> incl salt-api some errors in the
>
> ==> /var/log/foreman-proxy/salt-cron.log
>
> SSLError: [SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed
> (_ssl.c:581)
> Traceback (most recent call last):
> File "/usr/sbin/upload-salt-reports", line 137, in <module>
> upload(jobs_to_upload())
> File "/usr/sbin/upload-salt-reports", line 112, in upload
> json.dumps(job), headers)
> File "/usr/lib/python2.7/httplib.py", line 1001, in request
> self._send_request(method, url, body, headers)
> File "/usr/lib/python2.7/httplib.py", line 1035, in _send_request
> self.endheaders(body)
> File "/usr/lib/python2.7/httplib.py", line 997, in endheaders
> self._send_output(message_body)
> File "/usr/lib/python2.7/httplib.py", line 850, in _send_output
> self.send(msg)
> File "/usr/lib/python2.7/httplib.py", line 812, in send
> self.connect()
> File "/usr/lib/python2.7/httplib.py", line 1212, in connect
> server_hostname=server_hostname)
> File "/usr/lib/python2.7/ssl.py", line 350, in wrap_socket
> _context=self)
> File "/usr/lib/python2.7/ssl.py", line 566, in init
> self.do_handshake()
> File "/usr/lib/python2.7/ssl.py", line 788, in do_handshake
> self._sslobj.do_handshake()
> SSLError: [SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed
> (_ssl.c:581)
>
>
>
> But I don't find out which SSL Setting is wrong or which certs I have
> forgotten.
> The registration of the SmartProxy works fine, even also the import of some
> salt states.
> I think this will be the problem why I receive no reports from my minions.
> Am I right?
>
> my forman.yaml
>
> :proto: https
> :host: vmg-utf-foreman-000.to3.zone.loc
> :port: 443
> :ssl_ca: "/var/lib/puppet/ssl/certs/ca.pem"
> :ssl_cert: "/var/lib/puppet/ssl/certs/vmg-utf-foreman-000.to3.zone.loc.pem"
> :ssl_key:
> "/var/lib/puppet/ssl/private_keys/vmg-utf-foreman-000.to3.zone.loc.pem"
> :timeout: 10
> :salt: /usr/bin/salt
> :upload_grains: true

Do you have a Foreman and then a separate proxy? What are the host names
of both? It's using client SSL authentication, the certs on your proxy
need to be issued by the Foreman server.

Based on your comment on the end of this message, it sounds like you
installed 2 Foreman servers not a Foreman and separate proxy.

The easiest case is to have everything on 1 server. If you don't want
this, you're really on your own to configure the certificates, Foreman
doesn't do this for you. Most users make the proxy a puppet client and
use those certs, there's some limited info burried in the foreman manual.

> have fixed the port in foreman.yaml
>
> to 8443 instead of 443.
>
> But same result

443 is the correct port. foreman.yaml points to Foreman (443), not a
Smart Proxy (8443).

> In the documentation is written I should use following for saltmaster
> configurtion
>
> Foreman :: Plugin Manuals
>
> :ssl_ca: /var/lib/puppet/ssl/certs/ca.pem
>
>
>
> If I take a look at my foreman / puppet server in the foreman.yaml
>
> :ssl_ca: "/var/lib/puppet/ssl/ca/ca_crt.pem"

The former path exists for me on my master. Can you please clarify
details about what your environment is? Is this a separate smart proxy?

>
> Is the differents ok? Or is the Documentation wrong or the foreman.yaml on
> my foreman/puppet server.

AFAIK, the documentation is correct for the only case I've tested which
is integrated on the same box foreman/smart proxy/saltmaster. It'd be
great if someone who wants this would come along and open a PR to
document other cases, but no one has.

Do you not have the ca.pem on your smart proxy?

> From: "Tom K." <tn@to3.de>
> To: "Foreman users" <foreman-users@googlegroups.com>
> Sent: Monday, February 22, 2016 1:57:14 PM
> Subject: [foreman-users] Re: salt-cron.log -> [SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed (_ssl.c:581)
>
> Hm, what about that
>
> Foreman :: Manual
>
> "Other systems require certificates to be generated on the central Puppet
> CA host, then distributed to them before running foreman-installer (else it
> may generate a second CA). To prepare these, on the host acting as Puppet
> CA, run:…"
>
> Thought that was the idea…

Yes, that's using the puppet cert tool to generate certificates for the other host. Making the
smart proxy a puppet client gets you this for free as the certs would be generated and signed.
You can use these instructions as well, but from the looks of it, you copied the certificates
belonging to the Foreman, not creating a new one (why is the foreman hostname in the certificates
on the smart proxy?)

Hi,

I want to test foreman and salt-master

So I've three systems

1. Foreman default Setup (with its puppet und own forman-proxy)
2. salt-master, as smartproxy with salt-api
3. salt-minion

The hostnames

1. vmg-utf-foreman-000.to3.zone.loc
2. vmg-utf-saltmaster-000.to3.zone.loc
3. vmg-utf-saltminion-001.to3.zone.loc

For the setup of the SmartProxy (salt-api) I've created the Certs on die
Puppet on the vmg-foreman… which acts as the master Puppet CA
Then copied the created files, depending on the path in the docs, from
vmg-foreman to vmg-saltmaster

the path :ssl_ca: /var/lib/puppet/ssl/certs/ca.pem I've from the
documentation and copied the file from vmg-foreman also to vmg-saltmaster

My intension is to separate saltmaster from the same machine as foreman
server. Will try at last step to set the a smartproxy setup about the
production (existing) salt-master.

> Hi,
>
> I want to test foreman and salt-master
>
> So I've three systems
>
> 1) Foreman default Setup (with its puppet und own forman-proxy)
> 2) salt-master, as smartproxy with salt-api
> 3) salt-minion
>
> The hostnames
>
> 1) vmg-utf-foreman-000.to3.zone.loc
> 2) vmg-utf-saltmaster-000.to3.zone.loc
> 3) vmg-utf-saltminion-001.to3.zone.loc
>
>
> For the setup of the SmartProxy (salt-api) I've created the Certs on die
> Puppet on the vmg-foreman… which acts as the master Puppet CA
> Then copied the created files, depending on the path in the docs, from
> vmg-foreman to vmg-saltmaster
>
> the path :ssl_ca: /var/lib/puppet/ssl/certs/ca.pem I've from the
> documentation and copied the file from vmg-foreman also to vmg-saltmaster
>
> My intension is to separate saltmaster from the same machine as foreman
> server. Will try at last step to set the a smartproxy setup about the
> production (existing) salt-master.

This will not work, certificates and private keys aren't something to be
copied around as they've got hostname information in them and it's
generally not a good security practice either. You should generate
certificates for the saltmaster's Smart Proxy to use. Generally, this
is done by making the saltmaster a puppet client.

This is the information in the manual I was referring to:
Foreman :: Manual

Hi,

hm, no. I've generated them on the foreman itself.

<https://lh3.googleusercontent.com/-PXVW2qwvcuk/VswFxd80TeI/AAAAAAAAOic/-XDFtbkJKFw/s1600/FullSizeRender.jpg>

And I used this forman-installer "setup"

foreman-installer --no-enable-foreman
–no-enable-foreman-cli
–no-enable-foreman-plugin-bootdisk
–no-enable-foreman-plugin-setup
–no-enable-puppet
–enable-foreman-proxy
–foreman-proxy-tftp=false
–foreman-proxy-foreman-base-url=https://vmg-utf-foreman-000.to3.zone.loc
–foreman-proxy-trusted-hosts=vmg-utf-foreman-000.to3.zone.loc
–foreman-proxy-oauth-consumer-key=KEY
–foreman-proxy-oauth-consumer-secret=SECRET
–enable-foreman-proxy-plugin-salt