Smart proxy templates feature SSL

Hi guys,

I can't seem to get this to work. I have a smart proxy that I want to
configure to serve the kickstart files for some remote networks behind
firewalls.
I have it configured in Foreman and the templates feature is recognized. I
am stuck on retrieving the kickstart files though as the proxy is asking
for a client certificate.
I would only like to secure communications between Foreman and the proxy.
Host to proxy can be clear text if it needs to be.

This is what I get in proxy.log:

I, [2015-01-27T14:01:53.455401 #31269] INFO -- : Enumerated hosts on x.x.x.x
D, [2015-01-27T14:01:53.455509 #31269] DEBUG -- : Lazy loaded x.x.x.x/255.255.255.0 records
10.238.17.21 - - [27/Jan/2015 14:01:53] "GET /10.214.7.0/10.214.7.155 HTTP/1.1" 200 174 0.0081
10.238.17.21 - - [27/Jan/2015 14:01:53] "GET /templateServer HTTP/1.1" 200 61 0.0039
I, [2015-01-27T14:01:54.187054 #31269] INFO -- : TFTP: entry for 00:50:56:bc:4b:b4 created successfully
10.238.17.21 - - [27/Jan/2015 14:01:54] "POST /syslinux/00:50:56:bc:4b:b4 HTTP/1.1" 200 - 0.0056
D, [2015-01-27T14:01:54.472604 #31269] DEBUG -- : Starting task: /usr/bin/wget --timeout=10 --tries=3 --no-check-certificate -nv -c "foo/pxeboot/vmlinuz" -O "foo vmlinuz"
10.238.17.21 - - [27/Jan/2015 14:01:54] "POST /fetch_boot_file HTTP/1.1" 200 - 0.0117
D, [2015-01-27T14:01:54.755184 #31269] DEBUG -- : Starting task: /usr/bin/wget --timeout=10 --tries=3 --no-check-certificate -nv -c "foo/pxeboot/initrd.img" -O "foo initrd.img"
10.238.17.21 - - [27/Jan/2015 14:01:54] "POST /fetch_boot_file HTTP/1.1" 200 - 0.0119
E, [2015-01-27T14:03:26.131266 #31269] ERROR -- : No client SSL certificate supplied

10.214.7.155 - - [27/Jan/2015 14:03:26] "GET /provision?token=356d4215-52da-4781-825a-cd7b56c01c37 HTTP/1.1" 403 34 0.0013

What is the correct way to set this up?

Thanks in advance.
Cristian

> Hi guys,
>
> I can't seem to get this to work. I have a smart proxy that I want to
> configure to serve the kickstart files for some remote networks behind
> firewalls.
> I have it configured in Foreman and the templates feature is recognized. I
> am stuck on retrieving the kickstart files though as the proxy is asking
> for a client certificate.
> I would only like to secure communications between Foreman and the proxy.
> Host to proxy can be clear text if it needs to be.

Indeed, you want the :template_url in templates.yml to be HTTP, and of
course the smart proxy listening on an HTTP port (uncomment
settings.yml).

You probably want to change ":enabled: true" to ":enabled: https" for
EVERY service except for templates (leave it as true - so it is
serving on both http and https).

And then it should work :)

Foreman 1.8 installer will handle the templates module better.

On Tue, Jan 27, 2015 at 06:13:45AM -0800, Cristian Radu wrote:

You received this message because you are subscribed to the Google Groups “Foreman users” group.
To unsubscribe from this group and stop receiving emails from it, send an email to foreman-users+unsubscribe@googlegroups.com.
To post to this group, send email to foreman-users@googlegroups.com.
Visit this group at http://groups.google.com/group/foreman-users.
For more options, visit https://groups.google.com/d/optout.


Best Regards,

Stephen Benjamin
Red Hat Engineering
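A worked version of the configuration Stephen describes, added here as an example and not code from the thread or from the smart-proxy project: a POSIX shell script that writes a constructed settings.yml plus settings.d/ fragments into a temporary directory, then audits which modules answer on the plain HTTP port, where the proxy checks no client certificate. The key names (:http_port, :https_port, :enabled, :template_url, :tftproot, the :ssl_* keys) are the ones smart-proxy's settings files use; the hostnames, ports, certificate paths, and the puppet module deliberately left at ":enabled: true" are assumptions made up for the demonstration.

```shell
#!/bin/sh
# Added example, not code from the thread or from smart-proxy. It writes a
# constructed smart-proxy configuration (hostnames, ports and paths are
# placeholders) that follows the advice above, then audits which modules are
# reachable on the plain HTTP port, where no client certificate is checked.

make_settings() {
  dir="$1"
  mkdir -p "$dir/settings.d"
  # settings.yml: both listeners on. HTTPS (client-cert checked) is what
  # Foreman uses; plain HTTP is only for modules that set ":enabled: true".
  cat > "$dir/settings.yml" <<'EOF'
---
:http_port: 8000
:https_port: 8443
:ssl_ca_file: /etc/foreman-proxy/ssl_ca.pem
:ssl_certificate: /etc/foreman-proxy/ssl_cert.pem
:ssl_private_key: /etc/foreman-proxy/ssl_key.pem
:trusted_hosts:
  - foreman.example.com
EOF
  # templates: "true" means both http and https, so provisioning hosts can
  # fetch kickstarts without a client certificate; template_url must be http.
  cat > "$dir/settings.d/templates.yml" <<'EOF'
---
:enabled: true
:template_url: http://proxy.example.com:8000
EOF
  # Every other module: https only.
  cat > "$dir/settings.d/tftp.yml" <<'EOF'
---
:enabled: https
:tftproot: /var/lib/tftpboot
EOF
  cat > "$dir/settings.d/dhcp.yml" <<'EOF'
---
:enabled: https
EOF
  # Deliberately wrong (an assumed mistake for the demo): left at "true", so
  # this module's API would also answer unauthenticated HTTP requests.
  cat > "$dir/settings.d/puppet.yml" <<'EOF'
---
:enabled: true
EOF
}

# Print "<module> <value>" for every settings.d module whose :enabled: is
# "true" or "http", i.e. served on the HTTP port without client-cert auth.
http_exposed() {
  for f in "$1"/settings.d/*.yml; do
    mod=$(basename "$f" .yml)
    val=$(sed -n 's/^:enabled:[[:space:]]*\([A-Za-z]*\).*/\1/p' "$f" | head -n 1)
    case "$val" in
      true|http) echo "$mod $val" ;;
    esac
  done
}

# Return 0 when templates is the only module on plain HTTP, 1 otherwise.
audit_http_exposure() {
  extra=$(http_exposed "$1" | awk '$1 != "templates" { print $1 }')
  if [ -n "$extra" ]; then
    echo "FAIL: unauthenticated HTTP besides templates: $(printf '%s' "$extra" | tr '\n' ' ')" >&2
    return 1
  fi
  echo "OK: only the templates module is served over plain HTTP"
  return 0
}

# Flip one module from true/http to https (written via a temp file so it
# works with both GNU and BSD sed).
harden_module() {
  f="$1/settings.d/$2.yml"
  sed -e 's/^:enabled:[[:space:]]*true[[:space:]]*$/:enabled: https/' \
      -e 's/^:enabled:[[:space:]]*http[[:space:]]*$/:enabled: https/' \
      "$f" > "$f.tmp" && mv "$f.tmp" "$f"
}

# Demo on the constructed tree: the first audit fails on puppet, the module
# is hardened, and the second audit passes.
demo_dir=$(mktemp -d)
make_settings "$demo_dir"
audit_http_exposure "$demo_dir" || harden_module "$demo_dir" puppet
audit_http_exposure "$demo_dir"
rm -rf "$demo_dir"
```

Run as-is it fails the first audit on the mis-set puppet module, flips it to https, and passes the second; on a real proxy, point http_exposed and audit_http_exposure at /etc/foreman-proxy instead of the temp directory. The trade-off this setup accepts is visible in the log above: with templates on plain HTTP, the rendered kickstart crosses the host-to-proxy network unencrypted and is gated only by the per-host token in the /provision URL, so keeping every other module on https is what limits what an unauthenticated client on that network can reach.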

Thank you Stephen!

I've done a bit more work on this and following your advice has made the
proxy listen on both http and https now which is great.
I am waiting to get a port opened (443 back to foreman). I am expecting
templates will work after that.

Cristian

On Tue, Jan 27, 2015 at 2:29 PM, Stephen Benjamin wrote:

