SSL error on GET /unattended/provision

Problem:
Performing a GET from /unattended/provision results in
[E] Failed to proxy /provision for {"splat"=>, "captures"=>["provision"], "kind"=>"provision"}: SSL_connect returned=1 errno=0 state=SSLv3 read server session ticket A: tlsv1 alert unknown ca

This was first noticed when trying to build a previously discovered machine. Discovery seems to work fine, the discovery image boots up and correctly sends back the facts.

In case it matters, the setup in question is on a machine with 2 interfaces, with hostnames hostname-mgmt.domain.tld (primary) and hostname.domain.tld. The second one is added as ServerAlias in the Vhost stanza in the httpd configuration, and is present in the cert as an alternative name.

Expected outcome:
The GET should return something that isn't an SSL error, and the provisioning should work rather than error out during boot.

Foreman and Proxy versions:

1.23

Distribution and version:
CentOS 7

Other relevant data:
2019-11-04T05:33:59 946ab231 [I] Started GET /unattended/provision
2019-11-04T05:34:04 946ab231 [E] Failed to proxy /provision for {"splat"=>, "captures"=>["provision"], "kind"=>"provision"}: SSL_connect returned=1 errno=0 state=SSLv3 read server session ticket A: tlsv1 alert unknown ca
2019-11-04T05:34:04 946ab231 [W] Failed to proxy /provision for {"splat"=>, "captures"=>["provision"], "kind"=>"provision"}: SSL_connect returned=1 errno=0 state=SSLv3 read server session ticket A: tlsv1 alert unknown ca
OpenSSL::SSL::SSLError: SSL_connect returned=1 errno=0 state=SSLv3 read server session ticket A: tlsv1 alert unknown ca
/usr/share/ruby/net/http.rb:921:in `connect'
/usr/share/ruby/net/http.rb:921:in `block in connect'
/usr/share/ruby/timeout.rb:52:in `timeout'
/usr/share/ruby/net/http.rb:921:in `connect'
/usr/share/ruby/net/http.rb:862:in `do_start'
/usr/share/ruby/net/http.rb:851:in `start'
/usr/share/ruby/net/http.rb:1373:in `request'
/usr/share/gems/gems/rest-client-1.6.7/lib/restclient/net_http_ext.rb:51:in `request'
/usr/share/foreman-proxy/lib/proxy/request.rb:49:in `send_request'
/usr/share/foreman-proxy/modules/templates/proxy_request.rb:50:in `call_template'
/usr/share/foreman-proxy/modules/templates/proxy_request.rb:12:in `get'
/usr/share/foreman-proxy/modules/templates/template_proxy_request.rb:6:in `get'
/usr/share/foreman-proxy/modules/templates/templates_unattended_api.rb:25:in `block (2 levels) in <class:TemplatesUnattendedApi>'
/usr/share/foreman-proxy/lib/proxy/helpers.rb:14:in `log_halt'
/usr/share/foreman-proxy/modules/templates/templates_unattended_api.rb:24:in `block in <class:TemplatesUnattendedApi>'
/usr/share/gems/gems/sinatra-1.4.8/lib/sinatra/base.rb:1610:in `call'
/usr/share/gems/gems/sinatra-1.4.8/lib/sinatra/base.rb:1610:in `block in compile!'
/usr/share/gems/gems/sinatra-1.4.8/lib/sinatra/base.rb:975:in
/usr/share/gems/gems/sinatra-1.4.8/lib/sinatra/base.rb:975:in `block (3 levels) in route!'
/usr/share/gems/gems/sinatra-1.4.8/lib/sinatra/base.rb:994:in `route_eval'
/usr/share/gems/gems/sinatra-1.4.8/lib/sinatra/base.rb:975:in `block (2 levels) in route!'
/usr/share/gems/gems/sinatra-1.4.8/lib/sinatra/base.rb:1015:in `block in process_route'
/usr/share/gems/gems/sinatra-1.4.8/lib/sinatra/base.rb:1013:in `catch'
/usr/share/gems/gems/sinatra-1.4.8/lib/sinatra/base.rb:1013:in `process_route'
/usr/share/gems/gems/sinatra-1.4.8/lib/sinatra/base.rb:973:in `block in route!'
/usr/share/gems/gems/sinatra-1.4.8/lib/sinatra/base.rb:972:in `each'
/usr/share/gems/gems/sinatra-1.4.8/lib/sinatra/base.rb:972:in `route!'
/usr/share/gems/gems/sinatra-1.4.8/lib/sinatra/base.rb:1085:in `block in dispatch!'
/usr/share/gems/gems/sinatra-1.4.8/lib/sinatra/base.rb:1067:in `block in invoke'
/usr/share/gems/gems/sinatra-1.4.8/lib/sinatra/base.rb:1067:in `catch'
/usr/share/gems/gems/sinatra-1.4.8/lib/sinatra/base.rb:1067:in `invoke'
/usr/share/gems/gems/sinatra-1.4.8/lib/sinatra/base.rb:1082:in `dispatch!'
/usr/share/gems/gems/sinatra-1.4.8/lib/sinatra/base.rb:907:in `block in call!'
/usr/share/gems/gems/sinatra-1.4.8/lib/sinatra/base.rb:1067:in `block in invoke'
/usr/share/gems/gems/sinatra-1.4.8/lib/sinatra/base.rb:1067:in `catch'
/usr/share/gems/gems/sinatra-1.4.8/lib/sinatra/base.rb:1067:in `invoke'
/usr/share/gems/gems/sinatra-1.4.8/lib/sinatra/base.rb:907:in `call!'
/usr/share/gems/gems/sinatra-1.4.8/lib/sinatra/base.rb:895:in `call'
/usr/share/foreman-proxy/lib/proxy/log.rb:96:in `call'
/usr/share/foreman-proxy/lib/proxy/request_id_middleware.rb:11:in `call'
/usr/share/gems/gems/rack-protection-1.5.3/lib/rack/protection/xss_header.rb:18:in `call'
/usr/share/gems/gems/rack-protection-1.5.3/lib/rack/protection/path_traversal.rb:16:in `call'
/usr/share/gems/gems/rack-protection-1.5.3/lib/rack/protection/json_csrf.rb:18:in `call'
/usr/share/gems/gems/rack-protection-1.5.3/lib/rack/protection/base.rb:49:in `call'
/usr/share/gems/gems/rack-protection-1.5.3/lib/rack/protection/base.rb:49:in `call'
/usr/share/gems/gems/rack-protection-1.5.3/lib/rack/protection/frame_options.rb:31:in `call'
/usr/share/gems/gems/rack-1.6.4/lib/rack/nulllogger.rb:9:in `call'
/usr/share/gems/gems/rack-1.6.4/lib/rack/head.rb:13:in `call'
/usr/share/gems/gems/sinatra-1.4.8/lib/sinatra/show_exceptions.rb:25:in `call'
/usr/share/gems/gems/sinatra-1.4.8/lib/sinatra/base.rb:182:in `call'
/usr/share/gems/gems/sinatra-1.4.8/lib/sinatra/base.rb:2013:in `call'
/usr/share/gems/gems/sinatra-1.4.8/lib/sinatra/base.rb:1487:in `block in call'
/usr/share/gems/gems/sinatra-1.4.8/lib/sinatra/base.rb:1787:in `synchronize'
/usr/share/gems/gems/sinatra-1.4.8/lib/sinatra/base.rb:1487:in `call'
/usr/share/gems/gems/rack-1.6.4/lib/rack/urlmap.rb:66:in `block in call'
/usr/share/gems/gems/rack-1.6.4/lib/rack/urlmap.rb:50:in `each'
/usr/share/gems/gems/rack-1.6.4/lib/rack/urlmap.rb:50:in `call'
/usr/share/gems/gems/rack-1.6.4/lib/rack/builder.rb:153:in `call'
/usr/share/gems/gems/rack-1.6.4/lib/rack/handler/webrick.rb:88:in `service'
/usr/share/ruby/webrick/httpserver.rb:138:in `service'
/usr/share/ruby/webrick/httpserver.rb:94:in `run'
/usr/share/ruby/webrick/server.rb:295:in `block in start_thread'
/usr/share/gems/gems/logging-2.2.2/lib/logging/diagnostic_context.rb:474:in `call'
/usr/share/gems/gems/logging-2.2.2/lib/logging/diagnostic_context.rb:474:in `block in create_with_logging_context'
2019-11-04T05:34:04 946ab231 [I] Finished GET /unattended/provision with 500 (5031.47 ms)

Hello, your SSL configuration between proxy and foreman is not correct. Our installer does set that up correctly. Either certs expired or something is not right. Both Foreman and Proxy must have the correct CA and client cert in order to communicate (or proxy requests).
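
The `unknown ca` alert in the log is sent by the TLS peer when the client certificate it receives does not chain to a CA it trusts. The following is an added example, not part of the thread or of Foreman's own tooling, that checks a client certificate and key against a CA bundle; the function names and every file it generates are constructed placeholders, to be replaced with the CA file the Foreman vhost trusts and the certificate and key the proxy presents.

```shell
#!/bin/sh
# Added example: classify why a peer would reject a TLS client certificate.

# check_client_cert CA_BUNDLE CLIENT_CERT CLIENT_KEY
# Prints one verdict: ok | expired | unknown_ca | key_mismatch
check_client_cert() {
    ca=$1; cert=$2; key=$3
    # 1. Certificate must still be inside its validity window.
    if ! openssl x509 -in "$cert" -noout -checkend 0 >/dev/null 2>&1; then
        echo expired; return 1
    fi
    # 2. Certificate must chain to the CA bundle the peer trusts.
    if ! openssl verify -CAfile "$ca" "$cert" 2>/dev/null | grep -q ': OK$'; then
        echo unknown_ca; return 1
    fi
    # 3. Private key must belong to the certificate (compare public keys).
    cert_pub=$(openssl x509 -in "$cert" -noout -pubkey 2>/dev/null)
    key_pub=$(openssl pkey -in "$key" -pubout 2>/dev/null)
    if [ -z "$cert_pub" ] || [ "$cert_pub" != "$key_pub" ]; then
        echo key_mismatch; return 1
    fi
    echo ok
}

# make_demo_pki DIR
# Builds two unrelated constructed CAs (a and b) and one client certificate
# signed by CA a only, so the mismatch case can be reproduced offline.
make_demo_pki() {
    d=$1
    for n in a b; do
        openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
            -subj "/CN=Constructed CA $n" \
            -keyout "$d/ca-$n.key" -out "$d/ca-$n.crt" 2>/dev/null
    done
    openssl req -newkey rsa:2048 -nodes -subj "/CN=proxy.example.test" \
        -keyout "$d/client.key" -out "$d/client.csr" 2>/dev/null
    openssl x509 -req -days 1 -in "$d/client.csr" \
        -CA "$d/ca-a.crt" -CAkey "$d/ca-a.key" -CAcreateserial \
        -out "$d/client.crt" 2>/dev/null
}

demo=$(mktemp -d)
make_demo_pki "$demo"
# Peer trusts the issuing CA: prints "ok"
check_client_cert "$demo/ca-a.crt" "$demo/client.crt" "$demo/client.key" || true
# Peer trusts a different CA: prints "unknown_ca"
check_client_cert "$demo/ca-b.crt" "$demo/client.crt" "$demo/client.key" || true
```
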