SSL verification error with Remote Execution plugin

Problem:

Hello everyone! We at GekkoFyre Networks are trying to get Remote Execution to work with Foreman for Puppet but don’t seem to be succeeding too much so far.

We’re encountering an issue where when other servers go to communicate with the proxy URL, https://<redacted>:8008/, we encounter an SSL certificate error due to it being self-signed.

We’ve tried modifying a few settings here and there but honestly, we’re not sure what exactly we are doing. There have been a few articles and forum threads we have come across, such as this one or instead this one, but they give us no solution nor proper understanding.

We’d appreciate any and all help at this point, thank you, in how to implement a Let’s Encrypt certificate or similar for TCP port 8008 in Foreman’s Remote Execution plugin. We’ve been able to do similar for the HTTP side of it so far, so it shouldn’t be too difficult.

Expected outcome:

Communicate with TCP port 8008 without any client-side SSL verification errors, via Foreman’s Remote Execution plugin.

Foreman and Proxy versions:

Foreman is v1.24, the latest at the time of writing, and we only just installed Remote Execution.

Distribution and version:

CentOS Linux 7.7.1908 with the latest updates via yum.

Other relevant data:
Please check the attached screenshot for additional information on what we are experiencing.

No one knows? :frowning:

Hi @phobosdthorga, a lot of folks are currently away for the holidays. Next week people will come back and hopefully one of them will know how to assist you.

1 Like

Thank you so much, I really appreciate that! I guess I’ll just patiently wait then :smiley:

1 Like

I’d recommend using a Let’s Encrypt certificate only for the Foreman WebUI. The rest of the services should use certificates generated during the installation. That means you’ll have to fiddle with files containing the CA certificates and probably put multiple CA certs in them. If you want to use Let’s Encrypt everywhere, that may also be possible. In any case, you’ll probably need to reconfigure paths in:

/etc/foreman/settings.yaml (3 options)
/etc/foreman-proxy/settings.yml (3 options, 6 if your proxy is not running on the same FQDN as your Foreman)
/etc/smart_proxy_dynflow_core/settings.yml (3 options, it should be the very same certificate as your proxy uses)

1 Like
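The point in the reply above about CA files needing more than one CA certificate, shown as an added example that is not part of the original thread: a certificate only verifies when its issuing CA is in the file the client trusts, so a mixed setup needs both CAs concatenated. The two CAs, the hostnames and all file names are constructed stand-ins, and nothing under /etc is read or written.

```shell
#!/usr/bin/env bash
# Added example with constructed, throwaway CAs; no Foreman files are touched.
set -u

make_ca() {      # $1 = file prefix, $2 = CN of a self-signed CA
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=$2" \
    -keyout "$1.key" -out "$1.crt" 2>/dev/null
}

issue_cert() {   # $1 = cert prefix, $2 = issuing CA prefix, $3 = CN
  openssl req -newkey rsa:2048 -nodes -subj "/CN=$3" \
    -keyout "$1.key" -out "$1.csr" 2>/dev/null
  openssl x509 -req -in "$1.csr" -CA "$2.crt" -CAkey "$2.key" \
    -CAcreateserial -days 1 -out "$1.crt" 2>/dev/null
}

check() {        # prints ok/fail: does cert $2 chain to a CA in file $1?
  if openssl verify -CAfile "$1" "$2" >/dev/null 2>&1; then
    echo ok
  else
    echo fail
  fi
}

ca_bundle_demo() {
  local d
  d=$(mktemp -d) || return 1
  make_ca "$d/installer_ca" "Constructed installer CA"   # stand-in for the installer's CA
  make_ca "$d/public_ca" "Constructed public CA"         # stand-in for a public CA
  issue_cert "$d/proxy" "$d/installer_ca" "proxy.example.test"
  issue_cert "$d/webui" "$d/public_ca" "foreman.example.test"
  # A CA file may hold several PEM certificates back to back.
  cat "$d/installer_ca.crt" "$d/public_ca.crt" > "$d/bundle.pem"
  echo "proxy-cert/public-ca-only=$(check "$d/public_ca.crt" "$d/proxy.crt")"
  echo "proxy-cert/bundle=$(check "$d/bundle.pem" "$d/proxy.crt")"
  echo "webui-cert/bundle=$(check "$d/bundle.pem" "$d/webui.crt")"
  rm -rf "$d"
}

ca_bundle_demo
```

The same `openssl verify -CAfile` call can be pointed at a real CA file and service certificate to confirm a bundle before restarting anything.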

Also, perhaps it would be helpful to understand what you are trying to achieve with a cert on the proxy. Users don’t usually access it in a browser; it provides no UI. It only provides a REST API for Foreman itself. Foreman is the user-facing part for all features, including remote execution.

2 Likes

Hello Marek!

Thank you so much for replying and assisting us. We’re now getting errors about the following:

Failure: ERF50-5345 [Foreman::WrappedException]: Unable to connect ([ProxyAPI::ProxyException]: ERF12-7885 [ProxyAPI::ProxyException]: Unable to fetch logs ([Errno::ECONNREFUSED]: Failed to open TCP connection to <redacted>:8443 (Connection refused - connect(2) for "<redacted>" port 8443)) for proxy https://<redacted>:8443/logs)

This is when we go to view the Smart Proxy under Foreman. Do you have any further assistance you can provide us with, please? Thank you.

P.S.
These are the results of netstat, by the way:

[root@<redacted> ~]# netstat -an | grep 8443
[root@<redacted> ~]#

So no-one has any knowledge on this?