Stats from remote agent through smart proxy?

Problem:

I have a Foreman installation (used default install options) that is working with Puppet/Puppetserver just fine. I added a Smart Proxy in a remote subnet, and then after a little fiddling with SSL certificates got a remote client to utilize the Proxy as its Puppetmaster, while maintaining all connections between the Proxy and the root Foreman server.

The remote client can be assigned classes through Foreman, and it will activate everything as it should. However, Foreman shows “No report” on the dashboard.

Expected outcome:

I want to be able to see that the remote client is properly pulling its configurations while the remote client does not have direct visibility to the Foreman server.

Is this not a capability of the Smart Proxy system? Is there a better way to accomplish this? I went with this method to avoid opening up services completely. Some endpoints will be behind connections without a static IP, but will always have a VPN to the Smart Proxy, which can always be connected to our Foreman/root puppetmaster.

Foreman and Proxy versions:

2.1.2

Foreman and Proxy plugin versions:

Distribution and version:

Ubuntu 18.04 (all servers)
RaspberryOS Buster (remote client)

Just dug a little deeper and found that I am getting:

ERROR [qtp1981987078-39] [puppetserver] Puppet Report processor failed: Could not send report to Foreman at https://foreman.example.com/api/config_reports: certificate verify failed

My foreman.yaml:

:url: “”
:ssl_ca: “/etc/puppetlabs/puppet/ssl/proxy/ca/ca_crt.pem”
:ssl_cert: “/etc/puppetlabs/puppet/ssl/proxy/certs/proxy.example.com.pem”
:ssl_key: “/etc/puppetlabs/puppet/ssl/proxy/private_keys/proxy.example.com.pem”

These are the certs created on our Foreman/root puppetmaster, then copied over to [proxyurl] Reports are good between puppet on [proxyurl] and .

[proxyurl] is also a Puppet CA so that the remote systems can have their agents obtain certs and connect. This piece may be where things are falling apart? Maybe I did this part incorrectly. Is there a way to take the certs created on the Foreman node for the proxy and let them be used by Puppet CA to sign the client certs?

I just started a new proxy server from scratch. Started with installing puppet/puppetserver, bootstrapped the SSL certs utilizing the Foreman Puppet CA, then ran foreman-installer for the proxy using instructions at Foreman :: Manual

For the remote agent to communicate fully, I had to generate certificates on Foreman Puppet CA, then copy those files around to the remote agent, which seems to allow the agent to utilize the smart proxy as the puppetserver, and the certificate is trusted throughout since it is signed by the same CA.

I have been trying to sign an intermediate cert with my Puppet CA cert that I could deploy to these proxies and enable Puppet CA on them to simplify the remote agent configuration but have been unsuccessful. Would I need to generate an entirely new CA chain in order to accomplish this? Has anyone successfully created an intermediate CA certificate from the CA created with a base foreman install?