I'm trying to install foreman-proxy onto a RHEL 6.5 machine
(registered/subscribed to RHN with optional channel) that is already a
puppetmaster/puppet-ca (3.6 from puppet-labs). I ran this command
foreman-installer --no-enable-foreman --no-enable-foreman-plugin-bootdisk
--no-enable-foreman-plugin-setup --enable-puppet
--puppet-server-ca=true
--puppet-server-foreman-url=https://foremanserver.example.com
--enable-foreman-proxy --foreman-proxy-puppetca=true
--foreman-proxy-tftp=false
--foreman-proxy-foreman-base-url=https://foremanserver.example.com
--foreman-proxy-oauth-consumer-key=key
--foreman-proxy-oauth-consumer-secret=secret
And I see these errors in the log
[ERROR 2014-08-08 15:14:17 main] Your puppet version does not support
progress bar
[ERROR 2014-08-08 15:15:57 main] /usr/bin/puppet cert --generate
NP1PUPPETMASTER2.np1.lgc.com returned 24 instead of one of [0]
[DEBUG 2014-08-08 15:15:56 main]
Exec[puppet_server_config-generate_ca_cert](provider=posix): Executing
'/usr/bin/puppet cert --generate NP1PUPPETMASTER2.np1.lgc.com'
[DEBUG 2014-08-08 15:15:56 main] Executing '/usr/bin/puppet cert
--generate NP1PUPPETMASTER2.np1.lgc.com'
[ WARN 2014-08-08 15:15:57 main]
/Stage[main]/Puppet::Server::Config/Exec[puppet_server_config-generate_ca_cert]/returns:
^[[1;31mWarning: Sections other than main, master, agent, user are
deprecated in puppet.conf. Please use the directory environments feature to
specify environments. (See
http://docs.puppetlabs.com/puppet/latest/reference/environments.html)
[ WARN 2014-08-08 15:15:57 main]
/Stage[main]/Puppet::Server::Config/Exec[puppet_server_config-generate_ca_cert]/returns:
(at /usr/lib/ruby/site_ruby/1.8/puppet/settings/config_file.rb:77:in
`collect')^[[0m
[ WARN 2014-08-08 15:15:57 main]
/Stage[main]/Puppet::Server::Config/Exec[puppet_server_config-generate_ca_cert]/returns:
^[[1;31mError: A Certificate already exists for
np1puppetmaster2.np1.lgc.com^[[0m
… giant stack trace of Ruby scripts …
[ERROR 2014-08-08 15:15:57 main]
/Stage[main]/Puppet::Server::Config/Exec[puppet_server_config-generate_ca_cert]/returns:
change from notrun to 0 failed: /usr/bin/puppet cert --generate
NP1PUPPETMASTER2.np1.lgc.com returned 24 instead of one of [0]
I have no indication of what remediation, if any, is necessary. The puppet
and puppetmaster services are running, but foreman-proxy service is not. It
looks like /etc/foreman-proxy/settings.yaml hasn't been configured yet.
I'm hoping if I can tell foreman-installer to not run 'puppet cert
--generate' it'll pick up there and configure/start the proxy.
I've tried to manually configure /etc/foreman-proxy/settings.yml and I
have the proxy starting now. But I can't register the proxy with the
foreman server because the server cert verification fails. When I click the
"Submit" button in the UI it gives me this error
Unable to communicate with the proxy: ERF12-2530
[ProxyAPI::ProxyException]: Unable to detect features
([OpenSSL::SSL::SSLError]: SSL_connect returned=1 errno=0 state=SSLv3 read
server certificate B: certificate verif…) for proxy
https://np1puppetmaster2.np1.lgc.com:8443/features
Using curl with -k in a shell on the foreman server works
[root@np1foreman foreman-proxy]# curl -k
https://np1puppetmaster2.np1.lgc.com:8443/features
["puppet","puppetca"][root@np1foreman foreman-proxy]#
I copied the /var/lib/puppet/ssl/*/np1puppetmaster2.np1.lgc.com.pem files
to the same path on my foreman server.
On Friday, August 8, 2014 3:55:20 PM UTC-5, Justin Georgeson wrote:
>
> I'm trying to install foreman-proxy onto a RHEL 6.5 machine
> (registered/subscribed to RHN with optional channel) that is already a
> puppetmaster/puppet-ca (3.6 from puppet-labs). I ran this command
>
> foreman-installer --no-enable-foreman
> --no-enable-foreman-plugin-bootdisk --no-enable-foreman-plugin-setup
> --enable-puppet --puppet-server-ca=true --puppet-server-foreman-url=
> https://foremanserver.example.com --enable-foreman-proxy
> --foreman-proxy-puppetca=true --foreman-proxy-tftp=false
> --foreman-proxy-foreman-base-url=https://foremanserver.example.com
> --foreman-proxy-oauth-consumer-key=*key*
> --foreman-proxy-oauth-consumer-secret=*secret*
>
>
> And I see these errors in the log
>
> [ERROR 2014-08-08 15:14:17 main] Your puppet version does not support
> progress bar
> [ERROR 2014-08-08 15:15:57 main] /usr/bin/puppet cert --generate
> NP1PUPPETMASTER2.np1.lgc.com returned 24 instead of one of [0]
> [DEBUG 2014-08-08 15:15:56 main]
> Exec[puppet_server_config-generate_ca_cert](provider=posix): Executing
> '/usr/bin/puppet cert --generate NP1PUPPETMASTER2.np1.lgc.com'
> [DEBUG 2014-08-08 15:15:56 main] Executing '/usr/bin/puppet cert
> --generate NP1PUPPETMASTER2.np1.lgc.com'
> [ WARN 2014-08-08 15:15:57 main]
> /Stage[main]/Puppet::Server::Config/Exec[puppet_server_config-generate_ca_cert]/returns:
> ^[[1;31mWarning: Sections other than main, master, agent, user are
> deprecated in puppet.conf. Please use the directory environments feature to
> specify environments. (See
> http://docs.puppetlabs.com/puppet/latest/reference/environments.html)
> [ WARN 2014-08-08 15:15:57 main]
> /Stage[main]/Puppet::Server::Config/Exec[puppet_server_config-generate_ca_cert]/returns:
> (at /usr/lib/ruby/site_ruby/1.8/puppet/settings/config_file.rb:77:in
> `collect')^[[0m
> [ WARN 2014-08-08 15:15:57 main]
> /Stage[main]/Puppet::Server::Config/Exec[puppet_server_config-generate_ca_cert]/returns:
> ^[[1;31mError: A Certificate already exists for
> np1puppetmaster2.np1.lgc.com^[[0m
>
> .... giant stack trace of Ruby scripts ...
>
> [ERROR 2014-08-08 15:15:57 main]
> /Stage[main]/Puppet::Server::Config/Exec[puppet_server_config-generate_ca_cert]/returns:
> change from notrun to 0 failed: /usr/bin/puppet cert --generate
> NP1PUPPETMASTER2.np1.lgc.com returned 24 instead of one of [0]
>
>
> I have no indication of what remediation, if any, is necessary. The puppet
> and puppetmaster services are running, but foreman-proxy service is not. It
> looks like /etc/foreman-proxy/settings.yaml hasn't been configured yet.
>
> I'm hoping if I can tell foreman-installer to not run 'puppet cert
> --generate' it'll pick up there and configure/start the proxy.
>
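
An added example, not part of the original posts: the `OpenSSL::SSL::SSLError` in the second message comes from checks that `curl -k` skips, namely whether the proxy's certificate chains to a CA the client trusts and whether it names the host being contacted. The sketch below runs both checks with Ruby's OpenSSL library against a throwaway PKI constructed in the script; `make_cert`, `diagnose` and the `*.example.test` names are hypothetical.

```ruby
require 'openssl'

# Build a certificate for a constructed test PKI (not the poster's certs).
# With no issuer given, the certificate is a self-signed CA.
def make_cert(cn, issuer_cert = nil, issuer_key = nil)
  key = OpenSSL::PKey::RSA.new(2048)
  cert = OpenSSL::X509::Certificate.new
  cert.version = 2
  cert.serial = issuer_cert ? 2 : 1
  cert.subject = OpenSSL::X509::Name.parse("/CN=#{cn}")
  cert.issuer = issuer_cert ? issuer_cert.subject : cert.subject
  cert.public_key = key.public_key
  cert.not_before = Time.now - 60
  cert.not_after = Time.now + 3600
  unless issuer_cert
    ef = OpenSSL::X509::ExtensionFactory.new(cert, cert)
    cert.add_extension(ef.create_extension('basicConstraints', 'CA:TRUE', true))
  end
  cert.sign(issuer_key || key, OpenSSL::Digest.new('SHA256'))
  [cert, key]
end

# The two checks a verifying TLS client makes and `curl -k` skips:
# does the certificate chain to a trusted CA, and does it name the host?
def diagnose(cert, trusted_ca, hostname)
  store = OpenSSL::X509::Store.new
  store.add_cert(trusted_ca)
  chain_ok = store.verify(cert)
  { chain_ok: chain_ok,
    chain_error: store.error_string,
    name_ok: OpenSSL::SSL.verify_certificate_identity(cert, hostname) }
end

if __FILE__ == $PROGRAM_NAME
  ca, ca_key = make_cert('Constructed Puppet CA')
  other_ca, = make_cert('Constructed Other CA')
  proxy, = make_cert('proxy.example.test', ca, ca_key)
  p diagnose(proxy, ca, 'proxy.example.test')        # trusted CA, right name
  p diagnose(proxy, other_ca, 'proxy.example.test')  # client trusts a different CA
  p diagnose(proxy, ca, 'foreman.example.test')      # certificate names another host
end
```

Run against real files, the same `diagnose` call takes certificates loaded with `OpenSSL::X509::Certificate.new(File.read(path))`, where `path` is whichever CA file the verifying client is configured to trust.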