The foreman-proxy service fails to start

I have installed foreman on RHEL 6.5 workstation. However, the
foreman-proxy service will not start after install. This happens during the
installation or even if I try it by hand. Here's the output:

[root@dhcp135-50 ~]# service foreman-proxy start
Starting foreman-proxy: Unable to access the SSL keys. Are the values
correct in settings.yml and do permissions allow reading?: No such file or
directory -
/var/lib/puppet/ssl/certs/dhcp135-50.dqe.lab.eng.bos.redhat.com.pem
[FAILED]
[root@dhcp135-50 ~]#

The directory is there, but the .pem file is not. I assume the install
would set this all up. What am I missing?

Here's a listing of the directories…

[root@dhcp135-50 ~]# ls -R /var/lib/puppet/ssl
/var/lib/puppet/ssl:
certificate_requests certs private private_keys public_keys

/var/lib/puppet/ssl/certificate_requests:

/var/lib/puppet/ssl/certs:

/var/lib/puppet/ssl/private:

/var/lib/puppet/ssl/private_keys:
dhcp135-50.dqe.lab.eng.bos.redhat.com.pem

/var/lib/puppet/ssl/public_keys:
dhcp135-50.dqe.lab.eng.bos.redhat.com.pem
[root@dhcp135-50 ~]#

Thanks,

– Greg

Hello,

I assume this is Foreman 1.3. Can you please re-run the installer with
the same options doing dry run and pasting the result?

foreman-installer [your options] -n -v

Do you have SELinux turned on? Please check for denials as well.

LZ

On Tue, Oct 15, 2013 at 08:06:13AM -0700, Greg Allen wrote:


Later,

Lukas “lzap” Zapletal
irc: lzap #theforeman

Here's the requested output:

[root@dhcp135-50 ~]# foreman-installer -n -v
[ INFO 2013-10-15 11:27:19 verbose] Running validation checks
[ INFO 2013-10-15 11:27:19 verbose] Loading facts in concat_basedir
[ INFO 2013-10-15 11:27:19 verbose] Loading facts in
postgres_default_version
[ INFO 2013-10-15 11:27:19 verbose] Loading facts in pe_version
[ INFO 2013-10-15 11:27:19 verbose] Loading facts in puppet_vardir
[ INFO 2013-10-15 11:27:19 verbose] Loading facts in root_home
[ INFO 2013-10-15 11:27:19 verbose] Loading facts in facter_dot_d
[ INFO 2013-10-15 11:27:23 verbose] ''
[ INFO 2013-10-15 11:27:23 verbose] Applying configuration version
'1381850840'
[ WARN 2013-10-15 11:27:24 verbose]
/Stage[main]/Foreman_proxy::Service/Service[foreman-proxy]/ensure:
current_value stopped, should be running (noop)
[ INFO 2013-10-15 11:27:24 verbose]
/Stage[main]/Foreman_proxy::Service/Service[foreman-proxy]: Unscheduling
refresh on Service[foreman-proxy]
[ERROR 2013-10-15 11:27:24 verbose]
/Stage[main]/Foreman_proxy::Register/Foreman_smartproxy[dhcp135-50.dqe.lab.eng.bos.redhat.com]:
Could not evaluate: 404 Resource Not Found: <!DOCTYPE HTML PUBLIC
"-//IETF//DTD HTML 2.0//EN">
[ INFO 2013-10-15 11:27:24 verbose] <html><head>
[ INFO 2013-10-15 11:27:24 verbose] <title>404 Not Found</title>
[ INFO 2013-10-15 11:27:24 verbose] </head><body>
[ INFO 2013-10-15 11:27:24 verbose] <h1>Not Found</h1>
[ INFO 2013-10-15 11:27:24 verbose] <p>The requested URL /api/smart_proxies
was not found on this server.</p>
[ INFO 2013-10-15 11:27:24 verbose] <hr>
[ INFO 2013-10-15 11:27:24 verbose] <address>Apache/2.2.15 (Red Hat) Server
at dhcp135-50.dqe.lab.eng.bos.redhat.com Port 443</address>
[ INFO 2013-10-15 11:27:24 verbose] </body></html>
[ WARN 2013-10-15 11:27:24 verbose] /Whit[Foreman_proxy]: Dependency
Foreman_smartproxy[dhcp135-50.dqe.lab.eng.bos.redhat.com] has failures: true
[ WARN 2013-10-15 11:27:24 verbose] /Whit[Foreman_proxy]: Skipping because
of failed dependencies
[ WARN 2013-10-15 11:27:25 verbose] Finished catalog run in 1.68 seconds
[ INFO 2013-10-15 11:27:25 verbose] Puppet has finished, bye!
Something went wrong! Check the log for ERROR-level output
The full log is at /var/log/foreman-installer/foreman-installer.log
[root@dhcp135-50 ~]#

As for selinux, yes it is enabled. I didn't see anywhere where it said to
shut it off.

– Greg

> Here's the requested output:
>
> [root@dhcp135-50 ~]# foreman-installer -n -v
> [root@dhcp135-50 ~]#

Ok, the installer thinks everything is set, but the Foreman context is
apparently not up. Check the Apache2 logs please.

> As for selinux, yes it is enabled. I didn't see anywhere where it said to
> shut it off.

No that is fine, just check if there are denials:

grep AVC /var/log/audit/audit.log

On Tue, Oct 15, 2013 at 08:37:53AM -0700, Greg Allen wrote:


Later,

Lukas “lzap” Zapletal
irc: lzap #theforeman

I do have some denials:

type=AVC msg=audit(1381778542.305:75739): avc: denied { sys_resource }
for pid=13788 comm="PassengerWatchd" capability=24
scontext=unconfined_u:system_r:httpd_t:s0
tcontext=unconfined_u:system_r:httpd_t:s0 tclass=capability
type=SYSCALL msg=audit(1381778542.305:75739): arch=c000003e syscall=1
success=no exit=-13 a0=4 a1=7f0b4ddc1000 a2=6 a3=ffffffff items=0
ppid=13787 pid=13788 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0
fsgid=0 tty=(none) ses=642 comm="PassengerWatchd"
exe="/usr/lib/ruby/gems/1.8/gems/passenger-4.0.5/agents/PassengerWatchdog"
subj=unconfined_u:system_r:httpd_t:s0 key=(null)
type=AVC msg=audit(1381778542.336:75740): avc: denied { write } for
pid=13791 comm="PassengerHelper" path="[eventfd]" dev=anon_inodefs ino=3786
scontext=unconfined_u:system_r:httpd_t:s0
tcontext=system_u:object_r:anon_inodefs_t:s0 tclass=file
type=SYSCALL msg=audit(1381778542.336:75740): arch=c000003e syscall=1
success=no exit=-13 a0=a a1=7fff0bd86340 a2=8 a3=7fff0bd860c0 items=0
ppid=13788 pid=13791 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0
fsgid=0 tty=(none) ses=642 comm="PassengerHelper"
exe="/usr/lib/ruby/gems/1.8/gems/passenger-4.0.5/agents/PassengerHelperAgent"
subj=unconfined_u:system_r:httpd_t:s0 key=(null)
type=AVC msg=audit(1381778542.373:75741): avc: denied { sys_resource }
for pid=13809 comm="PassengerWatchd" capability=24
scontext=unconfined_u:system_r:httpd_t:s0
tcontext=unconfined_u:system_r:httpd_t:s0 tclass=capability
type=SYSCALL msg=audit(1381778542.373:75741): arch=c000003e syscall=1
success=no exit=-13 a0=4 a1=7f38d1293000 a2=6 a3=ffffffff items=0
ppid=13807 pid=13809 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0
fsgid=0 tty=(none) ses=642 comm="PassengerWatchd"
exe="/usr/lib/ruby/gems/1.8/gems/passenger-4.0.5/agents/PassengerWatchdog"
subj=unconfined_u:system_r:httpd_t:s0 key=(null)
type=AVC msg=audit(1381778542.710:75742): avc: denied { write } for
pid=13812 comm="PassengerHelper" path="[eventfd]" dev=anon_inodefs ino=3786
scontext=unconfined_u:system_r:httpd_t:s0
tcontext=system_u:object_r:anon_inodefs_t:s0 tclass=file
type=SYSCALL msg=audit(1381778542.710:75742): arch=c000003e syscall=1
success=no exit=-13 a0=a a1=7fff1c2adaf0 a2=8 a3=7fff1c2ad870 items=0
ppid=13809 pid=13812 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0
fsgid=0 tty=(none) ses=642 comm="PassengerHelper"
exe="/usr/lib/ruby/gems/1.8/gems/passenger-4.0.5/agents/PassengerHelperAgent"
subj=unconfined_u:system_r:httpd_t:s0 key=(null)
type=AVC msg=audit(1381778542.746:75743): avc: denied { sys_resource }
for pid=13864 comm="PassengerWatchd" capability=24
scontext=unconfined_u:system_r:httpd_t:s0
tcontext=unconfined_u:system_r:httpd_t:s0 tclass=capability

And some problems in the apache logs (ssl_error_log):

[Mon Oct 14 15:22:22 2013] [warn] RSA server certificate is a CA
certificate (BasicConstraints: CA == TRUE !?)
[Mon Oct 14 15:22:22 2013] [warn] RSA server certificate is a CA
certificate (BasicConstraints: CA == TRUE !?)
[Mon Oct 14 15:22:22 2013] [warn] RSA server certificate is a CA
certificate (BasicConstraints: CA == TRUE !?)
[Tue Oct 15 11:25:48 2013] [error] [client 10.16.135.50] File does not
exist: /var/www/html/api
[Tue Oct 15 11:27:24 2013] [error] [client 10.16.135.50] File does not
exist: /var/www/html/api
[Tue Oct 15 11:36:38 2013] [error] [client 10.16.135.50] File does not
exist: /var/www/html/api
[Tue Oct 15 11:37:12 2013] [error] [client 10.16.135.50] File does not
exist: /var/www/html/api

And also error.log:

[Mon Oct 14 15:22:22 2013] [notice] SELinux policy enabled; httpd running
as context unconfined_u:system_r:httpd_t:s0
[Mon Oct 14 15:22:22 2013] [notice] suEXEC mechanism enabled (wrapper:
/usr/sbin/suexec)
[ 2013-10-14 15:22:22.3060 13788/7f0b4ddaf720 agents/Watchdog/Main.cpp:440
]: Options: { 'analytics_log_user' => 'nobody', 'default_group' =>
'nobody', 'default_python' => 'python', 'default_ruby' => 'ruby',
'default_user' => 'nobody', 'log_level' => '0', 'max_instances_per_app' =>
'0', 'max_pool_size' => '6', 'passenger_root' =>
'/usr/lib/ruby/gems/1.8/gems/passenger-4.0.5', 'pool_idle_time' => '300',
'temp_dir' => '/tmp', 'union_station_gateway_address' =>
'gateway.unionstationapp.com', 'union_station_gateway_port' => '443',
'user_switching' => 'true', 'web_server_pid' => '13787', 'web_server_type'
=> 'apache', 'web_server_worker_gid' => '48', 'web_server_worker_uid' =>
'48' }
[ 2013-10-14 15:22:22.3169 13791/7f90730e8720
agents/HelperAgent/Main.cpp:555 ]: PassengerHelperAgent online, listening
at unix:/tmp/passenger.1.0.13787/generation-0/request
[ 2013-10-14 15:22:22.3223 13788/7f0b4ddaf720 agents/Watchdog/Main.cpp:564
]: All Phusion Passenger agents started!
[ 2013-10-14 15:22:22.3258 13796/7fdc6d9077e0
agents/LoggingAgent/Main.cpp:271 ]: PassengerLoggingAgent online, listening
at unix:/tmp/passenger.1.0.13787/generation-0/logging
[Mon Oct 14 15:22:22 2013] [notice] Digest: generating secret for digest
authentication …
[Mon Oct 14 15:22:22 2013] [notice] Digest: done
[ 2013-10-14 15:22:22.3742 13809/7f38d1281720 agents/Watchdog/Main.cpp:440
]: Options: { 'analytics_log_user' => 'nobody', 'default_group' =>
'nobody', 'default_python' => 'python', 'default_ruby' => 'ruby',
'default_user' => 'nobody', 'log_level' => '0', 'max_instances_per_app' =>
'0', 'max_pool_size' => '6', 'passenger_root' =>
'/usr/lib/ruby/gems/1.8/gems/passenger-4.0.5', 'pool_idle_time' => '300',
'temp_dir' => '/tmp', 'union_station_gateway_address' =>
'gateway.unionstationapp.com', 'union_station_gateway_port' => '443',
'user_switching' => 'true', 'web_server_pid' => '13807', 'web_server_type'
=> 'apache', 'web_server_worker_gid' => '48', 'web_server_worker_uid' =>
'48' }
[ 2013-10-14 15:22:22.3803 13812/7ff1b511f720
agents/HelperAgent/Main.cpp:555 ]: PassengerHelperAgent online, listening
at unix:/tmp/passenger.1.0.13807/generation-0/request
[ 2013-10-14 15:22:22.3853 13809/7f38d1281720 agents/Watchdog/Main.cpp:564
]: All Phusion Passenger agents started!
[ 2013-10-14 15:22:22.3938 13821/7f0b7650b7e0
agents/LoggingAgent/Main.cpp:271 ]: PassengerLoggingAgent online, listening
at unix:/tmp/passenger.1.0.13807/generation-0/logging
[Mon Oct 14 15:22:22 2013] [notice] Apache/2.2.15 (Unix) DAV/2
Phusion_Passenger/4.0.5 mod_ssl/2.2.15 OpenSSL/1.0.0-fips configured –
resuming normal operations
[Mon Oct 14 15:22:22 2013] [notice] SIGHUP received. Attempting to restart
[Mon Oct 14 15:22:22 2013] [notice] Digest: generating secret for digest
authentication …
[Mon Oct 14 15:22:22 2013] [notice] Digest: done
[ 2013-10-14 15:22:22.7478 13864/7fa138788720 agents/Watchdog/Main.cpp:440
]: Options: { 'analytics_log_user' => 'nobody', 'default_group' =>
'nobody', 'default_python' => 'python', 'default_ruby' => 'ruby',
'default_user' => 'nobody', 'log_level' => '0', 'max_instances_per_app' =>
'0', 'max_pool_size' => '6', 'passenger_root' =>
'/usr/lib/ruby/gems/1.8/gems/passenger-4.0.5', 'pool_idle_time' => '300',
'temp_dir' => '/tmp', 'union_station_gateway_address' =>
'gateway.unionstationapp.com', 'union_station_gateway_port' => '443',
'user_switching' => 'true', 'web_server_pid' => '13807', 'web_server_type'
=> 'apache', 'web_server_worker_gid' => '48', 'web_server_worker_uid' =>
'48' }
[ 2013-10-14 15:22:22.7553 13869/7f2198ab2720
agents/HelperAgent/Main.cpp:555 ]: PassengerHelperAgent online, listening
at unix:/tmp/passenger.1.0.13807/generation-1/request
[ 2013-10-14 15:22:22.7605 13864/7fa138788720 agents/Watchdog/Main.cpp:564
]: All Phusion Passenger agents started!
[ 2013-10-14 15:22:22.7668 13874/7f0dbde317e0
agents/LoggingAgent/Main.cpp:271 ]: PassengerLoggingAgent online, listening
at unix:/tmp/passenger.1.0.13807/generation-1/logging
[Mon Oct 14 15:22:22 2013] [notice] Apache/2.2.15 (Unix) DAV/2
Phusion_Passenger/4.0.5 mod_ssl/2.2.15 OpenSSL/1.0.0-fips configured –
resuming normal operations
[ 2013-10-14 15:22:52.3553 13806/7f0b4ddaf720 agents/Watchdog/Main.cpp:324
]: Some Phusion Passenger agent processes did not exit in time, forcefully
shutting down all.
[ 2013-10-14 15:22:52.7302 13863/7f38d1281720 agents/Watchdog/Main.cpp:324
]: Some Phusion Passenger agent processes did not exit in time, forcefully
shutting down all.
/etc/httpd/logs/error_log (END)

This whole setup doesn't look too promising…

– Greg

And here's the specific grep of the audit.log you asked for. I missed it
the first time…

[root@dhcp135-50 ~]# grep AVC /var/log/audit/audit.log
type=AVC msg=audit(1381778542.305:75739): avc: denied { sys_resource }
for pid=13788 comm="PassengerWatchd" capability=24
scontext=unconfined_u:system_r:httpd_t:s0
tcontext=unconfined_u:system_r:httpd_t:s0 tclass=capability
type=AVC msg=audit(1381778542.336:75740): avc: denied { write } for
pid=13791 comm="PassengerHelper" path="[eventfd]" dev=anon_inodefs ino=3786
scontext=unconfined_u:system_r:httpd_t:s0
tcontext=system_u:object_r:anon_inodefs_t:s0 tclass=file
type=AVC msg=audit(1381778542.373:75741): avc: denied { sys_resource }
for pid=13809 comm="PassengerWatchd" capability=24
scontext=unconfined_u:system_r:httpd_t:s0
tcontext=unconfined_u:system_r:httpd_t:s0 tclass=capability
type=AVC msg=audit(1381778542.710:75742): avc: denied { write } for
pid=13812 comm="PassengerHelper" path="[eventfd]" dev=anon_inodefs ino=3786
scontext=unconfined_u:system_r:httpd_t:s0
tcontext=system_u:object_r:anon_inodefs_t:s0 tclass=file
type=AVC msg=audit(1381778542.746:75743): avc: denied { sys_resource }
for pid=13864 comm="PassengerWatchd" capability=24
scontext=unconfined_u:system_r:httpd_t:s0
tcontext=unconfined_u:system_r:httpd_t:s0 tclass=capability
type=AVC msg=audit(1381778572.360:75759): avc: denied { fowner } for
pid=14139 comm="chmod" capability=3
scontext=unconfined_u:system_r:httpd_t:s0
tcontext=unconfined_u:system_r:httpd_t:s0 tclass=capability
type=AVC msg=audit(1381778572.731:75760): avc: denied { fowner } for
pid=14147 comm="chmod" capability=3
scontext=unconfined_u:system_r:httpd_t:s0
tcontext=unconfined_u:system_r:httpd_t:s0 tclass=capability
type=AVC msg=audit(1381800142.764:76127): avc: denied { fowner } for
pid=17889 comm="touch" capability=3
scontext=unconfined_u:system_r:httpd_t:s0
tcontext=unconfined_u:system_r:httpd_t:s0 tclass=capability
type=AVC msg=audit(1381821742.770:76464): avc: denied { fowner } for
pid=19827 comm="touch" capability=3
scontext=unconfined_u:system_r:httpd_t:s0
tcontext=unconfined_u:system_r:httpd_t:s0 tclass=capability
type=AVC msg=audit(1381843342.778:76801): avc: denied { fowner } for
pid=22905 comm="touch" capability=3
scontext=unconfined_u:system_r:httpd_t:s0
tcontext=unconfined_u:system_r:httpd_t:s0 tclass=capability
[root@dhcp135-50 ~]#
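A quick way to see what those denials actually cover, as an added example that is not part of the thread or of Foreman: a small Python parser that turns `grep AVC` output into a tally per source domain, object class, permission and process. The sample records are the ones from the post above, re-joined onto single lines the way they sit in audit.log (grep prints one record per line); the parser and summary functions are my own and assume nothing beyond the standard AVC record layout.

```python
import re
from collections import Counter

# Constructed sample: the AVC records pasted in the post above, each re-joined
# onto one line as in /var/log/audit/audit.log, plus one non-AVC record to show
# that unrelated audit lines are skipped rather than mis-parsed.
SAMPLE_AVC_LINES = [
    'type=AVC msg=audit(1381778542.305:75739): avc: denied { sys_resource } for pid=13788 comm="PassengerWatchd" capability=24 scontext=unconfined_u:system_r:httpd_t:s0 tcontext=unconfined_u:system_r:httpd_t:s0 tclass=capability',
    'type=AVC msg=audit(1381778542.336:75740): avc: denied { write } for pid=13791 comm="PassengerHelper" path="[eventfd]" dev=anon_inodefs ino=3786 scontext=unconfined_u:system_r:httpd_t:s0 tcontext=system_u:object_r:anon_inodefs_t:s0 tclass=file',
    'type=AVC msg=audit(1381778542.373:75741): avc: denied { sys_resource } for pid=13809 comm="PassengerWatchd" capability=24 scontext=unconfined_u:system_r:httpd_t:s0 tcontext=unconfined_u:system_r:httpd_t:s0 tclass=capability',
    'type=AVC msg=audit(1381778572.360:75759): avc: denied { fowner } for pid=14139 comm="chmod" capability=3 scontext=unconfined_u:system_r:httpd_t:s0 tcontext=unconfined_u:system_r:httpd_t:s0 tclass=capability',
    'type=AVC msg=audit(1381800142.764:76127): avc: denied { fowner } for pid=17889 comm="touch" capability=3 scontext=unconfined_u:system_r:httpd_t:s0 tcontext=unconfined_u:system_r:httpd_t:s0 tclass=capability',
    'type=AVC msg=audit(1381821742.770:76464): avc: denied { fowner } for pid=19827 comm="touch" capability=3 scontext=unconfined_u:system_r:httpd_t:s0 tcontext=unconfined_u:system_r:httpd_t:s0 tclass=capability',
    'type=SYSCALL msg=audit(1381778542.305:75739): arch=c000003e syscall=1 success=no exit=-13',
]

# Header of an AVC record; real logs use two spaces around "denied", hence \s+.
AVC_RE = re.compile(
    r'^type=AVC\s+msg=audit\((?P<ts>\d+\.\d+):(?P<serial>\d+)\):\s+avc:\s+'
    r'(?P<result>denied|granted)\s+\{\s*(?P<perms>[^}]*?)\s*\}\s+for\s+(?P<rest>.*)$'
)
# key=value pairs after "for"; quoted values (comm, path, exe) may contain spaces.
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_avc_line(line):
    """Return a dict for one AVC record, or None for any other audit line."""
    m = AVC_RE.match(line.strip())
    if not m:
        return None
    rec = {
        "ts": float(m.group("ts")),
        "serial": int(m.group("serial")),
        "result": m.group("result"),
        "perms": m.group("perms").split(),   # a record can list several permissions
    }
    for key, val in FIELD_RE.findall(m.group("rest")):
        val = val.strip('"')
        if key in ("pid", "ino", "capability"):
            val = int(val)
        rec[key] = val
    return rec


def parse_avc_lines(lines):
    return [r for r in (parse_avc_line(l) for l in lines) if r is not None]


def domain(context):
    """user:role:type:level -> type (the SELinux domain or file type)."""
    return context.split(":")[2]


def summarize(records):
    """Counter keyed by (source domain, target class, permission, comm)."""
    tally = Counter()
    for r in records:
        for perm in r["perms"]:
            tally[(domain(r["scontext"]), r["tclass"], perm, r.get("comm", "?"))] += 1
    return tally


def source_domains(records):
    return {domain(r["scontext"]) for r in records}


def mentions(records, needle):
    """Records whose comm, path, exe or name contains `needle` (e.g. 'foreman-proxy', '/ssl/')."""
    return [r for r in records
            if any(needle in str(r.get(k, "")) for k in ("comm", "path", "exe", "name"))]


if __name__ == "__main__":
    recs = parse_avc_lines(SAMPLE_AVC_LINES)
    for key, n in sorted(summarize(recs).items()):
        print("%-10s %-12s %-14s %-18s %d" % (key + (n,)))
    print("domains:", source_domains(recs), "mentions foreman-proxy:", len(mentions(recs, "foreman-proxy")))
```

Run over the records above, every denial comes from the httpd_t domain: the Passenger agents and the chmod/touch they spawn are refused the sys_resource and fowner capabilities, and one helper is refused a write to an eventfd. Nothing names foreman-proxy or the ssl directory, so these denials bear on the Apache side, not on the absent .pem. If they do have to be silenced, `semanage permissive -a httpd_t` puts only that domain into permissive mode and leaves the rest of the policy enforcing, which is narrower than setenforce 0 for the whole box; `audit2allow -a` builds a local module from the same records once each denial is understood.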

Hey,

can you file an issue for us? Please include the operating system you have
and this piece of the log file.

In the meantime, you need to turn off selinux, restart apache and finish
the installation:

  1. setenforce 0
  2. service httpd restart
  3. foreman-installer …

Turn off SELinux permanently if you plan to restart the box (in
/etc/sysconfig/selinux).

LZ

On Tue, Oct 15, 2013 at 09:07:57AM -0700, Greg Allen wrote:


Later,

Lukas “lzap” Zapletal
irc: lzap #theforeman

Sure, I can file an issue.

But the steps you provided still have the same problem. Here's the output:

[root@dhcp135-50 ~]# setenforce 0
[root@dhcp135-50 ~]# /etc/init.d/httpd restart
Stopping httpd: [ OK ]
Starting httpd: Syntax error on line 48 of /etc/httpd/conf.d/foreman.conf:
SSLCertificateFile: file
'/var/lib/puppet/ssl/certs/dhcp135-50.dqe.lab.eng.bos.redhat.com.pem' does
not exist or is empty
[FAILED]
[root@dhcp135-50 ~]# foreman-installer
/Stage[main]/Apache::Service/Service[httpd]/ensure: change from stopped to
running failed: Could not start Service[httpd]: Execution of '/sbin/service
httpd start' returned 1: at
/usr/share/foreman-installer/modules/apache/manifests/service.pp:14
/Stage[main]/Foreman_proxy::Service/Service[foreman-proxy]/ensure: change
from stopped to running failed: Could not start Service[foreman-proxy]:
Execution of '/sbin/service foreman-proxy start' returned 1: at
/usr/share/foreman-installer/modules/foreman_proxy/manifests/service.pp:9
Installing Done
[100%]
[…]
Something went wrong! Check the log for ERROR-level output
The full log is at /var/log/foreman-installer/foreman-installer.log
[root@dhcp135-50 ~]#

It still complains about the missing SSL certificate file, both the httpd
daemon and also the foreman-proxy service.

What creates this file, and why isn't it being generated?

Is there a way to uninstall completely and start over? I haven't been able
to find a way…

I removed /etc/http/conf.d/foreman.conf and tried again. This allowed the
httpd server to start successfully.

However, I still get the same error with the foreman-proxy service
complaining about the missing SSL certificate file. I assume this is
supposed to be generated by the installation process…

I have the same error when restarting foreman-proxy. It was working
until a few days ago.

The problem on my part seems to be that foreman-proxy tries to access the
certificate but doesn't have enough permissions:

foreman-proxy was not running. [FAILED]
Starting foreman-proxy: Unable to access the SSL keys. Are the values
correct in settings.yml and do permissions allow reading?: Permission
denied - /var/lib/puppet/ssl/private_keys/puppet.synygy.net.pem
from /usr/share/foreman-proxy/bin/../lib/smart_proxy.rb:62
[FAILED]

ls -la /var/lib/puppet/ssl/private_keys/puppet.synygy.net.pem
-rw-------. 1 puppet puppet 3243 Jun 10 03:30
/var/lib/puppet/ssl/private_keys/puppet.synygy.net.pem

FOREMAN_PROXY_USER is foreman-proxy

If I set FOREMAN_PROXY_USER to puppet and chown the logs to puppet it
starts correctly.

On Wed, Oct 16, 2013 at 4:40 PM, Greg Allen wrote:

As foreman-proxy just needs read permissions, it's added to the puppet
group during installation.

We'd then suggest adding these lines to puppet.conf to permit group read
on the key and parent dir:

[main]
privatekeydir = $ssldir/private_keys { group = service }
hostprivkey = $privatekeydir/$certname.pem { mode = 640 }

(http://theforeman.org/manuals/1.3/index.html#5.4.2SecuringSmartProxyRequests)

On 25/10/13 08:54, Cristian Falcas wrote:


Dominic Cleal
Red Hat Engineering
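Every start-up failure in this thread reduces to one question: can the user foreman-proxy runs as open the three files named in settings.yml? As an added example, not code from Foreman or from anyone in the thread, here is a pure-Python model of that POSIX check (search permission on each parent directory, then only the owner, group or other class of the file, with root bypassing DAC) applied to the ownership and mode combinations reported here, including the puppet:root key that appears later in the thread. The directory modes and the group membership are assumptions: Puppet's usual defaults for ssldir, certs and private_keys, and the installer having added foreman-proxy to the puppet group as described above.

```python
import stat
from dataclasses import dataclass


@dataclass(frozen=True)
class Entry:
    owner: str
    group: str
    mode: int  # permission bits only, e.g. 0o640


def _allowed(user, groups, entry, ubit, gbit, obit):
    """POSIX DAC class selection: owner bits if you own it, else group bits if
    one of your groups matches, else other bits. Exactly one class is consulted,
    so puppet:root 0640 grants nothing to a member of the puppet group."""
    if entry.owner == user:
        return bool(entry.mode & ubit)
    if entry.group in groups:
        return bool(entry.mode & gbit)
    return bool(entry.mode & obit)


def can_read(user, groups, fs, path):
    """Can `user` (member of `groups`) open `path` for reading?
    `fs` maps absolute paths to Entry; a path absent from it does not exist,
    except that absent directories (e.g. /var) are treated as traversable.
    root is modelled as bypassing DAC, which is why testing as root proves nothing."""
    if path not in fs:
        return False
    if user == "root":
        return True
    parts = path.strip("/").split("/")
    for i in range(1, len(parts)):
        parent = "/" + "/".join(parts[:i])
        if parent in fs and not _allowed(user, groups, fs[parent],
                                         stat.S_IXUSR, stat.S_IXGRP, stat.S_IXOTH):
            return False
    return _allowed(user, groups, fs[path], stat.S_IRUSR, stat.S_IRGRP, stat.S_IROTH)


def check_proxy_ssl(fs, user, groups, cert, key, ca):
    """One verdict per settings.yml file: missing / unreadable / world-readable / ok."""
    findings = {}
    for label, path in (("ssl_certificate", cert), ("ssl_private_key", key), ("ssl_ca_file", ca)):
        if path not in fs:
            findings[label] = "missing"
        elif not can_read(user, groups, fs, path):
            findings[label] = "unreadable"
        elif label == "ssl_private_key" and fs[path].mode & stat.S_IROTH:
            findings[label] = "world-readable"  # "fixed" with chmod 644: every local user can read the key
        else:
            findings[label] = "ok"
    return findings


SSL = "/var/lib/puppet/ssl"
PROXY_USER = "foreman-proxy"
PROXY_GROUPS = {"foreman-proxy", "puppet"}  # assumption: installer added foreman-proxy to puppet


def scenario(fqdn, key_entry, cert_present=True):
    """Model of the ssldir; directory and cert modes are assumed Puppet defaults."""
    fs = {
        SSL: Entry("puppet", "puppet", 0o771),
        SSL + "/certs": Entry("puppet", "puppet", 0o755),
        SSL + "/private_keys": Entry("puppet", "puppet", 0o750),
        SSL + "/certs/ca.pem": Entry("puppet", "puppet", 0o644),
        SSL + "/private_keys/" + fqdn + ".pem": key_entry,
    }
    if cert_present:
        fs[SSL + "/certs/" + fqdn + ".pem"] = Entry("puppet", "puppet", 0o644)
    return fs


def run_thread_cases():
    """The situations reported in this thread, as the proxy user would see them."""
    fqdn = "foreman.example.com"
    cases = {
        "greg: cert never issued": scenario(fqdn, Entry("puppet", "puppet", 0o600), cert_present=False),
        "cristian: key 0600 puppet:puppet": scenario(fqdn, Entry("puppet", "puppet", 0o600)),
        "paps: key 0640 puppet:root": scenario(fqdn, Entry("puppet", "root", 0o640)),
        "fixed: key 0640 puppet:puppet": scenario(fqdn, Entry("puppet", "puppet", 0o640)),
        "over-fixed: key 0644 puppet:puppet": scenario(fqdn, Entry("puppet", "puppet", 0o644)),
    }
    return {
        name: check_proxy_ssl(fs, PROXY_USER, PROXY_GROUPS,
                              cert=SSL + "/certs/" + fqdn + ".pem",
                              key=SSL + "/private_keys/" + fqdn + ".pem",
                              ca=SSL + "/certs/ca.pem")
        for name, fs in cases.items()
    }


if __name__ == "__main__":
    for name, findings in run_thread_cases().items():
        print(name.ljust(36), findings)
```

The model makes the two fixes in the thread line up with what the kernel actually checks: hostprivkey mode 640 is useless unless the key's group is one the proxy user belongs to (hence `group = service`, or `chgrp puppet`), and the parent private_keys directory needs the group search bit for the same reason. It also flags the tempting shortcut, chmod 644 on the key, which makes the proxy start but hands the host's private key to every local account. Checking with `cat` as root tells you nothing, because root skips the DAC decision entirely; `sudo -u foreman-proxy cat <key>` is the test that matches the failure.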

Hi Dominic,

I am also facing the same problem. I copied the pem file from the puppetCA to
the foreman system. I checked everything that you mentioned in the mail chain
below. But no luck.

  1. SELinux disabled
  2. Firewall (fully flushed)
  3. puppet.conf has the right entries.
  4. Permission of the certificate is

-rw-r----- 1 puppet root 3243 May 1 17:37
/var/lib/puppet/ssl/private_keys/foreman.example.com.pem

  5. The puppet group has both foreman and foreman-proxy.

I don't know what to do… Did you guys solve that problem? If yes, kindly
suggest something.

Thanks in advance.

On Friday, 25 October 2013 13:26:17 UTC+5:30, Dominic Cleal wrote:

That file doesn't have "puppet" group ownership, only user ownership.
Try running "chgrp puppet
/var/lib/puppet/ssl/private_keys/foreman.example.com.pem".

You may also want to try changing the hostprivkey setting to:
hostprivkey = $privatekeydir/$certname.pem { mode = 640, group = service }

--
Dominic Cleal
Red Hat Engineering

On 01/05/14 13:25, paps eddy wrote:


Thanks, Dominic… it's working now… thanks a lot mate…

On Thursday, 1 May 2014 18:06:40 UTC+5:30, Dominic Cleal wrote: