Hi all,

I have successfully installed Foreman and Foreman-proxy on my Puppet
server(CentOS 6.6) and integrated them. This machine has the following
smart proxy features: TFTP, DNS, DHCP, Puppet, Puppet CA, and BMC
I have DNS installed on another machine (CentOS 6.6, bind). I installed
foreman-proxy on my DNS machine. I was able to add smart proxy from my DNS
machine in my Foreman UI on my puppet server without ssl.

When I try to add it with ssl I have the following errors in the
/var/log/foreman/production.log file on my Puppet server:

Failed to save: Unable to communicate with the proxy: ERF12-2530
[ProxyAPI::ProxyException]: Unable to detect features
([OpenSSL::SSL::SSLError]: SSL_connect SYSCALL returned=5 errno=0
state=SSLv2/v3 read server hello A) for proxy
https://hostname:8443/features https://hostname:8443/features, Please
check the proxy is configured and running on the host.

On the other side on my DNS server using foreman-proxy in foreground mode
I can see:

[2015-01-14 11:25:41] ERROR OpenSSL::SSL::SSLError:
SSL_CTX_use_PrivateKey:: key values mismatch

• /usr/lib/ruby/1.8/openssl/ssl-internal.rb:172:in `initialize’*

My DNS server is managed by my Puppet server. The certificate is signed by
Puppet server.

It looks like a permission issue on my DNS server (because local smart
proxy on Puppet server works). What I checked on my DNS server:

cat /etc/foreman-proxy/settings.yml

:ssl_certificate: /var/lib/puppet/ssl/certs/ca.pem:ssl_ca_file:
/var/lib/puppet/ssl/certs/hostname.pem:ssl_private_key:
/var/lib/puppet/ssl/private_keys/hostname.pem# Hosts which the proxy
accepts connections from# commenting the following lines would mean every
verified SSL connection allowed#:trusted_hosts: (I tried with localhost
and Puppet server)

:https_port: 8443

• id foreman-proxy*
  uid=494(foreman-proxy) gid=494(foreman-proxy)
  groups=494(foreman-proxy),52(puppet)

ls -la /var/lib/puppet/ssl/certs/hostname.pem
-rw-r–r-- 1 puppet puppet 1992 Jan 14 10:02
/var/lib/puppet/ssl/certs/hostname.pem

ls -la /var/lib/puppet/ssl/private_keys/hostname.pem -rw-r----- 1 puppet
puppet 3243 Jan 14 10:00 /var/lib/puppet/ssl/private_keys/hostname.pem

ls -la /var/lib/puppet/ssl/

drwxr-x— 2 puppet puppet 4096 Jan 14 10:00 private_keys

I tried with stopped firewall as well. The same result.
I don’t have foreman user on my DNS server, only foreman-proxy

My foreman-proxy versions are:
On Puppet server: foreman-proxy-1.7.0-1.el6.noarch
On DNS server: foreman-proxy-1.7.1-1.el6.noarch

On my DNS server (the same result with -k flag):
curl -v --cert /var/lib/puppet/ssl/certs/hostname.pem --key
/var/lib/puppet/ssl/private_keys/hostname.pem
https://hostname:8443/features https://hostname:8443/features* About to
connect() to hostname port 8443 (#0)*
** Trying 132.249.232.5… connected*
** Connected to nostname (ip-address) port 8443 (#0)*
** Initializing NSS with certpath: sql:/etc/pki/nssdb*
** CAfile: /etc/pki/tls/certs/ca-bundle.crt*

• CApath: none*
  ** NSS error -5938*
  ** Closing connection #0*
  ** SSL connect error*
  curl: (35) SSL connect error

I’d appreciate any help.
Thanks.

–
You received this message because you are subscribed to the Google Groups
"Foreman users" group.
To unsubscribe from this group and stop receiving emails from it, send an
email to foreman-users+unsubscribe@googlegroups.com.
To post to this group, send email to foreman-users@googlegroups.com.
Visit this group at http://groups.google.com/group/foreman-users.
For more options, visit https://groups.google.com/d/optout.

As far as I understand I don’t need to do it manually.
Foreman :: Manual

If the smart proxy host is not managed by Puppet, you will need to
generate a certificate - skip forward to the generate section.

My DNS server is managed by Puppet and already has certs installed.
Anyway just to double check I deleted them, sent request to Puppet, sign
them there and tried again. No good.

Any ideas?

My DNS server is managed by Puppet and already has certificates installed.
I can delete

On Wednesday, January 14, 2015 at 1:52:59 PM UTC-8, claude juif wrote:

Hi,

Did you copy those certificate from puppetCA server after generate them ?
(using puppet cert generate command ?) It seems you have a private key
mismatch.

Regards

2015-01-14 22:26 GMT+01:00 tyon surb...@ucdavis.edu:

Hi all,

I have successfully installed Foreman and Foreman-proxy on my Puppet
server(CentOS 6.6) and integrated them. This machine has the following
smart proxy features: TFTP, DNS, DHCP, Puppet, Puppet CA, and BMC
I have DNS installed on another machine (CentOS 6.6, bind). I installed
foreman-proxy on my DNS machine. I was able to add smart proxy from my DNS
machine in my Foreman UI on my puppet server without ssl.

When I try to add it with ssl I have the following errors in the
/var/log/foreman/production.log file on my Puppet server:

Failed to save: Unable to communicate with the proxy: ERF12-2530
[ProxyAPI::ProxyException]: Unable to detect features
([OpenSSL::SSL::SSLError]: SSL_connect SYSCALL returned=5 errno=0
state=SSLv2/v3 read server hello A) for proxy
https://hostname:8443/features https://hostname:8443/features, Please
check the proxy is configured and running on the host.

On the other side on my DNS server using foreman-proxy in foreground
mode I can see:

[2015-01-14 11:25:41] ERROR OpenSSL::SSL::SSLError:
SSL_CTX_use_PrivateKey:: key values mismatch

• /usr/lib/ruby/1.8/openssl/ssl-internal.rb:172:in `initialize’*

My DNS server is managed by my Puppet server. The certificate is signed
by Puppet server.

It looks like a permission issue on my DNS server (because local smart
proxy on Puppet server works). What I checked on my DNS server:

cat /etc/foreman-proxy/settings.yml

:ssl_certificate: /var/lib/puppet/ssl/certs/ca.pem:ssl_ca_file:
/var/lib/puppet/ssl/certs/hostname.pem:ssl_private_key:
/var/lib/puppet/ssl/private_keys/hostname.pem# Hosts which the proxy
accepts connections from# commenting the following lines would mean every
verified SSL connection allowed#:trusted_hosts: (I tried with localhost
and Puppet server)

:https_port: 8443

• id foreman-proxy*
  uid=494(foreman-proxy) gid=494(foreman-proxy)
  groups=494(foreman-proxy),52(puppet)

ls -la /var/lib/puppet/ssl/certs/hostname.pem
-rw-r–r-- 1 puppet puppet 1992 Jan 14 10:02
/var/lib/puppet/ssl/certs/hostname.pem

ls -la /var/lib/puppet/ssl/private_keys/hostname.pem -rw-r----- 1
puppet puppet 3243 Jan 14 10:00
/var/lib/puppet/ssl/private_keys/hostname.pem

ls -la /var/lib/puppet/ssl/

drwxr-x— 2 puppet puppet 4096 Jan 14 10:00 private_keys

I tried with stopped firewall as well. The same result.
I don’t have foreman user on my DNS server, only foreman-proxy

My foreman-proxy versions are:
On Puppet server: foreman-proxy-1.7.0-1.el6.noarch
On DNS server: foreman-proxy-1.7.1-1.el6.noarch

On my DNS server (the same result with -k flag):
curl -v --cert /var/lib/puppet/ssl/certs/hostname.pem --key
/var/lib/puppet/ssl/private_keys/hostname.pem
https://hostname:8443/features https://hostname:8443/features* About to
connect() to hostname port 8443 (#0)*
** Trying 132.249.232.5… connected*
** Connected to nostname (ip-address) port 8443 (#0)*
** Initializing NSS with certpath: sql:/etc/pki/nssdb*
** CAfile: /etc/pki/tls/certs/ca-bundle.crt*

• CApath: none*
  ** NSS error -5938*
  ** Closing connection #0*
  ** SSL connect error*
  curl: (35) SSL connect error

I’d appreciate any help.
Thanks.

–
You received this message because you are subscribed to the Google
Groups “Foreman users” group.
To unsubscribe from this group and stop receiving emails from it, send
an email to foreman-user...@googlegroups.com.
To post to this group, send email to forema...@googlegroups.com.
Visit this group at http://groups.google.com/group/foreman-users.
For more options, visit https://groups.google.com/d/optout.

–
You received this message because you are subscribed to the Google Groups
"Foreman users" group.
To unsubscribe from this group and stop receiving emails from it, send an
email to foreman-users+unsubscribe@googlegroups.com.
To post to this group, send email to foreman-users@googlegroups.com.
Visit this group at http://groups.google.com/group/foreman-users.
For more options, visit https://groups.google.com/d/optout.

We have the same problem. First we noticed that back when we ran Foreman
1.4.x (do not have data for earlier versions as we didn’t have multiple
proxies at that time), but all subsequent versions (running 1.7.1 now) have
the same problem.

It appears that adding a new proxy somehow invalidates the certs of
previously configured proxies from Foreman perspective as if it expects
all proxies to have a cert of that lastly-added one. Basically, none of
the previous proxies work now - one can click
It is very strange and it does not seem to be really cert-related, but
more like a logic somewhere in Foreman code that deals with proxies, IMHO.
Using the proposed curl verification method, I can talk over SSL to any of
the proxies, but Foreman would complain that cert is missing:

[root@ppm01 ~]# curl --cacert /var/lib/puppet/ssl/certs/ca.pem --cert
/var/lib/puppet/ssl/certs/hostname -f.pem --key
/var/lib/puppet/ssl/private_keys/hostname -f.pem -H “Content-Type:
application/json” -H "Accept:application/json"
https://ppm01.mydomain:8443/features
[“abrt”,“bmc”,“puppet”]

[root@ppm01 ~]# curl --cacert /var/lib/puppet/ssl/certs/ca.pem --cert
/var/lib/puppet/ssl/certs/hostname -f.pem --key
/var/lib/puppet/ssl/private_keys/hostname -f.pem -H “Content-Type:
application/json” -H "Accept:application/json"
https://ppm02.mydomain:8443/features
[“abrt”,“bmc”,“puppet”]

[root@ppm01 ~]# curl --cacert /var/lib/puppet/ssl/certs/ca.pem --cert
/var/lib/puppet/ssl/certs/hostname -f.pem --key
/var/lib/puppet/ssl/private_keys/hostname -f.pem -H “Content-Type:
application/json” -H "Accept:application/json"
https://ppm03.mydomain:8443/features
[“abrt”,“bmc”,“puppet”]

The only way to workaround this issue I found so far is to exchange the
SSL (both public and private) keys and certs between all proxies, which is
obviously not a proper thing to do.

Please let me if I misunderstand or missing something here.
Thanks!

–
You received this message because you are subscribed to the Google Groups
"Foreman users" group.
To unsubscribe from this group and stop receiving emails from it, send an
email to foreman-users+unsubscribe@googlegroups.com.
To post to this group, send email to foreman-users@googlegroups.com.
Visit this group at http://groups.google.com/group/foreman-users.
For more options, visit https://groups.google.com/d/optout.

I think it would be better for me to start another topic on this as it
appears we have a different issue with proxies.

–
You received this message because you are subscribed to the Google Groups
"Foreman users" group.
To unsubscribe from this group and stop receiving emails from it, send an
email to foreman-users+unsubscribe@googlegroups.com.
To post to this group, send email to foreman-users@googlegroups.com.
Visit this group at http://groups.google.com/group/foreman-users.
For more options, visit https://groups.google.com/d/optout.

Hey claude,

thank you for your help, but no joy

curl -v --cacert /var/lib/puppet/ssl/certs/ca.pem --cert
/var/lib/puppet/ssl/certs/hostname.pem --key
/var/lib/puppet/ssl/private_keys/hostname.pem
https://hostname:8443/features

• About to connect() to hostname port 8443 (#0)
• Trying XXX.XXX.XXX.X… connected
• Connected to hostname (XXX.XXX.XXX.X) port 8443 (#0)
• Initializing NSS with certpath: sql:/etc/pki/nssdb
• CAfile: /var/lib/puppet/ssl/certs/ca.pem
  CApath: none
• NSS error -5938
• Closing connection #0
• SSL connect error
  curl: (35) SSL connect error

On Wednesday, January 14, 2015 at 3:45:50 PM UTC-8, claude juif wrote:

Can you add the cacert parameter to curl and see if it’s working ? -

curl -v --cacert /var/lib/puppet/ssl/certs/ca.pem --cert
/var/lib/puppet/ssl/certs/hostname.pem --key
/var/lib/puppet/ssl/private_keys/hostname.pem https://hostname:8443/features
https://hostname:8443/features*

From the output of curl it seems it’s using the wrong CA file.

If it works double check that /etc/foreman-proxy/settings.yml contains
the right path to cert

2015-01-14 23:29 GMT+01:00 tyon surb...@ucdavis.edu:

As far as I understand I don’t need to do it manually.
Foreman :: Manual

If the smart proxy host is not managed by Puppet, you will need to
generate a certificate - skip forward to the generate section.

My DNS server is managed by Puppet and already has certs installed.
Anyway just to double check I deleted them, sent request to Puppet, sign
them there and tried again. No good.

Any ideas?

My DNS server is managed by Puppet and already has certificates
installed. I can delete

On Wednesday, January 14, 2015 at 1:52:59 PM UTC-8, claude juif wrote:

Hi,

Did you copy those certificate from puppetCA server after generate them
? (using puppet cert generate command ?) It seems you have a private key
mismatch.

Regards

2015-01-14 22:26 GMT+01:00 tyon surb...@ucdavis.edu:

Hi all,

I have successfully installed Foreman and Foreman-proxy on my Puppet
server(CentOS 6.6) and integrated them. This machine has the following
smart proxy features: TFTP, DNS, DHCP, Puppet, Puppet CA, and BMC
I have DNS installed on another machine (CentOS 6.6, bind). I
installed foreman-proxy on my DNS machine. I was able to add smart proxy
from my DNS machine in my Foreman UI on my puppet server without ssl.

When I try to add it with ssl I have the following errors in the
/var/log/foreman/production.log file on my Puppet server:

Failed to save: Unable to communicate with the proxy: ERF12-2530
[ProxyAPI::ProxyException]: Unable to detect features
([OpenSSL::SSL::SSLError]: SSL_connect SYSCALL returned=5 errno=0
state=SSLv2/v3 read server hello A) for proxy
https://hostname:8443/features https://hostname:8443/features, Please
check the proxy is configured and running on the host.

On the other side on my DNS server using foreman-proxy in foreground
mode I can see:

[2015-01-14 11:25:41] ERROR OpenSSL::SSL::SSLError:
SSL_CTX_use_PrivateKey:: key values mismatch

• /usr/lib/ruby/1.8/openssl/ssl-internal.rb:172:in `initialize’*

My DNS server is managed by my Puppet server. The certificate is
signed by Puppet server.

It looks like a permission issue on my DNS server (because local smart
proxy on Puppet server works). What I checked on my DNS server:

cat /etc/foreman-proxy/settings.yml

:ssl_certificate: /var/lib/puppet/ssl/certs/ca.pem:ssl_ca_file:
/var/lib/puppet/ssl/certs/hostname.pem:ssl_private_key:
/var/lib/puppet/ssl/private_keys/hostname.pem# Hosts which the proxy
accepts connections from# commenting the following lines would mean every
verified SSL connection allowed#:trusted_hosts: (I tried with localhost
and Puppet server)

:https_port: 8443

• id foreman-proxy*
  uid=494(foreman-proxy) gid=494(foreman-proxy)
  groups=494(foreman-proxy),52(puppet)

ls -la /var/lib/puppet/ssl/certs/hostname.pem
-rw-r–r-- 1 puppet puppet 1992 Jan 14 10:02
/var/lib/puppet/ssl/certs/hostname.pem

ls -la /var/lib/puppet/ssl/private_keys/hostname.pem -rw-r----- 1
puppet puppet 3243 Jan 14 10:00
/var/lib/puppet/ssl/private_keys/hostname.pem

ls -la /var/lib/puppet/ssl/

drwxr-x— 2 puppet puppet 4096 Jan 14 10:00 private_keys

I tried with stopped firewall as well. The same result.
I don’t have foreman user on my DNS server, only foreman-proxy

My foreman-proxy versions are:
On Puppet server: foreman-proxy-1.7.0-1.el6.noarch
On DNS server: foreman-proxy-1.7.1-1.el6.noarch

On my DNS server (the same result with -k flag):
curl -v --cert /var/lib/puppet/ssl/certs/hostname.pem --key
/var/lib/puppet/ssl/private_keys/hostname.pem
https://hostname:8443/features https://hostname:8443/features* About to
connect() to hostname port 8443 (#0)*
** Trying 132.249.232.5… connected*
** Connected to nostname (ip-address) port 8443 (#0)*
** Initializing NSS with certpath: sql:/etc/pki/nssdb*
** CAfile: /etc/pki/tls/certs/ca-bundle.crt*

• CApath: none*
  ** NSS error -5938*
  ** Closing connection #0*
  ** SSL connect error*
  curl: (35) SSL connect error

I’d appreciate any help.
Thanks.

–
You received this message because you are subscribed to the Google
Groups “Foreman users” group.
To unsubscribe from this group and stop receiving emails from it, send
an email to foreman-user...@googlegroups.com.
To post to this group, send email to forema...@googlegroups.com.
Visit this group at http://groups.google.com/group/foreman-users.
For more options, visit https://groups.google.com/d/optout.

–
You received this message because you are subscribed to the Google
Groups “Foreman users” group.
To unsubscribe from this group and stop receiving emails from it, send
an email to foreman-user...@googlegroups.com.
To post to this group, send email to forema...@googlegroups.com.
Visit this group at http://groups.google.com/group/foreman-users.
For more options, visit https://groups.google.com/d/optout.

–
You received this message because you are subscribed to the Google Groups
"Foreman users" group.
To unsubscribe from this group and stop receiving emails from it, send an
email to foreman-users+unsubscribe@googlegroups.com.
To post to this group, send email to foreman-users@googlegroups.com.
Visit this group at http://groups.google.com/group/foreman-users.
For more options, visit https://groups.google.com/d/optout.

So my question for Konstantin: what directory you copy cert/private key
from client? Do you point to this directory in Foreman proxy settings file?

Claude, did you install you foreman-proxy with foreman installer? I used a
rpm package. foreman-proxy-1.7.1-1.el6.noarch

I tried to restart foreman proxy many times on my DNS server, it didn’t
help. The problem is definitely related with my installation on DNS server,
because I cannot successfully test it with curl even from localhost (my DNS
server).

I don’t have any errors in my proxy.log file on both machines.

My DNS server:
W, [2015-01-15T08:51:01.885364 #4180] WARN – : Couldn’t find settings
file /etc/foreman-proxy/settings.d/foreman_proxy.yml. Using default
settings.
I, [2015-01-15T08:51:01.886431 #4180] INFO – : ‘foreman_proxy’ settings
were initialized with default values: :enabled: true
I, [2015-01-15T08:51:01.894369 #4180] INFO – : ‘facts’ module is
disabled.
I, [2015-01-15T08:51:01.902487 #4180] INFO – : ‘templates’ module is
disabled.
I, [2015-01-15T08:51:01.903152 #4180] INFO – : ‘tftp’ module is
disabled.
I, [2015-01-15T08:51:01.903619 #4180] INFO – : ‘dhcp’ module is
disabled.
I, [2015-01-15T08:51:01.904281 #4180] INFO – : ‘puppetca’ module is
disabled.
I, [2015-01-15T08:51:01.905342 #4180] INFO – : ‘puppet’ module is
disabled.
I, [2015-01-15T08:51:01.905923 #4180] INFO – : ‘bmc’ module is
disabled.
I, [2015-01-15T08:51:01.906660 #4180] INFO – : ‘realm’ module is
disabled.

My Puppet server:
I, [2015-01-15T08:43:21.601876 #11151] INFO – : 'foreman_proxy’
settings were initialized with default values: :enabled: true
I, [2015-01-15T08:43:21.685245 #11151] INFO – : ‘facts’ module is
disabled.
I, [2015-01-15T08:43:21.705146 #11151] INFO – : ‘templates’ module is
disabled.
I, [2015-01-15T08:43:21.752811 #11151] INFO – : ‘dhcp’ settings were
initialized with default values: :dhcp_provider: isc
I, [2015-01-15T08:43:24.446693 #11151] INFO – : ‘puppet’ settings were
initialized with default values: :puppetdir: /etc/puppet
I, [2015-01-15T08:43:24.652776 #11151] INFO – : ‘realm’ module is
disabled.

Only errors which I can see:

on my DNS server when I start foreman-proxy in foreground mode and try
to safe proxy on my Puppet server:

[2015-01-15 08:51:42] ERROR OpenSSL::SSL::SSLError:
SSL_CTX_use_PrivateKey:: key values mismatch
/usr/lib/ruby/1.8/openssl/ssl-internal.rb:172:in `initialize’

on my Puppet server in foreman/production.log file:

Unable to communicate with the proxy: ERF12-2530
[ProxyAPI::ProxyException]: Unable to detect features
([OpenSSL::SSL::SSLError]: SSL_connect SYSCALL returned=5 errno=0
state=SSLv2/v3 read server hello A) for proxy
https://ns1.domain.name:8443/features
https://ns1.domain.name:8443/features
Please check the proxy is configured and running on the host.

I’m using it without SSL for now but it is not what I want

On Thursday, January 15, 2015 at 2:32:29 AM UTC-8, claude juif wrote:

Hi Konstantin,

I actually have 2 smart proxies linked to my foreman instance and it’s
working really well.

What is the exact error you had ? What do you mean by exchange the SSL
between all proxies ?

Basically on the puppetCA(foreman) server, you have to generate a
certificate for all of your proxies. Copied them over to each proxy.
(ca.pem, hostname-key.pem, hostname-cert.pem).

On each proxy you also need to add the trusted host parameters pointing
to your foreman instance.

By the way, how didi you install foreman proxy ? With the
foreman-installer ? or with packages ?

Regards,

2015-01-15 2:25 GMT+01:00 ‘Konstantin Orekhov’ via Foreman users <
forema...@googlegroups.com>:

We have the same problem. First we noticed that back when we ran Foreman
1.4.x (do not have data for earlier versions as we didn’t have multiple
proxies at that time), but all subsequent versions (running 1.7.1 now) have
the same problem.

It appears that adding a new proxy somehow invalidates the certs of
previously configured proxies from Foreman perspective as if it expects
all proxies to have a cert of that lastly-added one. Basically, none of
the previous proxies work now - one can click
It is very strange and it does not seem to be really cert-related, but
more like a logic somewhere in Foreman code that deals with proxies, IMHO.
Using the proposed curl verification method, I can talk over SSL to any of
the proxies, but Foreman would complain that cert is missing:

[root@ppm01 ~]# curl --cacert /var/lib/puppet/ssl/certs/ca.pem --cert
/var/lib/puppet/ssl/certs/hostname -f.pem --key
/var/lib/puppet/ssl/private_keys/hostname -f.pem -H “Content-Type:
application/json” -H "Accept:application/json"
https://ppm01.mydomain:8443/features
[“abrt”,“bmc”,“puppet”]

[root@ppm01 ~]# curl --cacert /var/lib/puppet/ssl/certs/ca.pem --cert
/var/lib/puppet/ssl/certs/hostname -f.pem --key
/var/lib/puppet/ssl/private_keys/hostname -f.pem -H “Content-Type:
application/json” -H "Accept:application/json"
https://ppm02.mydomain:8443/features
[“abrt”,“bmc”,“puppet”]

[root@ppm01 ~]# curl --cacert /var/lib/puppet/ssl/certs/ca.pem --cert
/var/lib/puppet/ssl/certs/hostname -f.pem --key
/var/lib/puppet/ssl/private_keys/hostname -f.pem -H “Content-Type:
application/json” -H "Accept:application/json"
https://ppm03.mydomain:8443/features
[“abrt”,“bmc”,“puppet”]

The only way to workaround this issue I found so far is to exchange the
SSL (both public and private) keys and certs between all proxies, which is
obviously not a proper thing to do.

Please let me if I misunderstand or missing something here.
Thanks!

–
You received this message because you are subscribed to the Google
Groups “Foreman users” group.
To unsubscribe from this group and stop receiving emails from it, send
an email to foreman-user...@googlegroups.com.
To post to this group, send email to forema...@googlegroups.com.
Visit this group at http://groups.google.com/group/foreman-users.
For more options, visit https://groups.google.com/d/optout.

–
You received this message because you are subscribed to the Google Groups
"Foreman users" group.
To unsubscribe from this group and stop receiving emails from it, send an
email to foreman-users+unsubscribe@googlegroups.com.
To post to this group, send email to foreman-users@googlegroups.com.
Visit this group at http://groups.google.com/group/foreman-users.
For more options, visit https://groups.google.com/d/optout.

Yes, puppet agent -t works (DNS server)

puppet agent -t
Info: Retrieving pluginfacts
Info: Retrieving plugin
Info: Loading facts
Info: Loading facts
Info: Caching catalog for ns1.domain.name http://ns1.domain.name
Info: Applying configuration version '1421279051’
Notice: Finished catalog run in 6.62 seconds

Sorry, I didn’t mention it before my /var/log/foreman/production.log on
Puppet server:

Parameters: {“utf8”=>“✓”,
“authenticity_token”=>“ckB6EqKPnwbAslAaV7YQMIZHysUz6GyJMOJHSNylPgw=”,
“smart_proxy”=>{“name”=>“NS-Proxy”, “url”=>“https://ns1.domain.name:8443
https://ns1.domain.name:8443”}}
Failed to save: Unable to communicate with the proxy: ERF12-2530
[ProxyAPI::ProxyException]: Unable to detect features
([OpenSSL::SSL::SSLError]: SSL_connect SYSCALL returned=5 errno=0
state=SSLv2/v3 read server hello A) for proxy
https://ns1.domain.name:8443/features
https://ns1.domain.name:8443/features, Please check the proxy is
configured and running on the host.

What do you mean no proxy between? I have proxy running on my Puppet
server and on my DNS server. Proxy on Puppet server works with ssl, proxy
on DNS server is starting with ssl, but I cannot connect.

I test curl on my DNS server. hostname.pem is dns fqdn and
https://hostname:8443… is https://dnsfqdn:8443 too. Or do you mean
something else?

On Wednesday, January 14, 2015 at 4:15:26 PM UTC-8, claude juif wrote:

I assume puppet agent -t is working right ?

error -5938 is PR_END_OF_FILE_ERROR.

“This error is only emitted by the SSL library when a read during SSL
handshake returns a 0 byte count, meaning the peer closed the TCP
connection.”

I think you should have a look at the server log
(/var/log/foreman/production.log). Something is wrong on the server
side. (No proxy between ?)

And just to be clear hostname.pem is dns fqdn and https://hostname:8443…
is https://puppetfqdn:8443 ?

2015-01-15 0:57 GMT+01:00 tyon surb...@ucdavis.edu:

Hey claude,

thank you for your help, but no joy

curl -v --cacert /var/lib/puppet/ssl/certs/ca.pem --cert
/var/lib/puppet/ssl/certs/hostname.pem --key
/var/lib/puppet/ssl/private_keys/hostname.pem
https://hostname:8443/features

• About to connect() to hostname port 8443 (#0)
• Trying XXX.XXX.XXX.X… connected
• Connected to hostname (XXX.XXX.XXX.X) port 8443 (#0)
• Initializing NSS with certpath: sql:/etc/pki/nssdb
• CAfile: /var/lib/puppet/ssl/certs/ca.pem
  CApath: none
• NSS error -5938
• Closing connection #0
• SSL connect error
  curl: (35) SSL connect error

On Wednesday, January 14, 2015 at 3:45:50 PM UTC-8, claude juif wrote:

Can you add the cacert parameter to curl and see if it’s working ? -

curl -v --cacert /var/lib/puppet/ssl/certs/ca.pem --cert
/var/lib/puppet/ssl/certs/hostname.pem --key
/var/lib/puppet/ssl/private_keys/hostname.pem https://hostname:8443/features
https://hostname:8443/features*

From the output of curl it seems it’s using the wrong CA file.

If it works double check that /etc/foreman-proxy/settings.yml contains
the right path to cert

2015-01-14 23:29 GMT+01:00 tyon surb...@ucdavis.edu:

As far as I understand I don’t need to do it manually.
Foreman :: Manual

If the smart proxy host is not managed by Puppet, you will need to
generate a certificate - skip forward to the generate section.

My DNS server is managed by Puppet and already has certs installed.
Anyway just to double check I deleted them, sent request to Puppet,
sign them there and tried again. No good.

Any ideas?

My DNS server is managed by Puppet and already has certificates
installed. I can delete

On Wednesday, January 14, 2015 at 1:52:59 PM UTC-8, claude juif wrote:

Hi,

Did you copy those certificate from puppetCA server after generate
them ? (using puppet cert generate command ?) It seems you have a private
key mismatch.

Regards

2015-01-14 22:26 GMT+01:00 tyon surb...@ucdavis.edu:

Hi all,

I have successfully installed Foreman and Foreman-proxy on my Puppet
server(CentOS 6.6) and integrated them. This machine has the following
smart proxy features: TFTP, DNS, DHCP, Puppet, Puppet CA, and BMC
I have DNS installed on another machine (CentOS 6.6, bind). I
installed foreman-proxy on my DNS machine. I was able to add smart proxy
from my DNS machine in my Foreman UI on my puppet server without ssl.

When I try to add it with ssl I have the following errors in the
/var/log/foreman/production.log file on my Puppet server:

Failed to save: Unable to communicate with the proxy: ERF12-2530
[ProxyAPI::ProxyException]: Unable to detect features
([OpenSSL::SSL::SSLError]: SSL_connect SYSCALL returned=5 errno=0
state=SSLv2/v3 read server hello A) for proxy
https://hostname:8443/features https://hostname:8443/features, Please
check the proxy is configured and running on the host.

On the other side on my DNS server using foreman-proxy in foreground
mode I can see:

[2015-01-14 11:25:41] ERROR OpenSSL::SSL::SSLError:
SSL_CTX_use_PrivateKey:: key values mismatch

• /usr/lib/ruby/1.8/openssl/ssl-internal.rb:172:in `initialize’*

My DNS server is managed by my Puppet server. The certificate is
signed by Puppet server.

It looks like a permission issue on my DNS server (because local
smart proxy on Puppet server works). What I checked on my DNS server:

cat /etc/foreman-proxy/settings.yml

:ssl_certificate: /var/lib/puppet/ssl/certs/ca.pem:ssl_ca_file:
/var/lib/puppet/ssl/certs/hostname.pem:ssl_private_key:
/var/lib/puppet/ssl/private_keys/hostname.pem# Hosts which the proxy
accepts connections from# commenting the following lines would mean every
verified SSL connection allowed#:trusted_hosts: (I tried with localhost
and Puppet server)

:https_port: 8443

• id foreman-proxy*
  uid=494(foreman-proxy) gid=494(foreman-proxy)
  groups=494(foreman-proxy),52(puppet)

ls -la /var/lib/puppet/ssl/certs/hostname.pem
-rw-r–r-- 1 puppet puppet 1992 Jan 14 10:02
/var/lib/puppet/ssl/certs/hostname.pem

ls -la /var/lib/puppet/ssl/private_keys/hostname.pem -rw-r----- 1
puppet puppet 3243 Jan 14 10:00
/var/lib/puppet/ssl/private_keys/hostname.pem

ls -la /var/lib/puppet/ssl/

drwxr-x— 2 puppet puppet 4096 Jan 14 10:00 private_keys

I tried with stopped firewall as well. The same result.
I don’t have foreman user on my DNS server, only foreman-proxy

My foreman-proxy versions are:
On Puppet server: foreman-proxy-1.7.0-1.el6.noarch
On DNS server: foreman-proxy-1.7.1-1.el6.noarch

On my DNS server (the same result with -k flag):
curl -v --cert /var/lib/puppet/ssl/certs/hostname.pem --key
/var/lib/puppet/ssl/private_keys/hostname.pem
https://hostname:8443/features https://hostname:8443/features* About to
connect() to hostname port 8443 (#0)*
** Trying 132.249.232.5… connected*
** Connected to nostname (ip-address) port 8443 (#0)*
** Initializing NSS with certpath: sql:/etc/pki/nssdb*
** CAfile: /etc/pki/tls/certs/ca-bundle.crt*

• CApath: none*
  ** NSS error -5938*
  ** Closing connection #0*
  ** SSL connect error*
  curl: (35) SSL connect error

I’d appreciate any help.
Thanks.

–
You received this message because you are subscribed to the Google
Groups “Foreman users” group.
To unsubscribe from this group and stop receiving emails from it,
send an email to foreman-user...@googlegroups.com.
To post to this group, send email to forema...@googlegroups.com.
Visit this group at http://groups.google.com/group/foreman-users.
For more options, visit https://groups.google.com/d/optout.

–
You received this message because you are subscribed to the Google
Groups “Foreman users” group.
To unsubscribe from this group and stop receiving emails from it, send
an email to foreman-user...@googlegroups.com.
To post to this group, send email to forema...@googlegroups.com.
Visit this group at http://groups.google.com/group/foreman-users.
For more options, visit https://groups.google.com/d/optout.

–
You received this message because you are subscribed to the Google
Groups “Foreman users” group.
To unsubscribe from this group and stop receiving emails from it, send
an email to foreman-user...@googlegroups.com.
To post to this group, send email to forema...@googlegroups.com.
Visit this group at http://groups.google.com/group/foreman-users.
For more options, visit https://groups.google.com/d/optout.

–
You received this message because you are subscribed to the Google Groups
"Foreman users" group.
To unsubscribe from this group and stop receiving emails from it, send an
email to foreman-users+unsubscribe@googlegroups.com.
To post to this group, send email to foreman-users@googlegroups.com.
Visit this group at http://groups.google.com/group/foreman-users.
For more options, visit https://groups.google.com/d/optout.

Puppet server has private key. When you do a puppet cert generate on the
puppetCA, you have 3 files : cert, private key and public key. Please
ensure both private keys are the same : eg PuppetCA and DNS Server by
viewing them in a text editor.

It works exactly the same way as generating a self signed certificate by
hand.

So my question for Konstantin: what directory you copy cert/private key
from client? Do you point to this directory in Foreman proxy settings file?

Claude, did you install you foreman-proxy with foreman installer? I used
a rpm package. foreman-proxy-1.7.1-1.el6.noarch

I tried to restart foreman proxy many times on my DNS server, it didn’t
help. The problem is definitely related with my installation on DNS server,
because I cannot successfully test it with curl even from localhost (my DNS
server).

I don’t have any errors in my proxy.log file on both machines.

My DNS server:
W, [2015-01-15T08:51:01.885364 #4180] WARN – : Couldn’t find settings
file /etc/foreman-proxy/settings.d/foreman_proxy.yml. Using default
settings.
I, [2015-01-15T08:51:01.886431 #4180] INFO – : 'foreman_proxy’
settings were initialized with default values: :enabled: true
I, [2015-01-15T08:51:01.894369 #4180] INFO – : ‘facts’ module is
disabled.
I, [2015-01-15T08:51:01.902487 #4180] INFO – : ‘templates’ module is
disabled.
I, [2015-01-15T08:51:01.903152 #4180] INFO – : ‘tftp’ module is
disabled.
I, [2015-01-15T08:51:01.903619 #4180] INFO – : ‘dhcp’ module is
disabled.
I, [2015-01-15T08:51:01.904281 #4180] INFO – : ‘puppetca’ module is
disabled.
I, [2015-01-15T08:51:01.905342 #4180] INFO – : ‘puppet’ module is
disabled.
I, [2015-01-15T08:51:01.905923 #4180] INFO – : ‘bmc’ module is
disabled.
I, [2015-01-15T08:51:01.906660 #4180] INFO – : ‘realm’ module is
disabled.

My Puppet server:
I, [2015-01-15T08:43:21.601876 #11151] INFO – : 'foreman_proxy’
settings were initialized with default values: :enabled: true
I, [2015-01-15T08:43:21.685245 #11151] INFO – : ‘facts’ module is
disabled.
I, [2015-01-15T08:43:21.705146 #11151] INFO – : ‘templates’ module is
disabled.
I, [2015-01-15T08:43:21.752811 #11151] INFO – : ‘dhcp’ settings were
initialized with default values: :dhcp_provider: isc
I, [2015-01-15T08:43:24.446693 #11151] INFO – : ‘puppet’ settings were
initialized with default values: :puppetdir: /etc/puppet
I, [2015-01-15T08:43:24.652776 #11151] INFO – : ‘realm’ module is
disabled.

Only errors which I can see:

on my DNS server when I start foreman-proxy in foreground mode and try
to safe proxy on my Puppet server:

[2015-01-15 08:51:42] ERROR OpenSSL::SSL::SSLError:
SSL_CTX_use_PrivateKey:: key values mismatch
/usr/lib/ruby/1.8/openssl/ssl-internal.rb:172:in `initialize’

on my Puppet server in foreman/production.log file:

Unable to communicate with the proxy: ERF12-2530
[ProxyAPI::ProxyException]: Unable to detect features
([OpenSSL::SSL::SSLError]: SSL_connect SYSCALL returned=5 errno=0
state=SSLv2/v3 read server hello A) for proxy
https://ns1.domain.name:8443/features
https://ns1.domain.name:8443/features
Please check the proxy is configured and running on the host.

I’m using it without SSL for now but it is not what I want

On Thursday, January 15, 2015 at 2:32:29 AM UTC-8, claude juif wrote:

Hi Konstantin,

I actually have 2 smart proxies linked to my foreman instance and it’s
working really well.

What is the exact error you had ? What do you mean by exchange the SSL
between all proxies ?

Basically on the puppetCA(foreman) server, you have to generate a
certificate for all of your proxies. Copied them over to each proxy.
(ca.pem, hostname-key.pem, hostname-cert.pem).

On each proxy you also need to add the trusted host parameters pointing
to your foreman instance.

By the way, how didi you install foreman proxy ? With the
foreman-installer ? or with packages ?

Regards,

2015-01-15 2:25 GMT+01:00 ‘Konstantin Orekhov’ via Foreman users <
forema...@googlegroups.com>:

We have the same problem. First we noticed that back when we ran
Foreman 1.4.x (do not have data for earlier versions as we didn’t have
multiple proxies at that time), but all subsequent versions (running 1.7.1
now) have the same problem.

It appears that adding a new proxy somehow invalidates the certs of
previously configured proxies from Foreman perspective as if it expects
all proxies to have a cert of that lastly-added one. Basically, none of
the previous proxies work now - one can click
It is very strange and it does not seem to be really cert-related, but
more like a logic somewhere in Foreman code that deals with proxies, IMHO.
Using the proposed curl verification method, I can talk over SSL to any of
the proxies, but Foreman would complain that cert is missing:

[root@ppm01 ~]# curl --cacert /var/lib/puppet/ssl/certs/ca.pem --cert
/var/lib/puppet/ssl/certs/hostname -f.pem --key
/var/lib/puppet/ssl/private_keys/hostname -f.pem -H “Content-Type:
application/json” -H "Accept:application/json"
https://ppm01.mydomain:8443/features
[“abrt”,“bmc”,“puppet”]

[root@ppm01 ~]# curl --cacert /var/lib/puppet/ssl/certs/ca.pem --cert
/var/lib/puppet/ssl/certs/hostname -f.pem --key
/var/lib/puppet/ssl/private_keys/hostname -f.pem -H “Content-Type:
application/json” -H "Accept:application/json"
https://ppm02.mydomain:8443/features
[“abrt”,“bmc”,“puppet”]

[root@ppm01 ~]# curl --cacert /var/lib/puppet/ssl/certs/ca.pem --cert
/var/lib/puppet/ssl/certs/hostname -f.pem --key
/var/lib/puppet/ssl/private_keys/hostname -f.pem -H “Content-Type:
application/json” -H "Accept:application/json"
https://ppm03.mydomain:8443/features
[“abrt”,“bmc”,“puppet”]

The only way to workaround this issue I found so far is to exchange the
SSL (both public and private) keys and certs between all proxies, which is
obviously not a proper thing to do.

Please let me if I misunderstand or missing something here.
Thanks!

–
You received this message because you are subscribed to the Google
Groups “Foreman users” group.
To unsubscribe from this group and stop receiving emails from it, send
an email to foreman-user...@googlegroups.com.
To post to this group, send email to forema...@googlegroups.com.
Visit this group at http://groups.google.com/group/foreman-users.
For more options, visit https://groups.google.com/d/optout.

–
You received this message because you are subscribed to the Google Groups
"Foreman users" group.
To unsubscribe from this group and stop receiving emails from it, send an
email to foreman-user...@googlegroups.com <javascript:>.
To post to this group, send email to forema...@googlegroups.com
<javascript:>.
Visit this group at http://groups.google.com/group/foreman-users.
For more options, visit https://groups.google.com/d/optout.

As I mentioned before I didn’t execute 'cert generate ns1.domain.name
http://ns1.domain.name’ command on my Puppet server because my DNS
server is managed by Puppet already.

Thank you for your help.

Puppet server has private key. When you do a puppet cert generate on the
puppetCA, you have 3 files : cert, private key and public key. Please
ensure both private keys are the same : eg PuppetCA and DNS Server by
viewing them in a text editor.

It works exactly the same way as generating a self signed certificate by
hand.

So my question for Konstantin: what directory you copy cert/private key
from client? Do you point to this directory in Foreman proxy settings file?

Claude, did you install you foreman-proxy with foreman installer? I used
a rpm package. foreman-proxy-1.7.1-1.el6.noarch

I tried to restart foreman proxy many times on my DNS server, it didn’t
help. The problem is definitely related with my installation on DNS server,
because I cannot successfully test it with curl even from localhost (my DNS
server).

I don’t have any errors in my proxy.log file on both machines.

My DNS server:
W, [2015-01-15T08:51:01.885364 #4180] WARN – : Couldn’t find settings
file /etc/foreman-proxy/settings.d/foreman_proxy.yml. Using default
settings.
I, [2015-01-15T08:51:01.886431 #4180] INFO – : 'foreman_proxy’
settings were initialized with default values: :enabled: true
I, [2015-01-15T08:51:01.894369 #4180] INFO – : ‘facts’ module is
disabled.
I, [2015-01-15T08:51:01.902487 #4180] INFO – : ‘templates’ module is
disabled.
I, [2015-01-15T08:51:01.903152 #4180] INFO – : ‘tftp’ module is
disabled.
I, [2015-01-15T08:51:01.903619 #4180] INFO – : ‘dhcp’ module is
disabled.
I, [2015-01-15T08:51:01.904281 #4180] INFO – : ‘puppetca’ module is
disabled.
I, [2015-01-15T08:51:01.905342 #4180] INFO – : ‘puppet’ module is
disabled.
I, [2015-01-15T08:51:01.905923 #4180] INFO – : ‘bmc’ module is
disabled.
I, [2015-01-15T08:51:01.906660 #4180] INFO – : ‘realm’ module is
disabled.

My Puppet server:
I, [2015-01-15T08:43:21.601876 #11151] INFO – : 'foreman_proxy’
settings were initialized with default values: :enabled: true
I, [2015-01-15T08:43:21.685245 #11151] INFO – : ‘facts’ module is
disabled.
I, [2015-01-15T08:43:21.705146 #11151] INFO – : ‘templates’ module is
disabled.
I, [2015-01-15T08:43:21.752811 #11151] INFO – : ‘dhcp’ settings were
initialized with default values: :dhcp_provider: isc
I, [2015-01-15T08:43:24.446693 #11151] INFO – : ‘puppet’ settings
were initialized with default values: :puppetdir: /etc/puppet
I, [2015-01-15T08:43:24.652776 #11151] INFO – : ‘realm’ module is
disabled.

Only errors which I can see:

on my DNS server when I start foreman-proxy in foreground mode and
try to safe proxy on my Puppet server:

[2015-01-15 08:51:42] ERROR OpenSSL::SSL::SSLError:
SSL_CTX_use_PrivateKey:: key values mismatch
/usr/lib/ruby/1.8/openssl/ssl-internal.rb:172:in `initialize’

on my Puppet server in foreman/production.log file:

Unable to communicate with the proxy: ERF12-2530
[ProxyAPI::ProxyException]: Unable to detect features
([OpenSSL::SSL::SSLError]: SSL_connect SYSCALL returned=5 errno=0
state=SSLv2/v3 read server hello A) for proxy
https://ns1.domain.name:8443/features
https://ns1.domain.name:8443/features
Please check the proxy is configured and running on the host.

I’m using it without SSL for now but it is not what I want

On Thursday, January 15, 2015 at 2:32:29 AM UTC-8, claude juif wrote:

Hi Konstantin,

I actually have 2 smart proxies linked to my foreman instance and it’s
working really well.

What is the exact error you had ? What do you mean by exchange the SSL
between all proxies ?

Basically on the puppetCA(foreman) server, you have to generate a
certificate for all of your proxies. Copied them over to each proxy.
(ca.pem, hostname-key.pem, hostname-cert.pem).

On each proxy you also need to add the trusted host parameters pointing
to your foreman instance.

By the way, how didi you install foreman proxy ? With the
foreman-installer ? or with packages ?

Regards,

2015-01-15 2:25 GMT+01:00 ‘Konstantin Orekhov’ via Foreman users <
forema...@googlegroups.com>:

We have the same problem. First we noticed that back when we ran
Foreman 1.4.x (do not have data for earlier versions as we didn’t have
multiple proxies at that time), but all subsequent versions (running 1.7.1
now) have the same problem.

It appears that adding a new proxy somehow invalidates the certs of
previously configured proxies from Foreman perspective as if it expects
all proxies to have a cert of that lastly-added one. Basically, none of
the previous proxies work now - one can click
It is very strange and it does not seem to be really cert-related, but
more like a logic somewhere in Foreman code that deals with proxies, IMHO.
Using the proposed curl verification method, I can talk over SSL to any of
the proxies, but Foreman would complain that cert is missing:

[root@ppm01 ~]# curl --cacert /var/lib/puppet/ssl/certs/ca.pem --cert
/var/lib/puppet/ssl/certs/hostname -f.pem --key
/var/lib/puppet/ssl/private_keys/hostname -f.pem -H “Content-Type:
application/json” -H "Accept:application/json"
https://ppm01.mydomain:8443/features
[“abrt”,“bmc”,“puppet”]

[root@ppm01 ~]# curl --cacert /var/lib/puppet/ssl/certs/ca.pem --cert
/var/lib/puppet/ssl/certs/hostname -f.pem --key
/var/lib/puppet/ssl/private_keys/hostname -f.pem -H “Content-Type:
application/json” -H "Accept:application/json"
https://ppm02.mydomain:8443/features
[“abrt”,“bmc”,“puppet”]

[root@ppm01 ~]# curl --cacert /var/lib/puppet/ssl/certs/ca.pem --cert
/var/lib/puppet/ssl/certs/hostname -f.pem --key
/var/lib/puppet/ssl/private_keys/hostname -f.pem -H “Content-Type:
application/json” -H "Accept:application/json"
https://ppm03.mydomain:8443/features
[“abrt”,“bmc”,“puppet”]

The only way to workaround this issue I found so far is to exchange
the SSL (both public and private) keys and certs between all proxies, which
is obviously not a proper thing to do.

Please let me if I misunderstand or missing something here.
Thanks!

–
You received this message because you are subscribed to the Google
Groups “Foreman users” group.
To unsubscribe from this group and stop receiving emails from it, send
an email to foreman-user...@googlegroups.com.
To post to this group, send email to forema...@googlegroups.com.
Visit this group at http://groups.google.com/group/foreman-users.
For more options, visit https://groups.google.com/d/optout.

–
You received this message because you are subscribed to the Google
Groups “Foreman users” group.
To unsubscribe from this group and stop receiving emails from it, send
an email to foreman-user...@googlegroups.com.
To post to this group, send email to forema...@googlegroups.com.
Visit this group at http://groups.google.com/group/foreman-users.
For more options, visit https://groups.google.com/d/optout.

–
You received this message because you are subscribed to the Google Groups
"Foreman users" group.
To unsubscribe from this group and stop receiving emails from it, send an
email to foreman-users+unsubscribe@googlegroups.com.
To post to this group, send email to foreman-users@googlegroups.com.
Visit this group at http://groups.google.com/group/foreman-users.
For more options, visit https://groups.google.com/d/optout.

You’re right, it’s just because i generate them on the puppetCA server,
the private key is not needed on the server side.

Can you try this command in the /var/lib/puppet/ssl directory and check if
the modulus output are the same ?

openssl rsa -noout -modulus -in private_keys/ns1.uctechnology.ucdavis.edu.
pem
openssl x509 -noout -modulus -in certs/ns1.uctechnology.ucdavis.edu.pem

Can you also check :
openssl verify -verbose -CAfile certs/ca.pem certs/
ns1.uctechnology.ucdavis.edu.pem

It should return OK

If modulus are not the same or if the last return any other message than
ok, you have something wrong on certificate, on the DNS side.

You can also do the last command with the certs/ca*.pem on the server
side to see if it’s not on the server side.*

As I mentioned before I didn’t execute 'cert generate ns1.domain.name
http://ns1.domain.name’ command on my Puppet server because my DNS
server is managed by Puppet already.

Thank you for your help.

Puppet server has private key. When you do a puppet cert generate on the
puppetCA, you have 3 files : cert, private key and public key. Please
ensure both private keys are the same : eg PuppetCA and DNS Server by
viewing them in a text editor.

It works exactly the same way as generating a self signed certificate by
hand.

So my question for Konstantin: what directory you copy cert/private key
from client? Do you point to this directory in Foreman proxy settings file?

Claude, did you install you foreman-proxy with foreman installer? I
used a rpm package. foreman-proxy-1.7.1-1.el6.noarch

I tried to restart foreman proxy many times on my DNS server, it didn’t
help. The problem is definitely related with my installation on DNS server,
because I cannot successfully test it with curl even from localhost (my DNS
server).

I don’t have any errors in my proxy.log file on both machines.

My DNS server:
W, [2015-01-15T08:51:01.885364 #4180] WARN – : Couldn’t find
settings file /etc/foreman-proxy/settings.d/foreman_proxy.yml. Using
default settings.
I, [2015-01-15T08:51:01.886431 #4180] INFO – : 'foreman_proxy’
settings were initialized with default values: :enabled: true
I, [2015-01-15T08:51:01.894369 #4180] INFO – : ‘facts’ module is
disabled.
I, [2015-01-15T08:51:01.902487 #4180] INFO – : ‘templates’ module is
disabled.
I, [2015-01-15T08:51:01.903152 #4180] INFO – : ‘tftp’ module is
disabled.
I, [2015-01-15T08:51:01.903619 #4180] INFO – : ‘dhcp’ module is
disabled.
I, [2015-01-15T08:51:01.904281 #4180] INFO – : ‘puppetca’ module is
disabled.
I, [2015-01-15T08:51:01.905342 #4180] INFO – : ‘puppet’ module is
disabled.
I, [2015-01-15T08:51:01.905923 #4180] INFO – : ‘bmc’ module is
disabled.
I, [2015-01-15T08:51:01.906660 #4180] INFO – : ‘realm’ module is
disabled.

My Puppet server:
I, [2015-01-15T08:43:21.601876 #11151] INFO – : 'foreman_proxy’
settings were initialized with default values: :enabled: true
I, [2015-01-15T08:43:21.685245 #11151] INFO – : ‘facts’ module is
disabled.
I, [2015-01-15T08:43:21.705146 #11151] INFO – : ‘templates’ module
is disabled.
I, [2015-01-15T08:43:21.752811 #11151] INFO – : ‘dhcp’ settings were
initialized with default values: :dhcp_provider: isc
I, [2015-01-15T08:43:24.446693 #11151] INFO – : ‘puppet’ settings
were initialized with default values: :puppetdir: /etc/puppet
I, [2015-01-15T08:43:24.652776 #11151] INFO – : ‘realm’ module is
disabled.

Only errors which I can see:

on my DNS server when I start foreman-proxy in foreground mode and
try to safe proxy on my Puppet server:

[2015-01-15 08:51:42] ERROR OpenSSL::SSL::SSLError:
SSL_CTX_use_PrivateKey:: key values mismatch
/usr/lib/ruby/1.8/openssl/ssl-internal.rb:172:in `initialize’

on my Puppet server in foreman/production.log file:

Unable to communicate with the proxy: ERF12-2530
[ProxyAPI::ProxyException]: Unable to detect features
([OpenSSL::SSL::SSLError]: SSL_connect SYSCALL returned=5 errno=0
state=SSLv2/v3 read server hello A) for proxy
https://ns1.domain.name:8443/features
https://ns1.domain.name:8443/features
Please check the proxy is configured and running on the host.

I’m using it without SSL for now but it is not what I want

On Thursday, January 15, 2015 at 2:32:29 AM UTC-8, claude juif wrote:

Hi Konstantin,

I actually have 2 smart proxies linked to my foreman instance and it’s
working really well.

What is the exact error you had ? What do you mean by exchange the SSL
between all proxies ?

Basically on the puppetCA(foreman) server, you have to generate a
certificate for all of your proxies. Copied them over to each proxy.
(ca.pem, hostname-key.pem, hostname-cert.pem).

On each proxy you also need to add the trusted host parameters
pointing to your foreman instance.

By the way, how didi you install foreman proxy ? With the
foreman-installer ? or with packages ?

Regards,

2015-01-15 2:25 GMT+01:00 ‘Konstantin Orekhov’ via Foreman users <
forema...@googlegroups.com>:

We have the same problem. First we noticed that back when we ran
Foreman 1.4.x (do not have data for earlier versions as we didn’t have
multiple proxies at that time), but all subsequent versions (running 1.7.1
now) have the same problem.

It appears that adding a new proxy somehow invalidates the certs of
previously configured proxies from Foreman perspective as if it expects
all proxies to have a cert of that lastly-added one. Basically, none of
the previous proxies work now - one can click
It is very strange and it does not seem to be really cert-related,
but more like a logic somewhere in Foreman code that deals with proxies,
IMHO. Using the proposed curl verification method, I can talk over SSL to
any of the proxies, but Foreman would complain that cert is missing:

[root@ppm01 ~]# curl --cacert /var/lib/puppet/ssl/certs/ca.pem
–cert /var/lib/puppet/ssl/certs/hostname -f.pem --key
/var/lib/puppet/ssl/private_keys/hostname -f.pem -H “Content-Type:
application/json” -H "Accept:application/json"
https://ppm01.mydomain:8443/features
[“abrt”,“bmc”,“puppet”]

[root@ppm01 ~]# curl --cacert /var/lib/puppet/ssl/certs/ca.pem
–cert /var/lib/puppet/ssl/certs/hostname -f.pem --key
/var/lib/puppet/ssl/private_keys/hostname -f.pem -H “Content-Type:
application/json” -H "Accept:application/json"
https://ppm02.mydomain:8443/features
[“abrt”,“bmc”,“puppet”]

[root@ppm01 ~]# curl --cacert /var/lib/puppet/ssl/certs/ca.pem
–cert /var/lib/puppet/ssl/certs/hostname -f.pem --key
/var/lib/puppet/ssl/private_keys/hostname -f.pem -H “Content-Type:
application/json” -H "Accept:application/json"
https://ppm03.mydomain:8443/features
[“abrt”,“bmc”,“puppet”]

The only way to workaround this issue I found so far is to exchange
the SSL (both public and private) keys and certs between all proxies, which
is obviously not a proper thing to do.

Please let me if I misunderstand or missing something here.
Thanks!

–
You received this message because you are subscribed to the Google
Groups “Foreman users” group.
To unsubscribe from this group and stop receiving emails from it,
send an email to foreman-user...@googlegroups.com.
To post to this group, send email to forema...@googlegroups.com.
Visit this group at http://groups.google.com/group/foreman-users.
For more options, visit https://groups.google.com/d/optout.

–
You received this message because you are subscribed to the Google
Groups “Foreman users” group.
To unsubscribe from this group and stop receiving emails from it, send
an email to foreman-user...@googlegroups.com.
To post to this group, send email to forema...@googlegroups.com.
Visit this group at http://groups.google.com/group/foreman-users.
For more options, visit https://groups.google.com/d/optout.

–
You received this message because you are subscribed to the Google Groups
"Foreman users" group.
To unsubscribe from this group and stop receiving emails from it, send an
email to foreman-user...@googlegroups.com <javascript:>.
To post to this group, send email to forema...@googlegroups.com
<javascript:>.
Visit this group at http://groups.google.com/group/foreman-users.
For more options, visit https://groups.google.com/d/optout.

I really appreciate your help.

You’re right, it’s just because i generate them on the puppetCA server,
the private key is not needed on the server side.

Can you try this command in the /var/lib/puppet/ssl directory and check
if the modulus output are the same ?

openssl rsa -noout -modulus -in private_keys/ns1.uctechnology.ucdavis.edu
.pem
openssl x509 -noout -modulus -in certs/ns1.uctechnology.ucdavis.edu.pem

Can you also check :
openssl verify -verbose -CAfile certs/ca.pem certs/ns1.uctechnology.
ucdavis.edu.pem

It should return OK

If modulus are not the same or if the last return any other message than
ok, you have something wrong on certificate, on the DNS side.

You can also do the last command with the certs/ca*.pem on the server
side to see if it’s not on the server side.*

As I mentioned before I didn’t execute 'cert generate ns1.domain.name
http://ns1.domain.name’ command on my Puppet server because my DNS
server is managed by Puppet already.

Thank you for your help.

Puppet server has private key. When you do a puppet cert generate on
the puppetCA, you have 3 files : cert, private key and public key. Please
ensure both private keys are the same : eg PuppetCA and DNS Server by
viewing them in a text editor.

It works exactly the same way as generating a self signed certificate
by hand.

So my question for Konstantin: what directory you copy cert/private
key from client? Do you point to this directory in Foreman proxy settings
file?

Claude, did you install you foreman-proxy with foreman installer? I
used a rpm package. foreman-proxy-1.7.1-1.el6.noarch

I tried to restart foreman proxy many times on my DNS server, it
didn’t help. The problem is definitely related with my installation on DNS
server, because I cannot successfully test it with curl even from localhost
(my DNS server).

I don’t have any errors in my proxy.log file on both machines.

My DNS server:
W, [2015-01-15T08:51:01.885364 #4180] WARN – : Couldn’t find
settings file /etc/foreman-proxy/settings.d/foreman_proxy.yml. Using
default settings.
I, [2015-01-15T08:51:01.886431 #4180] INFO – : 'foreman_proxy’
settings were initialized with default values: :enabled: true
I, [2015-01-15T08:51:01.894369 #4180] INFO – : ‘facts’ module is
disabled.
I, [2015-01-15T08:51:01.902487 #4180] INFO – : ‘templates’ module
is disabled.
I, [2015-01-15T08:51:01.903152 #4180] INFO – : ‘tftp’ module is
disabled.
I, [2015-01-15T08:51:01.903619 #4180] INFO – : ‘dhcp’ module is
disabled.
I, [2015-01-15T08:51:01.904281 #4180] INFO – : ‘puppetca’ module is
disabled.
I, [2015-01-15T08:51:01.905342 #4180] INFO – : ‘puppet’ module is
disabled.
I, [2015-01-15T08:51:01.905923 #4180] INFO – : ‘bmc’ module is
disabled.
I, [2015-01-15T08:51:01.906660 #4180] INFO – : ‘realm’ module is
disabled.

My Puppet server:
I, [2015-01-15T08:43:21.601876 #11151] INFO – : 'foreman_proxy’
settings were initialized with default values: :enabled: true
I, [2015-01-15T08:43:21.685245 #11151] INFO – : ‘facts’ module is
disabled.
I, [2015-01-15T08:43:21.705146 #11151] INFO – : ‘templates’ module
is disabled.
I, [2015-01-15T08:43:21.752811 #11151] INFO – : ‘dhcp’ settings
were initialized with default values: :dhcp_provider: isc
I, [2015-01-15T08:43:24.446693 #11151] INFO – : ‘puppet’ settings
were initialized with default values: :puppetdir: /etc/puppet
I, [2015-01-15T08:43:24.652776 #11151] INFO – : ‘realm’ module is
disabled.

Only errors which I can see:

on my DNS server when I start foreman-proxy in foreground mode and
try to safe proxy on my Puppet server:

[2015-01-15 08:51:42] ERROR OpenSSL::SSL::SSLError:
SSL_CTX_use_PrivateKey:: key values mismatch
/usr/lib/ruby/1.8/openssl/ssl-internal.rb:172:in `initialize’

on my Puppet server in foreman/production.log file:

Unable to communicate with the proxy: ERF12-2530
[ProxyAPI::ProxyException]: Unable to detect features
([OpenSSL::SSL::SSLError]: SSL_connect SYSCALL returned=5 errno=0
state=SSLv2/v3 read server hello A) for proxy
https://ns1.domain.name:8443/features
https://ns1.domain.name:8443/features
Please check the proxy is configured and running on the host.

I’m using it without SSL for now but it is not what I want

On Thursday, January 15, 2015 at 2:32:29 AM UTC-8, claude juif wrote:

Hi Konstantin,

I actually have 2 smart proxies linked to my foreman instance and
it’s working really well.

What is the exact error you had ? What do you mean by exchange the
SSL between all proxies ?

Basically on the puppetCA(foreman) server, you have to generate a
certificate for all of your proxies. Copied them over to each proxy.
(ca.pem, hostname-key.pem, hostname-cert.pem).

On each proxy you also need to add the trusted host parameters
pointing to your foreman instance.

By the way, how didi you install foreman proxy ? With the
foreman-installer ? or with packages ?

Regards,

2015-01-15 2:25 GMT+01:00 ‘Konstantin Orekhov’ via Foreman users <
forema...@googlegroups.com>:

We have the same problem. First we noticed that back when we ran
Foreman 1.4.x (do not have data for earlier versions as we didn’t have
multiple proxies at that time), but all subsequent versions (running 1.7.1
now) have the same problem.

It appears that adding a new proxy somehow invalidates the certs of
previously configured proxies from Foreman perspective as if it expects
all proxies to have a cert of that lastly-added one. Basically, none of
the previous proxies work now - one can click
It is very strange and it does not seem to be really cert-related,
but more like a logic somewhere in Foreman code that deals with proxies,
IMHO. Using the proposed curl verification method, I can talk over SSL to
any of the proxies, but Foreman would complain that cert is missing:

[root@ppm01 ~]# curl --cacert /var/lib/puppet/ssl/certs/ca.pem
–cert /var/lib/puppet/ssl/certs/hostname -f.pem --key
/var/lib/puppet/ssl/private_keys/hostname -f.pem -H
"Content-Type: application/json" -H "Accept:application/json"
https://ppm01.mydomain:8443/features
[“abrt”,“bmc”,“puppet”]

[root@ppm01 ~]# curl --cacert /var/lib/puppet/ssl/certs/ca.pem
–cert /var/lib/puppet/ssl/certs/hostname -f.pem --key
/var/lib/puppet/ssl/private_keys/hostname -f.pem -H
"Content-Type: application/json" -H "Accept:application/json"
https://ppm02.mydomain:8443/features
[“abrt”,“bmc”,“puppet”]

[root@ppm01 ~]# curl --cacert /var/lib/puppet/ssl/certs/ca.pem
–cert /var/lib/puppet/ssl/certs/hostname -f.pem --key
/var/lib/puppet/ssl/private_keys/hostname -f.pem -H
"Content-Type: application/json" -H "Accept:application/json"
https://ppm03.mydomain:8443/features
[“abrt”,“bmc”,“puppet”]

The only way to workaround this issue I found so far is to exchange
the SSL (both public and private) keys and certs between all proxies, which
is obviously not a proper thing to do.

Please let me if I misunderstand or missing something here.
Thanks!

–
You received this message because you are subscribed to the Google
Groups “Foreman users” group.
To unsubscribe from this group and stop receiving emails from it,
send an email to foreman-user...@googlegroups.com.
To post to this group, send email to forema...@googlegroups.com.
Visit this group at http://groups.google.com/group/foreman-users.
For more options, visit https://groups.google.com/d/optout.

–
You received this message because you are subscribed to the Google
Groups “Foreman users” group.
To unsubscribe from this group and stop receiving emails from it, send
an email to foreman-user...@googlegroups.com.
To post to this group, send email to forema...@googlegroups.com.
Visit this group at http://groups.google.com/group/foreman-users.
For more options, visit https://groups.google.com/d/optout.

–
You received this message because you are subscribed to the Google
Groups “Foreman users” group.
To unsubscribe from this group and stop receiving emails from it, send
an email to foreman-user...@googlegroups.com.
To post to this group, send email to forema...@googlegroups.com.
Visit this group at http://groups.google.com/group/foreman-users.
For more options, visit https://groups.google.com/d/optout.

–
You received this message because you are subscribed to the Google Groups
"Foreman users" group.
To unsubscribe from this group and stop receiving emails from it, send an
email to foreman-users+unsubscribe@googlegroups.com.
To post to this group, send email to foreman-users@googlegroups.com.
Visit this group at http://groups.google.com/group/foreman-users.
For more options, visit https://groups.google.com/d/optout.