Unable to add a new remote smart proxy in Foreman (ERROR key values mismatch)

Hi all,

I have successfully installed Foreman and foreman-proxy on my Puppet
server (CentOS 6.6) and integrated them. This machine has the following
smart proxy features: TFTP, DNS, DHCP, Puppet, Puppet CA, and BMC.
I have DNS installed on another machine (CentOS 6.6, bind). I installed
foreman-proxy on my DNS machine. I was able to add the smart proxy from my DNS
machine in my Foreman UI on my Puppet server without SSL.

When I try to add it with SSL I get the following error in the
/var/log/foreman/production.log file on my Puppet server:

Failed to save: Unable to communicate with the proxy: ERF12-2530
[ProxyAPI::ProxyException]: Unable to detect features
([OpenSSL::SSL::SSLError]: SSL_connect SYSCALL returned=5 errno=0
state=SSLv2/v3 read server hello A) for proxy
https://hostname:8443/features, Please check the proxy is configured and
running on the host.

On the other side on my DNS server using foreman-proxy in foreground mode I
can see:

[2015-01-14 11:25:41] ERROR OpenSSL::SSL::SSLError: SSL_CTX_use_PrivateKey:: key values mismatch
    /usr/lib/ruby/1.8/openssl/ssl-internal.rb:172:in `initialize'

My DNS server is managed by my Puppet server. The certificate is signed by
the Puppet server.

It looks like a permission issue on my DNS server (because the local smart
proxy on the Puppet server works). What I checked on my DNS server:

cat /etc/foreman-proxy/settings.yml

:ssl_certificate: /var/lib/puppet/ssl/certs/ca.pem
:ssl_ca_file: /var/lib/puppet/ssl/certs/hostname.pem
:ssl_private_key: /var/lib/puppet/ssl/private_keys/hostname.pem
# Hosts which the proxy accepts connections from
# commenting the following lines would mean every verified SSL connection allowed
#:trusted_hosts: (I tried with localhost and Puppet server)

:https_port: 8443

id foreman-proxy
uid=494(foreman-proxy) gid=494(foreman-proxy) groups=494(foreman-proxy),52(puppet)

ls -la /var/lib/puppet/ssl/certs/hostname.pem
-rw-r--r-- 1 puppet puppet 1992 Jan 14 10:02 /var/lib/puppet/ssl/certs/hostname.pem

ls -la /var/lib/puppet/ssl/private_keys/hostname.pem
-rw-r----- 1 puppet puppet 3243 Jan 14 10:00 /var/lib/puppet/ssl/private_keys/hostname.pem

ls -la /var/lib/puppet/ssl/
drwxr-x--- 2 puppet puppet 4096 Jan 14 10:00 private_keys

I tried with the firewall stopped as well. The same result.
I don't have a foreman user on my DNS server, only foreman-proxy.

My foreman-proxy versions are:
On Puppet server: foreman-proxy-1.7.0-1.el6.noarch
On DNS server: foreman-proxy-1.7.1-1.el6.noarch

On my DNS server (the same result with the -k flag):

curl -v --cert /var/lib/puppet/ssl/certs/hostname.pem --key /var/lib/puppet/ssl/private_keys/hostname.pem https://hostname:8443/features
* About to connect() to hostname port 8443 (#0)
*   Trying 132.249.232.5... connected
* Connected to nostname (ip-address) port 8443 (#0)
* Initializing NSS with certpath: sql:/etc/pki/nssdb
*   CAfile: /etc/pki/tls/certs/ca-bundle.crt
  CApath: none
* NSS error -5938
* Closing connection #0
* SSL connect error
curl: (35) SSL connect error

I'd appreciate any help.
Thanks.
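As an added diagnostic example (not code from this thread or from the smart-proxy project), the Ruby script below generates a throwaway CA and host certificate, writes them to a temporary directory, and loads them through the three settings.yml keys the way the proxy does. It reproduces the proxy's "SSL_CTX_use_PrivateKey" error, which OpenSSL raises whenever the private key does not belong to the certificate named by :ssl_certificate (pointing that key at ca.pem, as in the settings.yml above, does exactly that), and separates it from the file-permission case the poster suspected. The hostnames, the temporary directory and the file names are constructed placeholders.

```ruby
# Added example (not smart-proxy code): reproduce the proxy's
# "SSL_CTX_use_PrivateKey:: key values mismatch" offline and show the checks
# that separate a swapped :ssl_certificate/:ssl_ca_file from a file the
# foreman-proxy user cannot read. CA, host key, hostnames and the temporary
# directory are all constructed here, not real Puppet output.
require 'openssl'
require 'tmpdir'
require 'fileutils'

# Minimal X.509 issuance: self-signed when issuer_cert is nil, otherwise signed by the issuer.
def make_cert(subject, key, issuer_cert, issuer_key)
  cert = OpenSSL::X509::Certificate.new
  cert.version = 2
  cert.serial = rand(1..2**31)
  cert.subject = OpenSSL::X509::Name.parse(subject)
  cert.issuer = issuer_cert ? issuer_cert.subject : cert.subject
  cert.public_key = key.public_key
  cert.not_before = Time.now - 60
  cert.not_after = Time.now + 86_400
  cert.sign(issuer_key, OpenSSL::Digest.new('SHA256'))
  cert
end

CA_KEY    = OpenSSL::PKey::RSA.new(2048)
CA_CERT   = make_cert('/CN=Puppet CA: puppet.example.test', CA_KEY, nil, CA_KEY)
HOST_KEY  = OpenSSL::PKey::RSA.new(2048)
HOST_CERT = make_cert('/CN=dns.example.test', HOST_KEY, CA_CERT, CA_KEY)

# Lay the files out like /var/lib/puppet/ssl so the checker reads paths, as the proxy does.
SSL_DIR = Dir.mktmpdir('proxy-ssl')
at_exit { FileUtils.remove_entry(SSL_DIR) }
File.write(File.join(SSL_DIR, 'ca.pem'), CA_CERT.to_pem)
File.write(File.join(SSL_DIR, 'hostname.pem'), HOST_CERT.to_pem)
File.write(File.join(SSL_DIR, 'hostname-key.pem'), HOST_KEY.to_pem)

# The shape of the settings.yml posted above: :ssl_certificate names ca.pem
# and :ssl_ca_file names the host certificate.
SWAPPED = {
  ssl_certificate: File.join(SSL_DIR, 'ca.pem'),
  ssl_ca_file:     File.join(SSL_DIR, 'hostname.pem'),
  ssl_private_key: File.join(SSL_DIR, 'hostname-key.pem')
}.freeze

# Same three files, each under the key the proxy expects.
CORRECT = {
  ssl_certificate: File.join(SSL_DIR, 'hostname.pem'),
  ssl_ca_file:     File.join(SSL_DIR, 'ca.pem'),
  ssl_private_key: File.join(SSL_DIR, 'hostname-key.pem')
}.freeze

# Returns a list of problems; an empty list means the three files form a consistent set.
def check_ssl_settings(s)
  begin
    cert = OpenSSL::X509::Certificate.new(File.read(s[:ssl_certificate]))
    key  = OpenSSL::PKey.read(File.read(s[:ssl_private_key]))
    ca   = OpenSSL::X509::Certificate.new(File.read(s[:ssl_ca_file]))
  rescue SystemCallError => e
    # EACCES/ENOENT here is the permission case: run this as the foreman-proxy user to see it.
    return ["cannot read file as uid #{Process.uid}: #{e.message}"]
  end
  problems = []
  problems << 'ssl_private_key does not belong to ssl_certificate (key values mismatch)' unless cert.check_private_key(key)
  problems << 'ssl_ca_file is not self-signed, so it is not a CA certificate' unless ca.issuer == ca.subject && ca.verify(ca.public_key)
  problems << 'ssl_certificate was not issued by ssl_ca_file' unless cert.issuer == ca.subject && cert.verify(ca.public_key)
  problems
end

# Load the pair into an SSLContext the way any Ruby TLS server does; a mismatched
# pair raises the same OpenSSL::SSL::SSLError the proxy logged. Returns the error or nil.
def reproduce_proxy_error(s)
  ctx = OpenSSL::SSL::SSLContext.new
  ctx.cert = OpenSSL::X509::Certificate.new(File.read(s[:ssl_certificate]))
  ctx.key  = OpenSSL::PKey.read(File.read(s[:ssl_private_key]))
  ctx.setup
  nil
rescue OpenSSL::SSL::SSLError => e
  e
end

if __FILE__ == $PROGRAM_NAME
  { 'as posted' => SWAPPED, 'corrected' => CORRECT }.each do |label, s|
    problems = check_ssl_settings(s)
    puts "#{label}: #{problems.empty? ? 'ok' : problems.join('; ')}"
    err = reproduce_proxy_error(s)
    puts "  SSLContext: #{err ? err.message : 'loaded'}"
  end
end
```

Run it as the foreman-proxy user (su -s /bin/sh foreman-proxy) with the real paths substituted to tell a permissions failure from a certificate/key mismatch in one pass.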

We have the same problem. We first noticed it back when we ran Foreman
1.4.x (we have no data for earlier versions as we didn't have multiple
proxies at that time), but all subsequent versions (running 1.7.1 now) have
the same problem.

It appears that adding a new proxy somehow invalidates the certs of
previously configured proxies from Foreman's perspective, as if it expects
all proxies to have the cert of the last-added one. Basically, none of
the previous proxies work now - one can click
It is very strange and it does not seem to be really cert-related, but more
like logic somewhere in the Foreman code that deals with proxies, IMHO. Using
the proposed curl verification method, I can talk over SSL to any of the
proxies, but Foreman complains that the cert is missing:

[root@ppm01 ~]# curl --cacert /var/lib/puppet/ssl/certs/ca.pem --cert /var/lib/puppet/ssl/certs/hostname -f.pem --key /var/lib/puppet/ssl/private_keys/hostname -f.pem -H "Content-Type: application/json" -H "Accept:application/json" https://ppm01.mydomain:8443/features
["abrt","bmc","puppet"]

[root@ppm01 ~]# curl --cacert /var/lib/puppet/ssl/certs/ca.pem --cert /var/lib/puppet/ssl/certs/hostname -f.pem --key /var/lib/puppet/ssl/private_keys/hostname -f.pem -H "Content-Type: application/json" -H "Accept:application/json" https://ppm02.mydomain:8443/features
["abrt","bmc","puppet"]

[root@ppm01 ~]# curl --cacert /var/lib/puppet/ssl/certs/ca.pem --cert /var/lib/puppet/ssl/certs/hostname -f.pem --key /var/lib/puppet/ssl/private_keys/hostname -f.pem -H "Content-Type: application/json" -H "Accept:application/json" https://ppm03.mydomain:8443/features
["abrt","bmc","puppet"]

The only way to work around this issue I have found so far is to exchange the SSL
keys (both public and private) and certs between all proxies, which is
obviously not a proper thing to do.

Please let me know if I misunderstand or am missing something here.
Thanks!

Hi,

Did you copy those certificates from the puppetCA server after generating them?
(using the puppet cert generate command?) It seems you have a private key
mismatch.

Regards

··· 2015-01-14 22:26 GMT+01:00 tyon :

You received this message because you are subscribed to the Google Groups
"Foreman users" group.
To unsubscribe from this group and stop receiving emails from it, send an
email to foreman-users+unsubscribe@googlegroups.com.
To post to this group, send email to foreman-users@googlegroups.com.
Visit this group at http://groups.google.com/group/foreman-users.
For more options, visit https://groups.google.com/d/optout.

I think it would be better for me to start another topic on this as it
appears we have a different issue with proxies.

As far as I understand I don't need to do it manually.
http://theforeman.org/manuals/1.7/index.html#4.3.11SSL

"If the smart proxy host is not managed by Puppet, you will need to generate
a certificate - skip forward to the generate section."

My DNS server is managed by Puppet and already has certs installed.
Anyway, just to double check, I deleted them, sent a request to Puppet, signed
them there and tried again. No good.

Any ideas?

My DNS server is managed by Puppet and already has certificates installed.
I can delete

··· On Wednesday, January 14, 2015 at 1:52:59 PM UTC-8, claude juif wrote:

Can you add the cacert parameter to curl and see if it's working?

curl -v --cacert /var/lib/puppet/ssl/certs/ca.pem --cert /var/lib/puppet/ssl/certs/hostname.pem --key /var/lib/puppet/ssl/private_keys/hostname.pem https://hostname:8443/features

From the output of curl it seems it's using the wrong CA file.

If it works, double check that /etc/foreman-proxy/settings.yml contains the
right path to the cert.

··· 2015-01-14 23:29 GMT+01:00 tyon :

Hi Konstantin,

I actually have 2 smart proxies linked to my Foreman instance and it's
working really well.

What is the exact error you had? What do you mean by exchanging the SSL
between all proxies?

Basically, on the puppetCA (Foreman) server you have to generate a
certificate for each of your proxies and copy them over to each proxy
(ca.pem, hostname-key.pem, hostname-cert.pem).

On each proxy you also need to add the trusted hosts parameter pointing to
your Foreman instance.

By the way, how did you install foreman-proxy? With the foreman-installer
or with packages?

Regards,

··· 2015-01-15 2:25 GMT+01:00 'Konstantin Orekhov' via Foreman users < foreman-users@googlegroups.com>:


Hi Konstantin,

Yes plz feel free to start a new topic so we can help you.

I can't reproduce your problem; I have Foreman 1.7.1 with 2 smart proxies
and no problem with certs or anything else. When I tried to add a third
proxy for testing purposes, it worked straight away.

By the way, what do you mean by exchanging certificates between all proxies?
Basically, I can see no way in which generating a new cert invalidates
previously generated certificates.

··· 2015-01-17 1:35 GMT+01:00 'Konstantin Orekhov' via Foreman users < foreman-users@googlegroups.com>:


Hey claude,

Thank you for your help, but no joy:

curl -v --cacert /var/lib/puppet/ssl/certs/ca.pem --cert /var/lib/puppet/ssl/certs/hostname.pem --key /var/lib/puppet/ssl/private_keys/hostname.pem https://hostname:8443/features
* About to connect() to hostname port 8443 (#0)
*   Trying XXX.XXX.XXX.X... connected
* Connected to hostname (XXX.XXX.XXX.X) port 8443 (#0)
* Initializing NSS with certpath: sql:/etc/pki/nssdb
*   CAfile: /var/lib/puppet/ssl/certs/ca.pem
  CApath: none
* NSS error -5938
* Closing connection #0
* SSL connect error
curl: (35) SSL connect error
··· On Wednesday, January 14, 2015 at 3:45:50 PM UTC-8, claude juif wrote:

I assume puppet agent -t is working, right?

Error -5938 is PR_END_OF_FILE_ERROR:

"This error is only emitted by the SSL library when a read during SSL
handshake returns a 0 byte count, meaning the peer closed the TCP
connection."

I think you should have a look at the server log
(/var/log/foreman/production.log). Something is wrong on the server side.
(No proxy in between?)

And just to be clear, hostname.pem is the DNS FQDN and https://hostname:8443
is https://puppetfqdn:8443?

··· 2015-01-15 0:57 GMT+01:00 tyon :

Hey claude,

thank you for your help, but no joy

curl -v --cacert /var/lib/puppet/ssl/certs/ca.pem --cert
/var/lib/puppet/ssl/certs/hostname.pem --key
/var/lib/puppet/ssl/private_keys/hostname.pem
https://hostname:8443/features

  • About to connect() to hostname port 8443 (#0)
  • Trying XXX.XXX.XXX.X… connected
  • Connected to hostname (XXX.XXX.XXX.X) port 8443 (#0)
  • Initializing NSS with certpath: sql:/etc/pki/nssdb
  • CAfile: /var/lib/puppet/ssl/certs/ca.pem
    CApath: none
  • NSS error -5938
  • Closing connection #0
  • SSL connect error
    curl: (35) SSL connect error

On Wednesday, January 14, 2015 at 3:45:50 PM UTC-8, claude juif wrote:

Can you add the cacert parameter to curl and see if it’s working ? -

curl -v --cacert /var/lib/puppet/ssl/certs/ca.pem --cert
/var/lib/puppet/ssl/certs/hostname.pem --key
/var/lib/puppet/ssl/private_keys/hostname.pem https://hostname:8443/features
https://hostname:8443/features*

From the output of curl it seems it’s using the wrong CA file.

If it works double check that /etc/foreman-proxy/settings.yml contains
the right path to cert

2015-01-14 23:29 GMT+01:00 tyon surb...@ucdavis.edu:

As far as I understand I don’t need to do it manually.
Foreman :: Manual

If the smart proxy host is not managed by Puppet, you will need to
generate a certificate - skip forward to the generate section.

My DNS server is managed by Puppet and already has certs installed.
Anyway just to double check I deleted them, sent request to Puppet, sign
them there and tried again. No good.

Any ideas?

My DNS server is managed by Puppet and already has certificates
installed. I can delete

On Wednesday, January 14, 2015 at 1:52:59 PM UTC-8, claude juif wrote:

Hi,

Did you copy those certificate from puppetCA server after generate them
? (using puppet cert generate command ?) It seems you have a private key
mismatch.

Regards



You received this message because you are subscribed to the Google
Groups “Foreman users” group.
To unsubscribe from this group and stop receiving emails from it, send
an email to foreman-user...@googlegroups.com.
To post to this group, send email to forema...@googlegroups.com.
Visit this group at http://groups.google.com/group/foreman-users.
For more options, visit https://groups.google.com/d/optout.



Hi!

Konstantin, is your problem that you are unable to save a new remote
smart-proxy from the Puppet/Foreman server? Because my local one (on Puppet)
works fine.

Claude, I don't think the Puppet server has the clients' private keys. I can
find only requests and signed certificates on my Puppet server. I think
private keys are generated and saved only on clients. Please correct me if
I'm wrong.

So my question for Konstantin: from which directory on the client do you copy
the cert/private key? Do you point to this directory in the Foreman proxy
settings file?

Claude, did you install your foreman-proxy with the foreman installer? I used
an rpm package: foreman-proxy-1.7.1-1.el6.noarch

I tried to restart foreman-proxy many times on my DNS server; it didn't
help. The problem is definitely related to my installation on the DNS server,
because I cannot successfully test it with curl even from localhost (my DNS
server).

I don't have any errors in my proxy.log file on either machine.

My DNS server:
W, [2015-01-15T08:51:01.885364 #4180]  WARN -- : Couldn't find settings file /etc/foreman-proxy/settings.d/foreman_proxy.yml. Using default settings.
I, [2015-01-15T08:51:01.886431 #4180]  INFO -- : 'foreman_proxy' settings were initialized with default values: :enabled: true
I, [2015-01-15T08:51:01.894369 #4180]  INFO -- : 'facts' module is disabled.
I, [2015-01-15T08:51:01.902487 #4180]  INFO -- : 'templates' module is disabled.
I, [2015-01-15T08:51:01.903152 #4180]  INFO -- : 'tftp' module is disabled.
I, [2015-01-15T08:51:01.903619 #4180]  INFO -- : 'dhcp' module is disabled.
I, [2015-01-15T08:51:01.904281 #4180]  INFO -- : 'puppetca' module is disabled.
I, [2015-01-15T08:51:01.905342 #4180]  INFO -- : 'puppet' module is disabled.
I, [2015-01-15T08:51:01.905923 #4180]  INFO -- : 'bmc' module is disabled.
I, [2015-01-15T08:51:01.906660 #4180]  INFO -- : 'realm' module is disabled.

My Puppet server:
I, [2015-01-15T08:43:21.601876 #11151]  INFO -- : 'foreman_proxy' settings were initialized with default values: :enabled: true
I, [2015-01-15T08:43:21.685245 #11151]  INFO -- : 'facts' module is disabled.
I, [2015-01-15T08:43:21.705146 #11151]  INFO -- : 'templates' module is disabled.
I, [2015-01-15T08:43:21.752811 #11151]  INFO -- : 'dhcp' settings were initialized with default values: :dhcp_provider: isc
I, [2015-01-15T08:43:24.446693 #11151]  INFO -- : 'puppet' settings were initialized with default values: :puppetdir: /etc/puppet
I, [2015-01-15T08:43:24.652776 #11151]  INFO -- : 'realm' module is disabled.

Only errors which I can see:

on my DNS server when I start foreman-proxy in foreground mode and try to
save the proxy on my Puppet server:

[2015-01-15 08:51:42] ERROR OpenSSL::SSL::SSLError:
SSL_CTX_use_PrivateKey:: key values mismatch
/usr/lib/ruby/1.8/openssl/ssl-internal.rb:172:in `initialize'

on my Puppet server in the foreman/production.log file:

Unable to communicate with the proxy: ERF12-2530
[ProxyAPI::ProxyException]: Unable to detect features
([OpenSSL::SSL::SSLError]: SSL_connect SYSCALL returned=5 errno=0
state=SSLv2/v3 read server hello A) for proxy
https://ns1.domain.name:8443/features

Please check the proxy is configured and running on the host.

I'm using it without SSL for now but it is not what I want :(


> Hi!
>
> Konstantin, is your problem that you are unable to save a new remote
> smart-proxy from the Puppet/Foreman server? Because my local one (on Puppet)
> works fine.
>
> Claude, I don't think Puppet server has clients private keys. I can find
> only requests and signed certificates on my Puppet server. I think private
> keys are generated and saved only on clients. Please correct me if I'm
> wrong.
>

The Puppet server has the private key. When you do a puppet cert generate on
the puppetCA, you have 3 files: cert, private key and public key. Please
ensure both private keys are the same, e.g. on the PuppetCA and the DNS
server, by viewing them in a text editor.

It works exactly the same way as generating a self-signed certificate by
hand.
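Comparing the key files by eye, as suggested above, is error-prone; a more reliable check is to load the three files named in /etc/foreman-proxy/settings.yml the way foreman-proxy itself does and test them against each other. That also catches the layout quoted earlier in this thread (ca.pem under :ssl_certificate: and the host certificate under :ssl_ca_file:), because OpenSSL's SSL_CTX_use_PrivateKey checks the key against whatever :ssl_certificate: points at and reports "key values mismatch" when it is not that certificate's key. The Ruby below is an added example, not code from this thread or from foreman-proxy; it generates a throwaway CA and host certificate so it runs offline, and the names ns1.example.test, puppet.example.test and all functions are made up.

```ruby
require 'openssl'
require 'yaml'
require 'tmpdir'

# Parse a /etc/foreman-proxy/settings.yml-style document. The file uses
# symbol keys (":ssl_certificate: /path"), which Psych maps to Ruby symbols.
def load_proxy_settings(yaml_text)
  YAML.safe_load(yaml_text, permitted_classes: [Symbol]) || {}
end

# The two checks that decide whether the proxy can bring up its SSL listener:
#   1. the private key must belong to :ssl_certificate (what
#      SSL_CTX_use_PrivateKey enforces; a mismatch is "key values mismatch");
#   2. :ssl_certificate must chain to :ssl_ca_file, otherwise Foreman's client
#      certificate, issued by the same Puppet CA, will not be trusted either.
# Returns an array of problem strings; empty means the files are consistent.
def check_proxy_ssl(settings)
  problems = []
  begin
    cert = OpenSSL::X509::Certificate.new(File.read(settings[:ssl_certificate]))
    key  = OpenSSL::PKey.read(File.read(settings[:ssl_private_key]))
    ca   = OpenSSL::X509::Certificate.new(File.read(settings[:ssl_ca_file]))
  rescue Errno::ENOENT, Errno::EACCES, OpenSSL::OpenSSLError => e
    # Unreadable or unparsable file: run this as the foreman-proxy user to see
    # the files the way the daemon does (the permission angle in this thread).
    return ["cannot load SSL material: #{e.class}: #{e.message}"]
  end

  unless cert.check_private_key(key)
    problems << "key values mismatch: #{settings[:ssl_private_key]} is not the " \
                "private key for #{cert.subject} (#{settings[:ssl_certificate]})"
  end

  store = OpenSSL::X509::Store.new
  store.add_cert(ca)
  unless store.verify(cert)
    problems << "#{cert.subject} does not verify against " \
                "#{settings[:ssl_ca_file]}: #{store.error_string}"
  end
  problems
end

# Constructed test PKI in the Puppet layout (ca.pem, <fqdn>.pem and the host
# private key) so the checks can run offline. Not real certificates.
def make_test_pki(dir, fqdn = 'ns1.example.test')
  ca_key = OpenSSL::PKey::RSA.new(2048)
  ca = OpenSSL::X509::Certificate.new
  ca.version = 2
  ca.serial = 1
  ca.subject = ca.issuer = OpenSSL::X509::Name.parse('/CN=Puppet CA: puppet.example.test')
  ca.public_key = ca_key.public_key
  ca.not_before = Time.now - 60
  ca.not_after = Time.now + 3600
  ef = OpenSSL::X509::ExtensionFactory.new(ca, ca)
  ca.add_extension(ef.create_extension('basicConstraints', 'CA:TRUE', true))
  ca.add_extension(ef.create_extension('keyUsage', 'keyCertSign, cRLSign', true))
  ca.sign(ca_key, OpenSSL::Digest.new('SHA256'))

  host_key = OpenSSL::PKey::RSA.new(2048)
  host = OpenSSL::X509::Certificate.new
  host.version = 2
  host.serial = 2
  host.subject = OpenSSL::X509::Name.parse("/CN=#{fqdn}")
  host.issuer = ca.subject
  host.public_key = host_key.public_key
  host.not_before = Time.now - 60
  host.not_after = Time.now + 3600
  host.sign(ca_key, OpenSSL::Digest.new('SHA256'))

  paths = { ca: "#{dir}/ca.pem", cert: "#{dir}/#{fqdn}.pem", key: "#{dir}/#{fqdn}-key.pem" }
  File.write(paths[:ca], ca.to_pem)
  File.write(paths[:cert], host.to_pem)
  File.write(paths[:key], host_key.to_pem)
  paths
end

# settings.yml text in the layout quoted in this thread (CA cert under
# :ssl_certificate:, host cert under :ssl_ca_file:) and in the corrected one.
def swapped_settings(p)
  ":ssl_certificate: #{p[:ca]}\n:ssl_ca_file: #{p[:cert]}\n" \
  ":ssl_private_key: #{p[:key]}\n:https_port: 8443\n"
end

def correct_settings(p)
  ":ssl_certificate: #{p[:cert]}\n:ssl_ca_file: #{p[:ca]}\n" \
  ":ssl_private_key: #{p[:key]}\n:https_port: 8443\n"
end

if __FILE__ == $0
  Dir.mktmpdir do |dir|
    p = make_test_pki(dir)
    [['as quoted in the thread', swapped_settings(p)],
     ['corrected', correct_settings(p)]].each do |label, yaml|
      problems = check_proxy_ssl(load_proxy_settings(yaml))
      puts "#{label}: #{problems.empty? ? 'OK' : problems.join('; ')}"
    end
  end
end
```

Run it against the real files by feeding File.read('/etc/foreman-proxy/settings.yml') to load_proxy_settings, as the foreman-proxy user.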

··· 2015-01-15 18:12 GMT+01:00 tyon :


On Thursday, January 15, 2015 at 2:32:29 AM UTC-8, claude juif wrote:

Hi Konstantin,

I actually have 2 smart proxies linked to my foreman instance and it’s
working really well.

What is the exact error you had? What do you mean by exchanging the SSL
between all proxies?

Basically on the puppetCA (foreman) server, you have to generate a
certificate for all of your proxies, then copy them over to each proxy
(ca.pem, hostname-key.pem, hostname-cert.pem).

On each proxy you also need to add the trusted host parameters pointing
to your foreman instance.

By the way, how did you install foreman proxy? With the
foreman-installer? Or with packages?

Regards,

2015-01-15 2:25 GMT+01:00 ‘Konstantin Orekhov’ via Foreman users <
forema...@googlegroups.com>:

We have the same problem. First we noticed that back when we ran Foreman
1.4.x (do not have data for earlier versions as we didn’t have multiple
proxies at that time), but all subsequent versions (running 1.7.1 now) have
the same problem.

It appears that adding a new proxy somehow invalidates the certs of
previously configured proxies from Foreman perspective as if it expects
all proxies to have a cert of that lastly-added one. Basically, none of
the previous proxies work now - one can click
It is very strange and it does not seem to be really cert-related, but
more like a logic somewhere in Foreman code that deals with proxies, IMHO.
Using the proposed curl verification method, I can talk over SSL to any of
the proxies, but Foreman would complain that cert is missing:

[root@ppm01 ~]# curl --cacert /var/lib/puppet/ssl/certs/ca.pem --cert
/var/lib/puppet/ssl/certs/`hostname -f`.pem --key
/var/lib/puppet/ssl/private_keys/`hostname -f`.pem -H "Content-Type:
application/json" -H "Accept:application/json"
https://ppm01.mydomain:8443/features
["abrt","bmc","puppet"]

[root@ppm01 ~]# curl --cacert /var/lib/puppet/ssl/certs/ca.pem --cert
/var/lib/puppet/ssl/certs/`hostname -f`.pem --key
/var/lib/puppet/ssl/private_keys/`hostname -f`.pem -H "Content-Type:
application/json" -H "Accept:application/json"
https://ppm02.mydomain:8443/features
["abrt","bmc","puppet"]

[root@ppm01 ~]# curl --cacert /var/lib/puppet/ssl/certs/ca.pem --cert
/var/lib/puppet/ssl/certs/`hostname -f`.pem --key
/var/lib/puppet/ssl/private_keys/`hostname -f`.pem -H "Content-Type:
application/json" -H "Accept:application/json"
https://ppm03.mydomain:8443/features
["abrt","bmc","puppet"]

The only way to workaround this issue I found so far is to exchange the
SSL (both public and private) keys and certs between all proxies, which is
obviously not a proper thing to do.

Please let me know if I misunderstand or am missing something here.
Thanks!



Yes, puppet agent -t works (DNS server)

puppet agent -t
Info: Retrieving pluginfacts
Info: Retrieving plugin
Info: Loading facts
Info: Loading facts
Info: Caching catalog for ns1.domain.name
Info: Applying configuration version '1421279051'
Notice: Finished catalog run in 6.62 seconds

Sorry, I didn't mention it before; my /var/log/foreman/production.log on the
Puppet server:

Parameters: {"utf8"=>"✓",
"authenticity_token"=>"ckB6EqKPnwbAslAaV7YQMIZHysUz6GyJMOJHSNylPgw=",
"smart_proxy"=>{"name"=>"NS-Proxy", "url"=>"https://ns1.domain.name:8443"}}

Failed to save: Unable to communicate with the proxy: ERF12-2530
[ProxyAPI::ProxyException]: Unable to detect features
([OpenSSL::SSL::SSLError]: SSL_connect SYSCALL returned=5 errno=0
state=SSLv2/v3 read server hello A) for proxy
https://ns1.domain.name:8443/features, Please check the proxy is configured
and running on the host.

What do you mean by no proxy between? I have a proxy running on my Puppet
server and on my DNS server. The proxy on the Puppet server works with ssl;
the proxy on the DNS server starts with ssl, but I cannot connect.

I test curl on my DNS server. hostname.pem is the dns fqdn and
https://hostname:8443… is https://dnsfqdn:8443 too. Or do you mean
something else?


If the certificates are good and puppet agent works, I have no idea why this
is not working. Have you tried to restart the foreman-proxy service on the
DNS server?

As you tried curl against the same host and the foreman-proxy reset the TCP
connection, I just want to give it a try.

Can you also give us the result of: grep ERROR
/var/log/foreman-proxy/proxy.log after restart and after trying to register
the proxy again?

··· 2015-01-15 1:50 GMT+01:00 tyon :


On Wednesday, January 14, 2015 at 4:15:26 PM UTC-8, claude juif wrote:

I assume puppet agent -t is working, right?

error -5938 is PR_END_OF_FILE_ERROR.

"This error is only emitted by the SSL library when a read during SSL
handshake returns a 0 byte count, meaning the peer closed the TCP
connection."

I think you should have a look at the server log
(/var/log/foreman/production.log). Something is wrong on the server
side. (No proxy between?)

And just to be clear, hostname.pem is the dns fqdn and https://hostname:8443...
is https://puppetfqdn:8443?

2015-01-15 0:57 GMT+01:00 tyon surb...@ucdavis.edu:

Hey claude,

thank you for your help, but no joy

curl -v --cacert /var/lib/puppet/ssl/certs/ca.pem --cert
/var/lib/puppet/ssl/certs/hostname.pem --key
/var/lib/puppet/ssl/private_keys/hostname.pem
https://hostname:8443/features

  • About to connect() to hostname port 8443 (#0)
  • Trying XXX.XXX.XXX.X… connected
  • Connected to hostname (XXX.XXX.XXX.X) port 8443 (#0)
  • Initializing NSS with certpath: sql:/etc/pki/nssdb
  • CAfile: /var/lib/puppet/ssl/certs/ca.pem
    CApath: none
  • NSS error -5938
  • Closing connection #0
  • SSL connect error
    curl: (35) SSL connect error

On Wednesday, January 14, 2015 at 3:45:50 PM UTC-8, claude juif wrote:

Can you add the cacert parameter to curl and see if it’s working ? -

curl -v --cacert /var/lib/puppet/ssl/certs/ca.pem --cert
/var/lib/puppet/ssl/certs/hostname.pem --key
/var/lib/puppet/ssl/private_keys/hostname.pem https://hostname:8443/features
https://hostname:8443/features*

From the output of curl it seems it’s using the wrong CA file.

If it works double check that /etc/foreman-proxy/settings.yml contains
the right path to cert

2015-01-14 23:29 GMT+01:00 tyon surb...@ucdavis.edu:

As far as I understand I don’t need to do it manually.
Foreman :: Manual

If the smart proxy host is not managed by Puppet, you will need to
generate a certificate - skip forward to the generate section.

My DNS server is managed by Puppet and already has certs installed.
Anyway just to double check I deleted them, sent request to Puppet,
sign them there and tried again. No good.

Any ideas?

My DNS server is managed by Puppet and already has certificates
installed. I can delete

On Wednesday, January 14, 2015 at 1:52:59 PM UTC-8, claude juif wrote:

Hi,

Did you copy those certificate from puppetCA server after generate
them ? (using puppet cert generate command ?) It seems you have a private
key mismatch.

Regards

2015-01-14 22:26 GMT+01:00 tyon surb...@ucdavis.edu:

Hi all,

I have successfully installed Foreman and Foreman-proxy on my Puppet
server(CentOS 6.6) and integrated them. This machine has the following
smart proxy features: TFTP, DNS, DHCP, Puppet, Puppet CA, and BMC
I have DNS installed on another machine (CentOS 6.6, bind). I
installed foreman-proxy on my DNS machine. I was able to add smart proxy
from my DNS machine in my Foreman UI on my puppet server without ssl.

When I try to add it with ssl I have the following errors in the
/var/log/foreman/production.log file on my Puppet server:

Failed to save: Unable to communicate with the proxy: ERF12-2530
[ProxyAPI::ProxyException]: Unable to detect features
([OpenSSL::SSL::SSLError]: SSL_connect SYSCALL returned=5 errno=0
state=SSLv2/v3 read server hello A) for proxy
https://hostname:8443/features, Please check the proxy is configured and
running on the host.

On the other side on my DNS server using foreman-proxy in foreground
mode I can see:

[2015-01-14 11:25:41] ERROR OpenSSL::SSL::SSLError:
SSL_CTX_use_PrivateKey:: key values mismatch

/usr/lib/ruby/1.8/openssl/ssl-internal.rb:172:in `initialize'

My DNS server is managed by my Puppet server. The certificate is
signed by Puppet server.

It looks like a permission issue on my DNS server (because local
smart proxy on Puppet server works). What I checked on my DNS server:

cat /etc/foreman-proxy/settings.yml

:ssl_certificate: /var/lib/puppet/ssl/certs/ca.pem
:ssl_ca_file: /var/lib/puppet/ssl/certs/hostname.pem
:ssl_private_key: /var/lib/puppet/ssl/private_keys/hostname.pem
# Hosts which the proxy accepts connections from
# commenting the following lines would mean every verified SSL connection allowed
#:trusted_hosts: (I tried with localhost and Puppet server)

:https_port: 8443

id foreman-proxy
uid=494(foreman-proxy) gid=494(foreman-proxy) groups=494(foreman-proxy),52(puppet)

ls -la /var/lib/puppet/ssl/certs/hostname.pem
-rw-r--r-- 1 puppet puppet 1992 Jan 14 10:02 /var/lib/puppet/ssl/certs/hostname.pem

ls -la /var/lib/puppet/ssl/private_keys/hostname.pem
-rw-r----- 1 puppet puppet 3243 Jan 14 10:00 /var/lib/puppet/ssl/private_keys/hostname.pem

ls -la /var/lib/puppet/ssl/
drwxr-x--- 2 puppet puppet 4096 Jan 14 10:00 private_keys

I tried with the firewall stopped as well, with the same result.
I don’t have a foreman user on my DNS server, only foreman-proxy.

My foreman-proxy versions are:
On Puppet server: foreman-proxy-1.7.0-1.el6.noarch
On DNS server: foreman-proxy-1.7.1-1.el6.noarch

On my DNS server (the same result with the -k flag):
curl -v --cert /var/lib/puppet/ssl/certs/hostname.pem --key /var/lib/puppet/ssl/private_keys/hostname.pem https://hostname:8443/features
* About to connect() to hostname port 8443 (#0)
*   Trying 132.249.232.5... connected
* Connected to hostname (ip-address) port 8443 (#0)
* Initializing NSS with certpath: sql:/etc/pki/nssdb
*   CAfile: /etc/pki/tls/certs/ca-bundle.crt
  CApath: none
* NSS error -5938
* Closing connection #0
* SSL connect error
curl: (35) SSL connect error

I’d appreciate any help.
Thanks.


You received this message because you are subscribed to the Google
Groups “Foreman users” group.
To unsubscribe from this group and stop receiving emails from it,
send an email to foreman-user...@googlegroups.com.
To post to this group, send email to forema...@googlegroups.com.
Visit this group at http://groups.google.com/group/foreman-users.
For more options, visit https://groups.google.com/d/optout.



> 2015-01-15 18:12 GMT+01:00 tyon <surb...@ucdavis.edu>:
>
>> Hi!
>>
>> Konstantin, is your problem that you are unable to safe a remote new
>> smart-proxy from Puppet/Foreman server? Because my local one (on Puppet)
>> works fine.
>>
>> Claude, I don't think Puppet server has clients private keys. I can find
>> only requests and signed certificates on my Puppet server. I think private
>> keys are generated and saved only on clients. Please correct me if I'm
>> wrong.
>>

Claude, can you please point me to the directory where Puppet server has
clients private keys?
I can see only Puppet private key on my Puppet server:

ls -la /var/lib/puppet/ssl/private_keys/
total 12
drwxr-x--- 2 puppet puppet 4096 Mar 7 2014 .
drwxrwx--x 8 puppet puppet 4096 Oct 24 2013 ..
-rw-r----- 1 puppet puppet 3247 Jan 16 2014 puppet.uctechnology.ucdavis.edu.pem

And of course it's different from my DNS private key.

ls -la /var/lib/puppet/ssl/private_keys/
total 12
drwxr-x--- 2 puppet puppet 4096 Jan 15 11:41 .
drwxrwx--x 7 puppet puppet 4096 Jan 14 14:19 ..
-rw-r----- 1 puppet puppet 3243 Jan 14 14:18 ns1.uctechnology.ucdavis.edu.pem

I didn't find any other private keys on my Puppet server.

As I mentioned before, I didn't execute the 'cert generate ns1.domain.name'
command on my Puppet server because my DNS server is already managed by
Puppet.

Thank you for your help.

On Thursday, January 15, 2015 at 10:45:47 AM UTC-8, claude juif wrote:

Puppet server has the private key. When you do a puppet cert generate on the
puppetCA, you have 3 files: cert, private key and public key. Please
ensure both private keys are the same (e.g. on the PuppetCA and on the DNS
server) by viewing them in a text editor.

It works exactly the same way as generating a self-signed certificate by
hand.

So my question for Konstantin: which directory did you copy the cert/private
key from on the client? Do you point to this directory in the Foreman proxy
settings file?

Claude, did you install your foreman-proxy with the foreman installer? I used
an rpm package: foreman-proxy-1.7.1-1.el6.noarch

I tried to restart foreman proxy many times on my DNS server; it didn’t
help. The problem is definitely related to my installation on the DNS server,
because I cannot successfully test it with curl even from localhost (my DNS
server).

I don’t have any errors in my proxy.log file on either machine.

My DNS server:
W, [2015-01-15T08:51:01.885364 #4180] WARN -- : Couldn't find settings file /etc/foreman-proxy/settings.d/foreman_proxy.yml. Using default settings.
I, [2015-01-15T08:51:01.886431 #4180] INFO -- : 'foreman_proxy' settings were initialized with default values: :enabled: true
I, [2015-01-15T08:51:01.894369 #4180] INFO -- : 'facts' module is disabled.
I, [2015-01-15T08:51:01.902487 #4180] INFO -- : 'templates' module is disabled.
I, [2015-01-15T08:51:01.903152 #4180] INFO -- : 'tftp' module is disabled.
I, [2015-01-15T08:51:01.903619 #4180] INFO -- : 'dhcp' module is disabled.
I, [2015-01-15T08:51:01.904281 #4180] INFO -- : 'puppetca' module is disabled.
I, [2015-01-15T08:51:01.905342 #4180] INFO -- : 'puppet' module is disabled.
I, [2015-01-15T08:51:01.905923 #4180] INFO -- : 'bmc' module is disabled.
I, [2015-01-15T08:51:01.906660 #4180] INFO -- : 'realm' module is disabled.

My Puppet server:
I, [2015-01-15T08:43:21.601876 #11151] INFO -- : 'foreman_proxy' settings were initialized with default values: :enabled: true
I, [2015-01-15T08:43:21.685245 #11151] INFO -- : 'facts' module is disabled.
I, [2015-01-15T08:43:21.705146 #11151] INFO -- : 'templates' module is disabled.
I, [2015-01-15T08:43:21.752811 #11151] INFO -- : 'dhcp' settings were initialized with default values: :dhcp_provider: isc
I, [2015-01-15T08:43:24.446693 #11151] INFO -- : 'puppet' settings were initialized with default values: :puppetdir: /etc/puppet
I, [2015-01-15T08:43:24.652776 #11151] INFO -- : 'realm' module is disabled.

The only errors I can see:

on my DNS server, when I start foreman-proxy in foreground mode and try
to save the proxy on my Puppet server:

[2015-01-15 08:51:42] ERROR OpenSSL::SSL::SSLError:
SSL_CTX_use_PrivateKey:: key values mismatch
/usr/lib/ruby/1.8/openssl/ssl-internal.rb:172:in `initialize'

on my Puppet server in the foreman/production.log file:

Unable to communicate with the proxy: ERF12-2530
[ProxyAPI::ProxyException]: Unable to detect features
([OpenSSL::SSL::SSLError]: SSL_connect SYSCALL returned=5 errno=0
state=SSLv2/v3 read server hello A) for proxy
https://ns1.domain.name:8443/features

Please check the proxy is configured and running on the host.

I’m using it without SSL for now but it is not what I want :frowning:

On Thursday, January 15, 2015 at 2:32:29 AM UTC-8, claude juif wrote:

Hi Konstantin,

I actually have 2 smart proxies linked to my foreman instance and it’s
working really well.

What is the exact error you had? What do you mean by exchanging the SSL
between all proxies?

Basically, on the puppetCA (foreman) server, you have to generate a
certificate for each of your proxies, then copy them over to each proxy
(ca.pem, hostname-key.pem, hostname-cert.pem).

On each proxy you also need to add the trusted host parameter pointing
to your foreman instance.

By the way, how did you install foreman proxy? With the
foreman-installer, or with packages?

Regards,

2015-01-15 2:25 GMT+01:00 ‘Konstantin Orekhov’ via Foreman users <forema...@googlegroups.com>:

We have the same problem. First we noticed that back when we ran
Foreman 1.4.x (do not have data for earlier versions as we didn’t have
multiple proxies at that time), but all subsequent versions (running 1.7.1
now) have the same problem.

It appears that adding a new proxy somehow invalidates the certs of
previously configured proxies from Foreman perspective as if it expects
all proxies to have a cert of that lastly-added one. Basically, none of
the previous proxies work now - one can click
It is very strange and it does not seem to be really cert-related, but
more like a logic somewhere in Foreman code that deals with proxies, IMHO.
Using the proposed curl verification method, I can talk over SSL to any of
the proxies, but Foreman would complain that cert is missing:

[root@ppm01 ~]# curl --cacert /var/lib/puppet/ssl/certs/ca.pem --cert /var/lib/puppet/ssl/certs/`hostname -f`.pem --key /var/lib/puppet/ssl/private_keys/`hostname -f`.pem -H "Content-Type: application/json" -H "Accept:application/json" https://ppm01.mydomain:8443/features
["abrt","bmc","puppet"]

[root@ppm01 ~]# curl --cacert /var/lib/puppet/ssl/certs/ca.pem --cert /var/lib/puppet/ssl/certs/`hostname -f`.pem --key /var/lib/puppet/ssl/private_keys/`hostname -f`.pem -H "Content-Type: application/json" -H "Accept:application/json" https://ppm02.mydomain:8443/features
["abrt","bmc","puppet"]

[root@ppm01 ~]# curl --cacert /var/lib/puppet/ssl/certs/ca.pem --cert /var/lib/puppet/ssl/certs/`hostname -f`.pem --key /var/lib/puppet/ssl/private_keys/`hostname -f`.pem -H "Content-Type: application/json" -H "Accept:application/json" https://ppm03.mydomain:8443/features
["abrt","bmc","puppet"]

The only way to workaround this issue I found so far is to exchange the
SSL (both public and private) keys and certs between all proxies, which is
obviously not a proper thing to do.

Please let me know if I misunderstand or am missing something here.
Thanks!



>>> Hi!
>>>
>>> Konstantin, is your problem that you are unable to safe a remote new
>>> smart-proxy from Puppet/Foreman server? Because my local one (on Puppet)
>>> works fine.
>>>
>>> Claude, I don't think Puppet server has clients private keys. I can find
>>> only requests and signed certificates on my Puppet server. I think private
>>> keys are generated and saved only on clients. Please correct me if I'm
>>> wrong.
>>>
>>
> Claude, can you please point me to the directory where Puppet server has
> clients private keys?
> I can see only Puppet private key on my Puppet server:
>
> ls -la /var/lib/puppet/ssl/private_keys/
> total 12
> drwxr-x--- 2 puppet puppet 4096 Mar 7 2014 .
> drwxrwx--x 8 puppet puppet 4096 Oct 24 2013 ..
> -rw-r----- 1 puppet puppet 3247 Jan 16 2014 puppet.uctechnology.ucdavis.edu.pem
>
> And of course it's different from my DNS private key.
>
> ls -la /var/lib/puppet/ssl/private_keys/
> total 12
> drwxr-x--- 2 puppet puppet 4096 Jan 15 11:41 .
> drwxrwx--x 7 puppet puppet 4096 Jan 14 14:19 ..
> -rw-r----- 1 puppet puppet 3243 Jan 14 14:18 ns1.uctechnology.ucdavis.edu.pem
>
> I didn't find any other private keys on my Puppet server.

You're right, it's just because I generate them on the puppetCA server; the
private key is not needed on the server side.

Can you try these commands in the /var/lib/puppet/ssl directory and check if
the modulus outputs are the same?

openssl rsa -noout -modulus -in private_keys/ns1.uctechnology.ucdavis.edu.pem
openssl x509 -noout -modulus -in certs/ns1.uctechnology.ucdavis.edu.pem

Can you also check:
openssl verify -verbose -CAfile certs/ca.pem certs/ns1.uctechnology.ucdavis.edu.pem

It should return OK.

If the moduli are not the same, or if the last command returns any message
other than OK, something is wrong with the certificate on the DNS side.

You can also run the last command with certs/ca*.pem on the server side to
see whether the problem is on the server side.


> 2015-01-15 20:57 GMT+01:00 tyon <surb...@ucdavis.edu>:
>
>>>> Hi!
>>>>
>>>> Konstantin, is your problem that you are unable to safe a remote new
>>>> smart-proxy from Puppet/Foreman server? Because my local one (on Puppet)
>>>> works fine.
>>>>
>>>> Claude, I don't think Puppet server has clients private keys. I can
>>>> find only requests and signed certificates on my Puppet server. I think
>>>> private keys are generated and saved only on clients. Please correct me if
>>>> I'm wrong.
>>>>
>>>
>> Claude, can you please point me to the directory where Puppet server has
>> clients private keys?
>> I can see only Puppet private key on my Puppet server:
>>
>> ls -la /var/lib/puppet/ssl/private_keys/
>> total 12
>> drwxr-x--- 2 puppet puppet 4096 Mar 7 2014 .
>> drwxrwx--x 8 puppet puppet 4096 Oct 24 2013 ..
>> -rw-r----- 1 puppet puppet 3247 Jan 16 2014 puppet.uctechnology.ucdavis.edu.pem
>>
>> And of course it's different from my DNS private key.
>>
>> ls -la /var/lib/puppet/ssl/private_keys/
>> total 12
>> drwxr-x--- 2 puppet puppet 4096 Jan 15 11:41 .
>> drwxrwx--x 7 puppet puppet 4096 Jan 14 14:19 ..
>> -rw-r----- 1 puppet puppet 3243 Jan 14 14:18 ns1.uctechnology.ucdavis.edu.pem
>>
>> I didn't find any other private keys on my Puppet server.

I just checked on both sides. The moduli are the same and the output is OK.

Claude, you mentioned you have a working installation. How did you install
your proxy (package, foreman-installer)? Was your node managed by Puppet
before you installed the proxy there?

What's your foreman-proxy/settings.yml on the client side?

I really appreciate your help.


>>>>> Hi!
>>>>>
>>>>> Konstantin, is your problem that you are unable to safe a remote new
>>>>> smart-proxy from Puppet/Foreman server? Because my local one (on Puppet)
>>>>> works fine.
>>>>>
>>>>> Claude, I don't think Puppet server has clients private keys. I can
>>>>> find only requests and signed certificates on my Puppet server. I think
>>>>> private keys are generated and saved only on clients. Please correct me if
>>>>> I'm wrong.
>>>>>
>>>>
>>> Claude, can you please point me to the directory where Puppet server
>>> has clients private keys?
>>> I can see only Puppet private key on my Puppet server:
>>>
>>> ls -la /var/lib/puppet/ssl/private_keys/
>>> total 12
>>> drwxr-x--- 2 puppet puppet 4096 Mar 7 2014 .
>>> drwxrwx--x 8 puppet puppet 4096 Oct 24 2013 ..
>>> -rw-r----- 1 puppet puppet 3247 Jan 16 2014 puppet.uctechnology.ucdavis.edu.pem
>>>
>>> And of course it's different from my DNS private key.
>>>
>>> ls -la /var/lib/puppet/ssl/private_keys/
>>> total 12
>>> drwxr-x--- 2 puppet puppet 4096 Jan 15 11:41 .
>>> drwxrwx--x 7 puppet puppet 4096 Jan 14 14:19 ..
>>> -rw-r----- 1 puppet puppet 3243 Jan 14 14:18 ns1.uctechnology.ucdavis.edu.pem
>>>
>>> I didn't find any other private keys on my Puppet server.
>>>
>>
>>
> I just checked on both sides. The moduli are the same and the output is OK.
>
> Claude, you mentioned you have a working installation. How did you install
> your proxy? (package, foreman-installer?) Was your node managed by Puppet
> before you installed the proxy there?
>
> What's your foreman-proxy/settings.yml on the client side?
>

I installed via foreman-installer as described in the Foreman manual,
but I generated the certificates using the puppet cert generate command and
moved them, because my foreman-proxy host is not managed by Puppet.

Foreman version is 1.7.1. My settings.yml is pretty much the same as
yours; I've just added a trusted host.

### File managed with puppet ###
## Module: 'foreman_proxy'

:settings_directory: /etc/foreman-proxy/settings.d

# SSL Setup
# if enabled, all communication would be verified via SSL
# NOTE that both certificates need to be signed by the same CA in order for this
# to work
# see http://theforeman.org/projects/smart-proxy/wiki/SSL for more information
:ssl_ca_file: /var/lib/puppet/ssl/certs/ca.pem
:ssl_certificate: /var/lib/puppet/ssl/certs/fm-proxy.domain.pem
:ssl_private_key: /var/lib/puppet/ssl/private_keys/fm-proxy.domain.pem

# the hosts which the proxy accepts connections from
# commenting the following lines would mean every verified SSL connection allowed
:trusted_hosts:
  - puppet.domain

And finally, when you say:

:ssl_certificate: /var/lib/puppet/ssl/certs/ca.pem <-- You should write hostname.pem here
:ssl_ca_file: /var/lib/puppet/ssl/certs/hostname.pem <-- and ca.pem here
:ssl_private_key: /var/lib/puppet/ssl/private_keys/hostname.pem

But maybe it is just a typo.
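An added example (mine, not code from this thread or from the smart-proxy project): a Ruby script that runs the three checks this thread performs by hand with openssl(1), against the PEM contents of the three paths in settings.yml. It builds a throwaway CA and a host certificate signed by it in memory as constructed test material (not real Puppet CA output); the function names check_proxy_ssl, check_settings_file, build_test_material and the CN values are assumptions of the example. The first check is the one OpenSSL itself runs when the proxy loads the key into its SSL context: "key values mismatch" means the public key inside :ssl_certificate is not the one belonging to :ssl_private_key, which is exactly what happens when ca.pem is placed in :ssl_certificate.

```ruby
require 'openssl'
require 'yaml'

# Build an X.509 certificate for +key+, signed by +issuer_key+ (self-signed
# when no issuer is given).  Only used to construct test material here.
def make_cert(common_name, key, issuer_cert: nil, issuer_key: nil, ca: false)
  cert = OpenSSL::X509::Certificate.new
  cert.version = 2
  cert.serial = OpenSSL::BN.rand(64)
  cert.subject = OpenSSL::X509::Name.new([['CN', common_name]])
  cert.issuer = issuer_cert ? issuer_cert.subject : cert.subject
  cert.public_key = key.public_key
  cert.not_before = Time.now - 60
  cert.not_after = Time.now + 3600
  ef = OpenSSL::X509::ExtensionFactory.new(issuer_cert || cert, cert)
  cert.add_extension(ef.create_extension('basicConstraints', ca ? 'CA:TRUE' : 'CA:FALSE', true))
  cert.sign(issuer_key || key, OpenSSL::Digest.new('SHA256'))
  cert
end

# Constructed test material: a stand-in "Puppet CA" and a host certificate it
# signed, as a puppet agent on ns1 would hold after its CSR was signed.
def build_test_material
  ca_key   = OpenSSL::PKey::RSA.new(2048)
  host_key = OpenSSL::PKey::RSA.new(2048)
  ca   = make_cert('Puppet CA: puppet.example.test', ca_key, ca: true)
  host = make_cert('ns1.example.test', host_key, issuer_cert: ca, issuer_key: ca_key)
  { ca: ca.to_pem, host: host.to_pem, host_key: host_key.to_pem }
end

# The checks the thread does by hand, on the PEM contents of :ssl_ca_file,
# :ssl_certificate and :ssl_private_key.  Returns an array of problem
# strings; an empty array means the three files are consistent.
def check_proxy_ssl(ca_pem, cert_pem, key_pem)
  problems = []
  ca   = OpenSSL::X509::Certificate.new(ca_pem)
  cert = OpenSSL::X509::Certificate.new(cert_pem)
  key  = OpenSSL::PKey.read(key_pem)

  # Same comparison as `openssl rsa -modulus` vs `openssl x509 -modulus`, and
  # the check SSL_CTX_use_PrivateKey performs when the proxy loads the key;
  # failure there is what the proxy logs as "key values mismatch".
  unless cert.check_private_key(key)
    problems << 'ssl_private_key does not match ssl_certificate (key values mismatch)'
  end

  # A CA certificate in :ssl_certificate is the usual sign that
  # :ssl_certificate and :ssl_ca_file were swapped.
  bc = cert.extensions.find { |e| e.oid == 'basicConstraints' }
  if bc && bc.value.include?('CA:TRUE')
    problems << 'ssl_certificate is a CA certificate; expected the host certificate'
  end

  # Equivalent of `openssl verify -CAfile certs/ca.pem certs/hostname.pem`.
  store = OpenSSL::X509::Store.new
  store.add_cert(ca)
  unless store.verify(cert)
    problems << "ssl_certificate does not chain to ssl_ca_file (#{store.error_string})"
  end
  problems
end

# Apply the checks to a real settings.yml (symbol keys, as smart-proxy uses).
def check_settings_file(path = '/etc/foreman-proxy/settings.yml')
  s = YAML.safe_load(File.read(path), permitted_classes: [Symbol])
  check_proxy_ssl(File.read(s[:ssl_ca_file]),
                  File.read(s[:ssl_certificate]),
                  File.read(s[:ssl_private_key]))
end

if __FILE__ == $PROGRAM_NAME
  m = build_test_material
  # The settings.yml from the original post: ca.pem in :ssl_certificate and
  # the host certificate in :ssl_ca_file.
  puts 'swapped:   ' + check_proxy_ssl(m[:host], m[:ca], m[:host_key]).inspect
  # The corrected layout from the reply above.
  puts 'corrected: ' + check_proxy_ssl(m[:ca], m[:host], m[:host_key]).inspect
end
```

Run as a script it reports all three problems for the swapped layout and nothing for the corrected one. On a real proxy host, call check_settings_file as the foreman-proxy user rather than root: the private key under /var/lib/puppet/ssl/private_keys is mode 0640 and group-owned by puppet, so a permission problem then surfaces as an exception instead of a false pass.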

2015-01-15 23:22 GMT+01:00 tyon:
> On Thursday, January 15, 2015 at 2:10:02 PM UTC-8, claude juif wrote:
>> 2015-01-15 20:57 GMT+01:00 tyon:
>>> On Thursday, January 15, 2015 at 10:45:47 AM UTC-8, claude juif wrote:
>>>> 2015-01-15 18:12 GMT+01:00 tyon:

I really appreciate your help.

You're right, it's just because I generated them on the puppetCA server;
the private key is not needed on the server side.

Can you try these commands in the /var/lib/puppet/ssl directory and check
if the modulus outputs are the same?

openssl rsa -noout -modulus -in private_keys/ns1.uctechnology.ucdavis.edu.pem
openssl x509 -noout -modulus -in certs/ns1.uctechnology.ucdavis.edu.pem

Can you also check:
openssl verify -verbose -CAfile certs/ca.pem certs/ns1.uctechnology.ucdavis.edu.pem

It should return OK.

If the moduli are not the same, or if the last command returns any message
other than OK, something is wrong with the certificate on the DNS side.

You can also run the last command with the certs/ca*.pem on the server
side to see whether the problem is on the server side.

As I mentioned before, I didn't execute the 'cert generate ns1.domain.name'
command on my Puppet server because my DNS server is managed by Puppet
already.

Thank you for your help.

The Puppet server has the private key. When you do a puppet cert generate on
the puppetCA, you get 3 files: cert, private key and public key. Please
ensure both private keys are the same, e.g. on the PuppetCA and the DNS server, by
viewing them in a text editor.

It works exactly the same way as generating a self signed certificate
by hand.

So my question for Konstantin: from what directory do you copy the cert/private
key on the client? Do you point to this directory in the Foreman proxy settings
file?

Claude, did you install your foreman-proxy with the foreman installer? I
used an rpm package: foreman-proxy-1.7.1-1.el6.noarch

I tried to restart foreman proxy many times on my DNS server, it
didn’t help. The problem is definitely related with my installation on DNS
server, because I cannot successfully test it with curl even from localhost
(my DNS server).

I don’t have any errors in my proxy.log file on both machines.

My DNS server:
W, [2015-01-15T08:51:01.885364 #4180] WARN -- : Couldn't find settings file /etc/foreman-proxy/settings.d/foreman_proxy.yml. Using default settings.
I, [2015-01-15T08:51:01.886431 #4180] INFO -- : 'foreman_proxy' settings were initialized with default values: :enabled: true
I, [2015-01-15T08:51:01.894369 #4180] INFO -- : 'facts' module is disabled.
I, [2015-01-15T08:51:01.902487 #4180] INFO -- : 'templates' module is disabled.
I, [2015-01-15T08:51:01.903152 #4180] INFO -- : 'tftp' module is disabled.
I, [2015-01-15T08:51:01.903619 #4180] INFO -- : 'dhcp' module is disabled.
I, [2015-01-15T08:51:01.904281 #4180] INFO -- : 'puppetca' module is disabled.
I, [2015-01-15T08:51:01.905342 #4180] INFO -- : 'puppet' module is disabled.
I, [2015-01-15T08:51:01.905923 #4180] INFO -- : 'bmc' module is disabled.
I, [2015-01-15T08:51:01.906660 #4180] INFO -- : 'realm' module is disabled.

My Puppet server:
I, [2015-01-15T08:43:21.601876 #11151] INFO -- : 'foreman_proxy' settings were initialized with default values: :enabled: true
I, [2015-01-15T08:43:21.685245 #11151] INFO -- : 'facts' module is disabled.
I, [2015-01-15T08:43:21.705146 #11151] INFO -- : 'templates' module is disabled.
I, [2015-01-15T08:43:21.752811 #11151] INFO -- : 'dhcp' settings were initialized with default values: :dhcp_provider: isc
I, [2015-01-15T08:43:24.446693 #11151] INFO -- : 'puppet' settings were initialized with default values: :puppetdir: /etc/puppet
I, [2015-01-15T08:43:24.652776 #11151] INFO -- : 'realm' module is disabled.

Only errors which I can see:

on my DNS server when I start foreman-proxy in foreground mode and
try to save the proxy on my Puppet server:

[2015-01-15 08:51:42] ERROR OpenSSL::SSL::SSLError:
SSL_CTX_use_PrivateKey:: key values mismatch
/usr/lib/ruby/1.8/openssl/ssl-internal.rb:172:in `initialize'

on my Puppet server in foreman/production.log file:

Unable to communicate with the proxy: ERF12-2530
[ProxyAPI::ProxyException]: Unable to detect features
([OpenSSL::SSL::SSLError]: SSL_connect SYSCALL returned=5 errno=0
state=SSLv2/v3 read server hello A) for proxy
https://ns1.domain.name:8443/features

Please check the proxy is configured and running on the host.

I'm using it without SSL for now but it is not what I want :(

On Thursday, January 15, 2015 at 2:32:29 AM UTC-8, claude juif wrote:

Hi Konstantin,

I actually have 2 smart proxies linked to my foreman instance and
it’s working really well.

What is the exact error you had? What do you mean by exchanging the
SSL between all proxies?

Basically, on the puppetCA (foreman) server you have to generate a
certificate for each of your proxies and copy them over to each proxy
(ca.pem, hostname-key.pem, hostname-cert.pem).

On each proxy you also need to add the trusted host parameter
pointing to your foreman instance.

By the way, how did you install foreman proxy? With the
foreman-installer, or with packages?

Regards,

2015-01-15 2:25 GMT+01:00 ‘Konstantin Orekhov’ via Foreman users <
forema...@googlegroups.com>:

We have the same problem. First we noticed that back when we ran
Foreman 1.4.x (do not have data for earlier versions as we didn’t have
multiple proxies at that time), but all subsequent versions (running 1.7.1
now) have the same problem.

It appears that adding a new proxy somehow invalidates the certs of
previously configured proxies from Foreman perspective as if it expects
all proxies to have a cert of that lastly-added one. Basically, none of
the previous proxies work now - one can click
It is very strange and it does not seem to be really cert-related,
but more like a logic somewhere in Foreman code that deals with proxies,
IMHO. Using the proposed curl verification method, I can talk over SSL to
any of the proxies, but Foreman would complain that cert is missing:

[root@ppm01 ~]# curl --cacert /var/lib/puppet/ssl/certs/ca.pem \
  --cert /var/lib/puppet/ssl/certs/`hostname -f`.pem \
  --key /var/lib/puppet/ssl/private_keys/`hostname -f`.pem \
  -H "Content-Type: application/json" -H "Accept:application/json" \
  https://ppm01.mydomain:8443/features
["abrt","bmc","puppet"]

[root@ppm01 ~]# curl --cacert /var/lib/puppet/ssl/certs/ca.pem \
  --cert /var/lib/puppet/ssl/certs/`hostname -f`.pem \
  --key /var/lib/puppet/ssl/private_keys/`hostname -f`.pem \
  -H "Content-Type: application/json" -H "Accept:application/json" \
  https://ppm02.mydomain:8443/features
["abrt","bmc","puppet"]

[root@ppm01 ~]# curl --cacert /var/lib/puppet/ssl/certs/ca.pem \
  --cert /var/lib/puppet/ssl/certs/`hostname -f`.pem \
  --key /var/lib/puppet/ssl/private_keys/`hostname -f`.pem \
  -H "Content-Type: application/json" -H "Accept:application/json" \
  https://ppm03.mydomain:8443/features
["abrt","bmc","puppet"]

The only way to workaround this issue I found so far is to exchange
the SSL (both public and private) keys and certs between all proxies, which
is obviously not a proper thing to do.

Please let me know if I misunderstand or am missing something here.
Thanks!



You are right! I cannot believe I'm such a dummy!! I changed it, it works!

Thank you so much! Solved!

On Thursday, January 15, 2015 at 3:40:37 PM UTC-8, claude juif wrote: