Problem:
While installing a Smart Proxy with foreman-installer --scenario foreman-proxy-content --foreman-proxy-register-in-foreman true, the registration step fails with:
ERF12-2530 [ProxyAPI::ProxyException]: Unable to detect features ([OpenSSL::SSL::SSLError]: SSL_read: tlsv1 alert unknown ca)
**Expected outcome:**
Smart Proxy registered automatically to Foreman Server
Foreman and Proxy versions:
3.15
Foreman and Proxy plugin versions:
3.15
Distribution and version:
RHEL 9.7 5.14.0-611.8.1.el9_7.x86_64
**Other relevant data:**
2025-11-28 11:58:38 [ERROR ] [configure] Error making POST request to Foreman at https:///api/v2/smart_proxies: Unable to communicate with the proxy: ERF12-2530 [ProxyAPI::ProxyException]: Unable to detect features ([OpenSSL::SSL::SSLError]: SSL_read: tlsv1 alert unknown ca) for proxy https://:9090/v2/features Please check the proxy is configured and running on the host.
2025-11-28 11:58:38 [ERROR ] [configure] /Stage[main]/Foreman_proxy::Register/Foreman_smartproxy[]/ensure: change from ‘absent’ to ‘present’ failed: Error making POST request to Foreman at https:///api/v2/smart_proxies: Unable to communicate with the proxy: ERF12-2530 [ProxyAPI::ProxyException]: Unable to detect features ([OpenSSL::SSL::SSLError]: SSL_read: tlsv1 alert unknown ca) for proxy https://:9090/v2/features Please check the proxy is configured and running on the host.
2025-11-28 11:58:40 [NOTICE] [configure] System configuration has finished.
Error 1: Puppet Foreman_smartproxy resource ‘’ failed. Logs:
Foreman_smartproxy(provider=rest_v3)
Making get request to https:///api/v2/smart_proxies?search=name%3D%22%22
Received response 200
Making post request to https:///api/v2/smart_proxies
Received response 422
/Stage[main]/Foreman_proxy::Register/Foreman_smartproxy[]/ensure
change from ‘absent’ to ‘present’ failed: Error making POST request to Foreman at https:///api/v2/smart_proxies: Unable to communicate with the proxy: ERF12-2530 [ProxyAPI::ProxyException]: Unable to detect features ([OpenSSL::SSL::SSLError]: SSL_read: tlsv1 alert unknown ca) for proxy https://:9090/v2/features Please check the proxy is configured and running on the host.
1 error was detected during installation.
Please address the errors and re-run the installer to ensure the system is properly configured.
Failing to do so is likely to result in broken functionality.
The full log is at /var/log/foreman-installer/foreman-proxy-content.log
I generated cert.tar file as per the documentation:
[root@ aws]# foreman-proxy-certs-generate \
--foreman-proxy-fqdn \
--certs-tar ~/smart-proxy-certs.tar \
--server-cert /root/cert/aws/.crt \
--server-key /root/cert/aws/.key \
--server-ca-cert /root/cert/aws/-chain.pem
Preparing installation Done
Success!
To finish the installation, follow these steps:
1. Register the Smart Proxy to the Katello instance.
2. Ensure that the foreman-installer-katello package is installed on the system.
3. Copy the following file /root/smart-proxy-certs.tar to the system at the following location /root/smart-proxy-certs.tar
scp /root/smart-proxy-certs.tar root@:/root/smart-proxy-certs.tar
4. Run the following commands on the Smart Proxy (possibly with customized parameters):
foreman-installer \
--scenario foreman-proxy-content \
--certs-tar-file "/root/smart-proxy-certs.tar" \
--foreman-proxy-foreman-base-url "https://" \
--foreman-proxy-trusted-hosts "" \
--foreman-proxy-trusted-hosts "" \
--foreman-proxy-oauth-consumer-key "" \
--foreman-proxy-oauth-consumer-secret ""
It seems you have not provided the smart-proxy’s fqdn via the --foreman-proxy-fqdn <your_smart_proxy_fqdn> parameter to the certs-generate, so they remained empty in the installer command in point 4 (see --foreman-proxy-foreman-base-url "https://"), so the installer failed to detect its features at https://:9090/v2/features (it should have been https://<your_smart_proxy_fqdn>:9090/v2/features).
Unless you deleted the FQDN only from the post to keep them private.
Your post is pretty unreadable. Please use preformatted text blocks for your shell output or commands.
Where did you find the command foreman-installer --scenario foreman-proxy-content --foreman-proxy-register-in-foreman true? That’s not in the docs. It won’t work.
--foreman-proxy-register-in-foreman true - I found it in one of the posts when I was first looking for the same or a similar problem; other than that, all commands are as per the documentation.
[root@foremanbkp-proxy01 scripts]# ./install_smart_proxy.sh
2025-11-28 14:48:46 [NOTICE] [root] Loading installer configuration. This will take some time.
2025-11-28 14:48:51 [NOTICE] [root] Running installer with log based terminal output at level NOTICE.
2025-11-28 14:48:51 [NOTICE] [root] Use -l to set the terminal output log level to ERROR, WARN, NOTICE, INFO, or DEBUG. See --full-help for definitions.
2025-11-28 14:48:53 [NOTICE] [checks] System checks passed
2025-11-28 14:49:04 [NOTICE] [configure] Starting system configuration.
2025-11-28 14:49:13 [NOTICE] [configure] 250 configuration steps out of 1075 steps complete.
2025-11-28 14:49:15 [NOTICE] [configure] 500 configuration steps out of 1077 steps complete.
2025-11-28 14:49:15 [NOTICE] [configure] 750 configuration steps out of 1082 steps complete.
2025-11-28 14:49:31 [NOTICE] [configure] 1000 configuration steps out of 1082 steps complete.
2025-11-28 14:49:36 [ERROR ] [configure] Error making POST request to Foreman at https://foremanbkp.foremanrg-01.mgob01.francecentral.ccp.cloud.example.com/api/v2/smart_proxies: Unable to communicate with the proxy: ERF12-2530 [ProxyAPI::ProxyException]: Unable to detect features ([OpenSSL::SSL::SSLError]: SSL_read: tlsv1 alert unknown ca) for proxy https://foremanbkp-proxy01.tchaws.example.com:9090/v2/features Please check the proxy is configured and running on the host.
2025-11-28 14:49:36 [ERROR ] [configure] /Stage[main]/Foreman_proxy::Register/Foreman_smartproxy[foremanbkp-proxy01.tchaws.example.com]/ensure: change from 'absent' to 'present' failed: Error making POST request to Foreman at https://foremanbkp.foremanrg-01.mgob01.francecentral.ccp.cloud.example.com/api/v2/smart_proxies: Unable to communicate with the proxy: ERF12-2530 [ProxyAPI::ProxyException]: Unable to detect features ([OpenSSL::SSL::SSLError]: SSL_read: tlsv1 alert unknown ca) for proxy https://foremanbkp-proxy01.tchaws.example.com:9090/v2/features Please check the proxy is configured and running on the host.
2025-11-28 14:49:39 [NOTICE] [configure] System configuration has finished.
Error 1: Puppet Foreman_smartproxy resource 'foremanbkp-proxy01.tchaws.example.com' failed. Logs:
/Stage[main]/Foreman_proxy::Register/Foreman_smartproxy[foremanbkp-proxy01.tchaws.example.com]
Adding autorequire relationship with Anchor[foreman::providers::oauth]
Starting to evaluate the resource (1070 of 1083)
Evaluated in 1.87 seconds
Foreman_smartproxy(provider=rest_v3)
Making get request to https://foremanbkp.foremanrg-01.mgob01.francecentral.ccp.cloud.example.com/api/v2/smart_proxies?search=name%3D%22foremanbkp-proxy01.tchaws.example.com%22
Received response 200 from request to https://foremanbkp.foremanrg-01.mgob01.francecentral.ccp.cloud.example.com/api/v2/smart_proxies?search=name%3D%22foremanbkp-proxy01.tchaws.example.com%22
Making post request to https://foremanbkp.foremanrg-01.mgob01.francecentral.ccp.cloud.example.com/api/v2/smart_proxies
Received response 422 from request to https://foremanbkp.foremanrg-01.mgob01.francecentral.ccp.cloud.example.com/api/v2/smart_proxies
/Stage[main]/Foreman_proxy::Register/Foreman_smartproxy[foremanbkp-proxy01.tchaws.example.com]/ensure
change from 'absent' to 'present' failed: Error making POST request to Foreman at https://foremanbkp.foremanrg-01.mgob01.francecentral.ccp.cloud.example.com/api/v2/smart_proxies: Unable to communicate with the proxy: ERF12-2530 [ProxyAPI::ProxyException]: Unable to detect features ([OpenSSL::SSL::SSLError]: SSL_read: tlsv1 alert unknown ca) for proxy https://foremanbkp-proxy01.tchaws.example.com:9090/v2/features Please check the proxy is configured and running on the host.
1 error was detected during installation.
Please address the errors and re-run the installer to ensure the system is properly configured.
Failing to do so is likely to result in broken functionality.
The full log is at /var/log/foreman-installer/foreman-proxy-content.log
I hope the terminal output is now more readable and clearer, sorry for the previous scrambled posts …
That is not the first command in the docs. You have to run foreman-proxy-certs-generate first to generate the tar file. The tar file you are using does not contain the correct certificates.
I also highly recommend checking the cert with katello-certs-check first to make sure it’s correct.
Hello, of course I generated the TAR file as per the doc:
Certificate Generation Command
[root@foremanbkp ~]# foreman-proxy-certs-generate \
--foreman-proxy-fqdn foremanbkp-proxy01.tchaws.example.com \
--certs-tar ~/foremanbkp-proxy01.tchaws.example.com-certs.tar \
--server-cert /root/cert/aws/foremanbkp-proxy01.tchaws.example.com.crt \
--server-key /root/cert/aws/foremanbkp-proxy01.tchaws.example.com.key \
--server-ca-cert /root/cert/aws/foremanbkp-proxy01.tchaws.example.com-chain.pem \
--certs-update-server
Marking certificate /root/ssl-build/foremanbkp-proxy01.tchaws.example.com/foremanbkp-proxy01.tchaws.example.com-apache for update
Marking certificate /root/ssl-build/foremanbkp-proxy01.tchaws.example.com/foremanbkp-proxy01.tchaws.example.com-foreman-proxy for update
Preparing installation Done
Success!
To finish the installation, follow these steps:
1. Register the Smart Proxy to the Katello instance.
2. Ensure that the foreman-installer-katello package is installed on the system.
3. Copy the following file /root/foremanbkp-proxy01.tchaws.example.com-certs.tar to the system foremanbkp-proxy01.tchaws.example.com at the following location /root/foremanbkp-proxy01.tchaws.example.com-certs.tar
scp /root/foremanbkp-proxy01.tchaws.example.com-certs.tar root@foremanbkp-proxy01.tchaws.example.com:/root/foremanbkp-proxy01.tchaws.example.com-certs.tar
4. Run the following commands on the Smart Proxy:
foreman-installer \
--scenario foreman-proxy-content \
--certs-tar-file "/root/foremanbkp-proxy01.tchaws.example.com-certs.tar" \
--foreman-proxy-foreman-base-url "https://foremanbkp.foremanrg-01.mgob01.francecentral.ccp.cloud.example.com" \
--foreman-proxy-trusted-hosts "foremanbkp.foremanrg-01.mgob01.francecentral.ccp.cloud.example.com" \
--foreman-proxy-trusted-hosts "foremanbkp-proxy01.tchaws.example.com" \
--foreman-proxy-oauth-consumer-key "<REDACTED-OAUTH-KEY>" \
--foreman-proxy-oauth-consumer-secret "<REDACTED-OAUTH-SECRET>"
And I did run the check too:
Katello Certificate Check
[root@foremanbkp ~]# katello-certs-check -t foreman-proxy \
-c /root/smart-proxy_cert/foremanbkp-proxy01.tchaws.example.com.crt \
-k /root/smart-proxy_cert/foremanbkp-proxy01.tchaws.example.com.key \
-b /root/smart-proxy_cert/foremanbkp-proxy01.tchaws.example.com-chain.pem
Checking server certificate encoding:
[OK]
Checking expiration of certificate:
[OK]
Checking expiration of CA bundle:
[OK]
Checking if server certificate has CA:TRUE flag
[OK]
Checking for private key passphrase:
[OK]
Checking to see if the private key matches the certificate:
[OK]
Checking CA bundle against the certificate file:
[OK]
Checking CA bundle size: 2
[OK]
Checking if CA bundle has trust rules: 0
[OK]
Checking Subject Alt Name on certificate
[OK]
Checking if any Subject Alt Name on certificate matches the Subject CN
[OK]
Checking Key Usage extension on certificate for Key Encipherment
[OK]
Checking for use of shortname as CN
[OK]
Checking CA signing algorithm for sha1:
[OK]
Validation succeeded
To use them inside a NEW $FOREMAN_PROXY, run this command:
foreman-proxy-certs-generate --foreman-proxy-fqdn "$FOREMAN_PROXY" \
--certs-tar "~/$FOREMAN_PROXY-certs.tar" \
--server-cert "/root/smart-proxy_cert/foremanbkp-proxy01.tchaws.example.com.crt" \
--server-key "/root/smart-proxy_cert/foremanbkp-proxy01.tchaws.example.com.key" \
--server-ca-cert "/root/smart-proxy_cert/foremanbkp-proxy01.tchaws.example.com-chain.pem"
To use them inside an EXISTING $FOREMAN_PROXY, run this command INSTEAD:
foreman-proxy-certs-generate --foreman-proxy-fqdn "$FOREMAN_PROXY" \
--certs-tar "~/$FOREMAN_PROXY-certs.tar" \
--server-cert "/root/smart-proxy_cert/foremanbkp-proxy01.tchaws.example.com.crt" \
--server-key "/root/smart-proxy_cert/foremanbkp-proxy01.tchaws.example.com.key" \
--server-ca-cert "/root/smart-proxy_cert/foremanbkp-proxy01.tchaws.example.com-chain.pem" \
--certs-update-server
Still do not know what I missed… installation on Proxy server constantly failing …
And the main katello/foreman server uses the identical chain file as the proxy?
You can run katello-certs-check with the katello server cert and key and foremanbkp-proxy01.tchaws.example.com-chain.pem chain and it verifies it as O.K.?
You did not - at any time - try other foreman-installer options to configure the smart proxy?
You have configured the custom certificate on the foreman server only following the docs and you did not - at any time - configure certificates on the main server with other foreman-installer options?
This is what I was not sure! Therefore I uninstalled foreman rpm’s and started from scratch! And that then fixed the problem:
[root@foremanbkp-proxy01 ~]# ./scripts/install_smart_proxy.sh
2025-12-01 14:43:28 [NOTICE] [root] Loading installer configuration. This will take some time.
2025-12-01 14:43:32 [NOTICE] [root] Running installer with log based terminal output at level NOTICE.
2025-12-01 14:43:32 [NOTICE] [root] Use -l to set the terminal output log level to ERROR, WARN, NOTICE, INFO, or DEBUG. See --full-help for definitions.
2025-12-01 14:43:34 [NOTICE] [checks] System checks passed
2025-12-01 14:43:47 [NOTICE] [configure] Starting system configuration.
2025-12-01 14:43:57 [NOTICE] [configure] 250 configuration steps out of 1075 steps complete.
2025-12-01 14:43:58 [NOTICE] [configure] 500 configuration steps out of 1077 steps complete.
2025-12-01 14:43:59 [NOTICE] [configure] 750 configuration steps out of 1082 steps complete.
2025-12-01 14:44:15 [NOTICE] [configure] 1000 configuration steps out of 1082 steps complete.
2025-12-01 14:44:23 [NOTICE] [configure] System configuration has finished.
Success!
* Foreman Proxy is running at https://foremanbkp-proxy01.example.net:9090
The full log is at /var/log/foreman-installer/foreman-proxy-content.log
Proxy auto-registered to Foreman Server and all seems to be fine now …
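
Added example (not part of the thread, and not Foreman's own tooling): `tlsv1 alert unknown ca` is the alert a TLS peer sends when it cannot chain the certificate it was shown to a CA it trusts, which is why the replies above ask whether both hosts use the same chain file. The sketch below reproduces that condition with `openssl verify`; it assumes the openssl CLI is installed, and every CA, certificate and file name in it is constructed for the demo.

```shell
#!/bin/sh
# Constructed demo: throwaway CAs and a leaf certificate in a temp dir.
# Assumes the openssl CLI is installed; all names below are made up.

# issuer_trusted CERT CA_BUNDLE: exit 0 if CERT chains to a CA in CA_BUNDLE.
issuer_trusted() {
    openssl verify -CAfile "$2" "$1" >/dev/null 2>&1
}

# make_ca NAME: self-signed CA written to NAME.key / NAME.crt.
make_ca() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=$1" \
        -keyout "$1.key" -out "$1.crt" >/dev/null 2>&1
}

# make_leaf NAME CA: certificate NAME.crt issued by CA (CA.crt / CA.key).
make_leaf() {
    openssl req -newkey rsa:2048 -nodes -subj "/CN=$1" \
        -keyout "$1.key" -out "$1.csr" >/dev/null 2>&1 &&
    openssl x509 -req -in "$1.csr" -CA "$2.crt" -CAkey "$2.key" \
        -CAcreateserial -days 1 -out "$1.crt" >/dev/null 2>&1
}

# demo: runs in a subshell so the caller's working directory is untouched.
demo() (
    dir=$(mktemp -d) && cd "$dir" || exit 2
    make_ca ca-one && make_ca ca-two && make_leaf client ca-one || exit 2
    for bundle in ca-one.crt ca-two.crt; do
        if issuer_trusted client.crt "$bundle"; then
            echo "$bundle: issuer trusted"
        else
            echo "$bundle: issuer not in bundle (peer would answer 'unknown ca')"
        fi
    done
    cd / && rm -rf "$dir"
)

demo
```

On real hosts, pass `issuer_trusted` the certificate one side presents and the CA bundle the other side is configured to trust; a failure there matches the alert seen in the installer log.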