Sadly that was not the case as the auth.conf settings were correct.
The log below is from when I take a look at the smartproxy and do a
'refresh' under 'Overview'.
D, [2016-08-11T12:32:39.293885 #4126] DEBUG – : accept: 127.0.1.1:43135
D, [2016-08-11T12:32:39.302268 #4126] DEBUG – : Rack::Handler::WEBrick is
invoked.
I, [2016-08-11T12:32:39.305790 #4126] INFO – : 127.0.1.1 - - [11/Aug/2016
12:32:39] "GET /features HTTP/1.1" 200 28 0.0016
D, [2016-08-11T12:32:39.348274 #4126] DEBUG – : close: 127.0.1.1:43135
D, [2016-08-11T12:32:39.507620 #4126] DEBUG – : accept: 127.0.1.1:43136
D, [2016-08-11T12:32:39.516140 #4126] DEBUG – : Rack::Handler::WEBrick is
invoked.
I, [2016-08-11T12:32:39.519116 #4126] INFO – : 127.0.1.1 - - [11/Aug/2016
12:32:39] "GET /features HTTP/1.1" 200 28 0.0014
D, [2016-08-11T12:32:39.561403 #4126] DEBUG – : close: 127.0.1.1:43136
D, [2016-08-11T12:32:41.856553 #4126] DEBUG – : accept: 127.0.1.1:43137
D, [2016-08-11T12:32:41.866290 #4126] DEBUG – : Rack::Handler::WEBrick is
invoked.
I, [2016-08-11T12:32:41.869393 #4126] INFO – : 127.0.1.1 - - [11/Aug/2016
12:32:41] "GET /version HTTP/1.1" 200 111 0.0016
D, [2016-08-11T12:32:41.911321 #4126] DEBUG – : close: 127.0.1.1:43137
D, [2016-08-11T12:32:41.964039 #4126] DEBUG – : accept: 127.0.1.1:43138
D, [2016-08-11T12:32:41.972325 #4126] DEBUG – : Rack::Handler::WEBrick is
invoked.
I, [2016-08-11T12:32:41.976452 #4126] INFO – : 127.0.1.1 - - [11/Aug/2016
12:32:41] "GET /serverName HTTP/1.1" 200 22 0.0012
D, [2016-08-11T12:32:42.019565 #4126] DEBUG – : close: 127.0.1.1:43138
D, [2016-08-11T12:32:42.083428 #4126] DEBUG – : accept: 127.0.1.1:43139
D, [2016-08-11T12:32:42.093115 #4126] DEBUG – : Rack::Handler::WEBrick is
invoked.
D, [2016-08-11T12:32:42.204642 #4126] DEBUG – : accept: 127.0.1.1:43140
D, [2016-08-11T12:32:42.222001 #4126] DEBUG – : Rack::Handler::WEBrick is
invoked.
D, [2016-08-11T12:32:42.232320 #4126] DEBUG – : Found puppetca at
/usr/bin/puppet
E, [2016-08-11T12:32:42.238822 #4126] ERROR – : Failed to list puppet
environments: Failed to query Puppet find environments v2 API: 403
{"message":"Not Authorized: Forbidden request:
vm-puppet.test.local(127.0.1.1) access to /v2.0/environments [find] at
:119","issue_kind":"FAILED_AUTHORIZATION"}
D, [2016-08-11T12:32:42.240370 #4126] DEBUG – : Failed to list puppet
environments: Failed to query Puppet find environments v2 API: 403
{"message":"Not Authorized: Forbidden request:
vm-puppet.test.local(127.0.1.1) access to /v2.0/environments [find] at
:119","issue_kind":"FAILED_AUTHORIZATION"}
D, [2016-08-11T12:32:42.241132 #4126] DEBUG – : Found sudo at /usr/bin/sudo
I, [2016-08-11T12:32:42.243169 #4126] INFO – : 127.0.1.1 - - [11/Aug/2016
12:32:42] "GET /environments HTTP/1.1" 406 259 0.1476
D, [2016-08-11T12:32:42.245180 #4126] DEBUG – : Executing /usr/bin/sudo -S
/usr/bin/puppet cert --ssldir /var/lib/puppet/ssl --list --all
D, [2016-08-11T12:32:42.324395 #4126] DEBUG – : accept: 127.0.1.1:43141
D, [2016-08-11T12:32:42.328380 #4126] DEBUG – : close: 127.0.1.1:43139
D, [2016-08-11T12:32:42.338478 #4126] DEBUG – : Rack::Handler::WEBrick is
invoked.
D, [2016-08-11T12:32:42.342691 #4126] DEBUG – : Found puppetca at
/usr/bin/puppet
D, [2016-08-11T12:32:42.343444 #4126] DEBUG – : Found sudo at /usr/bin/sudo
D, [2016-08-11T12:32:42.343724 #4126] DEBUG – : Executing /usr/bin/sudo -S
/usr/bin/puppet cert --ssldir /var/lib/puppet/ssl --list --all
D, [2016-08-11T12:32:42.442358 #4126] DEBUG – : accept: 127.0.1.1:43142
D, [2016-08-11T12:32:42.453290 #4126] DEBUG – : Rack::Handler::WEBrick is
invoked.
I, [2016-08-11T12:32:42.458155 #4126] INFO – : 127.0.1.1 - - [11/Aug/2016
12:32:42] "GET /autosign HTTP/1.1" 200 43 0.0029
D, [2016-08-11T12:32:42.500448 #4126] DEBUG – : close: 127.0.1.1:43142
D, [2016-08-11T12:32:42.550761 #4126] DEBUG – : accept: 127.0.1.1:43144
D, [2016-08-11T12:32:42.561485 #4126] DEBUG – : Rack::Handler::WEBrick is
invoked.
D, [2016-08-11T12:32:42.564804 #4126] DEBUG – : Found puppetca at
/usr/bin/puppet
D, [2016-08-11T12:32:42.565490 #4126] DEBUG – : Found sudo at /usr/bin/sudo
D, [2016-08-11T12:32:42.565792 #4126] DEBUG – : Executing /usr/bin/sudo -S
/usr/bin/puppet cert --ssldir /var/lib/puppet/ssl --list --all
D, [2016-08-11T12:32:42.642081 #4126] DEBUG – : accept: 127.0.1.1:43145
D, [2016-08-11T12:32:42.647242 #4126] DEBUG – : Rack::Handler::WEBrick is
invoked.
I, [2016-08-11T12:32:42.649139 #4126] INFO – : 127.0.1.1 - - [11/Aug/2016
12:32:42] "GET /autosign HTTP/1.1" 200 43 0.0011
D, [2016-08-11T12:32:42.690069 #4126] DEBUG – : close: 127.0.1.1:43145
I, [2016-08-11T12:32:46.533046 #4126] INFO – : 127.0.1.1 - - [11/Aug/2016
12:32:46] "GET HTTP/1.1" 200 32262 4.1927
D, [2016-08-11T12:32:46.578293 #4126] DEBUG – : close: 127.0.1.1:43141
I, [2016-08-11T12:32:46.721213 #4126] INFO – : 127.0.1.1 - - [11/Aug/2016
12:32:46] "GET HTTP/1.1" 200 32262 4.4905
I, [2016-08-11T12:32:46.740028 #4126] INFO – : 127.0.1.1 - - [11/Aug/2016
12:32:46] "GET HTTP/1.1" 200 32262 4.1770
D, [2016-08-11T12:32:46.764896 #4126] DEBUG – : close: 127.0.1.1:43140
D, [2016-08-11T12:32:46.785443 #4126] DEBUG – : close: 127.0.1.1:43144
/etc/puppet/auth.conf
by optional modifiers, and finally, a series of allow or deny
directives.
···
#
# Example Stanza
# ---------------------------------
# path /path/to/resource # simple prefix match
# # path ~ regex # alternately, regex match
# [environment envlist]
# [method methodlist]
# [auth[enthicated] {yes|no|on|off|any}]
# allow [host|backreference|*|regex]
# deny [host|backreference|*|regex]
# allow_ip [ip|cidr|ip_wildcard|*]
# deny_ip [ip|cidr|ip_wildcard|*]
#
# The path match can either be a simple prefix match or a regular
# expression. `path /file` would match both `/file_metadata` and
# `/file_content`. Regex matches allow the use of backreferences
# in the allow/deny directives.
#
# The regex syntax is the same as for Ruby regex, and captures backreferences
# for use in the `allow` and `deny` lines of that stanza
#
# Examples:
#
# path ~ ^/path/to/resource # Equivalent to `path /path/to/resource`.
# allow * # Allow all authenticated nodes (since auth
# # defaults to `yes`).
#
# path ~ ^/catalog/([^/]+)$ # Permit nodes to access their own catalog (by
# allow $1 # certname), but not any other node's catalog.
#
# path ~ ^/file_(metadata|content)/extra_files/ # Only allow certain nodes to
# auth yes # access the "extra_files"
# allow /^(.+)\.example\.com$/ # mount point; note this must
# allow_ip 192.168.100.0/24 # go ABOVE the "/file" rule,
# # since it is more specific.
#
# environment:: restrict an ACL to a comma-separated list of environments
# method:: restrict an ACL to a comma-separated list of HTTP methods
# auth:: restrict an ACL to an authenticated or unauthenticated request
# the default when unspecified is to restrict the ACL to authenticated requests
# (ie exactly as if auth yes was present).
#
# Authenticated ACLs - these rules apply only when the client
# has a valid certificate and is thus authenticated

# allow nodes to retrieve their own catalog
path ~ ^/catalog/([^/]+)$
method find
allow $1

# allow nodes to retrieve their own node definition
path ~ ^/node/([^/]+)$
method find
allow $1

# allow all nodes to access the certificates services
path /certificate_revocation_list/ca
method find
allow *

# allow all nodes to store their own reports
path ~ ^/report/([^/]+)$
method save
allow $1

# Allow all nodes to access all file services; this is necessary for
# pluginsync, file serving from modules, and file serving from custom
# mount points (see fileserver.conf). Note that the /file prefix matches
# requests to both the file_metadata and file_content paths. See “Examples”
# above if you need more granular access control for custom mount points.
path /file
allow *

# Unauthenticated ACLs, for clients without valid certificates; authenticated
# clients can also access these paths, though they rarely need to.

# allow access to the CA certificate; unauthenticated nodes need this
# in order to validate the puppet master’s certificate
path /certificate/ca
auth any
method find
allow *

# allow nodes to retrieve the certificate they requested earlier
path /certificate/
auth any
method find
allow *

# allow nodes to request a new certificate
path /certificate_request
auth any
method find, save
allow *

path /v2.0/environments
method find
allow *

# deny everything else; this ACL is not strictly necessary, but
# illustrates the default policy.
path /
auth any
On Wednesday, August 10, 2016 at 10:11:24 AM UTC-4, Michael Hurn wrote:
After upgrading from Foreman 1.11.1 & Puppet 3.8.3.
When I try to import classes I get an error popup:
Error: ERF12-2749 [ProxyAPI::ProxyException]: Unable to get environments from Puppet ([RestClient::NotAcceptable]: 406 Not Acceptable) for proxy https://vm-puppet.test.local:8443/puppet
when hitting the Import from PuppetProxy button on the page:
https://vm-puppet.test.local/puppetclasses
In the /var/log/foreman-proxy/proxy.log I get:
D, [2016-08-10T13:26:10.898951 #15759] DEBUG – : accept:
7.28.47.204:35287
D, [2016-08-10T13:26:10.910504 #15759] DEBUG – : Rack::Handler::WEBrick
is invoked.
E, [2016-08-10T13:26:11.054200 #15759] ERROR – : Failed to list puppet
environments: Failed to query Puppet find environments v3 API: 404 Not
Found: Could not find environment ‘puppet’
D, [2016-08-10T13:26:11.054344 #15759] DEBUG – : Failed to list puppet
environments: Failed to query Puppet find environments v3 API: 404 Not
Found: Could not find environment ‘puppet’
I, [2016-08-10T13:26:11.054800 #15759] INFO – : 7.28.47.204 - -
[10/Aug/2016 13:26:11] “GET /environments HTTP/1.1” 406 135 0.1426
D, [2016-08-10T13:26:11.097846 #15759] DEBUG – : close: 7.28.47.204:35287
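The stanza rules described in the auth.conf comments above (the first stanza matching path, method and auth state decides, and `auth` defaults to `yes`), modelled as an added Ruby example; it is not Puppet's or Foreman's code and not part of the original post. `Rule`, `parse_auth_conf` and `authorize` are hypothetical names, and only prefix/regex paths, `method`, `auth` and `allow` with `*` or `$N` are modelled.

```ruby
# Simplified model of auth.conf matching (added example, not Puppet's code).
Rule = Struct.new(:path, :verbs, :auth, :allows)

# Three stanzas copied from the auth.conf in the post.
AUTH_CONF = <<~'CONF'
  path ~ ^/catalog/([^/]+)$
  method find
  allow $1

  path /v2.0/environments
  method find
  allow *

  path /
  auth any
CONF

# A `path` line opens a stanza; the lines after it refine that stanza.
def parse_auth_conf(text)
  rules = []
  text.each_line do |raw|
    key, rest = raw.strip.split(/\s+/, 2)
    next if key.nil? || key.start_with?('#')
    case key
    when 'path'
      source = rest.start_with?('~') ? rest.sub(/\A~\s*/, '') : '\A' + Regexp.escape(rest)
      rules << Rule.new(Regexp.new(source), nil, 'yes', []) # auth defaults to yes
    when 'method' then rules.last.verbs = rest.split(/\s*,\s*/)
    when 'auth'   then rules.last.auth = rest
    when 'allow'  then rules.last.allows << rest
    end
  end
  rules
end

# First stanza matching path, method and auth state decides; returns [verdict, index].
def authorize(rules, path:, method:, certname:, authenticated:)
  rules.each_with_index do |rule, i|
    m = rule.path.match(path)
    next unless m
    next if rule.verbs && !rule.verbs.include?(method)
    next if %w[yes on].include?(rule.auth) && !authenticated
    next if %w[no off].include?(rule.auth) && authenticated
    ok = rule.allows.any? { |a| a == '*' || a.gsub(/\$(\d)/) { m[$1.to_i] } == certname }
    return [ok ? :allow : :deny, i]
  end
  [:deny, nil]
end
```

In this model an authenticated `find` on `/v2.0/environments` is allowed by the added stanza, while the same request treated as unauthenticated skips that stanza and lands on the final `path /` stanza, which has no `allow`.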