Unable to get environments from Puppet

Hello,

I have generated certificates on the foreman server according to the
puppetmaster hostname. The smart proxy (puppetmaster) has been added to the
smart proxy list in the foreman GUI. That error is resolved.

After that, when I am trying to add Puppet classes I am getting the below error
in the Foreman GUI.

Error: ERF12-2749 [ProxyAPI::ProxyException]: Unable to get environments
from Puppet ([RestClient::NotAcceptable]: 406 Not Acceptable) for proxy
https://puppetmaster.exapmle.com:8443/puppet

Below is the error in /var/log/foreman-proxy/proxy.log:

E, [2016-07-29T15:03:44.169966 #30702] ERROR -- : Failed to list puppet
environments: SSL_connect returned=1 errno=0 state=SSLv3 read server
certificate B: certificate verify failed
I, [2016-07-29T15:03:44.170369 #30702] INFO -- : 1x.1xx.xxx.xxx - -
[29/Jul/2016:15:03:44 -0400] "GET /puppet/environments HTTP/1.1" 406 131
0.0063
E, [2016-07-29T15:17:08.632367 #30702] ERROR -- : OpenSSL::SSL::SSLError:
SSL_accept returned=1 errno=0 state=SSLv2/v3 read client hello A: unknown
protocol
/usr/share/ruby/openssl/ssl.rb:226:in `accept'

Below is another error, from when I tried curl:
curl -v https://puppetmaster.exapmle.com:8443/puppet

* About to connect() to puppetmaster.example.com port 8443 (#0)
*   Trying xx.xxx.xxx.xxx
* Connected to puppetmaster.example.com (xx.xx.xxx.xxx) port 8443 (#0)
* Initializing NSS with certpath: sql:/etc/pki/nssdb
*   CAfile: /etc/pki/tls/certs/ca-bundle.crt
  CApath: none
* Server certificate:
*       subject: CN=puppetmaster.exapmle.com
*       start date: Jul 28 13:52:01 2016 GMT
*       expire date: Jul 28 13:52:01 2021 GMT
*       common name: puppetmaster.exapmle.com
*       issuer: CN=Puppet CA: foremanserver.exapmle.com
* NSS error -8172 (SEC_ERROR_UNTRUSTED_ISSUER)
* Peer's certificate issuer has been marked as not trusted by the user.
* Closing connection 0
curl: (60) Peer's certificate issuer has been marked as not trusted by the
user.

More details here: http://curl.haxx.se/docs/sslcerts.html

curl performs SSL certificate verification by default, using a "bundle"
of Certificate Authority (CA) public keys (CA certs). If the default
bundle file isn't adequate, you can specify an alternate file
using the --cacert option.
If this HTTPS server uses a certificate signed by a CA represented in
the bundle, the certificate verification probably failed due to a
problem with the certificate (it might be expired, or the name might
not match the domain name in the URL).
If you'd like to turn off curl's verification of the certificate, use
the -k (or --insecure) option.

ls -ld /etc/puppetlabs/
drwxr-xr-x 8 puppet puppet 98 Jun 29 10:20 /etc/puppetlabs/
ls -ld /etc/puppetlabs/puppet/
drwxr-xr-x 3 puppet puppet 131 Jul 29 15:22 /etc/puppetlabs/puppet/
ls -ld /etc/puppetlabs/puppet/ssl/
drwxrwx--x 8 puppet puppet 119 Jul 14 15:21 /etc/puppetlabs/puppet/ssl/
ls -ld /etc/puppetlabs/puppet/ssl/certs/ca.pem
-rw-r--r-- 1 puppet puppet 1997 Jul 29 09:50 /etc/puppetlabs/puppet/ssl/certs/ca.pem

sestatus
SELinux status: disabled

The foreman-proxy user is in the puppet group [ puppet:x:249:foreman-proxy ].

I have also tried sudo -u foreman-proxy cat
/var/lib/puppet/ssl/certs/ca.pem; it's working.

puppet --version (on puppetmaster where foreman smart proxy is running)
4.5.2

I have tried telnet from the foreman server to the puppet master; it is connecting.
The Foreman proxy is running on the puppetmaster.

/etc/puppetlabs/puppet/auth.conf
path /puppet/v3/environments
method find
allow *

path /puppet/v3/resource_type
method search
allow *

Please advise.
Sai Krishna

Can anyone please advise?

> Hello,
>
> I have generated certificates on the foreman server according to the
> puppetmaster hostname. The smart proxy (puppetmaster) has been added to
> the smart proxy list in the foreman GUI. That error is resolved.
>
> After that, when I am trying to add Puppet classes I am getting the
> below error in the Foreman GUI.
>
> Error: ERF12-2749 [ProxyAPI::ProxyException]: Unable to get
> environments from Puppet ([RestClient::NotAcceptable]: 406 Not
> Acceptable) for proxy https://puppetmaster.exapmle.com:8443/puppet
>
> Below is the error in /var/log/foreman-proxy/proxy.log:
>
> E, [2016-07-29T15:03:44.169966 #30702] ERROR -- : Failed to list puppet
> environments: SSL_connect returned=1 errno=0 state=SSLv3 read server
> certificate B: certificate verify failed
> I, [2016-07-29T15:03:44.170369 #30702] INFO -- : 1x.1xx.xxx.xxx - -
> [29/Jul/2016:15:03:44 -0400] "GET /puppet/environments HTTP/1.1" 406 131
> 0.0063
> E, [2016-07-29T15:17:08.632367 #30702] ERROR -- :
> OpenSSL::SSL::SSLError: SSL_accept returned=1 errno=0 state=SSLv2/v3
> read client hello A: unknown protocol
> /usr/share/ruby/openssl/ssl.rb:226:in `accept'

What configuration do you have set in
/etc/foreman-proxy/settings.d/puppet_proxy_puppet_api.yml?

This is the smart proxy unable to communicate with Puppet Server.

> Below is another error, from when I tried curl:
> curl -v https://puppetmaster.exapmle.com:8443/puppet
[…]
> * NSS error -8172 (SEC_ERROR_UNTRUSTED_ISSUER)
> * Peer's certificate issuer has been marked as not trusted by the user.
> If you'd like to turn off curl's verification of the certificate, use
> the -k (or --insecure) option.

You would need to follow this advice, and set --key, --cert etc to
access the smart proxy API. I don't think you need to do this, Foreman
does it fine.

On 01/08/16 15:34, Sai Krishna wrote:

Dominic Cleal
dominic@cleal.org

Hello,

> What configuration do you have set in
> /etc/foreman-proxy/settings.d/puppet_proxy_puppet_api.yml?
>

On the external puppet master,
/etc/foreman-proxy/settings.d/puppet_proxy_puppet_api.yml:

---
# URL of the puppet master itself for API requests.
:puppet_url: https://puppetmaster.com:8140
#
# SSL certificates used to access the puppet API
:puppet_ssl_ca: /etc/puppetlabs/puppet/ssl/certs/ca.pem
:puppet_ssl_cert: /etc/puppetlabs/puppet/ssl/certs/puppetmaster..com.pem
:puppet_ssl_key: /etc/puppetlabs/puppet/ssl/private_keys/puppetmaster.com.pem

On the foreman server,
/etc/foreman-proxy/settings.d/puppet_proxy_puppet_api.yml:

# URL of the puppet master itself for API requests.
:puppet_url: https://foremanserver.com:8140
#
# SSL certificates used to access the puppet API
:puppet_ssl_ca: /etc/puppetlabs/puppet/ssl/certs/ca.pem
:puppet_ssl_cert: /etc/puppetlabs/puppet/ssl/certs/foremanserver.com.pem
:puppet_ssl_key: /etc/puppetlabs/puppet/ssl/private_keys/foremanserver.com.pem

Thanks for your quick reply. Above are the settings in the config file. Is
there anything wrong that would explain why it is unable to pull the
environments and has an SSL issue?

Found these errors in /var/log/foreman-proxy/proxy.log.
I have made the foreman server (an all-in-one installation: puppetmaster,
foreman, CA) the CA and have generated new certs for the external puppet
master server { puppet cert generate puppetmaster.com }, and have replaced
those certs (ca.pem, puppetmaster.com.pem and the private key
puppetmaster.com.pem) on the external puppetmaster server.

E, [2016-08-04T10:52:11.884954 #28768] ERROR -- : Failed to list puppet
environments: SSL_connect SYSCALL returned=5 errno=0 state=SSLv3 read
finished A
I, [2016-08-04T10:52:11.885523 #28768] INFO -- : xxxx.xxx.xxx - -
[04/Aug/2016:10:52:11 -0400] "GET /puppet/environments HTTP/1.1" 406 102
0.1353

E, [2016-08-04T10:53:20.756483 #28768] ERROR -- :
OpenSSL::SSL::SSLError: SSL_accept returned=1 errno=0 state=SSLv3 read
client certificate A: sslv3 alert bad certificate
/usr/share/ruby/openssl/ssl.rb:226:in `accept'
E, [2016-08-04T11:03:00.619440 #28768] ERROR -- :
OpenSSL::SSL::SSLError: SSL_accept returned=1 errno=0 state=SSLv3 read
client certificate A: tlsv1 alert unknown ca
/usr/share/ruby/openssl/ssl.rb:226:in `accept'

Please advise.
Sai Krishna
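As an added example (not code from the thread or from the Foreman project), here is the offline check, in Ruby since that is what the smart proxy is written in, of the three files that Dominic's question and the YAML above point at: it verifies that :puppet_ssl_cert chains to :puppet_ssl_ca, that :puppet_ssl_key matches the cert, and that the cert is valid for the host in :puppet_url. The certificates and hostnames are constructed inside the block; the demo reproduces the mismatch behind the "unknown ca" alert by checking a cert issued by the Foreman CA against the puppetmaster's old, unrelated CA.

```ruby
require 'openssl'
require 'uri'
require 'tmpdir'
# Offline check of what the smart proxy loads from puppet_proxy_puppet_api.yml:
# the client cert must chain to :puppet_ssl_ca (otherwise the Puppet Server
# answers with the "tlsv1 alert unknown ca" seen in proxy.log), the private key
# must match it, and the cert must be valid for the host in :puppet_url.
def check_puppet_api_ssl(s)
  ca   = OpenSSL::X509::Certificate.new(File.read(s[:puppet_ssl_ca]))
  cert = OpenSSL::X509::Certificate.new(File.read(s[:puppet_ssl_cert]))
  key  = OpenSSL::PKey.read(File.read(s[:puppet_ssl_key]))
  host = URI.parse(s[:puppet_url]).host
  store = OpenSSL::X509::Store.new.tap { |st| st.add_cert(ca) }
  problems = []
  problems << "cert not issued by #{ca.subject}" unless store.verify(cert)
  problems << 'private key does not match cert' unless cert.check_private_key(key)
  problems << "cert not valid for #{host}" unless OpenSSL::SSL.verify_certificate_identity(cert, host)
  problems # empty array means the three files agree with each other and the URL
end

# Constructed material (hypothetical names): self-signed CA when issuer is nil,
# otherwise a leaf signed by issuer = [ca_cert, ca_key]. Returns [cert, key].
def make_cert(cn, issuer = nil)
  key  = OpenSSL::PKey::RSA.new(2048)
  cert = OpenSSL::X509::Certificate.new
  cert.version, cert.serial = 2, rand(1 << 40) + 1
  cert.subject    = OpenSSL::X509::Name.parse("/CN=#{cn}")
  cert.issuer     = issuer ? issuer[0].subject : cert.subject
  cert.public_key = key.public_key
  cert.not_before, cert.not_after = Time.now - 60, Time.now + 86_400
  ef = OpenSSL::X509::ExtensionFactory.new(issuer ? issuer[0] : cert, cert)
  cert.add_extension(ef.create_extension('basicConstraints', issuer ? 'CA:FALSE' : 'CA:TRUE', true))
  cert.sign(issuer ? issuer[1] : key, OpenSSL::Digest.new('SHA256'))
  [cert, key]
end

# The thread's situation: a leaf issued by the Foreman CA, checked once against
# that CA and once against the puppetmaster's old, unrelated CA.
def demo
  foreman_ca = make_cert('Puppet CA: foremanserver.example.com')
  old_ca     = make_cert('Puppet CA: puppetmaster.example.com')
  leaf       = make_cert('puppetmaster.example.com', foreman_ca)
  Dir.mktmpdir do |dir|
    [foreman_ca, old_ca].map do |ca|
      files = { puppet_ssl_ca: ca[0], puppet_ssl_cert: leaf[0], puppet_ssl_key: leaf[1] }
      s = files.to_h { |k, obj| File.write("#{dir}/#{k}.pem", obj.to_pem); [k, "#{dir}/#{k}.pem"] }
      check_puppet_api_ssl(s.merge(puppet_url: 'https://puppetmaster.example.com:8140'))
    end
  end
end
```

To run it against a real proxy, build the settings hash from the YAML file (its keys are Ruby symbols, as in the listings above) and call check_puppet_api_ssl on it as the foreman-proxy user, so file permissions are exercised too.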

Below are the errors while running puppet on puppetmaster server.

> puppet agent --no-daemonize --test --verbose
> Warning: Unable to fetch my node definition, but the agent run will
> continue:
> Warning: SSL_connect returned=1 errno=0 state=error: certificate verify
> failed: [unable to get certificate CRL for /CN=puppetmaster.com]
> Info: Retrieving pluginfacts
> Error: /File[/opt/puppetlabs/puppet/cache/facts.d]: Failed to generate
> additional resources using 'eval_generate': SSL_connect returned=1 errno=0
> state=error: certificate verify failed: [unable to get certificate CRL for
> /CN=puppetmaster.com]
> Error: /File[/opt/puppetlabs/puppet/cache/facts.d]: Could not evaluate:
> Could not retrieve file metadata for puppet:///pluginfacts: SSL_connect
> returned=1 errno=0 state=error: certificate verify failed: [unable to get
> certificate CRL for /CN=puppetmaster…com]
> Info: Retrieving plugin
> Error: /File[/opt/puppetlabs/puppet/cache/lib]: Failed to generate
> additional resources using 'eval_generate': SSL_connect returned=1 errno=0
> state=error: certificate verify failed: [unable to get certificate CRL for
> /CN=puppetmaster…com]
> Error: /File[/opt/puppetlabs/puppet/cache/lib]: Could not evaluate: Could
> not retrieve file metadata for puppet:///plugins: SSL_connect returned=1
> errno=0 state=error: certificate verify failed: [unable to get certificate
> CRL for /CN=puppetmaster.com]
> Info: Loading facts
> Error: Could not retrieve catalog from remote server: SSL_connect
> returned=1 errno=0 state=error: certificate verify failed: [unable to get
> certificate CRL for /CN=puppetmaster…com]
> Warning: Not using cache on failed catalog
> Error: Could not retrieve catalog; skipping run
> Error: Could not send report: SSL_connect returned=1 errno=0 state=error:
> certificate verify failed: [unable to get certificate CRL for
> /CN=puppetmaster…com]

Please advise.
Sai Krishna