Hello,
I have generated certificates in the foreman server according to the
puppetmaster hostname. The smart proxy (puppetmaster) has been added to the
smart proxy list in the foreman GUI. The error is resolved.
After that, when I am trying to add Puppet classes, I am getting the below
error on the Foreman GUI.
Error: ERF12-2749 [ProxyAPI::ProxyException]: Unable to get environments
from Puppet ([RestClient::NotAcceptable]: 406 Not Acceptable) for proxy
https://puppetmaster.exapmle.com:8443/puppet
Below is the error in /var/log/foreman-proxy/proxy.log:
E, [2016-07-29T15:03:44.169966 #30702] ERROR -- : Failed to list puppet
environments: SSL_connect returned=1 errno=0 state=SSLv3 read server
certificate B: certificate verify failed
I, [2016-07-29T15:03:44.170369 #30702] INFO -- : 1x.1xx.xxx.xxx - -
[29/Jul/2016:15:03:44 -0400] "GET /puppet/environments HTTP/1.1" 406 131
0.0063
E, [2016-07-29T15:17:08.632367 #30702] ERROR -- : OpenSSL::SSL::SSLError:
SSL_accept returned=1 errno=0 state=SSLv2/v3 read client hello A: unknown
protocol
/usr/share/ruby/openssl/ssl.rb:226:in `accept'
Below is the other error I got when I tried curl:
curl -v https://puppetmaster.exapmle.com:8443/puppet
* About to connect() to puppetmaster.example.com port 8443 (#0)
*   Trying xx.xxx.xxx.xxx...
* Connected to puppetmaster.example.com (xx.xx.xxx.xxx) port 8443 (#0)
* Initializing NSS with certpath: sql:/etc/pki/nssdb
*   CAfile: /etc/pki/tls/certs/ca-bundle.crt
  CApath: none
* Server certificate:
*   subject: CN=puppetmaster.exapmle.com
*   start date: Jul 28 13:52:01 2016 GMT
*   expire date: Jul 28 13:52:01 2021 GMT
*   common name: puppetmaster.exapmle.com
*   issuer: CN=Puppet CA: foremanserver.exapmle.com
* NSS error -8172 (SEC_ERROR_UNTRUSTED_ISSUER)
* Peer's certificate issuer has been marked as not trusted by the user.
* Closing connection 0
curl: (60) Peer's certificate issuer has been marked as not trusted by the
user.
More details here: http://curl.haxx.se/docs/sslcerts.html
curl performs SSL certificate verification by default, using a "bundle"
of Certificate Authority (CA) public keys (CA certs). If the default
bundle file isn't adequate, you can specify an alternate file
using the --cacert option.
If this HTTPS server uses a certificate signed by a CA represented in
the bundle, the certificate verification probably failed due to a
problem with the certificate (it might be expired, or the name might
not match the domain name in the URL).
If you'd like to turn off curl's verification of the certificate, use
the -k (or --insecure) option.

ls -ld /etc/puppetlabs/
drwxr-xr-x 8 puppet puppet 98 Jun 29 10:20 /etc/puppetlabs/
ls -ld /etc/puppetlabs/puppet/
drwxr-xr-x 3 puppet puppet 131 Jul 29 15:22 /etc/puppetlabs/puppet/
ls -ld /etc/puppetlabs/puppet/ssl/
drwxrwx--x 8 puppet puppet 119 Jul 14 15:21 /etc/puppetlabs/puppet/ssl/
ls -ld /etc/puppetlabs/puppet/ssl/certs/ca.pem
-rw-r--r-- 1 puppet puppet 1997 Jul 29 09:50 /etc/puppetlabs/puppet/ssl/certs/ca.pem
sestatus
SELinux status: disabled
The Foreman user is in the puppet group [puppet:x:249:foreman-proxy].
I have also tried sudo -u foreman-proxy cat
/var/lib/puppet/ssl/certs/ca.pem and it's working.
puppet --version (on puppetmaster where foreman smart proxy is running)
4.5.2
I have tried telnet from the foreman server to the puppet master; it is
connecting.
Foreman proxy is running on the puppetmaster.
/etc/puppetlabs/puppet/auth.conf:
path /puppet/v3/environments
method find
allow *
path /puppet/v3/resource_type
method search
allow *
Please advise.
Sai Krishna