Unable to import environments and classes with foreman-proxy 1.16-RC2


While doing a new installation for experimental purposes before our upgrade to Puppet 5 & Foreman 1.16, I'm running into a problem.

Here's a quick overview of my setup, since I split my services across different hosts:

1 x foreman host (foreman 1.16-RC2)
1 x puppet master (puppet server 5) + registered foreman-proxy 1.16-RC2
1 x puppet ca (puppet server 5) + registered foreman-proxy 1.16-RC2
1 x apache loadbalancer (offloads SSL, sends traffic to puppetmaster & puppetca with the needed headers)

The problem is that I am unable to call the Puppet API through the foreman-proxy, for example to import the classes into Foreman. When doing that, I get the following error message:

2017-11-28 21:06:39,914 ERROR [qtp133375752-56] [p.t.a.rules] Forbidden
request: access to /puppet/v3/environments (method :get)
(authenticated: false) denied by rule 'puppetlabs environments'.

The 'puppetlabs environments' rule is defined in
/etc/puppetlabs/puppetserver/conf.d/auth.conf and looks like this:

{
    match-request: {
        path: "/puppet/v3/environments"
        type: path
        method: get
    }
    allow: "*"
    sort-order: 500
    name: "puppetlabs environments"
}

This looks good and is also what's specified in the documentation.

I was able to fix the problem by changing allow-header-cert-info to false in the same file
(/etc/puppetlabs/puppetserver/conf.d/auth.conf).
This is however not something I want, since it's very unsafe (it would allow unauthorized requests to my Puppet master).

I kept debugging (both http:8139 and https:8140) and found out that with allow-header-cert-info set to true the following does not work:

curl localhost:8139/puppet/v3/environments
Forbidden request: /puppet/v3/environments (method :get). Please see the
server logs for details.

... and this does work (adding correct headers):

curl -H "X-Client-DN: CN=authorized-host-by-ca" -H "X-Client-Verify: SUCCESS" localhost:8139/puppet/v3/environments


I added logging of the request headers to logback.xml to see what data the foreman-proxy sends:

<pattern>%h %l %u [%t] "%r" %s %b "%i{Referer}" "%i{User-Agent}" %D %i{X-Client-DN} %i{X-Client-Verify}</pattern>

With the changed access logging, this is the failed foreman-proxy request:

- - [28/Nov/2017:21:06:44 +0000] "GET /puppet/v3/environments HTTP/1.1" 403 97 "-" "Ruby" 7 - -

... and this was the previous succeeding curl request:

- - [28/Nov/2017:21:26:34 +0000] "GET /puppet/v3/environments HTTP/1.1" 200 1047 "-" "curl/7.52.1" 438 CN=authorized-host-by-ca SUCCESS

So as far as I understand, it looks like foreman-proxy is not sending the X-Client-DN and X-Client-Verify header data.

Could it be possible that this is unexpected behaviour? Am I missing something?
How should I make this work without setting allow-header-cert-info to false?

As a reference, here's the foreman-installer command used for installation of the puppetmaster host:

foreman-installer \
--no-enable-foreman \
--no-enable-foreman-cli \
--no-enable-foreman-plugin-setup \
--enable-foreman-proxy \
--enable-puppet \
--foreman-proxy-trusted-hosts=foreman.example.lan \
--foreman-proxy-tftp=false \
--foreman-proxy-dhcp=false \
--foreman-proxy-dhcp-range="false" \
--foreman-proxy-dns=false \
--foreman-proxy-puppetca=false \
--foreman-proxy-foreman-base-url=https://foreman.example.lan \
--foreman-proxy-oauth-consumer-key=masked-key \
--foreman-proxy-oauth-consumer-secret=masked-secret \
--puppet-server-ca=false \
--puppet-server-certname=puppetmaster.example.lan \
--puppet-server-foreman-url=https://foreman.example.lan \
--puppet-server-http=true \
--puppet-server-http-port=8139 \
--puppet-client-certname=puppetmaster.example.lan

Thank you,
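As an added example (not part of the post above), here is a small parser for the access-log pattern quoted in the post that flags every request reaching Puppet Server without a verified client identity, i.e. without both X-Client-DN and X-Client-Verify: SUCCESS, which is what auth.conf denies when allow-header-cert-info is true. The sample log lines, host addresses and the two extra agent requests are constructed; only the first two mirror the proxy and curl requests shown in the post.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Regex for the logback access pattern from the post:
#   %h %l %u [%t] "%r" %s %b "%i{Referer}" "%i{User-Agent}" %D %i{X-Client-DN} %i{X-Client-Verify}
# Logback prints "-" for an absent field or header. %h is optional because the lines
# quoted in the post start with "- -"; X-Client-DN is unquoted and may contain spaces,
# so it is taken as everything before the final token.
LOG_RE = re.compile(
    r'^(?:(?P<host>\S+) )?(?P<ident>\S+) (?P<user>\S+) \[(?P<time>[^\]]+)\] '
    r'"(?P<request>[^"]*)" (?P<status>\d{3}) (?P<bytes>\S+) '
    r'"(?P<referer>[^"]*)" "(?P<agent>[^"]*)" (?P<ms>\d+) '
    r'(?P<dn>.+) (?P<verify>\S+)$'
)

@dataclass
class AccessEntry:
    host: Optional[str]
    time: str
    request: str
    status: int
    agent: str
    client_dn: Optional[str]      # None when the header was absent ("-")
    client_verify: Optional[str]  # None when absent; Puppet Server only trusts "SUCCESS"

def _absent(value: Optional[str]) -> Optional[str]:
    return None if value in (None, "-") else value

def parse_line(line: str) -> Optional[AccessEntry]:
    """Parse one access-log line in the pattern above; None if it does not match."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    return AccessEntry(m["host"], m["time"], m["request"], int(m["status"]), m["agent"],
                       _absent(m["dn"]), _absent(m["verify"]))

def unverified_requests(entries: List[AccessEntry]) -> List[AccessEntry]:
    """Requests without a verified client identity: no DN, or a DN whose
    X-Client-Verify is not SUCCESS (a DN alone proves nothing)."""
    return [e for e in entries if e.client_dn is None or e.client_verify != "SUCCESS"]

# Constructed sample log (hosts and the agent requests are made up).
SAMPLE_LOG = """\
10.0.0.5 - - [28/Nov/2017:21:06:44 +0000] "GET /puppet/v3/environments HTTP/1.1" 403 97 "-" "Ruby" 7 - -
10.0.0.9 - - [28/Nov/2017:21:26:34 +0000] "GET /puppet/v3/environments HTTP/1.1" 200 1047 "-" "curl/7.52.1" 438 CN=authorized-host-by-ca SUCCESS
10.0.0.7 - - [28/Nov/2017:21:31:12 +0000] "GET /puppet/v3/catalog/agent1.example.lan HTTP/1.1" 403 97 "-" "Puppet/5.3.3" 6 CN=agent1.example.lan NONE
10.0.0.5 - - [28/Nov/2017:21:40:00 +0000] "GET /puppet/v3/environments HTTP/1.1" 200 1047 "-" "Ruby" 12 CN=puppetmaster.example.lan SUCCESS
"""
```

Running `unverified_requests` over the parsed SAMPLE_LOG returns the "Ruby" request with no headers and the "Puppet/5.3.3" request whose DN came without a SUCCESS verification; the curl request and the proxy request carrying both headers pass.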