Unable to integrate Chef with Katello

Hello Everyone,

I am trying to get Katello 3.7 to integrate with Chef. We are running Chef Server 12.2.

I receive the following error from Katello/Foreman when trying to do a discovery of Chef Environments:

Aug 24 18:25:31 katello1p /usr/sbin/katello-service: *** start finished successfuly ***
Aug 24 18:25:40 katello1p smart-proxy: 2018-08-24 18:25:40 - Errno::EACCES - Permission denied - /etc/chef/client.pem:

I ran the following command to install the Chef Plugin with Katello:

foreman-installer --enable-foreman-plugin-chef --enable-foreman-proxy-plugin-chef --enable-foreman-plugin-tasks --foreman-proxy-plugin-chef-server-url="https://chef1.example.com/organizations/mycompany" --foreman-proxy-plugin-chef-client-name="mycompany-validator" --foreman-proxy-plugin-chef-private-key="/etc/chef/client.pem" --no-enable-puppet --foreman-server-ssl-crl=""

This is what my /etc/foreman-proxy/settings.d/chef.yml file looks like:

---
:enabled: true
:chef_authenticate_nodes: true
:chef_server_url: https://chef1.example.com/organizations/mycompany
# smart-proxy client node needs to have some admin right on chef-server
# in order to retrive all nodes public keys
# e.g. 'host.example.net'
:chef_smartproxy_clientname: mycompany-validator
# e.g. /etc/chef/client.pem
:chef_smartproxy_privatekey: /etc/chef/client.pem

# turning of chef_ssl_verify is not recommended as it turn off authentication
# you can try set path to chef server certificate by chef_ssl_pem_file
# before setting chef_ssl_verify to false
# note that chef_ssl_pem_file must contain both private key and certificate
# because chef-api 0.5 requires it
:chef_ssl_verify: true
:chef_ssl_pem_file: /etc/foreman-proxy/chef_ssl.

I’m not sure what I am doing wrong here. Any help would be appreciated.

Thank you.

Hello, make sure your client.pem is readable by foreman-proxy user. Check permissions and SELinux. IIRC there’s also a bug when used both together with orchestration of host deletion, that was not yet resolved.

Thank you!

Now I am getting a new error, seen in the logs:

Aug 24 21:30:25 katello1p /usr/sbin/katello-service: *** start finished successfuly ***
Aug 24 21:30:30 katello1p smart-proxy: 2018-08-24 21:30:30 - OpenSSL::PKey::RSAError - Neither PUB key nor PRIV key: nested asn1 error:

Any idea what cert it is talking about? Is it the chef_smartproxy_privatekey? Or chef_ssl_pem_file?

Given the error message, it’s probably chef_smartproxy_privatekey. It seems to be something different than RSA.key, did you put chef key there?

So I pointed the chef_smartproxy_privatekey to the /etc/chef/client.pem key that all of our servers use to talk to the Chef server. Is that the key it needs? Or does it need a different key?

Okay, so I believe this error was from the :chef_ssl_pem_file: in /etc/foreman-proxy/settings.d/chef.yml.

I went ahead and set :chef_smartproxy_privatekey: back to /etc/chef/client.pem

And :chef_ssl_pem_file: to a Chef User’s PEM file, and now receive the error:

smart-proxy: 2018-08-24 22:15:14 - OpenSSL::X509::CertificateError - nested asn1 error:

So I’m assuming I’m on the right track? I guess my question is, whose SSL file do I need for :chef_ssl_pem_file:?
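
Added example (not part of the thread and not smart-proxy code): a Ruby check that parses a PEM file with the same OpenSSL classes named in the log errors above and reports which chef.yml setting its contents could serve, going by the comments in the chef.yml quoted earlier. The function names and the generated sample key and certificate are constructed for illustration.

```ruby
require 'openssl'

# Added example, not smart-proxy code: report what a PEM string really contains.
def inspect_pem(data)
  found = { private_key: false, certificate: false, errors: [] }
  begin
    # The empty passphrase stops OpenSSL prompting on a TTY for encrypted keys.
    found[:private_key] = OpenSSL::PKey::RSA.new(data, '').private?
  rescue OpenSSL::OpenSSLError => e
    found[:errors] << "#{e.class} - #{e.message}"
  end
  begin
    OpenSSL::X509::Certificate.new(data)
    found[:certificate] = true
  rescue OpenSSL::OpenSSLError => e
    found[:errors] << "#{e.class} - #{e.message}"
  end
  found
end

# Settings the content could serve, per the comments in the chef.yml above:
# the private key setting needs a key, the SSL PEM file needs key + certificate.
def usable_for(data)
  found = inspect_pem(data)
  settings = []
  settings << ':chef_smartproxy_privatekey:' if found[:private_key]
  settings << ':chef_ssl_pem_file:' if found[:private_key] && found[:certificate]
  settings
end

# Constructed sample input: a throwaway key and self-signed certificate.
def constructed_samples
  key = OpenSSL::PKey::RSA.new(2048)
  cert = OpenSSL::X509::Certificate.new
  cert.version = 2
  cert.serial = 1
  cert.subject = cert.issuer = OpenSSL::X509::Name.parse('/CN=constructed.example')
  cert.public_key = key.public_key
  cert.not_before = Time.now - 60
  cert.not_after = Time.now + 3600
  cert.sign(key, OpenSSL::Digest.new('SHA256'))
  { key_only: key.to_pem, cert_only: cert.to_pem, key_and_cert: key.to_pem + cert.to_pem }
end

if __FILE__ == $PROGRAM_NAME
  # Pass a path as the first argument to inspect a real file instead of the samples.
  inputs = ARGV[0] ? { ARGV[0] => File.read(ARGV[0]) } : constructed_samples
  inputs.each { |name, pem| puts "#{name}: #{usable_for(pem).inspect} #{inspect_pem(pem)[:errors].inspect}" }
end
```

Run it as the foreman-proxy user against the configured paths, so that a permissions problem shows up as the same Errno::EACCES seen in the first log.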