Unable to push facts with Foreman

Hello everyone! I’m having issues with pushing facts to Foreman, where I get the following error:

[root@puppet ~]# sudo -u puppet /etc/puppetlabs/puppet/node.rb <redacted domain> --push-facts
During fact upload occured an exception: SSL_connect returned=1 errno=0 state=error: tlsv1 alert unknown ca
During fact upload occured an exception: Could not send facts to Foreman: SSL_connect returned=1 errno=0 state=error: tlsv1 alert unknown ca
[root@puppet ~]#

But I can verify that the following does work between Foreman and Puppet:

[root@puppet ~]# puppet agent --test
Info: Using configured environment 'production'
Info: Retrieving pluginfacts
Info: Retrieving plugin
Info: Retrieving locales
Info: Loading facts
Info: Caching catalog for <redacted domain>
Info: Applying configuration version '1574664355'
Notice: Applied catalog in 0.34 seconds
[root@puppet ~]#

I am using the following SSL settings:

foreman-installer \
  --foreman-server-ssl-cert="/etc/puppetlabs/puppet/rapidssl/<redacted domain>.crt" \
  --foreman-server-ssl-certs-dir="/etc/puppetlabs/puppet/rapidssl" \
  --foreman-server-ssl-key="/etc/puppetlabs/puppet/rapidssl/<redacted domain>.key" \
  --foreman-server-ssl-ca="/etc/puppetlabs/puppet/rapidssl/<redacted domain>.ca" \
  --foreman-server-ssl-chain="/etc/puppetlabs/puppet/rapidssl/<redacted domain>.bundle" \
  --puppet-server-foreman-ssl-ca="/etc/puppetlabs/puppet/rapidssl/<redacted domain>.ca" \
  --foreman-proxy-foreman-ssl-ca="/etc/puppetlabs/puppet/rapidssl/<redacted domain>.ca"

We’d appreciate any and all help on this issue, thank you.

This parameter is normally not used. We should probably drop it. I’d reset it with --reset-foreman-server-ssl-certs-dir

We use client certificates for authentication. If you set these both, the client certs also need to be signed by that CA. Since you’re not specifying client certs for Puppet and Foreman Proxy to use, you are still sending Puppet signed client certs. You should leave --foreman-server-ssl-ca the default. You can use --reset-foreman-server-ssl-ca now.


Hello @ekohl,

Thank you so kindly, this has made Foreman work for us for the most part and I’m immensely appreciative for that! I’ve been at this for way too long otherwise.

Thank you so much :smiley: