Unattended Provision Issues possibly ssl

Hi all,

I'm having an issue with ssl redirects and the provision url in
foreman/smart proxy.

I'm using Foreman version 1.6.1-1 on a CentOS 6.5 host.

When I try hitting curl -L
http://172.x.x.a/unattended/provision?spoof=172.x.x.b it redirects to the
ssl port. This even occurs when performing the curl from the foreman host
to itself.

curl -v -L http://172.x.x.a/unattended/provision?spoof=172.x.x.b

    * About to connect() to 172.16.40.128 port 80 (#0)
    * Trying 172.x.x.a... connected
    * Connected to 172.x.x.a (172.x.x.a) port 80 (#0)
    > GET /unattended/provision?spoof=172.x.x.b HTTP/1.1
    > User-Agent: curl/7.19.7 (x86_64-redhat-linux-gnu) libcurl/7.19.7 NSS/3.15.3 zlib/1.2.3 libidn/1.18 libssh2/1.4.2
    > Host: 172.x.x.a
    > Accept: */*
    >
    < HTTP/1.1 302 Found
    < Date: Wed, 18 Feb 2015 00:32:59 GMT
    < Server: Apache/2.2.15 (CentOS)
    < X-UA-Compatible: IE=Edge,chrome=1
    < Cache-Control: no-cache
    < X-Request-Id: 754f3ef7855c4fb872f60971e44aae65
    < X-Runtime: 0.006933
    < X-Rack-Cache: miss
    < X-Powered-By: Phusion Passenger 4.0.18
    < Location: https://172.x.x.a/unattended/provision
    < Status: 302 Found
    < Connection: close
    < Transfer-Encoding: chunked
    < Content-Type: text/html; charset=utf-8
    <
    * Closing connection #0
    * Issue another request to this URL: 'https://172.x.x.a/unattended/provision'

I've checked the unattended_url and it is set to http://172.x.x.a, so I'm at
a loss as to why it isn't abiding by that.

I'm trying to provision ESXi 5.5, so https is out of the question during the
pxe build.

Currently the /etc/httpd/conf.d/foreman.conf resembles

<VirtualHost *:80>
ServerName foreman etc etc
ServerAlias foreman etc etc
DocumentRoot /usr/share/foreman/public
PassengerAppRoot /usr/share/foreman
PassengerRuby /usr/bin/ruby193-ruby

AddDefaultCharset UTF-8

</VirtualHost>

<VirtualHost *:443>
ServerName foreman etc etc
ServerAlias foreman. etc etc

DocumentRoot /usr/share/foreman/public
PassengerAppRoot /usr/share/foreman
PassengerRuby /usr/bin/ruby193-ruby

# Use puppet certificates for SSL

SSLEngine On
SSLCertificateFile /var/lib/puppet/ssl/certs/foreman.pem
SSLCertificateKeyFile /var/lib/puppet/ssl/private_keys/foreman.pem
SSLCertificateChainFile /var/lib/puppet/ssl/certs/ca.pem
SSLCACertificateFile /var/lib/puppet/ssl/certs/ca.pem
SSLVerifyClient optional
SSLOptions +StdEnvVars
SSLVerifyDepth 3

</VirtualHost>

Anyone got any ideas?

Matt

This thread seems similar and was the original testing I did.

https://groups.google.com/d/topic/foreman-users/jqwvQ3tYDq4/discussion

however checking these settings hasn't turned up anything.


When hitting the ssl address using curl it returns a 405. Hitting it in a
browser usually returns a blank page…

It seems ESX5.5 can use SSL to download the KS so there may be something
else going on as well.

Both the pxelinux and KS template render correctly in foreman.


Hello,

> When I try hitting curl -L
> http://172.x.x.a/unattended/provision?spoof=172.x.x.b it redirects to the
> ssl port. This even occurs when performing the curl from the foreman host
> to itself.

Spoofing requires you to be authenticated. If you really want to see the
template via http, you need to either do it from the IP address that is
assigned to that host, or provide a valid token (according to your global
Foreman settings - tokens are default from 1.5 version AFAIK).

--
Later,
Lukas #lzap Zapletal

Host is in build mode

Even tried recreating it

TFTP file exists for the mac and the pxe boot itself is working. Just the
retrieval of the KS file being the issue.

Matt


Some supporting info:

The "require_ssl" setting in Foreman's config file (default: true)
forces all requests to http://… to be redirected to https://… for
security. However, the non-spoof provisioning URLs are specifically
exempt from this redirection, as many installers don't have https
support. This means (as Lukas rightly says) that
/unattended/provision?spoof=… will work on https if you are logged
in; and /unattended/provision will work without https or
authentication, but only from the host in question (the request IP is
used as a lookup), or by supplying the correct id token.

Hope that helps clarify
Greg
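
A simplified Ruby model of the rules Lukas and Greg describe above, added here as an illustration; it is not Foreman's code, and `Request`, `HOSTS`, `decide`, the host name, addresses and token value are hypothetical. The `:denied` and `:not_found` outcomes are assumed labels, since the thread does not say what a failed lookup returns.

```ruby
# Simplified model of the behaviour described in this thread; NOT Foreman's code.
# Request, HOSTS and decide are hypothetical names used only for illustration.
Request = Struct.new(:scheme, :host, :path, :params, :remote_ip, :logged_in,
                     keyword_init: true)

# Constructed sample inventory: one host in build mode with a build token.
HOSTS = [
  { name: "esx01", ip: "192.0.2.10", token: "constructed-token-1" }
].freeze

def decide(req, require_ssl: true)
  spoof = req.params["spoof"]

  # require_ssl redirects http to https; only non-spoof provisioning URLs
  # are exempt. As in the curl trace, the Location carries no query string.
  exempt = req.path.start_with?("/unattended/") && spoof.nil?
  if require_ssl && req.scheme == "http" && !exempt
    return [:redirect, "https://#{req.host}#{req.path}"]
  end

  host =
    if spoof
      # Viewing another host's template requires a logged-in session.
      return [:denied, nil] unless req.logged_in  # assumed outcome label
      HOSTS.find { |h| h[:ip] == spoof }
    elsif req.params["token"]
      # A valid token identifies the host regardless of source address.
      HOSTS.find { |h| h[:token] == req.params["token"] }
    else
      # Otherwise the request IP is used as the lookup key.
      HOSTS.find { |h| h[:ip] == req.remote_ip }
    end

  host ? [:render, host[:name]] : [:not_found, nil]  # :not_found is assumed
end

# The request from the original post: spoof over plain http, not logged in.
original_post = Request.new(scheme: "http", host: "foreman.example",
                            path: "/unattended/provision",
                            params: { "spoof" => "192.0.2.10" },
                            remote_ip: "192.0.2.1", logged_in: false)
puts decide(original_post).inspect
```
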


Got it solved guys

The issue was the pxe template. I added "IPAPPEND 2" and "kssendmac" to the
kernel line and it started working…

Confirm the template was working via the spoof url when I was authenticated.

Thanks for all your efforts

Regards
Matt
