Upload-salt-reports stops after timeout with SSL Error

Hi,

I am putting this in its own post. Maybe it gets lost when it's inline in
the original post
(https://groups.google.com/forum/#!topic/foreman-users/6kBUMI_S63k)

My Setup

  1. Foreman Instance (with its puppet CA)

  2. Saltmaster with Saltapi & SmartProxy

Each on its own machine.

If I call "upload-salt-reports" on the smartproxy, the following Error
occurs.

Traceback (most recent call last):
  File "/usr/sbin/upload-salt-reports", line 142, in <module>
    upload(jobs_to_upload())
  File "/usr/sbin/upload-salt-reports", line 117, in upload
    json.dumps(job), headers)
  File "/usr/lib/python2.7/httplib.py", line 1001, in request
    self._send_request(method, url, body, headers)
  File "/usr/lib/python2.7/httplib.py", line 1035, in _send_request
    self.endheaders(body)
  File "/usr/lib/python2.7/httplib.py", line 997, in endheaders
    self._send_output(message_body)
  File "/usr/lib/python2.7/httplib.py", line 850, in _send_output
    self.send(msg)
  File "/usr/lib/python2.7/httplib.py", line 812, in send
    self.connect()
  File "/usr/lib/python2.7/httplib.py", line 1212, in connect
    server_hostname=server_hostname)
  File "/usr/lib/python2.7/ssl.py", line 350, in wrap_socket
    _context=self)
  File "/usr/lib/python2.7/ssl.py", line 566, in __init__
    self.do_handshake()
  File "/usr/lib/python2.7/ssl.py", line 788, in do_handshake
    self._sslobj.do_handshake()
SSLError: [SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed (_ssl.c:581)

If I put some debug output into upload-salt-reports, these are the
parameters used to upload reports:

Host vmg-utf-foreman-100.to3.zone.loc
Port 443
SSLK /var/lib/puppet/ssl/private_keys/vmg-utf-saltmaster-100.to3.zone.loc.pem
SSLC /var/lib/puppet/ssl/certs/vmg-utf-saltmaster-100.to3.zone.loc.pem

If I am right, it takes the config-values from /etc/salt/foreman.yaml

Hope someone can help me out.

– Tom

I have checked the vmg-utf-saltmaster-100.to3.zone.loc.pem files on the
Foreman instance and on my salt-api instance; they are the same on both systems.

When I try to connect with a REST Tool to
https://vmg-utf-foremann-000.to3.zone.loc/salt/api/v2/jobs/upload

and post a job JSON which I've debugged from upload-salt-reports, I get
an error

{
  "error": {
    "message": "Access denied",
    "details": null
  }
}

But I think it's because my Mac system isn't a known host to Foreman.

I've really no idea what's going wrong with upload-salt-reports. Why
is there an SSL problem?
I can't see any access in the Apache log files on the Foreman system, not
even erroneous entries.

– Tom

Ok, I've tried to install the same Setup on one host! Foreman, Smartproxy
with Salt Plugins and Saltmaster + api

Same result. upload-salt-reports will not run.
In the first step with ssl error.

When configured to non-SSL in /etc/salt/foreman.yaml,
the response from Foreman is "Access denied"

Just when I set the "Restrict registered smart proxies" to false, it
works…

<https://lh3.googleusercontent.com/-J_6R3rE3D0k/Vs81fPT046I/AAAAAAAAOjE/J4FdypoZriI/s1600/Screenshot%2B2016-02-25%2B18.07.47.png>

Also with a curl call from the saltmaster/salt-api:

curl --cacert /var/lib/puppet/ssl/certs/ca.pem -H "Content-Type: application/json" \
  --data @body.json \
  https://vmg-utf-foreman-100.to3.zone.loc/salt/api/v2/jobs/upload

{
"error": {"message":"Access denied","details":null}
}

So, which ca.pem should be in /etc/salt/foreman.yaml?

http://theforeman.org/plugins/foreman_salt/4.0/index.html#2.1.2SaltMasterConfiguration

I've copied it from the Foreman instance, where I've generated the PEMs for my
saltmaster with

puppet cert generate vmg-utf-saltmaster-100.to3.zone.loc

Error log from Apache

==> /var/log/apache2/foreman-ssl_access_ssl.log

192.168.77.31 - - [25/Feb/2016:14:46:41 +0100] "POST /salt/api/v2/jobs/upload HTTP/1.1" 403 58 "-" "curl/7.38.0"

It must be a configuration problem…Found nothing similar…

Thanks for help.

– Tom


> From: "Tom K." <tn@to3.de>
> To: "Foreman users" <foreman-users@googlegroups.com>
> Sent: Thursday, February 25, 2016 12:11:01 PM
> Subject: [foreman-users] Re: upload-salt-reports stops after timeout with SSL Error
>
> Ok, I've tried to install the same Setup on one host! Foreman, Smartproxy
> with Salt Plugins and Saltmaster + api
>
> Same result. upload-salt-reports will not run.
> In the first step with ssl error.
>
> When configured to non-SSL in /etc/salt/foreman.yaml,
> the response from Foreman is "Access denied"

What's the contents of /etc/salt/foreman.yaml? On an all-in-one-setup, I don't
see why it wouldn't work following the manual.


You received this message because you are subscribed to the Google Groups
"Foreman users" group.
To unsubscribe from this group and stop receiving emails from it, send an
email to foreman-users+unsubscribe@googlegroups.com.
To post to this group, send email to foreman-users@googlegroups.com.
Visit this group at https://groups.google.com/group/foreman-users.
For more options, visit https://groups.google.com/d/optout.

Hi Stephen,

its content :

---
:proto: http
:host: vmg-utf-foresalt-000.to3.zone.loc
:port: 80
:ssl_ca: /var/lib/puppet/ssl/certs/ca.pem
:ssl_key: /var/lib/puppet/ssl/private_keys/vmg-utf-foresalt-000.to3.zone.loc.pem
:ssl_cert: /var/lib/puppet/ssl/certs/vmg-utf-foresalt-000.to3.zone.loc.pem
:timeout: 10
:salt: /usr/bin/salt

:upload_grains: true

Meanwhile I use it without ssl. The report upload seems to work, but where
should I see them?

Found nothing. :-/

But our goal is to deploy different saltmasters (with smartproxy) for
different datacenters, with Foreman on top. So
I have to separate them during installation.

That was my foreman-installer call:

foreman-installer --foreman-db-type=mysql --enable-foreman-compute-vmware \
  --enable-foreman-plugin-salt --enable-foreman-plugin-setup \
  --enable-foreman-proxy-plugin-salt --foreman-db-type=mysql \
  --foreman-admin-email="t.k@homeserv.loc" --foreman-admin-first-name=Tom \
  --foreman-admin-last-name=K --foreman-admin-username="t.k@homeserv.loc" \
  --foreman-admin-password=simsalabim \
  --foreman-foreman-url=https://vmg-utf-foresalt-000.to3.zone.loc \
  --foreman-proxy-foreman-base-url=https://vmg-utf-foresalt-000.to3.zone.loc \
  --foreman-proxy-trusted-hosts=vmg-utf-foresalt-000.to3.zone.loc

The very first problem was the standard installation with Postgres.
Postgres needs its actions run as a postgres user; during installation as
root, the installation can't create the tables. "no role 'root' found" or
something like this. So I switched to MySQL, which works better. Everything
on a Debian…

What is your preferred OS to install something like that?

– Tom


Have you not added the Smart Proxy to the Infrastructure / Smart Proxies page?

> From: "Tom K." <tn@to3.de>
> To: "Foreman users" <foreman-users@googlegroups.com>
> Cc: stephen@redhat.com
> Sent: Friday, February 26, 2016 2:30:42 AM
> Subject: Re: [foreman-users] Re: upload-salt-reports stops after timeout with SSL Error
>
> Hi Stephen,
>
> its content :
>
> ---
> :proto: http
> :host: vmg-utf-foresalt-000.to3.zone.loc
> :port: 80
> :ssl_ca: /var/lib/puppet/ssl/certs/ca.pem
> :ssl_key: /var/lib/puppet/ssl/private_keys/vmg-utf-foresalt-000.to3.zone.loc.pem
> :ssl_cert: /var/lib/puppet/ssl/certs/vmg-utf-foresalt-000.to3.zone.loc.pem
> :timeout: 10
> :salt: /usr/bin/salt
> :upload_grains: true
>
>
> Meanwhile I use it without ssl. The report upload seems to work, but where
> should I see them?
>
> Found nothing. :-/

Under Monitor / Configuration Management or Monitor / Reports depending on the version of Foreman.

Have you (re)started the foreman-tasks service? What's the output of upload-salt-reports? Have you
run some highstate on your salt minions? Are there any entries under the Monitor / Tasks menu?

SSL should work, but it's really up to you to configure this properly. It's basic SSL client authentication,
you need to generate a certificate using the same CA the Foreman does. Those are the values (CA, key, cert)
that go into the various configuration files. You have something misconfigured somewhere, but I have a really
hard time following all the many things you've tried.
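
An added example (not part of the thread, and not Foreman's or the salt plugin's own code): a preflight check for the foreman.yaml keys posted above, following the client-authentication setup described in the reply. The sample host and certname are constructed placeholders, the line parser is a simplification rather than a YAML parser, and the check does not prove that the CA issued the certificates.

```python
import os
import ssl

# Constructed sample in the layout posted in the thread; host and certname are placeholders.
SAMPLE = """---
:proto: http
:host: foreman.example.test
:port: 80
:ssl_ca: /var/lib/puppet/ssl/certs/ca.pem
:ssl_key:
/var/lib/puppet/ssl/private_keys/saltmaster.example.test.pem
:ssl_cert: /var/lib/puppet/ssl/certs/saltmaster.example.test.pem
"""

def parse_config(text):
    """Read flat ':key: value' lines; a value may wrap onto the next line."""
    cfg, last = {}, None
    for line in (raw.strip() for raw in text.splitlines()):
        if not line or line == "---":
            continue
        if line.startswith(":") and ":" in line[1:]:
            last, _, value = line[1:].partition(":")
            cfg[last] = value.strip()
        elif last is not None and not cfg[last]:
            cfg[last] = line  # continuation of an empty value
    return cfg

def preflight(cfg, check_files=True):
    """Return a list of findings; an empty list means nothing obvious is wrong."""
    findings = []
    if cfg.get("proto") != "https":
        findings.append("proto is not https: no TLS session, so ssl_cert/ssl_key are never presented")
    names = [os.path.basename(cfg.get(k, "")) for k in ("ssl_key", "ssl_cert")]
    if names[0] != names[1]:
        findings.append("ssl_key and ssl_cert file names differ (puppet names both <certname>.pem)")
    if check_files:
        missing = [k for k in ("ssl_ca", "ssl_key", "ssl_cert") if not os.path.isfile(cfg.get(k, ""))]
        findings += ["%s not readable: %s" % (k, cfg.get(k)) for k in missing]
        if not missing:
            try:
                ctx = ssl.create_default_context(cafile=cfg["ssl_ca"])  # CA used to verify Foreman
                ctx.load_cert_chain(cfg["ssl_cert"], cfg["ssl_key"])    # fails if key and cert do not match
            except (ssl.SSLError, OSError) as exc:
                findings.append("TLS material rejected: %s" % exc)
    return findings

if __name__ == "__main__":
    for finding in preflight(parse_config(SAMPLE)):
        print("FINDING:", finding)
```
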
