Webhook/Shellhook not working as expected

I do not fully understand all this so I would not be surprised if I have the config wrong but here is what I have:

Created a Webhook/shellhook like so:
Subscribe to: Host Created
Target URL: https://fm.example.com:9090/shellhook/ShellHookTest01
Template:
HTTP Content Type: application/json
HTTP Headers: { "X-Shellhook-Arg-1": "<%= @object.name -%>" }
ShellHookTest01 script:
#!/usr/bin/sh
# $1 is the host name passed in through the X-Shellhook-Arg-1 header.
hostName="$(sudo -n hammer --output 'csv' host info --name "${1}" --fields 'Name')"
hostCV="$(sudo -n hammer --output 'csv' host info --name "${1}" --fields 'Content information/content view environments/content view/name')"
hostLC="$(sudo -n hammer --output 'csv' host info --name "${1}" --fields 'Content information/content view environments/lifecycle environment/name')"
Date="$(date)"
# Print the timestamp and the three values looked up above.
echo "${Date}"
echo "[ >>> ${hostName} <<< ]"
echo "[ >>> ${hostCV} <<< ]"
echo "[ >>> ${hostLC} <<< ]"

I have "Do not verify SSL" set and I am using a valid Username/Password.
/var/log/foreman/production.log output:

2025-01-22T14:42:48 [I|app|ca322119] Enqueued ForemanWebhooks::DeliverWebhookJob (Job ID: f9e0f03f-55a3-4aa8-b3ab-c9d432a7afdd) to Dynflow(default) with arguments: {:event_name=>"host_created.event.foreman", :payload=>"", :headers=>"{\n  \"X-Shellhook-Arg-1\": \"louis-test101-host01.example.net\"\n}", :url=>"https://fm01-main02a.example.net:9090/shellhook/SetHostCollection", :webhook_id=>2}
2025-01-22T18:42:26 [I|app|87cfc595] Performing ForemanWebhooks::DeliverWebhookJob (Job ID: da44714b-3645-4111-9c7f-7d0940393926) from Dynflow(default) enqueued at 2025-01-22T18:42:26Z with arguments: {:event_name=>"host_created.event.foreman", :payload=>"", :headers=>"{\n  \"X-Shellhook-Arg-1\": \"louis-test106-host01.example.net\"\n}", :url=>"https://fm01-main02a.example.net:9090/shellhook/SetHostCollection", :webhook_id=>2}
2025-01-22T18:42:26 [I|app|87cfc595] Performing 'SetHostCollection' webhook request for event 'host_created.event.foreman'
2025-01-22T18:42:26 [E|app|87cfc595] POST response was 403
2025-01-22T18:42:26 [E|app|87cfc595] Error performing ForemanWebhooks::DeliverWebhookJob (Job ID: da44714b-3645-4111-9c7f-7d0940393926) from Dynflow(default) in 12.13ms: RuntimeError (403: Forbidden):

/var/log/foreman-proxy/proxy.log just complains about the SSL Cert but if I am verifying it it should not matter???

Did you already increase the log level for the Smart Proxy to debug? This may help, as the service will then give you more details. At least it helped me when running into problems when testing the feature.

Hi @Louis_Bohm,

The issue is indeed in authentication. Since your proxy runs on https anyway, could you check the Proxy Authorization field in the webhook form to see if it fixes the issue? It will probably want to check Verify SSL as well.

I did not before but I have now.

If I am reading this correctly, despite setting up the webhook with Verify SSL: NOT CHECKED, the /var/log/foreman-proxy/proxy.log is showing me:

2025-01-23T13:11:15 31315024 [I] Started POST /shellhook/SetHostCollection
2025-01-23T13:11:15 31315024 [E] No client SSL certificate supplied
2025-01-23T13:11:15 31315024 [W] Error details for No client SSL certificate supplied: <Exception>: No client SSL certificate supplied
2025-01-23T13:11:15 31315024 [W] No client SSL certificate supplied: <Exception>: No client SSL certificate supplied
2025-01-23T13:11:15 31315024 [I] Finished POST /shellhook/SetHostCollection with 403 (0.49 ms)

When using shellhooks (which runs via smart-proxy), you do not want to use username/password, but SSL authentication. The smart-proxy only knows certificate based authentication.
In your Webhook settings, under “credentials”, enable both SSL validation and Proxy Authorization. With that everything should work as expected.

I have had a username/password in the config but that was not enough. After a bit of looking and guessing I set the following:
Verify SSL: UNChecked
Proxy Authorization: Checked
X509 Certification Authorities: Set this to the Katello CA.

This all allowed the ShellHook to do all its HTTPS stuff. Then the script failed on other things. I needed a .hammer and .cache directory created in foreman-proxy directory. Which I created. Now I am getting permission denied running hammer commands. I can add SUDO in front of the hammer commands but the user foreman-proxy is a daemon user and does not have a password.

The error I am seeing in the proxy.log is:
2025-01-23T13:49:04 67d29e0d [W] [3321423] Error: No such device or address @ rb_sysopen - /dev/tty

I see that there was a bug 5 years ago that was fixed like this. But I am using a version of hammer that's way newer:
hammer (3.11.0)

  • hammer_cli_foreman (3.11.0)
  • hammer_cli_foreman_ansible (0.7.0)
  • hammer_cli_foreman_remote_execution (unknown version)
  • hammer_cli_foreman_ssh (0.0.3)
  • hammer_cli_foreman_tasks (unknown version)
  • hammer_cli_foreman_webhooks (0.1.0)
  • hammer_cli_katello (1.13.0.pre.master)

After a lot of playing around I found that you cannot copy in the .hammer directory into foreman-proxy home dir. This causes ruby to try to do an Interactive login which fails on the tty.

The only simple way I found was to pass the user / password in the hammer command. This sucks because a login is in clear text in the shellhook script but it works.
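
The last post leaves the login in clear text inside the shellhook script. The following is an added example, not code from the thread: a version of the hook that reads the login from a separate owner-only file and validates the host name argument before handing it to hammer. The credential file path, its two-line layout and the function names are assumptions.

```shell
#!/bin/sh
# Added example, not from the thread. CRED_FILE and its two-line layout
# (user name on line 1, password on line 2) are hypothetical.
CRED_FILE="${CRED_FILE:-/path/to/shellhook-hammer.cred}"

# Accept only DNS-style names: 1-253 characters from [A-Za-z0-9.-], no
# leading or trailing '.' or '-', no empty labels.
valid_hostname() {
    [ "${#1}" -ge 1 ] && [ "${#1}" -le 253 ] || return 1
    case "$1" in
        *[!A-Za-z0-9.-]*|[.-]*|*[.-]|*..*) return 1 ;;
    esac
    return 0
}

# Refuse a credential file that is missing, owned by another user, or has
# any mode other than 600/400 (uses GNU stat).
cred_file_ok() {
    [ -f "$1" ] || return 1
    meta="$(stat -c '%a %u' "$1")" || return 1
    [ "${meta#* }" = "$(id -u)" ] || return 1
    case "${meta% *}" in
        600|400) return 0 ;;
        *) return 1 ;;
    esac
}

main() {
    valid_hostname "$1" || { echo "rejected host name argument" >&2; return 64; }
    cred_file_ok "$CRED_FILE" || { echo "unsafe credential file" >&2; return 77; }
    { IFS= read -r hammer_user; IFS= read -r hammer_pass; } < "$CRED_FILE"
    # Still passed on the command line, so local users can see it in the
    # process list while hammer runs.
    hammer -u "$hammer_user" -p "$hammer_pass" --output csv \
        host info --name "$1" --fields 'Name'
}

# The shellhook passes X-Shellhook-Arg-1 as $1; do nothing without it.
if [ "$#" -gt 0 ]; then
    main "$@"
fi
```

The credential file would be created by the foreman-proxy user with mode 600, so the script can stay readable without exposing the login.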