Bug #23055

closed

Dynflow SSL Issue when using custom SSL Certificate

Added by TJ Hamamoto about 6 years ago. Updated about 3 years ago.

Status: Rejected
Priority: Normal
Assignee: -
Category: Smart Proxy Dynflow
Target version:
Difficulty:
Triaged: No
Fixed in Releases:
Found in Releases:

Description

This would be my first ticket, so please let me know if I'm not doing something correctly.

Some background first:
We were using Foreman version 1.15.6 with Remote SSH Execution enabled. The SSL for the Web UI was set with our domain's Wildcard SSL Certificate and all was working just perfectly.
When we tried setting up a client that had Puppet version 5 we couldn't get the agent to run because of the puppet version conflict.
So we did the following:

1. Upgraded puppet from 3 to 4
2. Upgraded foreman from 1.15.6 to 1.16
3. Upgraded puppet from 4 to 5
(followed the instructions from the foreman site for each step)

Everything seemed to be working well; the smart proxy has a green checkmark, no warning logs, and the clients are in sync.
However, when trying to issue a remote shell script, the script waits for a minute or two and then fails.
But when I look at the sub-task, the command does get executed. (I tested an scp command and it was successfully transferred)
The sub-task result displays as follows:

Failed to initialize: Dynflow::ExecutionPlan::Steps::Error - ERF42-3325 [Foreman::Exception]: The smart proxy task fa31b59e-0aac-484e-a8d8-c8078aee9a7e failed.

I then looked at foreman-proxy/proxy.log and found the following ERROR lines:

ERROR -- SSL_connect returned=1 errno=0 state=error: certificate verify failed (RestClient::SSLCertificateNotVerified)

Before this line, the SSL certificate that was displayed was the Puppet Cert.
To check, I've changed the apache SSL setting to use Puppet CA and executed the Remote Shell script again, and it worked.
So something must have changed. I tested the following to see if it works, but no luck.

1. Changed back Websockets SSL to Puppet Cert (Since I've changed this to Custom SSL based on the instructions for setting custom certs)
2. Uncommented and entered the :foreman_ssl_ca: lines in foreman-proxy/settings.d since it states that this is "Mainly useful when Foreman uses different certificates for its web UI and for smart-proxy requests."
3. Did a mix of Puppet/Custom SSL certs for :foreman_ssl_ca: lines and :ssl_ca_file: combination since it didn't exactly state which is for the web UI and which is for the smart-proxy.
4. Also tried only changing the :foreman_ssl_cert: and :foreman_ssl_key:, leaving :foreman_ssl_ca: as the Puppet CA since the ca file is the same in apache settings also.

I restarted the foreman-proxy service each time I tried, but the only change I got from doing the above was that the task immediately failed and showed that "There are no foreman proxies available". (Or something similar, I forgot to make a note of the exact message for this one)
So it looks to me like I can't change the Web UI's SSL and also use Remote SSH Execution at the same time.

If you need more information, please let me know.
Thank you.
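The `certificate verify failed` error quoted in the report is the client-side outcome of a chain check: the proxy trusts whatever CA its settings point at, and the Foreman web UI presents a certificate issued by a different CA (the wildcard certificate's issuer instead of the Puppet CA). The following script is an added illustration, not code from the report or from the Foreman / smart-proxy project. It builds two throwaway CAs in memory (labelled as stand-ins for "the Puppet CA" and "the wildcard certificate's CA"), issues a server certificate from the second, and runs the same `OpenSSL::X509::Store` verification a Ruby TLS client performs against each CA in turn. The names, CNs and the two-CA setup are constructed for the demonstration; nothing here reads the real proxy settings.

```ruby
require 'openssl'

# Build a self-signed CA certificate and key. Everything is constructed in
# memory for the demonstration; no files are read or written.
def make_ca(name)
  key  = OpenSSL::PKey::RSA.new(2048)
  cert = OpenSSL::X509::Certificate.new
  cert.version    = 2
  cert.serial     = 1
  cert.subject    = OpenSSL::X509::Name.parse("/CN=#{name}")
  cert.issuer     = cert.subject
  cert.public_key = key.public_key
  cert.not_before = Time.now - 60
  cert.not_after  = Time.now + 3600
  ef = OpenSSL::X509::ExtensionFactory.new
  ef.subject_certificate = cert
  ef.issuer_certificate  = cert
  cert.add_extension(ef.create_extension('basicConstraints', 'CA:TRUE', true))
  cert.add_extension(ef.create_extension('keyUsage', 'keyCertSign, cRLSign', true))
  cert.add_extension(ef.create_extension('subjectKeyIdentifier', 'hash'))
  cert.sign(key, OpenSSL::Digest::SHA256.new)
  [cert, key]
end

# Issue a server (leaf) certificate for +cn+ signed by the given CA.
def issue_server_cert(cn, ca_cert, ca_key)
  key  = OpenSSL::PKey::RSA.new(2048)
  cert = OpenSSL::X509::Certificate.new
  cert.version    = 2
  cert.serial     = 2
  cert.subject    = OpenSSL::X509::Name.parse("/CN=#{cn}")
  cert.issuer     = ca_cert.subject
  cert.public_key = key.public_key
  cert.not_before = Time.now - 60
  cert.not_after  = Time.now + 3600
  ef = OpenSSL::X509::ExtensionFactory.new
  ef.subject_certificate = cert
  ef.issuer_certificate  = ca_cert
  cert.add_extension(ef.create_extension('basicConstraints', 'CA:FALSE', true))
  cert.add_extension(ef.create_extension('keyUsage', 'digitalSignature, keyEncipherment', true))
  cert.add_extension(ef.create_extension('extendedKeyUsage', 'serverAuth'))
  cert.add_extension(ef.create_extension('subjectAltName', "DNS:#{cn}"))
  cert.sign(ca_key, OpenSSL::Digest::SHA256.new)
  [cert, key]
end

# Verify +server_cert+ against a trust store holding only +trusted_ca_cert+,
# which is what a client does with a single configured CA file.
# Returns [verified?, openssl_error_string].
def verify_against_ca(server_cert, trusted_ca_cert)
  store = OpenSSL::X509::Store.new
  store.add_cert(trusted_ca_cert)
  ok = store.verify(server_cert)
  [ok, store.error_string]
end

# Reproduce the two situations from the report: a web UI certificate issued by
# the wildcard CA, checked once against the Puppet CA and once against its
# actual issuer. Both CA names are constructed stand-ins.
def demo
  puppet_ca, _puppet_key = make_ca('Puppet CA (stand-in)')
  custom_ca, custom_key  = make_ca('Wildcard Issuer CA (stand-in)')
  web_ui_cert, _key = issue_server_cert('*.example.com', custom_ca, custom_key)
  {
    issuer:            web_ui_cert.issuer.to_s,
    against_puppet_ca: verify_against_ca(web_ui_cert, puppet_ca),
    against_custom_ca: verify_against_ca(web_ui_cert, custom_ca)
  }
end

if __FILE__ == $PROGRAM_NAME
  r = demo
  puts "web UI certificate issuer: #{r[:issuer]}"
  %i[against_puppet_ca against_custom_ca].each do |k|
    ok, err = r[k]
    puts "#{k}: #{ok ? 'verified' : 'FAILED'} (#{err})"
  end
end
```

The first check fails with the OpenSSL reason "unable to get local issuer certificate", which RestClient surfaces as the `certificate verify failed` line in proxy.log; the second succeeds. On a real host, printing the issuer of the certificate the web UI actually serves (for example with `openssl s_client`) and comparing it with the CA file the proxy is configured to trust is the same diagnosis carried out against live data.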
