Bug #26634
Smart proxy auth concern doesn't handle reverse proxy setup when the cert is (null)
Status: Closed
Priority: Normal
Assignee:
Category: Authentication
Target version: -
Description
The Foreman::Controller::SmartProxyAuth attempts to use smart proxy certificate authentication by looking for client certificates. It does so by looking at the ssl_client_cert_env setting. In a reverse proxy setup (Apache from EL7) with a standalone Foreman process (using Puma) I set the following in /etc/foreman/settings.yaml:
# Configure reverse proxy headers
:ssl_client_dn_env: HTTP_SSL_CLIENT_S_DN
:ssl_client_verify_env: HTTP_SSL_CLIENT_VERIFY
:ssl_client_cert_env: HTTP_SSL_CLIENT_CERT
When you navigate to a page with a browser that doesn't present any certificates but is authenticated, the result is that request.env[Setting[:ssl_client_cert_env]] returns (none). The code then attempts to parse this as a certificate which obviously fails.
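One way to read the forwarded certificate header so that a placeholder value is treated as "no client certificate" instead of being handed to the parser. This is an added example, not Foreman's own code: `client_certificate`, `PLACEHOLDERS`, `sample_pem` and the `proxy.example.test` subject are hypothetical names, and the `env_key` argument stands in for `Setting[:ssl_client_cert_env]`.

```ruby
require 'openssl'

# Values a reverse proxy may forward when the client sent no certificate.
# "(null)" and "(none)" are the two spellings that appear in this report.
PLACEHOLDERS = ['', '(null)', '(none)'].freeze

# Returns an OpenSSL::X509::Certificate, or nil when the header is absent,
# a placeholder, or not parseable. env_key stands in for
# Setting[:ssl_client_cert_env] (assumption for this example).
def client_certificate(env, env_key = 'HTTP_SSL_CLIENT_CERT')
  raw = env[env_key].to_s.strip
  return nil if PLACEHOLDERS.include?(raw)
  OpenSSL::X509::Certificate.new(raw)
rescue OpenSSL::X509::CertificateError
  nil # malformed value: no certificate identity is established, nothing raises
end

# Constructed sample input: a throwaway self-signed certificate in PEM form.
def sample_pem
  key = OpenSSL::PKey::RSA.new(2048)
  cert = OpenSSL::X509::Certificate.new
  cert.version = 2
  cert.serial = 1
  cert.subject = cert.issuer = OpenSSL::X509::Name.parse('/CN=proxy.example.test')
  cert.public_key = key.public_key
  cert.not_before = Time.now
  cert.not_after = Time.now + 3600
  cert.sign(key, OpenSSL::Digest.new('SHA256'))
  cert.to_pem
end

if __FILE__ == $PROGRAM_NAME
  [nil, '(null)', '(none)', 'garbage', sample_pem].each do |value|
    cert = client_certificate('HTTP_SSL_CLIENT_CERT' => value)
    puts "#{value.to_s[0, 12].inspect} -> #{cert ? cert.subject : 'no certificate'}"
  end
end
```

A `nil` result means certificate authentication did not succeed, so the request falls back to whatever other authentication applies. Because the `HTTP_*` keys are ordinary request headers in this setup, the reverse proxy has to overwrite any copy supplied by the client.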