Bug #9774 (closed)
request.env[Setting[:ssl_client_dn_env]] is empty
Status: Resolved
Priority: Normal
Assignee: -
Category: Authentication
Target version: -
Description
puppet:
/etc/puppet/node.rb agent.test.com
Error retrieving node agent.test.com: Net::HTTPForbidden
Check Foreman's /var/log/foreman/production.log for more information.
agent:
# puppet agent -t
Warning: Unable to fetch my node definition, but the agent run will continue:
Warning: Error 400 on SERVER: Failed to find ns8-1.cnolnic.com via exec: Execution of '/etc/puppet/node.rb ns8-1.cnolnic.com' returned 1:
Info: Retrieving pluginfacts
Info: Retrieving plugin
Info: Loading facts
Error: Could not retrieve catalog from remote server: Error 400 on SERVER: Failed when searching for node ns8-1.cnolnic.com: Failed to find ns8-1.cnolnic.com via exec: Execution of '/etc/puppet/node.rb ns8-1.cnolnic.com' returned 1:
Warning: Not using cache on failed catalog
Error: Could not retrieve catalog; skipping run
Foreman reports are disabled!
trace:
/usr/share/foreman/app/controllers/concerns/foreman/controller/smart_proxy_auth.rb

def auth_smart_proxy(proxies = SmartProxy.all, require_cert = true)
  request_hosts = nil
  if request.ssl?
    dn = request.env[Setting[:ssl_client_dn_env]]
    ...

The value of dn is empty.
Puppet (CA + Apache + Passenger + Foreman + foreman-proxy) was installed by foreman-installer on CentOS release 6.6 (Final).
Config as below:
# cat /etc/puppet/puppet.conf
### File managed with puppet ###
## Module: 'puppet'
[main]
# The Puppet log directory.
# The default value is '$vardir/log'.
logdir = /var/log/puppet
# Where Puppet PID files are kept.
# The default value is '$vardir/run'.
rundir = /var/run/puppet
# Where SSL certificates are kept.
# The default value is '$confdir/ssl'.
ssldir = $vardir/ssl
# Allow services in the 'puppet' group to access key (Foreman + proxy)
privatekeydir = $ssldir/private_keys { group = service }
hostprivkey = $privatekeydir/$certname.pem { mode = 640 }
# Puppet 3.0.x requires this in both [main] and [master] - harmless on agents
autosign = $confdir/autosign.conf { mode = 664 }
show_diff = false
hiera_config = $confdir/hiera.yaml
### Next part of the file is managed by a different template ###
## Module: 'puppet'
[agent]
# The file in which puppetd stores a list of the classes
# associated with the retrieved configuration. Can be loaded in
# the separate ``puppet`` executable using the ``--loadclasses``
# option.
# The default value is '$statedir/classes.txt'.
classfile = $vardir/classes.txt
# Where puppetd caches the local configuration. An
# extension indicating the cache format is added automatically.
# The default value is '$confdir/localconfig'.
localconfig = $vardir/localconfig
# Disable the default schedules as they cause continual skipped
# resources to be displayed in Foreman - only for Puppet >= 3.4
default_schedules = false
report = true
pluginsync = true
masterport = 8140
environment = production
certname = puppet.test.com
server = puppet.test.com
listen = false
splay = false
splaylimit = 1800
runinterval = 1800
noop = false
configtimeout = 120
usecacheonfailure = true
### Next part of the file is managed by a different template ###
## Module: 'puppet'
[master]
autosign = $confdir/autosign.conf { mode = 664 }
reports = foreman
external_nodes = /etc/puppet/node.rb
node_terminus = exec
ca = true
ssldir = /var/lib/puppet/ssl
certname = puppet.test.com
strict_variables = false
environmentpath = /etc/puppet/environments
basemodulepath = /etc/puppet/environments/common:/etc/puppet/modules:/usr/share/puppet/modules
#
#ssl_client_header = SSL_CLIENT_S_DN
#ssl_client_verify_header = SSL_CLIENT_VERIFY

# cat /etc/puppet/foreman.yaml
---
:url: "https://puppet.test.com"
:ssl_ca: "/var/lib/puppet/ssl/certs/ca.pem"
:ssl_cert: "/var/lib/puppet/ssl/certs/puppet.test.com.pem"
:ssl_key: "/var/lib/puppet/ssl/private_keys/puppet.test.com.pem"
:user: ""
:password: ""
:puppetdir: "/var/lib/puppet"
:puppetuser: "puppet"
:facts: true
:timeout: 10
:threads: null

# cat /etc/foreman/settings.yaml
---
### File managed with puppet ###
## Module: 'foreman'
#your default puppet server - can be overridden in the host level
#if none specified, plain "puppet" will be used.
#:puppet_server: puppet
:unattended: true
:puppetconfdir: /etc/puppet/puppet.conf
:login: true
:require_ssl: true
:locations_enabled: false
:organizations_enabled: false
# The following values are used for providing default settings during db migrate
:oauth_active: true
:oauth_map_users: false
:oauth_consumer_key: UGgJodEeGwGMwQ6MCgpTCHmuPYACfev3
:oauth_consumer_secret: sZVFhrJnYCXgEAHiGFgwRt8Z59gnx5bj
# Websockets
:websockets_encrypt: true
:websockets_ssl_key: /var/lib/puppet/ssl/private_keys/puppet.test.com.pem
:websockets_ssl_cert: /var/lib/puppet/ssl/certs/puppet.test.com.pem

# cat /etc/foreman-proxy/settings.yml
---
### File managed with puppet ###
## Module: 'foreman_proxy'
:settings_directory: /etc/foreman-proxy/settings.d
# SSL Setup
# if enabled, all communication would be verfied via SSL
# NOTE that both certificates need to be signed by the same CA in order for this to work
# see http://theforeman.org/projects/smart-proxy/wiki/SSL for more information
:ssl_ca_file: /var/lib/puppet/ssl/certs/ca.pem
:ssl_certificate: /var/lib/puppet/ssl/certs/puppet.test.com.pem
:ssl_private_key: /var/lib/puppet/ssl/private_keys/puppet.test.com.pem
# the hosts which the proxy accepts connections from
# commenting the following lines would mean every verified SSL connection allowed
:trusted_hosts:
- puppet.test.com
- localhost
- 127.0.0.1
# by default smart_proxy runs in the foreground. To enable running as a daemon, uncomment 'daemon' setting
:daemon: true
# Only used when 'daemon' is set to true.
# Uncomment and modify if you want to change the default pid file '/var/run/foreman-proxy/foreman-proxy.pid'
#:daemon_pid: /var/run/foreman-proxy/foreman-proxy.pid
# HTTP ports configuration
# http is disabled by default. To enable, uncomment 'http_port' setting
# https is enabled if certificate, CA certificate, and private key are present in locations specifed by
# ssl_certificate, ssl_ca_file, and ssl_private_key correspondingly
# default values for https_port is 8443
#:http_port: 8000
:https_port: 8443
# shared options for virsh DNS/DHCP provider
:virsh_network: default
# Where our proxy log files are stored
# filename or STDOUT
:log_file: /var/log/foreman-proxy/proxy.log
# valid options are
# WARN, DEBUG, Error, Fatal, INFO, UNKNOWN
:log_level: DEBUG
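The trace in the description reads the client certificate's DN out of the request environment, and the reporter saw it arrive empty. As an added example (this is not Foreman's code and not part of the issue), the following Ruby sketch models that check the way a defender would want it to behave: it fails closed whenever the DN is missing and reports which link in the Apache-to-application chain broke, so an empty DN is diagnosed rather than silently accepted or silently rejected. The environment variable names SSL_CLIENT_S_DN and SSL_CLIENT_VERIFY are assumptions taken from the commented-out puppet.conf lines above; the proxy list, hostnames and request environments are constructed.

```ruby
# Illustrative model (not Foreman's own code) of the smart-proxy certificate
# check quoted in the trace. Apache terminates TLS, exports the verified client
# certificate's subject DN into the request environment, and the application
# grants smart-proxy rights only if that DN names a registered proxy.
# Assumed env variable names, taken from the commented-out puppet.conf lines.
SSL_CLIENT_DN_ENV     = 'SSL_CLIENT_S_DN'.freeze
SSL_CLIENT_VERIFY_ENV = 'SSL_CLIENT_VERIFY'.freeze

# Pull the CN out of a DN in either Apache's legacy "/C=US/CN=host" form or the
# RFC 2253 "CN=host,O=org" form. Returns nil when there is no CN at all.
def cn_from_dn(dn)
  return nil if dn.nil? || dn.strip.empty?
  parts = dn.include?('/') ? dn.split('/') : dn.split(',')
  cn = parts.map(&:strip).find { |p| p.start_with?('CN=') }
  cn && cn.sub('CN=', '').strip.downcase
end

# Returns [:allowed | :forbidden, reason]. Every missing input is treated as a
# failure, so a misconfigured front end (DN not exported, or optional client
# verification letting a certificate-less handshake through) can never be
# mistaken for an authenticated proxy. proxy_hosts stands in for SmartProxy.all.
def auth_smart_proxy(env, proxy_hosts, require_cert: true)
  hosts = proxy_hosts.map(&:downcase)
  return [:forbidden, 'request did not arrive over TLS'] unless env['HTTPS'] == 'on'

  verify = env[SSL_CLIENT_VERIFY_ENV].to_s
  dn     = env[SSL_CLIENT_DN_ENV].to_s
  cn     = cn_from_dn(dn)

  if cn.nil?
    # The situation in the report: the request is TLS, yet the DN entry is
    # empty. Either the client sent no certificate (permitted by
    # SSLVerifyClient optional) or Apache is not exporting the variable.
    shown = verify.empty? ? 'unset' : verify
    return [:forbidden, "#{SSL_CLIENT_DN_ENV} is empty (#{SSL_CLIENT_VERIFY_ENV}=#{shown})"] if require_cert
    # Without a certificate requirement, fall back to the peer's host name.
    peer = env['REMOTE_HOST'].to_s.downcase
    return [:allowed, "peer host #{peer} is a registered proxy"] if hosts.include?(peer)
    return [:forbidden, "no certificate and peer #{peer} is not a registered proxy"]
  end

  return [:forbidden, "certificate present but not verified (#{SSL_CLIENT_VERIFY_ENV}=#{verify})"] unless verify == 'SUCCESS'
  return [:forbidden, "CN #{cn} is not a registered smart proxy"] unless hosts.include?(cn)
  [:allowed, "CN #{cn} matches a registered smart proxy"]
end

# Constructed request environments for the cases worth telling apart.
PROXIES = ['puppet.test.com'].freeze

CASES = {
  good:         { 'HTTPS' => 'on', SSL_CLIENT_VERIFY_ENV => 'SUCCESS', SSL_CLIENT_DN_ENV => '/CN=puppet.test.com' },
  no_cert:      { 'HTTPS' => 'on', SSL_CLIENT_VERIFY_ENV => 'NONE',    SSL_CLIENT_DN_ENV => '' },
  not_exported: { 'HTTPS' => 'on' },
  unknown_cn:   { 'HTTPS' => 'on', SSL_CLIENT_VERIFY_ENV => 'SUCCESS', SSL_CLIENT_DN_ENV => 'CN=other.example.com,O=x' },
  plain_http:   { 'HTTPS' => 'off', SSL_CLIENT_DN_ENV => '/CN=puppet.test.com' },
}.freeze

# Evaluate every constructed case; returns a hash of name => [status, reason].
def run_cases
  CASES.transform_values { |env| auth_smart_proxy(env, PROXIES) }
end

if __FILE__ == $PROGRAM_NAME
  run_cases.each { |name, (status, reason)| puts format('%-13s %-10s %s', name, status, reason) }
end
```

Only the `good` case is allowed; `no_cert` and `not_exported` are the two ways the reported symptom arises. With `SSLVerifyClient optional`, a client that presents no certificate still completes the handshake, so the DN variable legitimately reaches the application empty; and even a verified certificate's DN only appears in the environment if Apache is configured to export it (for example via `SSLOptions +StdEnvVars` or an explicit request header). The defensive response to an empty DN is therefore to verify that export chain and require the certificate on the proxy endpoints, not to relax the check.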
Updated by Dominic Cleal about 9 years ago
- Category set to Authentication
Could you run this please:
grep -i verify /etc/httpd/conf.d/05-foreman-ssl.conf
Updated by Shane Wan about 9 years ago
Dominic Cleal wrote:
Could you run this please:
grep -i verify /etc/httpd/conf.d/05-foreman-ssl.conf
# grep -i verify /etc/httpd/conf.d/05-foreman-ssl.conf
SSLVerifyClient optional
SSLVerifyDepth 3
Updated by Anonymous almost 7 years ago
- Status changed from New to Resolved
Should be resolved by now.