Bug #9774

closed

request.env[Setting[:ssl_client_dn_env]] is empty

Added by Shane Wan about 9 years ago. Updated almost 7 years ago.

Status:
Resolved
Priority:
Normal
Assignee:
-
Category:
Authentication
Target version:
-
Difficulty:
Triaged:
Fixed in Releases:
Found in Releases:

Description

puppet:

/etc/puppet/node.rb agent.test.com
Error retrieving node agent.test.com: Net::HTTPForbidden
Check Foreman's /var/log/foreman/production.log for more information.

agent:

# puppet agent -t
Warning: Unable to fetch my node definition, but the agent run will continue:
Warning: Error 400 on SERVER: Failed to find ns8-1.cnolnic.com via exec: Execution of '/etc/puppet/node.rb ns8-1.cnolnic.com' returned 1: 
Info: Retrieving pluginfacts
Info: Retrieving plugin
Info: Loading facts
Error: Could not retrieve catalog from remote server: Error 400 on SERVER: Failed when searching for node ns8-1.cnolnic.com: Failed to find ns8-1.cnolnic.com via exec: Execution of '/etc/puppet/node.rb ns8-1.cnolnic.com' returned 1: 
Warning: Not using cache on failed catalog
Error: Could not retrieve catalog; skipping run

Foreman reports is disabled!

trace:

/usr/share/foreman/app/controllers/concerns/foreman/controller/smart_proxy_auth.rb
 def auth_smart_proxy(proxies = SmartProxy.all, require_cert = true)
    request_hosts = nil
    if request.ssl?
      dn = request.env[Setting[:ssl_client_dn_env]]
...

value of dn is empty

puppet(CA+Apache+Passenger+foreman+foreman-proxy) installed by foreman-installer on CentOS release 6.6 (Final)

config as below:

# cat /etc/puppet/puppet.conf 
### File managed with puppet ###
## Module:           'puppet'

[main]
    # The Puppet log directory.
    # The default value is '$vardir/log'.
    logdir = /var/log/puppet

    # Where Puppet PID files are kept.
    # The default value is '$vardir/run'.
    rundir = /var/run/puppet

    # Where SSL certificates are kept.
    # The default value is '$confdir/ssl'.
    ssldir = $vardir/ssl

    # Allow services in the 'puppet' group to access key (Foreman + proxy)
    privatekeydir = $ssldir/private_keys { group = service }
    hostprivkey = $privatekeydir/$certname.pem { mode = 640 }

    # Puppet 3.0.x requires this in both [main] and [master] - harmless on agents
    autosign       = $confdir/autosign.conf { mode = 664 }

    show_diff     = false

    hiera_config = $confdir/hiera.yaml
### Next part of the file is managed by a different template ###
## Module:           'puppet'

[agent]
    # The file in which puppetd stores a list of the classes
    # associated with the retrieved configuration.  Can be loaded in
    # the separate ``puppet`` executable using the ``--loadclasses``
    # option.
    # The default value is '$statedir/classes.txt'.
    classfile = $vardir/classes.txt

    # Where puppetd caches the local configuration.  An
    # extension indicating the cache format is added automatically.
    # The default value is '$confdir/localconfig'.
    localconfig = $vardir/localconfig

    # Disable the default schedules as they cause continual skipped
    # resources to be displayed in Foreman - only for Puppet >= 3.4
    default_schedules = false

    report            = true
    pluginsync        = true
    masterport        = 8140
    environment       = production
    certname          = puppet.test.com
    server            = puppet.test.com
    listen            = false
    splay             = false
    splaylimit        = 1800
    runinterval       = 1800
    noop              = false
    configtimeout     = 120
    usecacheonfailure = true
### Next part of the file is managed by a different template ###
## Module:           'puppet'

[master]
    autosign       = $confdir/autosign.conf { mode = 664 }
    reports        = foreman
    external_nodes = /etc/puppet/node.rb
    node_terminus  = exec
    ca             = true
    ssldir         = /var/lib/puppet/ssl
    certname       = puppet.test.com
    strict_variables = false

    environmentpath  = /etc/puppet/environments
    basemodulepath   = /etc/puppet/environments/common:/etc/puppet/modules:/usr/share/puppet/modules
#
    #ssl_client_header = SSL_CLIENT_S_DN
    #ssl_client_verify_header = SSL_CLIENT_VERIFY

# cat /etc/puppet/foreman.yaml 
---
:url: "https://puppet.test.com" 
:ssl_ca: "/var/lib/puppet/ssl/certs/ca.pem" 
:ssl_cert: "/var/lib/puppet/ssl/certs/puppet.test.com.pem" 
:ssl_key: "/var/lib/puppet/ssl/private_keys/puppet.test.com.pem" 
:user: "" 
:password: "" 
:puppetdir: "/var/lib/puppet" 
:puppetuser: "puppet" 
:facts: true
:timeout: 10
:threads: null

# cat /etc/foreman/settings.yaml
---
### File managed with puppet ###
## Module:           'foreman'

#your default puppet server - can be overridden in the host level
#if none specified, plain "puppet" will be used.
#:puppet_server: puppet
:unattended: true
:puppetconfdir: /etc/puppet/puppet.conf
:login: true
:require_ssl: true
:locations_enabled: false
:organizations_enabled: false

# The following values are used for providing default settings during db migrate
:oauth_active: true
:oauth_map_users: false
:oauth_consumer_key: UGgJodEeGwGMwQ6MCgpTCHmuPYACfev3
:oauth_consumer_secret: sZVFhrJnYCXgEAHiGFgwRt8Z59gnx5bj

# Websockets
:websockets_encrypt: true
:websockets_ssl_key: /var/lib/puppet/ssl/private_keys/puppet.test.com.pem
:websockets_ssl_cert: /var/lib/puppet/ssl/certs/puppet.test.com.pem

# cat /etc/foreman-proxy/settings.yml 
---
### File managed with puppet ###
## Module:           'foreman_proxy'

:settings_directory: /etc/foreman-proxy/settings.d

# SSL Setup

# if enabled, all communication would be verfied via SSL
# NOTE that both certificates need to be signed by the same CA in order for this to work
# see http://theforeman.org/projects/smart-proxy/wiki/SSL for more information
:ssl_ca_file: /var/lib/puppet/ssl/certs/ca.pem
:ssl_certificate: /var/lib/puppet/ssl/certs/puppet.test.com.pem
:ssl_private_key: /var/lib/puppet/ssl/private_keys/puppet.test.com.pem

# the hosts which the proxy accepts connections from
# commenting the following lines would mean every verified SSL connection allowed
:trusted_hosts:
  - puppet.test.com
  - localhost
  - 127.0.0.1

# by default smart_proxy runs in the foreground. To enable running as a daemon, uncomment 'daemon' setting
:daemon: true
# Only used when 'daemon' is set to true.
# Uncomment and modify if you want to change the default pid file '/var/run/foreman-proxy/foreman-proxy.pid'
#:daemon_pid: /var/run/foreman-proxy/foreman-proxy.pid

# HTTP ports configuration
# http is disabled by default. To enable, uncomment 'http_port' setting
# https is enabled if certificate, CA certificate, and private key are present in locations specifed by
# ssl_certificate, ssl_ca_file, and ssl_private_key correspondingly
# default values for https_port is 8443
#:http_port: 8000
:https_port: 8443

# shared options for virsh DNS/DHCP provider
:virsh_network: default

# Where our proxy log files are stored
# filename or STDOUT
:log_file: /var/log/foreman-proxy/proxy.log
# valid options are
# WARN, DEBUG, Error, Fatal, INFO, UNKNOWN
:log_level: DEBUG

Files

production.log (1.96 KB) - foreman log - Shane Wan, 03/16/2015 05:10 AM
agent.test.com.log (19 KB) - puppet agent -tvd - Shane Wan, 03/16/2015 05:10 AM
configs.txt (5.57 KB) - Shane Wan, 03/16/2015 05:14 AM
#1

Updated by Shane Wan about 9 years ago

all config

#2

Updated by Dominic Cleal about 9 years ago

  • Description updated (diff)
#3

Updated by Dominic Cleal about 9 years ago

  • Category set to Authentication

Could you run this please: grep -i verify /etc/httpd/conf.d/05-foreman-ssl.conf

#4

Updated by Shane Wan about 9 years ago

Dominic Cleal wrote:

Could you run this please: grep -i verify /etc/httpd/conf.d/05-foreman-ssl.conf

# grep -i verify /etc/httpd/conf.d/05-foreman-ssl.conf
  SSLVerifyClient         optional
  SSLVerifyDepth          3
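As an added illustration (not Foreman's own code), a simplified Ruby model of the smart-proxy certificate check quoted in the trace above, tying it to the `SSLVerifyClient optional` output: it assumes Foreman's default env variable names `SSL_CLIENT_S_DN` and `SSL_CLIENT_VERIFY` and a constructed proxy list, and shows how an empty DN (client sent no certificate, or mod_ssl did not export the SSL_* variables) ends in a denial, which node.rb sees as Net::HTTPForbidden.

```ruby
# Simplified model of the client-certificate check in auth_smart_proxy
# (illustration only, not Foreman's implementation). Apache terminates TLS
# and exports the client cert DN and verification result as env variables;
# the Rails app decides from those. With "SSLVerifyClient optional" Apache
# still accepts a connection that presents no certificate: SSL_CLIENT_VERIFY
# is then "NONE" and the DN variable is empty, the symptom in this report.

SSL_CLIENT_DN_ENV     = 'SSL_CLIENT_S_DN'   # assumed Foreman default for ssl_client_dn_env
SSL_CLIENT_VERIFY_ENV = 'SSL_CLIENT_VERIFY' # assumed Foreman default for ssl_client_verify_env

# Hostnames of registered smart proxies (constructed sample standing in for SmartProxy.all).
TRUSTED_PROXIES = ['puppet.test.com'].freeze

# Extract the CN from an OpenSSL-style DN ("/C=..,/CN=host" or "CN=host,O=.."); nil if absent.
def cn_from_dn(dn)
  m = dn.to_s.match(%r{CN=([^/,]+)}i)
  m && m[1].strip
end

# env is a Hash shaped like Rack's request.env. Returns [allowed, reason].
def auth_smart_proxy(env, proxies = TRUSTED_PROXIES)
  dn     = env[SSL_CLIENT_DN_ENV]
  verify = env[SSL_CLIENT_VERIFY_ENV]

  # Empty DN: no client cert was sent, or mod_ssl is not exporting the SSL_*
  # variables into the request (e.g. SSLOptions +StdEnvVars missing for the vhost).
  return [false, 'no client certificate DN in request env'] if dn.nil? || dn.empty?

  # A DN alone is not enough; the chain must have verified against the CA.
  return [false, "client certificate not verified (#{verify.inspect})"] unless verify == 'SUCCESS'

  cn = cn_from_dn(dn)
  return [false, "no CN in DN #{dn}"] unless cn
  return [false, "#{cn} is not a registered smart proxy"] unless proxies.include?(cn)
  [true, "verified smart proxy #{cn}"]
end

if __FILE__ == $PROGRAM_NAME
  # Constructed request environments reproducing the cases above.
  {
    'proxy with verified cert' => { SSL_CLIENT_DN_ENV => '/CN=puppet.test.com', SSL_CLIENT_VERIFY_ENV => 'SUCCESS' },
    'no cert presented'        => { SSL_CLIENT_VERIFY_ENV => 'NONE' },
    'agent cert, not a proxy'  => { SSL_CLIENT_DN_ENV => '/CN=agent.test.com', SSL_CLIENT_VERIFY_ENV => 'SUCCESS' },
  }.each { |label, env| puts "#{label}: #{auth_smart_proxy(env).inspect}" }
end
```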
#5

Updated by Anonymous almost 7 years ago

  • Status changed from New to Resolved

should be resolved by now
