Hello,
I have generated certificates on the Foreman server according to the puppetmaster hostname. The smart proxy (puppetmaster) has been added to the smart proxy list in the Foreman GUI. Error is resolved.

After that, when I am trying to add Puppet classes, I am getting the below error on the Foreman GUI.

Error: ERF12-2749 [ProxyAPI::ProxyException]: Unable to get environments from Puppet ([RestClient::NotAcceptable]: 406 Not Acceptable) for proxy https://puppetmaster.exapmle.com:8443/puppet

Below is the error in /var/log/foreman-proxy/proxy.log:

E, [2016-07-29T15:03:44.169966 #30702] ERROR -- : Failed to list puppet environments: SSL_connect returned=1 errno=0 state=SSLv3 read server certificate B: certificate verify failed
I, [2016-07-29T15:03:44.170369 #30702] INFO -- : 1x.1xx.xxx.xxx - - [29/Jul/2016:15:03:44 -0400] "GET /puppet/environments HTTP/1.1" 406 131 0.0063
E, [2016-07-29T15:17:08.632367 #30702] ERROR -- : OpenSSL::SSL::SSLError: SSL_accept returned=1 errno=0 state=SSLv2/v3 read client hello A: unknown protocol
/usr/share/ruby/openssl/ssl.rb:226:in `accept'

Below is the other error I got when I tried curl:

curl -v https://puppetmaster.exapmle.com:8443/puppet
* About to connect() to puppetmaster.example.com port 8443 (#0)
* Trying xx.xxx.xxx.xxx...
* Connected to puppetmaster.example.com (xx.xx.xxx.xxx) port 8443 (#0)
* Initializing NSS with certpath: sql:/etc/pki/nssdb
* CAfile: /etc/pki/tls/certs/ca-bundle.crt
  CApath: none
* Server certificate:
* subject: CN=puppetmaster.exapmle.com
* start date: Jul 28 13:52:01 2016 GMT
* expire date: Jul 28 13:52:01 2021 GMT
* common name: puppetmaster.exapmle.com
* issuer: CN=Puppet CA: foremanserver.exapmle.com
* NSS error -8172 (SEC_ERROR_UNTRUSTED_ISSUER)
* Peer's certificate issuer has been marked as not trusted by the user.
* Closing connection 0
curl: (60) Peer's certificate issuer has been marked as not trusted by the user.
More details here: http://curl.haxx.se/docs/sslcerts.html

curl performs SSL certificate verification by default, using a "bundle"
of Certificate Authority (CA) public keys (CA certs). If the default
bundle file isn't adequate, you can specify an alternate file
using the --cacert option.
If this HTTPS server uses a certificate signed by a CA represented in
the bundle, the certificate verification probably failed due to a
problem with the certificate (it might be expired, or the name might
not match the domain name in the URL).
If you'd like to turn off curl's verification of the certificate, use
the -k (or --insecure) option.

ls -ld /etc/puppetlabs/
drwxr-xr-x 8 puppet puppet 98 Jun 29 10:20 /etc/puppetlabs/

ls -ld /etc/puppetlabs/puppet/
drwxr-xr-x 3 puppet puppet 131 Jul 29 15:22 /etc/puppetlabs/puppet/

ls -ld /etc/puppetlabs/puppet/ssl/
drwxrwx--x 8 puppet puppet 119 Jul 14 15:21 /etc/puppetlabs/puppet/ssl/

ls -ld /etc/puppetlabs/puppet/ssl/certs/ca.pem
-rw-r--r-- 1 puppet puppet 1997 Jul 29 09:50 /etc/puppetlabs/puppet/ssl/certs/ca.pem

sestatus
SELinux status: disabled

The Foreman user is in the puppet group [ puppet:x:249:foreman-proxy]

I have also tried sudo -u foreman-proxy cat /var/lib/puppet/ssl/certs/ca.pem and it is working.

puppet --version (on the puppetmaster where the Foreman smart proxy is running)
4.5.2

I have tried telnet from the Foreman server to the puppet master and it is connecting.

Foreman proxy is running on the puppetmaster.

/etc/puppetlabs/puppet/auth.conf

path /puppet/v3/environments
method find
allow *

path /puppet/v3/resource_type
method search
allow *

Please advise.

Sai Krishna
