Foreman 1.15.0 here.
My Foreman environment is set up to manage Puppet host certificates: <https://lh3.googleusercontent.com/-nK1YKhByNcM/WTptQFtRWbI/AAAAAAAAAEI/N2XUhWrJwww7VBybVJkjuwY9S9BETYRugCLcB/s1600/Settings%2B-%2BGoogle%2BChrome_024.png>

I have a perfectly operational PuppetCA proxy. I can manually view/sign/revoke/autosign certificates no problem: <https://lh3.googleusercontent.com/-Qi-9skJ62kM/WTpt1M-yOfI/AAAAAAAAAEQ/D4jXCzrynnk-jiijF9vO_WYuWxzbA4kTwCLcB/s1600/Smart%2BProxy%253A%2BPuppetCA%2B-%2BGoogle%2BChrome_025.png>

PuppetCA proxy is assigned to organization and location (no screenshots here, trust me ;) ).

My hostgroup is set up to use the above PuppetCA smartproxy to manage the certificates: <https://lh3.googleusercontent.com/-_HyTRgoHFFI/WTpuJt9HITI/AAAAAAAAAEU/15rhZ9WCTxU_HpCZ8OHjZ_7upN0WnWojgCLcB/s1600/Edit%2BGT%2B-%2BGoogle%2BChrome_026.png>

However, I still need to sign CSRs manually. *Looks like the PuppetCA proxy autosign POST endpoint does not get triggered during the orchestration process.* This applies to all hosts: manually created-provisioned and discovered-autoprovisioned.

With the DEBUG sql turned on, I get nothing like 'puppetca' or 'puppet ca' when I hit 'build host' or 'auto-provision'. *However, in the PuppetCA proxy logs I can see some 404s:*
--> when the foreman_url("built") is reached: https://pastebin.com/Y0KgRkje
--> when deleting the host: https://pastebin.com/ebJzM68c

This makes perfect sense, as the autosign was never there in the first place.

Once again, I can do anything I like from Infrastructure->Smart Proxies->PuppetCA page (so the ACL/permissions are OK).

I use the discovery image and a custom initrd provisioning. To break the custom initrd PXE boot loop, the host curls the foreman_url("built") (passed as kernel parameter and called from initrd scripting).

Now the problems I see:
--> according to klaas' words on IRC, reaching the foreman_url("built") shall remove the host's FQDN from the autosign.conf file; the host never had a chance to run puppet yet (needs to boot from hd); *this probably breaks most scenarios that include Foreman Discovery Plugin*
--> anyway, as stated above, I cannot see autosign.conf edited nor the PuppetCA proxy POST called when hitting 'build host' or 'auto-provision'
--> probably can work around with Foreman Hooks, but seems like reinventing the wheel.

Thoughts on this? Missing POST looks like a minor code issue. But the Discovery Plugin - PuppetCA - foreman_url("built") relation issue goes deeper. Maybe I should use another API endpoint? Please share your view on this.

Thank you.
