Hi Daniel Lobato,
thanks for the reply. I use Foreman with Katello. So I
used /etc/pki/katello/certs/katello-apache.crt
and /etc/pki/katello/private/katello-apache.key as mentioned
in /etc/httpd/conf.d/05-foreman-ssl.conf but still without success.
Here are current logs:
==> /var/log/foreman/production.log <==
2017-07-19 09:27:50 d0a8c61a [app] [I] Started POST "/api/v2/hosts/facts"
for 172.27.9.166 at 2017-07-19 09:27:50 +0200
2017-07-19 09:27:50 d0a8c61a [app] [I] Processing by
Api::V2::HostsController#facts as JSON
2017-07-19 09:27:50 d0a8c61a [app] [I] Parameters:
{"facts"=>"[FILTERED]", "name"=>"client.in.corp", "apiv"=>"v2",
:host=>{"name"=>"client.in.corp"}}
2017-07-19 09:27:50 d0a8c61a [app] [W] No SSL cert with CN supplied -
request from 172.27.9.166,
2017-07-19 09:27:50 d0a8c61a [app] [W] SSO failed
2017-07-19 09:27:50 d0a8c61a [app] [I] Rendered
api/v2/errors/access_denied.json.rabl within api/v2/layouts/error_layout
(1.0ms)
2017-07-19 09:27:50 d0a8c61a [app] [I] Filter chain halted as
#<Proc:0x00000009905b10@/usr/share/foreman/app/controllers/concerns/foreman/controller/smart_proxy_auth.rb:14>
rendered or redirected
2017-07-19 09:27:50 d0a8c61a [app] [I] Completed 403 Forbidden in 10ms
(Views: 2.1ms | ActiveRecord: 0.5ms)
2017-07-19 09:27:50 5216bc1a [app] [I] Started POST "/api/v2/hosts/facts"
for IP_FOREMAN_URL at 2017-07-19 09:27:50 +0200
2017-07-19 09:27:50 5216bc1a [app] [I] Processing by
Api::V2::HostsController#facts as JSON
2017-07-19 09:27:50 5216bc1a [app] [I] Parameters:
{"facts"=>"[FILTERED]", "name"=>"client.in.corp", "apiv"=>"v2",
:host=>{"name"=>"client.in.corp"}}
2017-07-19 09:27:50 5216bc1a [app] [W] No SSL cert with CN supplied -
request from IP_FOREMAN_URL,
2017-07-19 09:27:50 5216bc1a [app] [W] SSO failed
2017-07-19 09:27:50 5216bc1a [app] [I] Rendered
api/v2/errors/access_denied.json.rabl within api/v2/layouts/error_layout
(0.5ms)
2017-07-19 09:27:50 5216bc1a [app] [I] Filter chain halted as
#<Proc:0x00000009905b10@/usr/share/foreman/app/controllers/concerns/foreman/controller/smart_proxy_auth.rb:14>
rendered or redirected
2017-07-19 09:27:50 5216bc1a [app] [I] Completed 403 Forbidden in 5ms
(Views: 1.4ms | ActiveRecord: 0.0ms)
Is there any debug mode or curl command which could give me some hint?
Thank you very much.
Daniel Slezak
On Tuesday, July 18, 2017 at 17:23:01 UTC+2, Daniel Lobato wrote:
>
> On 07/18, Dan Sk wrote:
> >
> >
> > Hi,
> >
> > I am lost with setting of callback/foreman.py.
> >
> > We use Foreman 1.15.2, Katello 3.4.2, foreman_ansible 1.4.5 (with
> updated callback/foreman.py from GitHub) and ansible 2.3.1 on CentOS 7.
> >
> > I think I know where Foreman runs.
> > curl -k -H "Accept: application/json" https://fqdn.in.corp/status
> > {"result":"ok","status":"ok","version":"1.15.2","db_duration_ms":"3"}
> >
> > Checked certification as is on
> https://www.theforeman.org/plugins/foreman_ansible/1.x/index.html#2.1Ansiblecallback
>
> > Request check for certifications
> http://docs.python-requests.org/en/master/user/advanced/#ssl-cert-verification
>
> > python
> >
> > import requests
> > requests.get('https://fqdn.in.corp/',
> >              cert=('/etc/foreman/client_cert.pem', '/etc/foreman/client_key.pem'))
> >
> > <Response [200]>
> >
> > But when I run ansible -m setup client.in.corp I see
> >
> > 2017-07-18 14:26:25 91503c77 [app] [I] Started POST
> "/api/v2/hosts/facts" for IP_FOREMAN_URL at 2017-07-18 14:26:25 +0200
> > 2017-07-18 14:26:25 91503c77 [app] [I] Processing by
> Api::V2::HostsController#facts as JSON
> > 2017-07-18 14:26:25 91503c77 [app] [I] Parameters:
> {"facts"=>"[FILTERED]", "name"=>"client.in.corp", "apiv"=>"v2",
> :host=>{"name"=>"client.in.corp"}}
> > 2017-07-18 14:26:25 91503c77 [app] [D] Importer
> Katello::RhsmFactImporter does not implement
> authorized_smart_proxy_features.
> > 2017-07-18 14:26:25 91503c77 [app] [D] Importer
> ForemanAnsible::StructuredFactImporter does not implement
> authorized_smart_proxy_features.
> > 2017-07-18 14:26:25 91503c77 [app] [W] No
> SSL cert with CN supplied - request from IP_FOREMAN_URL,
> > 2017-07-18 14:26:25 91503c77 [app] [W] SSO failed
> > 2017-07-18 14:26:25 91503c77 [app] [I] Rendered
> api/v2/errors/access_denied.json.rabl within api/v2/layouts/error_layout
> (0.8ms)
> > 2017-07-18 14:26:25 91503c77 [app] [I] Filter chain halted as
> #<Proc:0x0000000b444908@/usr/share/foreman/app/controllers/concerns/foreman/controller/smart_proxy_auth.rb:14>
> rendered or redirected
> > 2017-07-18 14:26:25 91503c77 [app] [I] Completed 403 Forbidden in 6ms
> (Views: 1.6ms | ActiveRecord: 0.0ms)
> >
> >
> > If I use the FOREMAN_USER/FOREMAN_PASSWORD combination, facts upload
> correctly. So I am pretty sure it is installed correctly.
> >
> > Configuration part in callback/foreman.py
> > FOREMAN_URL = os.getenv('FOREMAN_URL', "https://fqdn.in.corp")
> >
> > FOREMAN_SSL_CERT = (os.getenv('FOREMAN_SSL_CERT',
> >                               "/etc/foreman/client_cert.pem"),
> >                     os.getenv('FOREMAN_SSL_KEY',
> >                               "/etc/foreman/client_key.pem"))
> > FOREMAN_SSL_VERIFY = os.getenv('FOREMAN_SSL_VERIFY', "1")
> > FOREMAN_USER = os.getenv('FOREMAN_USER', "admin")  # It works with user
> > FOREMAN_PASSWORD = os.getenv('FOREMAN_PASSWORD', "S3cr3tPASS")  # and password
> >
> > I do not know which cert/key is for what. Thanks for the hints and for
> > kicking me in the right direction.
>
> You can find the keys in /etc/httpd/conf.d/05-katello-ssl.conf or a
> similar file if you just have Foreman. The values match those of
> SSLCertificateFile, SSLCertificateKeyFile.
>
> By default these are in
>
> "/etc/pki/katello/certs/katello-default-ca.crt"
> "/etc/pki/katello/private/katello-default-ca.key"
>
> in a Foreman+Katello installation
>
> If you just use foreman, it'd be something like:
>
> /etc/puppetlabs/puppet/ssl/certs/yourfqdn.pem
> /etc/puppetlabs/puppet/ssl/private_keys/yourfqdn.pem
>
> (or maybe /var/lib/puppet/ssl, depending on your Puppet version)
>
> >
> >
> > Daniel Slezak
> >
> >
> >
> > --
> > You received this message because you are subscribed to the Google
> Groups "Foreman users" group.
> > To unsubscribe from this group and stop receiving emails from it, send
> an email to [email protected].
> > To post to this group, send email to [email protected].
> > Visit this group at https://groups.google.com/group/foreman-users.
> > For more options, visit https://groups.google.com/d/optout.
>
>
> --
> Daniel Lobato Garcia
>
> @dLobatog
> blog.daniellobato.me
> daniellobato.me
>
> GPG: http://keys.gnupg.net/pks/lookup?op=get&search=0x7A92D6DD38D6DE30
> Keybase: https://keybase.io/elobato
>
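
Added example (not part of the original thread and not Foreman's own code): a small Python triage script for the production.log format quoted above. It rejoins mail-wrapped lines, groups entries by request id, and lists the requests that ended in 403 after the "No SSL cert with CN supplied" warning. The function names and SAMPLE (built from log lines in this thread) are constructed for the example.

```python
import re

# Constructed sample: log lines quoted in this thread, wrapped as the mail wrapped them.
SAMPLE = '''==> /var/log/foreman/production.log <==
2017-07-19 09:27:50 d0a8c61a [app] [I] Started POST "/api/v2/hosts/facts"
for 172.27.9.166 at 2017-07-19 09:27:50 +0200
2017-07-19 09:27:50 d0a8c61a [app] [W] No SSL cert with CN supplied -
request from 172.27.9.166,
2017-07-19 09:27:50 d0a8c61a [app] [I] Completed 403 Forbidden in 10ms
(Views: 2.1ms | ActiveRecord: 0.5ms)
2017-07-19 09:27:50 5216bc1a [app] [I] Started POST "/api/v2/hosts/facts"
for IP_FOREMAN_URL at 2017-07-19 09:27:50 +0200
2017-07-19 09:27:50 5216bc1a [app] [W] No SSL cert with CN supplied -
request from IP_FOREMAN_URL,
2017-07-19 09:27:50 5216bc1a [app] [I] Completed 403 Forbidden in 5ms
(Views: 1.4ms | ActiveRecord: 0.0ms)
'''

RECORD = re.compile(r'^(\d{4}-\d\d-\d\d \d\d:\d\d:\d\d) ([0-9a-f]{8}) \[\w+\] \[(\w)\] (.*)$')
STARTED = re.compile(r'Started \w+ "([^"]+)" for (\S+) at ')
COMPLETED = re.compile(r'Completed (\d{3}) ')
NO_CERT = 'No SSL cert with CN supplied'

def parse_records(text):
    """Return [timestamp, request_id, level, message] with wrapped lines rejoined."""
    records = []
    for line in map(str.strip, text.splitlines()):
        m = RECORD.match(line)
        if m:
            records.append(list(m.groups()))
        elif line and not line.startswith('==>') and records:
            records[-1][3] += ' ' + line  # continuation of the previous entry
    return records

def cert_auth_failures(text):
    """Requests that ended 403 after the client-certificate warning."""
    reqs = {}
    for _ts, rid, level, msg in parse_records(text):
        r = reqs.setdefault(rid, {'client': None, 'path': None, 'status': None, 'warn': []})
        started, done = STARTED.search(msg), COMPLETED.search(msg)
        if started:
            r['path'], r['client'] = started.groups()
        if done:
            r['status'] = int(done.group(1))
        if level == 'W':
            r['warn'].append(msg)
    return [(rid, r['client'], r['path']) for rid, r in reqs.items()
            if r['status'] == 403 and any(NO_CERT in w for w in r['warn'])]
```

Calling cert_auth_failures() on the contents of /var/log/foreman/production.log shows which client address each rejected facts upload came from, which helps tell apart requests sent directly from the Ansible host and requests arriving via the Foreman address.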