On 07/19, Dan Sk wrote:
> Hi Daniel Lobato,
> thanks for the reply. I use foreman with katello. So I
> used /etc/pki/katello/certs/katello-apache.crt
> and /etc/pki/katello/private/katello-apache.key as mentioned
> in /etc/httpd/conf.d/05-foreman-ssl.conf but still without success.

Are you sure that's it? My Apache config file is 05-katello-ssl.conf,
and the cert/key are:


  SSLCertificateFile "/etc/pki/katello/certs/katello-default-ca.crt"
  SSLCertificateKeyFile "/etc/pki/katello/private/katello-default-ca.key"




>
> Here are current logs:
> ==> /var/log/foreman/production.log <==
> 2017-07-19 09:27:50 d0a8c61a [app] [I] Started POST "/api/v2/hosts/facts"
> for 172.27.9.166 at 2017-07-19 09:27:50 +0200
> 2017-07-19 09:27:50 d0a8c61a [app] [I] Processing by
> Api::V2::HostsController#facts as JSON
> 2017-07-19 09:27:50 d0a8c61a [app] [I]   Parameters:
> {"facts"=>"[FILTERED]", "name"=>"client.in.corp", "apiv"=>"v2",
> :host=>{"name"=>"client.in.corp"}}
> 2017-07-19 09:27:50 d0a8c61a [app] [W] No SSL cert with CN supplied -
> request from 172.27.9.166,
> 2017-07-19 09:27:50 d0a8c61a [app] [W] SSO failed
> 2017-07-19 09:27:50 d0a8c61a [app] [I]   Rendered
> api/v2/errors/access_denied.json.rabl within api/v2/layouts/error_layout
> (1.0ms)
> 2017-07-19 09:27:50 d0a8c61a [app] [I] Filter chain halted as
> #<Proc:0x00000009905b10@/usr/share/foreman/app/controllers/concerns/foreman/controller/smart_proxy_auth.rb:14>
> rendered or redirected
> 2017-07-19 09:27:50 d0a8c61a [app] [I] Completed 403 Forbidden in 10ms
> (Views: 2.1ms | ActiveRecord: 0.5ms)
> 2017-07-19 09:27:50 5216bc1a [app] [I] Started POST "/api/v2/hosts/facts"
> for IP_FOREMAN_URL at 2017-07-19 09:27:50 +0200
> 2017-07-19 09:27:50 5216bc1a [app] [I] Processing by
> Api::V2::HostsController#facts as JSON
> 2017-07-19 09:27:50 5216bc1a [app] [I]   Parameters:
> {"facts"=>"[FILTERED]", "name"=>"client.in.corp", "apiv"=>"v2",
> :host=>{"name"=>"client.in.corp"}}
> 2017-07-19 09:27:50 5216bc1a [app] [W] No SSL cert with CN supplied -
> request from IP_FOREMAN_URL,
> 2017-07-19 09:27:50 5216bc1a [app] [W] SSO failed
> 2017-07-19 09:27:50 5216bc1a [app] [I]   Rendered
> api/v2/errors/access_denied.json.rabl within api/v2/layouts/error_layout
> (0.5ms)
> 2017-07-19 09:27:50 5216bc1a [app] [I] Filter chain halted as
> #<Proc:0x00000009905b10@/usr/share/foreman/app/controllers/concerns/foreman/controller/smart_proxy_auth.rb:14>
> rendered or redirected
> 2017-07-19 09:27:50 5216bc1a [app] [I] Completed 403 Forbidden in 5ms
> (Views: 1.4ms | ActiveRecord: 0.0ms)
>
> Is there any debug mode or curl command which could give me some hint?
>
> Thank you very much.
> Daniel Slezak
>
> On Tuesday, July 18, 2017 at 17:23:01 UTC+2, Daniel Lobato wrote:
> >
> > On 07/18, Dan Sk wrote:
> > >
> > >
> > > Hi,
> > >
> > > I am lost with setting of callback/foreman.py.
> > >
> > > We use Foreman 1.15.2, Katello 3.4.2, foreman_ansible 1.4.5 (with
> > updated callback/foreman.py from github) and ansible 2.3.1 on CentOS 7.
> > >
> > > I think I know where Foreman runs.
> > > curl -k -H "Accept: application/json" https://fqdn.in.corp/status
> > > {"result":"ok","status":"ok","version":"1.15.2","db_duration_ms":"3"}
> > >
> > > Checked certification as is on
> > https://www.theforeman.org/plugins/foreman_ansible/1.x/index.html#2.1Ansiblecallback
> > > Request check for certifications
> > http://docs.python-requests.org/en/master/user/advanced/#ssl-cert-verification
> > > python
> > >
> > > import requests
> > > requests.get('https://fqdn.in.corp/',
> > cert=('/etc/foreman/client_cert.pem', '/etc/foreman/client_key.pem'))
> > >
> > > <Response [200]>
> > >
> > > But when I run ansible -m setup client.in.corp I see
> > >
> > > 2017-07-18 14:26:25 91503c77 [app] [I] Started POST
> > "/api/v2/hosts/facts" for IP_FOREMAN_URL at 2017-07-18 14:26:25 +0200
> > > 2017-07-18 14:26:25 91503c77 [app] [I] Processing by
> > Api::V2::HostsController#facts as JSON
> > > 2017-07-18 14:26:25 91503c77 [app] [I]   Parameters:
> > {"facts"=>"[FILTERED]", "name"=>"client.in.corp", "apiv"=>"v2",
> > :host=>{"name"=>"client.in.corp"}}
> > > 2017-07-18 14:26:25 91503c77 [app] [D] Importer
> > Katello::RhsmFactImporter does not implement
> > authorized_smart_proxy_features.
> > > 2017-07-18 14:26:25 91503c77 [app] [D] Importer
> > ForemanAnsible::StructuredFactImporter does not implement
> > authorized_smart_proxy_features.
> > > 2017-07-18 14:26:25 91503c77 [app] [W] No
> > SSL cert with CN supplied - request from IP_FOREMAN_URL,
> > > 2017-07-18 14:26:25 91503c77 [app] [W] SSO failed
> > > 2017-07-18 14:26:25 91503c77 [app] [I]   Rendered
> > api/v2/errors/access_denied.json.rabl within api/v2/layouts/error_layout
> > (0.8ms)
> > > 2017-07-18 14:26:25 91503c77 [app] [I] Filter chain halted as
> > #<Proc:0x0000000b444908@/usr/share/foreman/app/controllers/concerns/foreman/controller/smart_proxy_auth.rb:14>
> > rendered or redirected
> > > 2017-07-18 14:26:25 91503c77 [app] [I] Completed 403 Forbidden in 6ms
> > (Views: 1.6ms | ActiveRecord: 0.0ms)
> > >
> > >
> > > If I use the FOREMAN_USER/FOREMAN_PASSWORD combination, facts upload
> > correctly. So I am pretty sure it is installed correctly.
> > >
> > > Configuration part in callback/foreman.py
> > >     FOREMAN_URL = os.getenv('FOREMAN_URL', "https://fqdn.in.corp")
> > >
> > >     FOREMAN_SSL_CERT = (os.getenv('FOREMAN_SSL_CERT',
> > >                                   "/etc/foreman/client_cert.pem"),
> > >                         os.getenv('FOREMAN_SSL_KEY',
> > >                                   "/etc/foreman/client_key.pem"))
> > >     FOREMAN_SSL_VERIFY = os.getenv('FOREMAN_SSL_VERIFY', "1")
> > >     FOREMAN_USER = os.getenv('FOREMAN_USER', "admin")  # It works with user
> > >     FOREMAN_PASSWORD = os.getenv('FOREMAN_PASSWORD', "S3cr3tPASS")  # and password
> > >
> > > I do not know which cert/key is for what. Thanks for hints and kicking
> > me
> > > in right direction.
> >
> > You can find the keys in /etc/httpd/conf.d/05-katello-ssl.conf or a
> > similar file if you just have Foreman. The values match those of
> > SSLCertificateFile, SSLCertificateKeyFile.
> >
> > By default these are in
> >
> >   "/etc/pki/katello/certs/katello-default-ca.crt"
> >   "/etc/pki/katello/private/katello-default-ca.key"
> >
> > in a Foreman+Katello installation
> >
> > If you just use foreman, it'd be something like:
> >
> >   /etc/puppetlabs/puppet/ssl/certs/yourfqdn.pem
> >   /etc/puppetlabs/puppet/ssl/private_keys/yourfqdn.pem
> >
> > (or maybe /var/lib/puppet/ssl, depending on your Puppet version)
> >
> > >
> > >
> > > Daniel Slezak
> > >
> > >
> > >
> > > --
> > > You received this message because you are subscribed to the Google
> > Groups "Foreman users" group.
> > > To unsubscribe from this group and stop receiving emails from it, send
> > an email to [email protected].
> > > To post to this group, send email to [email protected].
> > > Visit this group at https://groups.google.com/group/foreman-users.
> > > For more options, visit https://groups.google.com/d/optout.
> >
> >
> > --
> > Daniel Lobato Garcia
> >
> > @dLobatog
> > blog.daniellobato.me
> > daniellobato.me
> >
> > GPG: http://keys.gnupg.net/pks/lookup?op=get&search=0x7A92D6DD38D6DE30
> > Keybase: https://keybase.io/elobato
> >
>


--
Daniel Lobato Garcia

@dLobatog
blog.daniellobato.me
daniellobato.me

GPG: http://keys.gnupg.net/pks/lookup?op=get&search=0x7A92D6DD38D6DE30
Keybase: https://keybase.io/elobato
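
Added example, not part of the original thread or of Foreman's code: a small log correlator that groups production.log entries by request id and lists the requests that were denied with 403 after the "No SSL cert with CN supplied" warning, which shows which client address is connecting without a usable certificate. The sample log is constructed in the format quoted above, and all function names are hypothetical.

```python
import re

# Constructed sample in the production.log format quoted in the thread. The first
# entry is wrapped as in the mail; request aaaa0001 is invented for contrast.
SAMPLE_LOG = """\
2017-07-19 09:27:50 d0a8c61a [app] [I] Started POST "/api/v2/hosts/facts"
for 172.27.9.166 at 2017-07-19 09:27:50 +0200
2017-07-19 09:27:50 d0a8c61a [app] [W] No SSL cert with CN supplied - request from 172.27.9.166,
2017-07-19 09:27:50 d0a8c61a [app] [I] Completed 403 Forbidden in 10ms
2017-07-19 09:28:02 aaaa0001 [app] [I] Started POST "/api/v2/hosts/facts" for 192.0.2.10 at 2017-07-19 09:28:02 +0200
2017-07-19 09:28:02 aaaa0001 [app] [I] Completed 201 Created in 85ms
"""

ENTRY = re.compile(r"^(\d{4}-\d\d-\d\d \d\d:\d\d:\d\d) ([0-9a-f]{8}) \[\w+\] \[(\w)\]\s*(.*)$")
STARTED = re.compile(r'Started (\w+) "([^"]+)" for (\S+) at')
COMPLETED = re.compile(r"Completed (\d{3}) ")
NO_CERT = "No SSL cert with CN supplied"

def parse_entries(log_text):
    """Return [timestamp, request_id, level, message] lists, rejoining wrapped lines."""
    entries = []
    for raw in log_text.splitlines():
        m = ENTRY.match(raw)
        if m:
            entries.append(list(m.groups()))
        elif entries and raw.strip():
            entries[-1][3] += " " + raw.strip()  # continuation of the previous entry
    return entries

def correlate(log_text):
    """Group entries by request id into one record per HTTP request."""
    requests = {}
    for ts, rid, level, msg in parse_entries(log_text):
        rec = requests.setdefault(rid, {"id": rid, "time": ts, "method": None,
                                        "path": None, "client": None,
                                        "warnings": [], "status": None})
        started, completed = STARTED.search(msg), COMPLETED.search(msg)
        if started:
            rec["method"], rec["path"], rec["client"] = started.groups()
        if completed:
            rec["status"] = int(completed.group(1))
        if level == "W":
            rec["warnings"].append(msg)
    return requests

def cert_auth_failures(log_text):
    """Requests denied (403) after Foreman saw no client certificate CN."""
    return [r for r in correlate(log_text).values()
            if r["status"] == 403 and any(NO_CERT in w for w in r["warnings"])]
```
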
