On 07/19, Dan Sk wrote:
> Hi Daniel Lobato,
> thanks for the reply. I use foreman with katello. So I
> used /etc/pki/katello/certs/katello-apache.crt
> and /etc/pki/katello/private/katello-apache.key as mentioned
> in /etc/httpd/conf.d/05-foreman-ssl.conf but still without success.

Are you sure that's it? My Apache config file is 05-katello-ssl.conf,
and the cert/key are:


  SSLCertificateFile "/etc/pki/katello/certs/katello-default-ca.crt"
  SSLCertificateKeyFile "/etc/pki/katello/private/katello-default-ca.key"




>
> Here are current logs:
> ==> /var/log/foreman/production.log <==
> 2017-07-19 09:27:50 d0a8c61a [app] [I] Started POST "/api/v2/hosts/facts"
> for 172.27.9.166 at 2017-07-19 09:27:50 +0200
> 2017-07-19 09:27:50 d0a8c61a [app] [I] Processing by
> Api::V2::HostsController#facts as JSON
> 2017-07-19 09:27:50 d0a8c61a [app] [I]   Parameters:
> {"facts"=>"[FILTERED]", "name"=>"client.in.corp", "apiv"=>"v2",
> :host=>{"name"=>"client.in.corp"}}
> 2017-07-19 09:27:50 d0a8c61a [app] [W] No SSL cert with CN supplied -
> request from 172.27.9.166,
> 2017-07-19 09:27:50 d0a8c61a [app] [W] SSO failed
> 2017-07-19 09:27:50 d0a8c61a [app] [I]   Rendered
> api/v2/errors/access_denied.json.rabl within api/v2/layouts/error_layout
> (1.0ms)
> 2017-07-19 09:27:50 d0a8c61a [app] [I] Filter chain halted as
> #<Proc:0x00000009905b10@/usr/share/foreman/app/controllers/concerns/foreman/controller/smart_proxy_auth.rb:14>
> rendered or redirected
> 2017-07-19 09:27:50 d0a8c61a [app] [I] Completed 403 Forbidden in 10ms
> (Views: 2.1ms | ActiveRecord: 0.5ms)
> 2017-07-19 09:27:50 5216bc1a [app] [I] Started POST "/api/v2/hosts/facts"
> for IP_FOREMAN_URL at 2017-07-19 09:27:50 +0200
> 2017-07-19 09:27:50 5216bc1a [app] [I] Processing by
> Api::V2::HostsController#facts as JSON
> 2017-07-19 09:27:50 5216bc1a [app] [I]   Parameters:
> {"facts"=>"[FILTERED]", "name"=>"client.in.corp", "apiv"=>"v2",
> :host=>{"name"=>"client.in.corp"}}
> 2017-07-19 09:27:50 5216bc1a [app] [W] No SSL cert with CN supplied -
> request from IP_FOREMAN_URL,
> 2017-07-19 09:27:50 5216bc1a [app] [W] SSO failed
> 2017-07-19 09:27:50 5216bc1a [app] [I]   Rendered
> api/v2/errors/access_denied.json.rabl within api/v2/layouts/error_layout
> (0.5ms)
> 2017-07-19 09:27:50 5216bc1a [app] [I] Filter chain halted as
> #<Proc:0x00000009905b10@/usr/share/foreman/app/controllers/concerns/foreman/controller/smart_proxy_auth.rb:14>
> rendered or redirected
> 2017-07-19 09:27:50 5216bc1a [app] [I] Completed 403 Forbidden in 5ms
> (Views: 1.4ms | ActiveRecord: 0.0ms)
>
> Is there any debug mode or curl command which could give me some hint?
>
> Thank you very much.
> Daniel Slezak
>
> On Tuesday, July 18, 2017 at 17:23:01 UTC+2, Daniel Lobato wrote:
> >
> > On 07/18, Dan Sk wrote:
> > >
> > >
> > > Hi,
> > >
> > > I am lost with setting of callback/foreman.py.
> > >
> > > We use Foreman 1.15.2, Katello 3.4.2, foreman_ansible 1.4.5 (with
> > updated callback/foreman.py from github) and ansible 2.3.1 on CentOS 7.
> > >
> > > I think i know where Foreman runs.
> > > curl -k -H "Accept: application/json" https://fqdn.in.corp/status
> > > {"result":"ok","status":"ok","version":"1.15.2","db_duration_ms":"3"}
> > >
> > > Checked certification as is on
> > https://www.theforeman.org/plugins/foreman_ansible/1.x/index.html#2.1Ansiblecallback
> > > Request check for certifications
> > http://docs.python-requests.org/en/master/user/advanced/#ssl-cert-verification
> > > python
> > >
> > > import requests
> > > requests.get('https://fqdn.in.corp/',
> > cert=('/etc/foreman/client_cert.pem', '/etc/foreman/client_key.pem'))
> > >
> > > <Response [200]>
> > >
> > > But when run ansible -m setup client.in.corp i see
> > >
> > > 2017-07-18 14:26:25 91503c77 [app] [I] Started POST
> > "/api/v2/hosts/facts" for IP_FOREMAN_URL at 2017-07-18 14:26:25 +0200
> > > 2017-07-18 14:26:25 91503c77 [app] [I] Processing by
> > Api::V2::HostsController#facts as JSON
> > > 2017-07-18 14:26:25 91503c77 [app] [I]   Parameters:
> > {"facts"=>"[FILTERED]", "name"=>"client.in.corp", "apiv"=>"v2",
> > :host=>{"name"=>"client.in.corp"}}
> > > 2017-07-18 14:26:25 91503c77 [app] [D] Importer
> > Katello::RhsmFactImporter does not implement
> > authorized_smart_proxy_features.
> > > 2017-07-18 14:26:25 91503c77 [app] [D] Importer
> > ForemanAnsible::StructuredFactImporter does not implement
> > authorized_smart_proxy_features.
> > > 2017-07-18 14:26:25 91503c77 [app] [W] No
> > SSL cert with CN supplied - request from IP_FOREMAN_URL,
> > > 2017-07-18 14:26:25 91503c77 [app] [W] SSO failed
> > > 2017-07-18 14:26:25 91503c77 [app] [I]   Rendered
> > api/v2/errors/access_denied.json.rabl within api/v2/layouts/error_layout
> > (0.8ms)
> > > 2017-07-18 14:26:25 91503c77 [app] [I] Filter chain halted as
> > #<Proc:0x0000000b444908@/usr/share/foreman/app/controllers/concerns/foreman/controller/smart_proxy_auth.rb:14>
> > rendered or redirected
> > > 2017-07-18 14:26:25 91503c77 [app] [I] Completed 403 Forbidden in 6ms
> > (Views: 1.6ms | ActiveRecord: 0.0ms)
> > >
> > >
> > > If i use FOREMAN_USER/FOREMAN_PASSWORD combination facts upload
> > correctly. So i am pretty sure it is installed correctly.
> > >
> > > Configuration part in callback/foreman.py
> > >     FOREMAN_URL = os.getenv('FOREMAN_URL', "https://fqdn.in.corp")
> > >
> > >     FOREMAN_SSL_CERT = (os.getenv('FOREMAN_SSL_CERT',
> > >                                   "/etc/foreman/client_cert.pem"),
> > >                         os.getenv('FOREMAN_SSL_KEY',
> > >                                   "/etc/foreman/client_key.pem"))
> > >     FOREMAN_SSL_VERIFY = os.getenv('FOREMAN_SSL_VERIFY', "1")
> > >     FOREMAN_USER = os.getenv('FOREMAN_USER', "admin")  # It works with user
> > >     FOREMAN_PASSWORD = os.getenv('FOREMAN_PASSWORD', "S3cr3tPASS")  # and password
> > >
> > > I do not know which cert/key is for what. Thanks for hints and kicking
> > me
> > > in right direction.
> >
> > You can find the keys in /etc/httpd/conf.d/05-katello-ssl.conf or a
> > similar file if you just have Foreman. The values match those of
> > SSLCertificateFile, SSLCertificateKeyFile.
> >
> > By default these are in
> >
> >   "/etc/pki/katello/certs/katello-default-ca.crt"
> >   "/etc/pki/katello/private/katello-default-ca.key"
> >
> > in a Foreman+Katello installation
> >
> > If you just use foreman, it'd be something like:
> >
> > /etc/puppetlabs/puppet/ssl/certs/yourfqdn.pem
> > /etc/puppetlabs/puppet/ssl/private_keys/yourfqdn.pem
> >
> > (or maybe /var/lib/puppet/ssl, depending on your Puppet version)
> >
> > >
> > >
> > > Daniel Slezak
> > >
> > >
> > >
> > > --
> > > You received this message because you are subscribed to the Google
> > Groups "Foreman users" group.
> > > To unsubscribe from this group and stop receiving emails from it, send
> > an email to foreman-user...@googlegroups.com.
> > > To post to this group, send email to forema...@googlegroups.com.
> > > Visit this group at https://groups.google.com/group/foreman-users.
> > > For more options, visit https://groups.google.com/d/optout.
> >
> >
> > --
> > Daniel Lobato Garcia
> >
> > @dLobatog
> > blog.daniellobato.me
> > daniellobato.me
> >
> > GPG: http://keys.gnupg.net/pks/lookup?op=get&search=0x7A92D6DD38D6DE30
> > Keybase: https://keybase.io/elobato
> >
>


--
Daniel Lobato Garcia

@dLobatog
blog.daniellobato.me
daniellobato.me

GPG: http://keys.gnupg.net/pks/lookup?op=get&search=0x7A92D6DD38D6DE30
Keybase: https://keybase.io/elobato
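
An added example, not part of the original thread or of Foreman's code: a small triage script that groups production.log entries by request id and lists the requests Foreman rejected with 403 after logging "No SSL cert with CN supplied". The sample log is constructed (the first request mirrors the wrapped, quoted excerpt above; the second is invented), and the function names are hypothetical.

```python
import re

# Constructed sample: the first request mirrors the wrapped, ">"-quoted excerpt
# in the thread; the second (id 0a1b2c3d, 201 Created) is invented for contrast.
SAMPLE_LOG = """\
> 2017-07-19 09:27:50 d0a8c61a [app] [I] Started POST "/api/v2/hosts/facts"
> for 172.27.9.166 at 2017-07-19 09:27:50 +0200
> 2017-07-19 09:27:50 d0a8c61a [app] [W] No SSL cert with CN supplied -
> request from 172.27.9.166,
> 2017-07-19 09:27:50 d0a8c61a [app] [W] SSO failed
> 2017-07-19 09:27:50 d0a8c61a [app] [I] Completed 403 Forbidden in 10ms
> (Views: 2.1ms | ActiveRecord: 0.5ms)
2017-07-19 09:31:12 0a1b2c3d [app] [I] Started POST "/api/v2/hosts/facts" for 172.27.9.166 at 2017-07-19 09:31:12 +0200
2017-07-19 09:31:12 0a1b2c3d [app] [I] Completed 201 Created in 40ms
"""

ENTRY = re.compile(r'^\d{4}-\d\d-\d\d \d\d:\d\d:\d\d ([0-9a-f]{8}) \[\w+\] \[[A-Z]\] (.*)$')
STARTED = re.compile(r'Started (\w+) "([^"]+)" for (\S+) at')
COMPLETED = re.compile(r'Completed (\d{3})')
NO_CERT = "No SSL cert with CN supplied"

def unwrap(log_text):
    """Strip mail quote prefixes and re-join entries wrapped across lines."""
    entries = []
    for raw in log_text.splitlines():
        line = raw.lstrip("> ").rstrip()
        if ENTRY.match(line):
            entries.append(line)
        elif line and entries:
            entries[-1] += " " + line  # continuation of the previous entry
    return entries

def summarize(log_text):
    """Group entries by request id; record client, path, status, cert warning."""
    reqs = {}
    for entry in unwrap(log_text):
        rid, msg = ENTRY.match(entry).groups()
        r = reqs.setdefault(rid, {"id": rid, "client": None, "path": None,
                                  "status": None, "no_client_cert": False})
        if m := STARTED.search(msg):
            _, r["path"], r["client"] = m.groups()
        elif NO_CERT in msg:
            r["no_client_cert"] = True
        elif m := COMPLETED.search(msg):
            r["status"] = int(m.group(1))
    return list(reqs.values())

def cert_auth_failures(log_text):
    """Requests rejected with 403 after Foreman saw no client certificate CN."""
    return [r for r in summarize(log_text)
            if r["no_client_cert"] and r["status"] == 403]
```
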
