Bug #7419
Closed
Installer can't register proxy on RHEL 7 due to firewall rules
Description
Error Message:
/Stage[main]/Foreman_proxy::Register/Foreman_smartproxy[cosdpl1.localdomain]: Could not evaluate: Could not load data from https://cosdpl1.localdomain
/Stage[main]/Foreman_proxy::Register/Foreman_smartproxy[cosdpl1.localdomain]: Failed to call refresh: Could not load data from https://cosdpl1.localdomain
/Stage[main]/Foreman_proxy::Register/Foreman_smartproxy[cosdpl1.localdomain]: Could not load data from https://cosdpl1.localdomain
Installing Done [100%] [..................................................................................]
Something went wrong! Check the log for ERROR-level output
Operating System:
Redhat Enterprise Linux 7 Minimal + latest updates
yum repolist
Loaded plugins: product-id, subscription-manager
repo id                                        repo name  status
epel/x86_64                                    Extra Packages for Enterprise Linux 7 - x86_64  5,617
foreman/x86_64                                 Foreman 1.6  276
foreman-plugins/x86_64                         Foreman plugins 1.6  85
puppetlabs-deps/x86_64                         Puppet Labs Dependencies El 7 - x86_64  10
puppetlabs-products/x86_64                     Puppet Labs Products El 7 - x86_64  82
rhel-7-server-optional-rpms/7Server/x86_64     Red Hat Enterprise Linux 7 Server - Optional (RPMs)  4,374
rhel-7-server-rpms/7Server/x86_64              Red Hat Enterprise Linux 7 Server (RPMs)  4,746
rhel-ha-for-rhel-7-server-rpms/7Server/x86_64  Red Hat Enterprise Linux High Availability (for RHEL 7 Server) (RPMs)  45
rhel-server-rhscl-7-rpms/7Server/x86_64        Red Hat Software Collections RPMs for Red Hat Enterprise Linux 7 Server  779
repolist: 16,014
# yum list foreman-installer
Loaded plugins: product-id, subscription-manager
Installed Packages
foreman-installer.noarch 1:1.6.0-1.el7 @foreman
# cat /etc/selinux/config
# This file controls the state of SELinux on the system.
# SELINUX= can take one of these three values:
#     enforcing - SELinux security policy is enforced.
#     permissive - SELinux prints warnings instead of enforcing.
#     disabled - No SELinux policy is loaded.
SELINUX=disabled
# SELINUXTYPE= can take one of these two values:
#     targeted - Targeted processes are protected,
#     minimum - Modification of targeted policy. Only selected processes are protected.
#     mls - Multi Level Security protection.
SELINUXTYPE=targeted
Please see also the attached log file
Files
Updated by Dirk Mayer over 10 years ago
- File installed_packages.log installed_packages.log added
# yum list installed > installed_packages.log
Updated by Dominic Cleal over 10 years ago
- Status changed from New to Need more information
Can you try visiting https://cosdpl1.localdomain? Is there an error of any sort?
Please also attach /var/log/httpd/*error*
Updated by Dirk Mayer over 10 years ago
- File error_log error_log added
- File puppet_error_ssl.log puppet_error_ssl.log added
I attached the requested log files.
The URL https://cosdpl1.localdomain is not reachable via browser.
Updated by Dominic Cleal over 10 years ago
I don't see any errors in the log, in fact it seems to report that it's running successfully. What kind of error do you get? Is DNS resolving?
Try "curl -k https://cosdpl1.localdomain/users/login" on the server itself and you should see some HTML, including the text "Welcome to Foreman" towards the bottom if it's running successfully.
Do check for any firewall, since firewalld/iptables will be blocking port 80/443 by default on RHEL 7.
Updated by Dirk Mayer over 10 years ago
Thanks for clarification. Changing the firewall settings BEFORE running the foreman-installer solved the problem, the installer succeeded.
Maybe it is a good idea to open the http/https ports in firewalld by the foreman-installer itself via puppet? That way the installer would not throw errors during the installation process.
Updated by Dominic Cleal over 10 years ago
- Project changed from Foreman to Installer
- Subject changed from Foreman-installer 1.6.0-1 fails on RHEL 7 to Installer can't register proxy on RHEL 7 due to firewall rules
- Category set to Foreman modules
- Status changed from Need more information to New
- Priority changed from High to Normal
Ah, thanks for confirming. I'll leave the bug report open so we can consider doing that, though I'm nervous about managing the firewall by default as it could cause all sorts of problems. I think it's probably one step too far.
Maybe we can put in some sort of connectivity pre-flight check?
Updated by Ewoud Kohl van Wijngaarden about 4 years ago
- Status changed from New to Closed
Given our experiences now I don't think we want to be managing the firewall. That's very hard to get right so I'm closing this now.
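
A sketch of the connectivity pre-flight check suggested in this thread, added here as an example and not part of foreman-installer: it reads firewalld's state and reports which of ports 80/443 are still closed, without changing any rules. The function names port_allowed and blocked_ports are hypothetical, and it assumes the default zone is the one that matters (rich rules, direct rules and other zones are not inspected).

```shell
#!/bin/sh
# Added example: report-only pre-flight check, it never modifies the firewall.

# Return 0 if TCP port $1 (firewalld service name $2) is opened either by the
# service list $3 or by the port list $4 (entries like "443/tcp" or "80-443/tcp").
port_allowed() {
    port=$1
    svc=$2
    for s in $3; do
        if [ "$s" = "$svc" ]; then return 0; fi
    done
    for p in $4; do
        case "$p" in
            */tcp) ;;          # only TCP entries can open HTTP/HTTPS
            *) continue ;;
        esac
        range=${p%/tcp}
        lo=${range%-*}         # "443" -> 443, "80-443" -> 80
        hi=${range#*-}         # "443" -> 443, "80-443" -> 443
        if [ "$port" -ge "$lo" ] && [ "$port" -le "$hi" ]; then return 0; fi
    done
    return 1
}

# Print the required ports (80, 443) that the given firewalld state leaves closed.
# $1: output of `firewall-cmd --list-services`
# $2: output of `firewall-cmd --list-ports`
blocked_ports() {
    blocked=""
    port_allowed 80 http "$1" "$2" || blocked="80"
    port_allowed 443 https "$1" "$2" || blocked="${blocked:+$blocked }443"
    echo "$blocked"
}

# Live use on the installer host; skipped when firewalld is absent or stopped.
if command -v firewall-cmd >/dev/null 2>&1 && firewall-cmd --state >/dev/null 2>&1; then
    closed=$(blocked_ports "$(firewall-cmd --list-services)" "$(firewall-cmd --list-ports)")
    if [ -n "$closed" ]; then
        echo "pre-flight: firewalld default zone does not open TCP port(s): $closed" >&2
    fi
fi
```

Run before the installer, this turns the "Could not load data from https://..." registration failure into an explicit message naming the closed ports, while leaving the decision to open them with the administrator.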