ERF12-7740

Generic or SSL connection errors

Please see Proxy_communication_errors first for SSL or communication errors, which aren't specific to this particular proxy action.

Unable to delete PuppetCA certificate for ...

Foreman will be contacting the smart proxy (responsible for Puppet CA management on that host) to request that the old certificate for the host is deleted.

Check /var/log/foreman-proxy/proxy.log on your Puppet CA server for any errors.

Failed to run puppetca: [sudo] password for foreman-proxy

The proxy is trying to run a Puppet command to delete the certificate via sudo, but the sudoers rules aren't allowing it to do so without a password - suggesting the rules aren't right (they vary for Puppet 2 versus 3) or are missing.

See http://theforeman.org/manuals/latest/index.html#4.3.2SmartProxySettings, scroll down a little for the Puppet CA configuration and the sudoers rules are listed. These should be in /etc/sudoers.d/foreman-proxy and the file should have -r--r----- (0440) permissions.

Note that if you've upgraded from Puppet 2 to 3, the rule needs changing to /usr/bin/puppet cert * (you should also read the FAQ for other changes, or re-run the installer).

Used Hashing Algorithms

Check that your client can and does support the chosen minimum hashing algorithm on your Foreman-installation. Issues can arise, if Puppet2 agent should talk to a recent Foreman with state of the art hashing algorithm like SHA256 as the old Puppet agent only supports MD5.