Proxy communication errors

The smart proxy is a service running on Puppet masters, DHCP servers, etc. throughout your infrastructure. Foreman will call out to the proxy occasionally to carry out actions needed when adding hosts, updating Puppet classes and so on. These calls often fail because of basic communication issues that may not be directly related to the action you're currently trying to perform, and they can surface as a number of different error codes.

SSL troubleshooting

Before you start investigating, make sure you have the following settings (Administer -> Settings -> Authentication) set correctly on the Foreman instance:

  • ssl_ca_file
  • ssl_certificate
  • ssl_priv_key

Also make sure that the hostname of the proxy is the same as the one the certificate was issued for (Common Name) and that the time is synchronised with NTP on both servers.
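The checks above can be scripted with the openssl command line. The following is an added example, not part of the Foreman documentation; the function names are hypothetical, it assumes openssl is installed, and the file arguments are whichever files your settings point at. The demo certificates it can generate are constructed throwaway data.

```shell
#!/bin/sh
# Added example (not Foreman code). Function names are hypothetical.

# Key pair check: the private key must be the other half of the certificate.
key_matches_cert() {    # usage: key_matches_cert CERT KEY
    cert_pub=$(openssl x509 -in "$1" -noout -pubkey 2>/dev/null) || return 2
    key_pub=$(openssl pkey -in "$2" -pubout 2>/dev/null) || return 2
    [ -n "$cert_pub" ] && [ "$cert_pub" = "$key_pub" ]
}

# Chain and validity check: the certificate must verify against the CA file.
# openssl verify also rejects expired or not-yet-valid certificates, which is
# where an unsynchronised clock shows up.
cert_trusted_by_ca() {  # usage: cert_trusted_by_ca CA CERT
    openssl verify -CAfile "$1" "$2" >/dev/null 2>&1
}

# Name check: the hostname used in the proxy URL must match the certificate.
# The text output is tested because some openssl releases exit 0 either way.
cert_matches_host() {   # usage: cert_matches_host CERT HOSTNAME
    openssl x509 -in "$1" -noout -checkhost "$2" 2>/dev/null | grep -q 'does match'
}

# Constructed sample data: a throwaway CA and a certificate issued for
# proxy.example.com, written into directory $1.
make_demo_certs() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 2 -subj '/CN=Constructed Demo CA' \
        -keyout "$1/ca.key" -out "$1/ca.pem" 2>/dev/null &&
    openssl req -newkey rsa:2048 -nodes -subj '/CN=proxy.example.com' \
        -keyout "$1/proxy.key" -out "$1/proxy.csr" 2>/dev/null &&
    openssl x509 -req -in "$1/proxy.csr" -days 2 -CA "$1/ca.pem" -CAkey "$1/ca.key" \
        -CAcreateserial -out "$1/proxy.pem" 2>/dev/null
}

# Run all three checks and report every failure, not just the first.
check_proxy_ssl() {     # usage: check_proxy_ssl CA CERT KEY HOSTNAME
    rc=0
    cert_trusted_by_ca "$1" "$2" || { echo "FAIL: $2 does not verify against $1"; rc=1; }
    key_matches_cert "$2" "$3"   || { echo "FAIL: $3 is not the key for $2"; rc=1; }
    cert_matches_host "$2" "$4"  || { echo "FAIL: $2 was not issued for $4"; rc=1; }
    [ "$rc" -eq 0 ] && echo "OK: certificate, key, CA and hostname are consistent"
    return "$rc"
}

# When called with four arguments, check the given files directly.
if [ "$#" -eq 4 ]; then check_proxy_ssl "$@"; fi
```
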

Connection refused

Foreman is trying to open an HTTP connection to the proxy server (usually on port 8443). Check first that the proxy is actually running:

# service foreman-proxy status
foreman-proxy (pid  10025) is running...

Check for any firewalls between Foreman and the proxy host, including iptables or similar running on the proxy itself.

Try a test connection from the Foreman server to the proxy, e.g. telnet proxy.example.com 8443.

[Errno::ECONNRESET]: Connection reset by peer

This usually indicates that the smart proxy is running on one protocol (e.g. HTTPS) and Foreman is trying to use another (e.g. HTTP). Edit the smart proxy via the Foreman UI and change the protocol in the URL field.

If the :ssl_* options in /etc/foreman-proxy/settings.yml are uncommented then the proxy is HTTPS, so the URL should start with "https://".

[RestClient::ResourceNotFound]: 404 Resource Not Found

This can depend on context (the proxy may return a 404 because some entry isn't found), but may mean that a feature that's expected to be available on the proxy (e.g. Puppet, DNS) isn't actually enabled in the config file or running instance.

[RestClient::RequestTimeout]: Request Timeout

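Check that the Foreman server has network access to the smart proxy server. Try using "telnet proxy.example.com 8443" or "curl -k https://proxy.example.com:8443/features". Note that -k makes curl skip certificate verification, so a successful response confirms reachability only, not that the SSL settings are correct.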