Feature #18224: Add client certificate support for smart proxy registration
Status: open
Description
We require client certificates be presented for TLS connections to Foreman by introducing the following httpd configuration on a CentOS 7 Foreman server:
<Location />
  Require ssl-verify-client
</Location>
as file:
/etc/httpd/conf.d/zz-require-client-cert.conf
When installing additional smart proxies in the environment, we have to temporarily turn off client certificate verification, otherwise the smart proxy cannot complete its request to register itself.
We see the following on Foreman in /var/log/httpd/foreman-ssl_error_ssl.log:
[Tue Jan 24 12:18:01.222540 2017] [authz_core:error] [pid 13638] [client 192.168.1.121:45780] AH01630: client denied by server configuration: /usr/share/foreman/public/api
And the following on the CentOS 7 smart proxy server in /var/log/foreman-installer/foreman.log:
[ERROR 2017-01-24 12:18:01 main] /Stage[main]/Foreman_proxy::Register/Foreman_smartproxy[devel]: Failed to call refresh: Proxy devel cannot be retrieved: unknown error (response 403)
[ERROR 2017-01-24 12:18:01 main] /Stage[main]/Foreman_proxy::Register/Foreman_smartproxy[devel]: Proxy devel cannot be retrieved: unknown error (response 403)
[ERROR 2017-01-24 12:18:01 main] /usr/share/foreman-installer/modules/foreman/lib/puppet/provider/foreman_smartproxy/rest_v3.rb:7:in `proxy'
[ERROR 2017-01-24 12:18:01 main] /usr/share/foreman-installer/modules/foreman/lib/puppet/provider/foreman_smartproxy/rest_v3.rb:13:in `id'
[ERROR 2017-01-24 12:18:01 main] /usr/share/foreman-installer/modules/foreman/lib/puppet/provider/foreman_smartproxy/rest_v3.rb:17:in `exists?'
[ERROR 2017-01-24 12:18:01 main] /usr/share/ruby/vendor_ruby/puppet/property/ensure.rb:81:in `retrieve'
[ERROR 2017-01-24 12:18:01 main] /usr/share/foreman-installer/modules/foreman/lib/puppet/type/foreman_smartproxy.rb:53:in `refresh'
[ERROR 2017-01-24 12:18:01 main] /usr/share/ruby/vendor_ruby/puppet/transaction/event_manager.rb:101:in `process_callback'
[ERROR 2017-01-24 12:18:01 main] /usr/share/ruby/vendor_ruby/puppet/transaction/event_manager.rb:20:in `block in process_events'
[ERROR 2017-01-24 12:18:01 main] /usr/share/ruby/vendor_ruby/puppet/transaction/event_manager.rb:93:in `block in queued_events'
[ERROR 2017-01-24 12:18:01 main] /usr/share/ruby/vendor_ruby/puppet/transaction/event_manager.rb:92:in `each'
[ERROR 2017-01-24 12:18:01 main] /usr/share/ruby/vendor_ruby/puppet/transaction/event_manager.rb:92:in `queued_events'
[ERROR 2017-01-24 12:18:01 main] /usr/share/ruby/vendor_ruby/puppet/transaction/event_manager.rb:19:in `process_events'
[ERROR 2017-01-24 12:18:01 main] /usr/share/ruby/vendor_ruby/puppet/transaction.rb:191:in `eval_resource'
[ERROR 2017-01-24 12:18:01 main] /usr/share/ruby/vendor_ruby/puppet/transaction.rb:117:in `call'
[ERROR 2017-01-24 12:18:01 main] /usr/share/ruby/vendor_ruby/puppet/transaction.rb:117:in `block (2 levels) in evaluate'
[ERROR 2017-01-24 12:18:01 main] /usr/share/ruby/vendor_ruby/puppet/util.rb:327:in `block in thinmark'
[ERROR 2017-01-24 12:18:01 main] /usr/share/ruby/benchmark.rb:296:in `realtime'
[ERROR 2017-01-24 12:18:01 main] /usr/share/ruby/vendor_ruby/puppet/util.rb:326:in `thinmark'
[ERROR 2017-01-24 12:18:01 main] /usr/share/ruby/vendor_ruby/puppet/transaction.rb:117:in `block in evaluate'
[ERROR 2017-01-24 12:18:01 main] /usr/share/ruby/vendor_ruby/puppet/graph/relationship_graph.rb:118:in `traverse'
[ERROR 2017-01-24 12:18:01 main] /usr/share/ruby/vendor_ruby/puppet/transaction.rb:108:in `evaluate'
[ERROR 2017-01-24 12:18:01 main] /usr/share/gems/gems/kafo-1.0.5/modules/kafo_configure/lib/puppet/parser/functions/add_progress.rb:30:in `evaluate_with_trigger'
[ERROR 2017-01-24 12:18:01 main] /usr/share/ruby/vendor_ruby/puppet/resource/catalog.rb:167:in `block in apply'
[ERROR 2017-01-24 12:18:01 main] /usr/share/ruby/vendor_ruby/puppet/util/log.rb:149:in `with_destination'
[ERROR 2017-01-24 12:18:01 main] /usr/share/ruby/vendor_ruby/puppet/transaction/report.rb:112:in `as_logging_destination'
[ERROR 2017-01-24 12:18:01 main] /usr/share/ruby/vendor_ruby/puppet/resource/catalog.rb:166:in `apply'
[ERROR 2017-01-24 12:18:01 main] /usr/share/ruby/vendor_ruby/puppet/configurer.rb:117:in `block in apply_catalog'
[ERROR 2017-01-24 12:18:01 main] /usr/share/ruby/vendor_ruby/puppet/util.rb:161:in `block in benchmark'
[ERROR 2017-01-24 12:18:01 main] /usr/share/ruby/benchmark.rb:296:in `realtime'
[ERROR 2017-01-24 12:18:01 main] /usr/share/ruby/vendor_ruby/puppet/util.rb:160:in `benchmark'
[ERROR 2017-01-24 12:18:01 main] /usr/share/ruby/vendor_ruby/puppet/configurer.rb:116:in `apply_catalog'
[ERROR 2017-01-24 12:18:01 main] /usr/share/ruby/vendor_ruby/puppet/configurer.rb:191:in `run'
[ERROR 2017-01-24 12:18:01 main] /usr/share/ruby/vendor_ruby/puppet/application/apply.rb:288:in `apply_catalog'
[ERROR 2017-01-24 12:18:01 main] /usr/share/ruby/vendor_ruby/puppet/application/apply.rb:228:in `block in main'
[ERROR 2017-01-24 12:18:01 main] /usr/share/ruby/vendor_ruby/puppet/context.rb:64:in `override'
[ERROR 2017-01-24 12:18:01 main] /usr/share/ruby/vendor_ruby/puppet.rb:234:in `override'
[ERROR 2017-01-24 12:18:01 main] /usr/share/ruby/vendor_ruby/puppet/application/apply.rb:190:in `main'
[ERROR 2017-01-24 12:18:01 main] /usr/share/ruby/vendor_ruby/puppet/application/apply.rb:151:in `run_command'
[ERROR 2017-01-24 12:18:01 main] /usr/share/ruby/vendor_ruby/puppet/application.rb:371:in `block (2 levels) in run'
[ERROR 2017-01-24 12:18:01 main] /usr/share/ruby/vendor_ruby/puppet/application.rb:477:in `plugin_hook'
[ERROR 2017-01-24 12:18:01 main] /usr/share/ruby/vendor_ruby/puppet/application.rb:371:in `block in run'
[ERROR 2017-01-24 12:18:01 main] /usr/share/ruby/vendor_ruby/puppet/util.rb:479:in `exit_on_fail'
[ERROR 2017-01-24 12:18:01 main] /usr/share/ruby/vendor_ruby/puppet/application.rb:371:in `run'
[ERROR 2017-01-24 12:18:01 main] /usr/share/ruby/vendor_ruby/puppet/util/command_line.rb:137:in `run'
[ERROR 2017-01-24 12:18:01 main] /usr/share/ruby/vendor_ruby/puppet/util/command_line.rb:91:in `execute'
[ERROR 2017-01-24 12:18:01 main] /usr/bin/puppet:8:in `<main>'
Recommend that arguments to foreman-installer be added to tell the rest client used therein to include a client certificate in the request to Foreman (as there are for Foreman to use when it makes a request in turn to the smart proxy to gather features etc during registration).
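The exchange this issue describes, reduced to a stand-alone Ruby script (an added example for illustration; it is not the installer's rest_v3.rb provider nor any Foreman or puppet-foreman code). The 403 on the page comes from authz_core after the TLS handshake, so the vhost must accept a connection that carries no client certificate and only refuse the request afterwards; the local listener below behaves the same way. The script builds a throwaway CA, server certificate and client certificate in memory, then issues the registration-style GET twice: once without a client certificate, the way the registration call on the page is made, and once presenting one, which is what the requested installer arguments would make the REST client do. The CA, certificates, hostnames and port are all constructed for the demo.

```ruby
require 'openssl'
require 'socket'

# Constructed in-memory PKI for the demo: a CA, a server certificate standing in
# for Foreman and a client certificate standing in for the smart proxy. This is
# not the Puppet CA a real deployment uses, and the hostnames are made up.
def new_cert(subject, key, issuer: nil, ca: false)
  issuer_cert, issuer_key = issuer || [nil, key]   # self-signed when no issuer is given
  cert = OpenSSL::X509::Certificate.new
  cert.version = 2
  cert.serial = rand(1..2**62)
  cert.subject = OpenSSL::X509::Name.parse(subject)
  cert.issuer = issuer_cert ? issuer_cert.subject : cert.subject
  cert.public_key = key.public_key
  cert.not_before = Time.now - 60
  cert.not_after = Time.now + 3600
  ef = OpenSSL::X509::ExtensionFactory.new
  ef.subject_certificate = cert
  ef.issuer_certificate = issuer_cert || cert
  cert.add_extension(ef.create_extension('basicConstraints', ca ? 'CA:TRUE' : 'CA:FALSE', true))
  cert.sign(issuer_key, OpenSSL::Digest.new('SHA256'))
  cert
end

CA_KEY   = OpenSSL::PKey::RSA.new(2048)
CA_CERT  = new_cert('/CN=demo-ca', CA_KEY, ca: true)
SRV_KEY  = OpenSSL::PKey::RSA.new(2048)
SRV_CERT = new_cert('/CN=foreman.example.test', SRV_KEY, issuer: [CA_CERT, CA_KEY])
CLI_KEY  = OpenSSL::PKey::RSA.new(2048)
CLI_CERT = new_cert('/CN=proxy.example.test', CLI_KEY, issuer: [CA_CERT, CA_KEY])

# Both sides trust only the demo CA.
def trust_store
  store = OpenSSL::X509::Store.new
  store.add_cert(CA_CERT)
  store
end

# Stand-in for the Foreman vhost: the handshake tolerates a missing client
# certificate (VERIFY_PEER without VERIFY_FAIL_IF_NO_PEER_CERT), and the
# request is then answered 403 unless a verified client certificate is present,
# which is the effect of "Require ssl-verify-client" described in the issue.
def run_server(connections)
  ctx = OpenSSL::SSL::SSLContext.new
  ctx.cert = SRV_CERT
  ctx.key = SRV_KEY
  ctx.cert_store = trust_store
  ctx.verify_mode = OpenSSL::SSL::VERIFY_PEER
  tcp = TCPServer.new('127.0.0.1', 0)   # ephemeral port, loopback only
  port = tcp.addr[1]
  ssl_server = OpenSSL::SSL::SSLServer.new(tcp, ctx)
  thread = Thread.new do
    connections.times do
      begin
        conn = ssl_server.accept
        conn.gets   # request line, e.g. "GET /api/v2/smart_proxies HTTP/1.0"
        status = conn.peer_cert ? '200 OK' : '403 Forbidden'
        conn.write("HTTP/1.0 #{status}\r\nConnection: close\r\n\r\n")
        conn.close
      rescue OpenSSL::SSL::SSLError
        # a client certificate that does not chain to the CA fails the handshake itself
      end
    end
    ssl_server.close
  end
  [port, thread]
end

# Stand-in for the installer's REST client. With cert/key nil it behaves like the
# registration call on the page; with them set it presents a client certificate.
# The server certificate is verified against the CA in both cases.
def request_status(port, cert: nil, key: nil)
  ctx = OpenSSL::SSL::SSLContext.new
  ctx.verify_mode = OpenSSL::SSL::VERIFY_PEER
  ctx.cert_store = trust_store
  ctx.cert = cert if cert
  ctx.key = key if key
  ssl = OpenSSL::SSL::SSLSocket.new(TCPSocket.new('127.0.0.1', port), ctx)
  ssl.hostname = 'foreman.example.test'   # SNI, and the name the server cert carries
  ssl.sync_close = true
  ssl.connect
  ssl.write("GET /api/v2/smart_proxies HTTP/1.0\r\nHost: foreman.example.test\r\n\r\n")
  status = ssl.gets.split(' ')[1].to_i
  ssl.close
  status
end

# Runs both variants against one listener; returns [status without cert, status with cert].
def registration_demo
  port, server = run_server(2)
  without_cert = request_status(port)
  with_cert    = request_status(port, cert: CLI_CERT, key: CLI_KEY)
  server.join
  [without_cert, with_cert]
end

puts 'without client cert: %d, with client cert: %d' % registration_demo if __FILE__ == $PROGRAM_NAME
```

The first request reproduces the 403 from the installer log; the second succeeds because the listener sees a client certificate that chains to the CA. In a real deployment the certificate and key the installer would have to pass are the ones Foreman already hands to the proxy for its own outbound calls, and the server still verifies the chain, so a certificate from any other issuer fails the handshake rather than being silently accepted.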
Updated by Joe Mader almost 8 years ago
Apologies - submitted this issue in the wrong project. Will a moderator please move it to the Installer project? Thanks in advance.
Updated by Anonymous almost 8 years ago
- Project changed from Docker to Installer
- Category set to Foreman modules