Feature #18224

open

Add client certificate support for smart proxy registration

Added by Joe Mader almost 8 years ago. Updated almost 8 years ago.

Status: New
Priority: Normal
Assignee: -
Category: Foreman modules
Target version: -
Difficulty:
Triaged:
Fixed in Releases:
Found in Releases:

Description

We require client certificates be presented for TLS connections to Foreman by introducing the following httpd configuration on a CentOS 7 Foreman server:

<Location />
  Require ssl-verify-client
</Location>

as file:

/etc/httpd/conf.d/zz-require-client-cert.conf

When installing additional smart proxies in the environment, we have to temporarily turn off client certificate verification, otherwise the smart proxy cannot complete its request to register itself.

We see the following on Foreman in /var/log/httpd/foreman-ssl_error_ssl.log:

[Tue Jan 24 12:18:01.222540 2017] [authz_core:error] [pid 13638] [client 192.168.1.121:45780] AH01630: client denied by server configuration: /usr/share/foreman/public/api

And the following on the CentOS 7 smart proxy server in /var/log/foreman-installer/foreman.log:

[ERROR 2017-01-24 12:18:01 main]  /Stage[main]/Foreman_proxy::Register/Foreman_smartproxy[devel]: Failed to call refresh: Proxy devel cannot be retrieved: unknown error (response 403)
[ERROR 2017-01-24 12:18:01 main]  /Stage[main]/Foreman_proxy::Register/Foreman_smartproxy[devel]: Proxy devel cannot be retrieved: unknown error (response 403)
[ERROR 2017-01-24 12:18:01 main] /usr/share/foreman-installer/modules/foreman/lib/puppet/provider/foreman_smartproxy/rest_v3.rb:7:in `proxy'
[ERROR 2017-01-24 12:18:01 main] /usr/share/foreman-installer/modules/foreman/lib/puppet/provider/foreman_smartproxy/rest_v3.rb:13:in `id'
[ERROR 2017-01-24 12:18:01 main] /usr/share/foreman-installer/modules/foreman/lib/puppet/provider/foreman_smartproxy/rest_v3.rb:17:in `exists?'
[ERROR 2017-01-24 12:18:01 main] /usr/share/ruby/vendor_ruby/puppet/property/ensure.rb:81:in `retrieve'
[ERROR 2017-01-24 12:18:01 main] /usr/share/foreman-installer/modules/foreman/lib/puppet/type/foreman_smartproxy.rb:53:in `refresh'
[ERROR 2017-01-24 12:18:01 main] /usr/share/ruby/vendor_ruby/puppet/transaction/event_manager.rb:101:in `process_callback'
[ERROR 2017-01-24 12:18:01 main] /usr/share/ruby/vendor_ruby/puppet/transaction/event_manager.rb:20:in `block in process_events'
[ERROR 2017-01-24 12:18:01 main] /usr/share/ruby/vendor_ruby/puppet/transaction/event_manager.rb:93:in `block in queued_events'
[ERROR 2017-01-24 12:18:01 main] /usr/share/ruby/vendor_ruby/puppet/transaction/event_manager.rb:92:in `each'
[ERROR 2017-01-24 12:18:01 main] /usr/share/ruby/vendor_ruby/puppet/transaction/event_manager.rb:92:in `queued_events'
[ERROR 2017-01-24 12:18:01 main] /usr/share/ruby/vendor_ruby/puppet/transaction/event_manager.rb:19:in `process_events'
[ERROR 2017-01-24 12:18:01 main] /usr/share/ruby/vendor_ruby/puppet/transaction.rb:191:in `eval_resource'
[ERROR 2017-01-24 12:18:01 main] /usr/share/ruby/vendor_ruby/puppet/transaction.rb:117:in `call'
[ERROR 2017-01-24 12:18:01 main] /usr/share/ruby/vendor_ruby/puppet/transaction.rb:117:in `block (2 levels) in evaluate'
[ERROR 2017-01-24 12:18:01 main] /usr/share/ruby/vendor_ruby/puppet/util.rb:327:in `block in thinmark'
[ERROR 2017-01-24 12:18:01 main] /usr/share/ruby/benchmark.rb:296:in `realtime'
[ERROR 2017-01-24 12:18:01 main] /usr/share/ruby/vendor_ruby/puppet/util.rb:326:in `thinmark'
[ERROR 2017-01-24 12:18:01 main] /usr/share/ruby/vendor_ruby/puppet/transaction.rb:117:in `block in evaluate'
[ERROR 2017-01-24 12:18:01 main] /usr/share/ruby/vendor_ruby/puppet/graph/relationship_graph.rb:118:in `traverse'
[ERROR 2017-01-24 12:18:01 main] /usr/share/ruby/vendor_ruby/puppet/transaction.rb:108:in `evaluate'
[ERROR 2017-01-24 12:18:01 main] /usr/share/gems/gems/kafo-1.0.5/modules/kafo_configure/lib/puppet/parser/functions/add_progress.rb:30:in `evaluate_with_trigger'
[ERROR 2017-01-24 12:18:01 main] /usr/share/ruby/vendor_ruby/puppet/resource/catalog.rb:167:in `block in apply'
[ERROR 2017-01-24 12:18:01 main] /usr/share/ruby/vendor_ruby/puppet/util/log.rb:149:in `with_destination'
[ERROR 2017-01-24 12:18:01 main] /usr/share/ruby/vendor_ruby/puppet/transaction/report.rb:112:in `as_logging_destination'
[ERROR 2017-01-24 12:18:01 main] /usr/share/ruby/vendor_ruby/puppet/resource/catalog.rb:166:in `apply'
[ERROR 2017-01-24 12:18:01 main] /usr/share/ruby/vendor_ruby/puppet/configurer.rb:117:in `block in apply_catalog'
[ERROR 2017-01-24 12:18:01 main] /usr/share/ruby/vendor_ruby/puppet/util.rb:161:in `block in benchmark'
[ERROR 2017-01-24 12:18:01 main] /usr/share/ruby/benchmark.rb:296:in `realtime'
[ERROR 2017-01-24 12:18:01 main] /usr/share/ruby/vendor_ruby/puppet/util.rb:160:in `benchmark'
[ERROR 2017-01-24 12:18:01 main] /usr/share/ruby/vendor_ruby/puppet/configurer.rb:116:in `apply_catalog'
[ERROR 2017-01-24 12:18:01 main] /usr/share/ruby/vendor_ruby/puppet/configurer.rb:191:in `run'
[ERROR 2017-01-24 12:18:01 main] /usr/share/ruby/vendor_ruby/puppet/application/apply.rb:288:in `apply_catalog'
[ERROR 2017-01-24 12:18:01 main] /usr/share/ruby/vendor_ruby/puppet/application/apply.rb:228:in `block in main'
[ERROR 2017-01-24 12:18:01 main] /usr/share/ruby/vendor_ruby/puppet/context.rb:64:in `override'
[ERROR 2017-01-24 12:18:01 main] /usr/share/ruby/vendor_ruby/puppet.rb:234:in `override'
[ERROR 2017-01-24 12:18:01 main] /usr/share/ruby/vendor_ruby/puppet/application/apply.rb:190:in `main'
[ERROR 2017-01-24 12:18:01 main] /usr/share/ruby/vendor_ruby/puppet/application/apply.rb:151:in `run_command'
[ERROR 2017-01-24 12:18:01 main] /usr/share/ruby/vendor_ruby/puppet/application.rb:371:in `block (2 levels) in run'
[ERROR 2017-01-24 12:18:01 main] /usr/share/ruby/vendor_ruby/puppet/application.rb:477:in `plugin_hook'
[ERROR 2017-01-24 12:18:01 main] /usr/share/ruby/vendor_ruby/puppet/application.rb:371:in `block in run'
[ERROR 2017-01-24 12:18:01 main] /usr/share/ruby/vendor_ruby/puppet/util.rb:479:in `exit_on_fail'
[ERROR 2017-01-24 12:18:01 main] /usr/share/ruby/vendor_ruby/puppet/application.rb:371:in `run'
[ERROR 2017-01-24 12:18:01 main] /usr/share/ruby/vendor_ruby/puppet/util/command_line.rb:137:in `run'
[ERROR 2017-01-24 12:18:01 main] /usr/share/ruby/vendor_ruby/puppet/util/command_line.rb:91:in `execute'
[ERROR 2017-01-24 12:18:01 main] /usr/bin/puppet:8:in `<main>'

Recommend that arguments to foreman-installer be added to tell the REST client used therein to include a client certificate in the request to Foreman (as there are for Foreman to use when it makes a request in turn to the smart proxy to gather features, etc., during registration).
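An added illustration of the requested behaviour, not code from foreman-installer or from the reporter: a Ruby Net::HTTP client that presents a client certificate so that a server enforcing `Require ssl-verify-client` accepts the request instead of answering 403. The method names, host names and the `/api/v2/smart_proxies` lookup path are assumptions made for this example, and the key pair is constructed throwaway material.

```ruby
require 'net/http'
require 'openssl'
require 'uri'

# Build an HTTPS client that presents a client certificate in the TLS
# handshake. Nothing is sent until a request is issued on the returned object.
def mtls_client(base_url, cert_pem:, key_pem:, ca_file: nil)
  uri = URI.parse(base_url)
  raise ArgumentError, 'client certificates require an https URL' unless uri.scheme == 'https'

  cert = OpenSSL::X509::Certificate.new(cert_pem)
  key  = OpenSSL::PKey.read(key_pem)
  # Fail early on a mismatched pair instead of during the handshake.
  raise ArgumentError, 'certificate and key do not match' unless cert.check_private_key(key)

  http = Net::HTTP.new(uri.host, uri.port)
  http.use_ssl     = true
  http.verify_mode = OpenSSL::SSL::VERIFY_PEER # keep server verification on
  http.ca_file     = ca_file if ca_file        # CA that signed the server cert
  http.cert        = cert                      # what mod_ssl will verify
  http.key         = key
  http
end

# Lookup of a proxy by name, the step that returned 403 in the log above.
# The API path is an assumption for this example.
def proxy_lookup_request(name)
  query = URI.encode_www_form_component(%(name="#{name}"))
  Net::HTTP::Get.new("/api/v2/smart_proxies?search=#{query}", 'Accept' => 'application/json')
end

# Constructed sample material: a throwaway self-signed certificate and key.
def constructed_keypair(common_name)
  key  = OpenSSL::PKey::RSA.new(2048)
  cert = OpenSSL::X509::Certificate.new
  cert.version    = 2
  cert.serial     = 1
  cert.subject    = cert.issuer = OpenSSL::X509::Name.parse("/CN=#{common_name}")
  cert.public_key = key.public_key
  cert.not_before = Time.now
  cert.not_after  = Time.now + 3600
  cert.sign(key, OpenSSL::Digest.new('SHA256'))
  [cert.to_pem, key.to_pem]
end
```

In a real deployment the certificate and key would be ones issued by the CA that the Foreman httpd trusts for client verification, with the key file readable only by the account running the installer.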
