Bug #20324

closed

BMC Smart Proxy SSL configuration/setup?

Added by Jason Lang almost 7 years ago. Updated almost 7 years ago.

Status: Resolved
Priority: Normal
Assignee: -
Category: BMC
Target version: -
Difficulty:
Triaged:
Fixed in Releases:
Found in Releases:

Description

I'm attempting to configure the bmc smart proxy plugin. I'm to the point where it's installed on my smart proxy, and tested working per ipmitool commands on that smart proxy itself.
bmc.yml:
---
# BMC management (Bare metal power and bios controls)
:enabled: https
# Available providers:
# - freeipmi / ipmitool - requires the appropriate package installed, and the rubyipmi gem
# - shell - for local reboot control (requires sudo access to /sbin/shutdown for the proxy user)
:bmc_default_provider: ipmitool

Within Foreman - it times out with error: Failure: ERF12-2269 [ProxyAPI::ProxyException]: Unable to perform lan BMC operation ([RestClient::RequestTimeout]: Request Timeout) for proxy https://fmnpxprw1.paychex.com:8443/bmc

Smart Proxy logs show:
E, [2017-07-17T16:12:13.040482 ] ERROR -- : could not read client cert from environment
I, [2017-07-17T16:12:13.040829 ] INFO -- : IP - - [17/Jul/2017:16:12:13 -0400] "GET /bmc HTTP/1.1" 403 43 0.0007

I, [2017-07-17T16:12:33.484111 ] INFO -- : IP - - [17/Jul/2017:16:12:33 -0400] "GET /bmc/%BMCIP%/chassis/power/status HTTP/1.1" 200 33 0.1347

E, [2017-07-17T16:13:11.872390 ] ERROR -- : could not read client cert from environment
I, [2017-07-17T16:13:11.872938 ] INFO -- : IP - - [17/Jul/2017:16:13:11 -0400] "GET /bmc/%BMCIP%/chassis/power/status HTTP/1.1" 403 43 0.0010

Similarly - hitting either /bmc or /bmc/%BMCIP%/...... from a browser gives me the same error: could not read client cert from environment

I thought this might have to do with the smart proxy's "trusted hosts" setting, so I edited settings.yml for the smart proxy to try no trusted hosts:
- remove all entries

With this set the URLs above began returning: No client SSL certificate supplied via output and logs.

At this point I'm stumped. I would imagine that doing this through the browser directly to a smart proxy might return a client cert issue (my browser wouldn't supply one) but that should go away with removing the trusted host option?

Also - when viewing through a host itself, my Foreman server should be using its cert (which is trusted and works for all other "stuff") to connect to the smart proxy to do the smart proxy call.

How should this be configured to "work"? I've scoured the website, Google, and the Foreman manual - but the only thing I've found is 3 lines on configuring the account for ILO3, as well as the bmc.yml file in the Foreman manual which I've copied and used verbatim.

Any help would be greatly appreciated!
This is Foreman 1.14.3 specifically

Actions #1

Updated by Jason Lang almost 7 years ago

  • Status changed from New to Resolved

This is working as expected.

Cert issues in the logs were a red herring. Removing all trusted hosts does not mean trust all; you have to remove the trusted host line as well. DEBUG logging for the smart proxy got me pointed right there after enabling.

After that - I saw IPMI errors about insufficient resources - it retried hundreds of times per second (as seen in the logs).

After confirming the same error state using ipmi commands manually on the host I was testing against - I reset the ILO and all is well.
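A way to triage the smart proxy log lines quoted in the description, added here as an example and not part of the original ticket or of Foreman's code: it pairs each "could not read client cert from environment" error with the access-log entry that follows it, then lists paths that were refused for one request but answered with 200 for another, which points at per-client authorization rather than a broken BMC endpoint. The sample log is constructed in the quoted format, the 192.0.2.x addresses are placeholders, and `triage` and `auth_only_denials` are hypothetical names.

```ruby
require 'time'

# Constructed sample in the format of the log lines quoted in the ticket;
# client and BMC addresses are placeholders (the ticket redacts them).
SAMPLE_LOG = <<~LOG
  E, [2017-07-17T16:12:13.040482 ] ERROR -- : could not read client cert from environment
  I, [2017-07-17T16:12:13.040829 ] INFO -- : 192.0.2.10 - - [17/Jul/2017:16:12:13 -0400] "GET /bmc HTTP/1.1" 403 43 0.0007
  I, [2017-07-17T16:12:33.484111 ] INFO -- : 192.0.2.20 - - [17/Jul/2017:16:12:33 -0400] "GET /bmc/192.0.2.99/chassis/power/status HTTP/1.1" 200 33 0.1347
  E, [2017-07-17T16:13:11.872390 ] ERROR -- : could not read client cert from environment
  I, [2017-07-17T16:13:11.872938 ] INFO -- : 192.0.2.10 - - [17/Jul/2017:16:13:11 -0400] "GET /bmc/192.0.2.99/chassis/power/status HTTP/1.1" 403 43 0.0010
LOG

PREFIX = /\A[A-Z], \[(?<ts>\S+)\s*\]\s+(?<level>[A-Z]+) -- : (?<msg>.*)\z/
ACCESS = /\A(?<client>\S+) - - \[[^\]]+\] "(?<method>[A-Z]+) (?<path>\S+) [^"]*" (?<status>\d{3}) /
CERT_ERROR = 'could not read client cert from environment'

# Returns one hash per request. :cert_error is true when the cert error was
# logged at most `window` seconds before that request's access line.
def triage(log, window: 0.5)
  last_cert_error = nil
  log.each_line.map(&:chomp).each_with_object([]) do |line, out|
    m = PREFIX.match(line)
    next unless m
    ts = Time.parse(m[:ts])
    if m[:level] == 'ERROR' && m[:msg] == CERT_ERROR
      last_cert_error = ts
    elsif (a = ACCESS.match(m[:msg]))
      paired = !last_cert_error.nil? && (ts - last_cert_error).between?(0, window)
      out << { client: a[:client], path: a[:path],
               status: a[:status].to_i, cert_error: paired }
      last_cert_error = nil # an error explains at most one request
    end
  end
end

# Paths that returned 200 for one request and a cert-related 403 for another:
# the endpoint itself works, so the refusals are a client-authorization matter.
def auth_only_denials(requests)
  requests.group_by { |r| r[:path] }.select do |_, rs|
    rs.any? { |r| r[:status] == 200 } &&
      rs.any? { |r| r[:status] == 403 && r[:cert_error] }
  end.keys
end

p auth_only_denials(triage(SAMPLE_LOG)) if __FILE__ == $PROGRAM_NAME
```
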

Actions #2

Updated by Marek Hulán almost 7 years ago

Thanks for letting us know, I'm glad it works.
