Bug #20324
closed
BMC Smart Proxy SSL configuration/setup?
Description
bmc.yml:
---
# BMC management (Bare metal power and bios controls)
:enabled: https
# Available providers:
# - freeipmi / ipmitool - requires the appropriate package installed, and the rubyipmi gem
# - shell - for local reboot control (requires sudo access to /sbin/shutdown for the proxy user)
:bmc_default_provider: ipmitool
Within Foreman - it times out with error: Failure: ERF12-2269 [ProxyAPI::ProxyException]: Unable to perform lan BMC operation ([RestClient::RequestTimeout]: Request Timeout) for proxy https://fmnpxprw1.paychex.com:8443/bmc
Smart Proxy logs show:
E, [2017-07-17T16:12:13.040482 ] ERROR -- : could not read client cert from environment
I, [2017-07-17T16:12:13.040829 ] INFO -- : IP - - [17/Jul/2017:16:12:13 -0400] "GET /bmc HTTP/1.1" 403 43 0.0007
I, [2017-07-17T16:12:33.484111 ] INFO -- : IP - - [17/Jul/2017:16:12:33 -0400] "GET /bmc/%BMCIP%/chassis/power/status HTTP/1.1" 200 33 0.1347
E, [2017-07-17T16:13:11.872390 ] ERROR -- : could not read client cert from environment
I, [2017-07-17T16:13:11.872938 ] INFO -- : IP - - [17/Jul/2017:16:13:11 -0400] "GET /bmc/%BMCIP%/chassis/power/status HTTP/1.1" 403 43 0.0010
Similarly - hitting either /bmc or /bmc/%BMCIP%/...... from a browser gives me the same error: could not read client cert from environment
I thought this might have to do with the smart proxy's "trusted hosts" setting, so I edited settings.yml for the smart proxy to try no trusted hosts:
- remove all entries
With this set, the URLs above began returning: No client SSL certificate supplied via output and logs.
At this point I'm stumped. I would imagine that doing this through the browser directly to a smart proxy might return a client cert issue (my browser wouldn't supply one), but that should go away with removing the trusted host option?
Also - when viewing through a host itself, my Foreman server should be using its cert (which is trusted and works for all other "stuff") to connect to the smart proxy to do the smart proxy call.
How should this be configured to "work"? I've scoured the website, Google, and the Foreman manual - but the only thing I've found is 3 lines on configuring the account for ILO3, as well as the bmc.yml file in the Foreman manual, which I've copied and used verbatim.
Any help would be greatly appreciated!
This is Foreman 1.14.3 specifically
Updated by Jason Lang over 7 years ago
- Status changed from New to Resolved
This is working as expected.
Cert issues in the logs were a red herring. Removing all trusted hosts does not mean trust all; you have to remove the trusted host line as well. DEBUG logging for the smart proxy got me pointed right there after enabling.
After that - I saw IPMI errors about insufficient resources - it retried hundreds of times per second (as seen in the logs).
After confirming the same error state using ipmi commands manually on the host I was testing against - I reset the ILO and all is well.
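The distinction in the resolution above, between emptying the trusted hosts list and removing the line, written as a small settings.yml check. This is an added example, not part of the original thread and not Foreman's own code; trusted_hosts_state is a hypothetical helper and the sample settings are constructed.

```ruby
require 'yaml'

# Classify the :trusted_hosts: setting in the text of a smart proxy settings.yml.
# Returns [state, hosts], where state is one of:
#   :absent - the key is not set (line removed or commented out)
#   :empty  - the key is still present but has no entries (nil or [])
#   :listed - the key is present with at least one host
# Hypothetical helper for illustration; it models the behaviour reported in
# the thread, not the smart proxy's internal code.
def trusted_hosts_state(settings_text)
  settings = YAML.safe_load(settings_text, permitted_classes: [Symbol])
  settings = {} unless settings.is_a?(Hash)
  return [:absent, []] unless settings.key?(:trusted_hosts)

  hosts = Array(settings[:trusted_hosts])
          .map { |h| h.to_s.strip.downcase }
          .reject(&:empty?)
  hosts.empty? ? [:empty, []] : [:listed, hosts]
end

# One-line finding for an operator reviewing the file.
def describe(settings_text)
  state, hosts = trusted_hosts_state(settings_text)
  case state
  when :absent
    'trusted_hosts not set: no host list is applied to callers'
  when :empty
    'trusted_hosts present but empty: this is NOT "trust all"; ' \
    'list the Foreman server or remove the line'
  else
    "trusted_hosts restricts callers to: #{hosts.join(', ')}"
  end
end

# Constructed sample inputs (not taken from the reporter's system).
ENTRIES_REMOVED = "---\n:trusted_hosts:\n:https_port: 8443\n".freeze
LINE_REMOVED    = "---\n#:trusted_hosts:\n:https_port: 8443\n".freeze
HOST_LISTED     = "---\n:trusted_hosts:\n  - Foreman.Example.com\n".freeze

if $PROGRAM_NAME == __FILE__
  [ENTRIES_REMOVED, LINE_REMOVED, HOST_LISTED].each { |s| puts describe(s) }
end
```

Listing the Foreman server's hostname under trusted hosts is the narrower setting; removing the line drops the host list altogether.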
Updated by Marek Hulán over 7 years ago
Thanks for letting us know, I'm glad it works.