Bug #25430
openforeman proxy -> Error connecting to Pulp service and qdrouter failed: proton:io Connection refused
Description
Hi Guys,
I installed a Katello/Foreman server without any, any, any proxy functionality, like this:
foreman-installer --scenario katello \
  --no-enable-foreman-proxy \
  --no-enable-foreman-proxy-content \
  --no-enable-foreman-proxy-plugin-pulp \
  --foreman-proxy-dhcp-managed=false \
  --foreman-proxy-dns-managed=false \
  --foreman-proxy-freeipa-remove-dns=false \
  --foreman-proxy-http=false \
  --foreman-proxy-logs=false \
  --foreman-proxy-puppet=false \
  --foreman-proxy-puppetca=false \
  --foreman-proxy-register-in-foreman=false \
  --foreman-proxy-ssl=false \
  --foreman-proxy-templates=false \
  --foreman-proxy-tftp=false \
  --foreman-proxy-tftp-manage-wget=false \
  --foreman-proxy-tftp-managed=false \
  --foreman-proxy-use-sudoers=false \
  --foreman-proxy-use-sudoersd=false \
  --foreman-proxy-content-enable-deb=false \
  --foreman-proxy-content-enable-docker=false \
  --foreman-proxy-content-enable-file=false \
  --foreman-proxy-content-enable-puppet=false \
  --foreman-proxy-content-enable-yum=false \
  --foreman-proxy-plugin-chef-ssl-pem-file=false \
  --foreman-proxy-plugin-remote-execution-ssh-generate-keys=false \
  --foreman-proxy-ssl=false \
  --foreman-proxy-gpgcheck=false \
  --enable-foreman-plugin-discovery \
  --verbose
After that I added a new Foreman proxy like this... I got this command from the generate certificates script:
foreman-installer --scenario foreman-proxy-content \
  --foreman-proxy-content-parent-fqdn "katello01.example.com" \
  --foreman-proxy-register-in-foreman "true" \
  --foreman-proxy-foreman-base-url "https://katello01.example.com" \
  --foreman-proxy-trusted-hosts "katello01.example.com" \
  --foreman-proxy-trusted-hosts "katello-smart-proxy.example.com" \
  --foreman-proxy-oauth-consumer-key "doRmgp4tgVcSy7xkzbfz2wJxYM4CNnXx" \
  --foreman-proxy-oauth-consumer-secret "fDsqTg5k5XHMErxxNQACUtFGrLKQyZdW" \
  --foreman-proxy-content-certs-tar "/root/katello-smart-proxy.example.com.tar" \
  --puppet-server-foreman-url "https://katello01.example.com" \
  --foreman-proxy-dhcp-option-domain "sub.example.com" \
  --foreman-proxy-dhcp-gateway "10.32.0.1" \
  --foreman-proxy-dhcp-nameservers "10.32.0.11,10.32.0.12" \
  --foreman-proxy-dhcp-range "10.32.0.50 10.32.0.100" \
  --enable-foreman-proxy-plugin-discovery \
  --enable-foreman-proxy-plugin-pulp
Later I added the DNS and other things....
All things good...
When I look into the smart proxy overview it looks really good, but I found the following error. Maybe the use of foreman-installer is not correct.
When you look at the picture you will see "Error connecting to Pulp service"... If I run a command on the smart-proxy console, like status, it looks good.
[root@katello-smart-proxy ~]# pulp-admin status
+----------------------------------------------------------------------+
                          Status of the server
+----------------------------------------------------------------------+
Api Version: 2
Database Connection:
  Connected: True
Known Workers:
  _id: scheduler@katello-smart-proxy.example.com
  _ns: workers
  Last Heartbeat: 2018-11-10T13:28:57Z
  _id: resource_manager@katello-smart-proxy.example.com
  _ns: workers
  Last Heartbeat: 2018-11-10T13:29:01Z
  _id: reserved_resource_worker-1@katello-smart-proxy.example.com
  _ns: workers
  Last Heartbeat: 2018-11-10T13:28:59Z
  _id: reserved_resource_worker-0@katello-smart-proxy.example.com
  _ns: workers
  Last Heartbeat: 2018-11-10T13:28:59Z
Messaging Connection:
  Connected: True
Versions:
  Platform Version: 2.16.4
1. The picture shows "Error connecting to Pulp service".
2. I found that the service qdrouterd throws an error like this:
qdrouterd.service - Qpid Dispatch router daemon
   Loaded: loaded (/usr/lib/systemd/system/qdrouterd.service; enabled; vendor preset: disabled)
   Active: active (running) since Sat 2018-11-10 01:03:40 CET; 13h ago
 Main PID: 4726 (qdrouterd)
   CGroup: /system.slice/qdrouterd.service
           └─4726 /usr/sbin/qdrouterd -c /etc/qpid-dispatch/qdrouterd.conf
Nov 10 14:30:46 katello-smart-proxy-sn.example.com qdrouterd[4726]: 2018-11-10 14:30:46.002921 +0100 SERVER (info) Connection to katello01.example.com:5646 failed: proton:io Connection refused - disconnected katello01.example.com:5646
Nov 10 14:30:51 katello-smart-proxy-sn.example.com qdrouterd[4726]: 2018-11-10 14:30:51.003487 +0100 SERVER (info) Connection to katello01.example.com:5646 failed: proton:io Connection refused - disconnected katello01.example.com:5646
What is wrong? The provisioning, how I provision a smart proxy?
Updated by Andrew Kofink over 5 years ago
- Status changed from New to Need more information
Could you please provide the output of `rpm -qa | grep 'foreman\|katello'`?
Updated by Sven Vogel over 5 years ago
Hi Andrew,
Yes, sure, no problem.
Print from katello01:
[root@katello01 ~]# rpm -qa | grep 'foreman\|katello'
tfm-rubygem-foreman-tasks-core-0.2.5-1.fm1_18.el7.noarch
tfm-rubygem-foreman-tasks-0.13.4-1.fm1_19.el7.noarch
tfm-rubygem-hammer_cli_katello-0.14.1-1.el7.noarch
katello-repos-3.8.0-4.el7.noarch
foreman-compute-1.19.1-1.el7.noarch
rubygem-foreman_maintain-0.2.4-1.el7.noarch
katello-installer-base-3.8.0-1.el7.noarch
tfm-rubygem-hammer_cli_foreman_docker-0.0.4-3.el7.noarch
katello-default-ca-1.0-1.noarch
foreman-1.19.1-1.el7.noarch
katello-certs-tools-2.4.0-1.el7.noarch
foreman-installer-katello-3.8.0-1.el7.noarch
pulp-katello-1.0.2-1.el7.noarch
tfm-rubygem-hammer_cli_foreman_bootdisk-0.1.3-6.el7.noarch
katello-common-3.8.0-5.el7.noarch
katello-server-ca-1.0-1.noarch
katello01.mdk.services-qpid-broker-1.0-1.noarch
katello01.mdk.services-foreman-client-1.0-1.noarch
foreman-selinux-1.19.1-1.el7.noarch
foreman-proxy-1.19.1-1.el7.noarch
katello-selinux-3.0.3-1.el7.noarch
tfm-rubygem-foreman_docker-4.1.0-1.fm1_18.el7.noarch
tfm-rubygem-hammer_cli_foreman_tasks-0.0.12-2.fm1_17.el7.noarch
katello01.mdk.services-qpid-client-cert-1.0-1.noarch
foreman-cli-1.19.1-1.el7.noarch
foreman-installer-1.19.1-1.el7.noarch
foreman-release-1.19.1-1.el7.noarch
katello-service-3.8.0-5.el7.noarch
tfm-rubygem-hammer_cli_foreman-0.14.0-1.el7.noarch
katello-3.8.0-5.el7.noarch
foreman-release-scl-7-2.el7.noarch
foreman-debug-1.19.1-1.el7.noarch
tfm-rubygem-foreman_discovery-13.0.1-1.fm1_19.el7.noarch
tfm-rubygem-katello-3.8.0-1.el7.noarch
katello-debug-3.8.0-5.el7.noarch
katello01.mdk.services-tomcat-1.0-1.noarch
katello01.mdk.services-apache-1.0-1.noarch
foreman-postgresql-1.19.1-1.el7.noarch
Print from katello-proxy01:
[root@katello-smart-proxy-sn ~]# rpm -qa | grep 'foreman\|katello'
katello-selinux-3.0.3-1.el7.noarch
tfm-rubygem-hammer_cli_foreman_tasks-0.0.12-2.fm1_17.el7.noarch
katello-client-bootstrap-1.4.2-1.el7.noarch
katello-default-ca-1.0-1.noarch
katello-smart-proxy-sn.mdk.services-apache-1.0-1.noarch
katello-smart-proxy-sn.mdk.services-qpid-client-cert-1.0-1.noarch
foreman-release-1.19.1-1.el7.noarch
katello-smart-proxy-sn.mdk.services-puppet-client-1.0-1.noarch
foreman-proxy-1.19.1-1.el7.noarch
katello-repos-3.8.0-4.el7.noarch
rubygem-foreman_maintain-0.2.4-1.el7.noarch
foreman-installer-1.19.1-1.el7.noarch
katello-installer-base-3.8.0-1.el7.noarch
foreman-proxy-content-3.8.0-5.el7.noarch
katello-ca-consumer-katello-smart-proxy-sn.mdk.services-1.0-1.noarch
tfm-rubygem-hammer_cli_foreman-0.14.0-1.el7.noarch
tfm-rubygem-hammer_cli_foreman_bootdisk-0.1.3-6.el7.noarch
tfm-rubygem-hammer_cli_katello-0.14.1-1.el7.noarch
katello-debug-3.8.0-5.el7.noarch
katello-server-ca-1.0-1.noarch
katello-smart-proxy-sn.mdk.services-foreman-proxy-client-1.0-1.noarch
katello-smart-proxy-sn.mdk.services-qpid-router-server-1.0-1.noarch
katello-smart-proxy-sn.mdk.services-qpid-broker-1.0-1.noarch
katello-certs-tools-2.4.0-1.el7.noarch
foreman-selinux-1.19.1-1.el7.noarch
foreman-installer-katello-3.8.0-1.el7.noarch
tfm-rubygem-hammer_cli_foreman_docker-0.0.4-3.el7.noarch
katello-smart-proxy-sn.mdk.services-foreman-proxy-1.0-1.noarch
katello-smart-proxy-sn.mdk.services-qpid-router-client-1.0-1.noarch
foreman-release-scl-7-1.el7.noarch
katello-service-3.8.0-5.el7.noarch
foreman-debug-1.19.1-1.el7.noarch
Does this help?
Updated by Sven Vogel over 5 years ago
Anybody here? :) Is other information needed?
Updated by Christine Fouant over 5 years ago
- Status changed from Need more information to Needs design
- Assignee set to Andrew Kofink
- Triaged changed from No to Yes
Updated by Andrew Kofink over 5 years ago
What does the following show?
echo 'SmartProxy.first.statuses[:pulp].status' | foreman-rake console
Updated by Sven Vogel over 5 years ago
Hi Andrew,
Sorry for the late reply.
I can run this command only on the Foreman server, not the capsule. I don't have a "foreman-rake" command there.
[root@katello01 ~]# echo 'SmartProxy.first.statuses[:pulp].status' | foreman-rake console
/usr/share/foreman/lib/foreman.rb:8: warning: already initialized constant Foreman::UUID_REGEXP
/usr/share/foreman/lib/foreman.rb:8: warning: previous definition of UUID_REGEXP was here
/opt/theforeman/tfm/root/usr/share/gems/gems/katello-3.9.0/app/models/katello/concerns/content_facet_host_extensions.rb:7: warning: already initialized constant Katello::Concerns::ContentFacetHostExtensions::ERRATA_STATUS_MAP
/opt/theforeman/tfm/root/usr/share/gems/gems/katello-3.9.0/app/models/katello/concerns/content_facet_host_extensions.rb:7: warning: previous definition of ERRATA_STATUS_MAP was here
/opt/theforeman/tfm/root/usr/share/gems/gems/katello-3.9.0/app/models/katello/concerns/content_facet_host_extensions.rb:14: warning: already initialized constant Katello::Concerns::ContentFacetHostExtensions::TRACE_STATUS_MAP
/opt/theforeman/tfm/root/usr/share/gems/gems/katello-3.9.0/app/models/katello/concerns/content_facet_host_extensions.rb:14: warning: previous definition of TRACE_STATUS_MAP was here
/opt/theforeman/tfm/root/usr/share/gems/gems/katello-3.9.0/app/models/katello/concerns/subscription_facet_host_extensions.rb:13: warning: already initialized constant Katello::Concerns::SubscriptionFacetHostExtensions::SUBSCRIPTION_STATUS_MAP
/opt/theforeman/tfm/root/usr/share/gems/gems/katello-3.9.0/app/models/katello/concerns/subscription_facet_host_extensions.rb:13: warning: previous definition of SUBSCRIPTION_STATUS_MAP was here
/opt/theforeman/tfm/root/usr/share/gems/gems/katello-3.9.0/app/models/katello/concerns/subscription_facet_host_extensions.rb:21: warning: already initialized constant Katello::Concerns::SubscriptionFacetHostExtensions::SLA_STATUS_MAP
/opt/theforeman/tfm/root/usr/share/gems/gems/katello-3.9.0/app/models/katello/concerns/subscription_facet_host_extensions.rb:21: warning: previous definition of SLA_STATUS_MAP was here
/opt/theforeman/tfm/root/usr/share/gems/gems/katello-3.9.0/app/models/katello/concerns/subscription_facet_host_extensions.rb:26: warning: already initialized constant Katello::Concerns::SubscriptionFacetHostExtensions::USAGE_STATUS_MAP
/opt/theforeman/tfm/root/usr/share/gems/gems/katello-3.9.0/app/models/katello/concerns/subscription_facet_host_extensions.rb:26: warning: previous definition of USAGE_STATUS_MAP was here
/opt/theforeman/tfm/root/usr/share/gems/gems/katello-3.9.0/app/models/katello/concerns/subscription_facet_host_extensions.rb:31: warning: already initialized constant Katello::Concerns::SubscriptionFacetHostExtensions::ROLE_STATUS_MAP
/opt/theforeman/tfm/root/usr/share/gems/gems/katello-3.9.0/app/models/katello/concerns/subscription_facet_host_extensions.rb:31: warning: previous definition of ROLE_STATUS_MAP was here
/opt/theforeman/tfm/root/usr/share/gems/gems/katello-3.9.0/app/models/katello/concerns/subscription_facet_host_extensions.rb:36: warning: already initialized constant Katello::Concerns::SubscriptionFacetHostExtensions::ADDONS_STATUS_MAP
/opt/theforeman/tfm/root/usr/share/gems/gems/katello-3.9.0/app/models/katello/concerns/subscription_facet_host_extensions.rb:36: warning: previous definition of ADDONS_STATUS_MAP was here
/opt/theforeman/tfm/root/usr/share/gems/gems/katello-3.9.0/app/models/katello/concerns/subscription_facet_host_extensions.rb:41: warning: already initialized constant Katello::Concerns::SubscriptionFacetHostExtensions::PURPOSE_STATUS_MAP
/opt/theforeman/tfm/root/usr/share/gems/gems/katello-3.9.0/app/models/katello/concerns/subscription_facet_host_extensions.rb:41: warning: previous definition of PURPOSE_STATUS_MAP was here
Loading production environment (Rails 5.2.1)
Failed to load console gems, starting anyway
Switch to inspect mode.
SmartProxy.first.statuses[:pulp].status
{"fatal"=>"Unable to connect. Got: SSL_connect returned=1 errno=0 state=error: certificate verify failed (self signed certificate in certificate chain)"}
What do you think?
Updated by Andrew Kofink over 5 years ago
Looks to me like your SSL settings aren't quite right for communication to the proxy. Details for how to do this are at https://theforeman.org/manuals/1.20/index.html#5.4.2SecuringSmartProxyRequests. Please check that all is correct there and try the command again from the Katello server.
Updated by Sven Vogel over 5 years ago
Hi Andrew,
You mean -> 5.4.2 Securing Smart Proxy Requests? So we have the problem after an initial new installation with the values above. We install it with the values above and get a false? Normally this should be a bug, or our provisioning is not correct. You know what I mean? We alleviate the symptoms but do not solve the problem. Anyway, I don't know how to fix it with this link and the Puppet certificates when we have a Pulp problem.
This section is for Puppet, but we have a Pulp problem?
---
# SSL Setup
# if enabled, all communication would be verified via SSL
# NOTE that both certificates need to be signed by the same CA in order for this to work
# see http://theforeman.org/projects/smart-proxy/wiki/SSL for more information
:ssl_certificate: /var/lib/puppet/ssl/certs/FQDN.pem
:ssl_ca_file: /var/lib/puppet/ssl/certs/ca.pem
:ssl_private_key: /var/lib/puppet/ssl/private_keys/FQDN.pem
If I deploy it with --foreman-proxy-content-certs-tar "/root/katello-smart-proxy.example.com.tar", then shouldn't the correct certificate be used automatically??
How can I check the certificate between host and smart proxy?
Thanks
Sven
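The `certificate verify failed (self signed certificate in certificate chain)` result in the console output above is what a TLS client reports when the chain the server presents ends in a CA that is not in the client's CA file. The following is an added example, not part of the thread or of Foreman's own tooling: it builds two throwaway CAs (the names `install-ca` and `other-ca` are hypothetical) and shows the passing and failing case with `openssl verify`.

```bash
#!/usr/bin/env bash
# Added example: every key and certificate below is constructed in a temp dir.
WORK=$(mktemp -d)

# make_ca NAME -> self-signed CA certificate at $WORK/NAME.crt
make_ca() {
  openssl req -x509 -newkey rsa:2048 -nodes -days 2 -subj "/CN=$1" \
    -keyout "$WORK/$1.key" -out "$WORK/$1.crt" 2>/dev/null
}

# issue_cert CA FQDN -> certificate for FQDN signed by CA, at $WORK/FQDN.crt
issue_cert() {
  openssl req -newkey rsa:2048 -nodes -subj "/CN=$2" \
    -keyout "$WORK/$2.key" -out "$WORK/$2.csr" 2>/dev/null &&
  openssl x509 -req -in "$WORK/$2.csr" -days 2 -CAcreateserial \
    -CA "$WORK/$1.crt" -CAkey "$WORK/$1.key" -out "$WORK/$2.crt" 2>/dev/null
}

# check_chain TRUSTED_CA SENT_CA LEAF
#   TRUSTED_CA: the CA file the connecting side is configured to trust
#   SENT_CA:    the CA certificate the server sends along with its own cert
# Prints openssl's verdict; returns 0 only if LEAF chains up to TRUSTED_CA.
check_chain() {
  openssl verify -CAfile "$WORK/$1.crt" -untrusted "$WORK/$2.crt" \
    "$WORK/$3.crt" 2>&1
}

make_ca install-ca   # hypothetical: CA that signed the proxy's certificate
make_ca other-ca     # hypothetical: a CA file that does not match it
issue_cert install-ca katello-smart-proxy.example.com

echo "Client CA file matches the signing CA:"
check_chain install-ca install-ca katello-smart-proxy.example.com

echo "Client CA file holds a different CA:"
check_chain other-ca install-ca katello-smart-proxy.example.com \
  || echo "-> verification failed, as in the console output above"
```

Against a running proxy the same comparison is `openssl s_client -connect HOST:PORT -CAfile CA.pem`, with HOST:PORT and CA.pem replaced by the proxy's listener and the CA file the Foreman server is configured to trust.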