Bug #25759

Installer works only when foreman_ssl_ca exists

Added by Dor Pinhas about 6 years ago. Updated over 4 years ago.

Status: New
Priority: Normal
Assignee: -
Category: -
Target version: -
Difficulty:
Triaged: Yes
Fixed in Releases:
Found in Releases:

Description

Hello,

I'm running Foreman and the Proxy on the same box; Foreman is signed with a known CA.
I implemented CAChain to validate the SSL connection.

I faced an SSL verification problem when deploying a dynflow service; after lots of troubleshooting I found the doc below:
https://theforeman.org/2015/11/foreman-ssl.html

'make sure foreman_ssl_ca is not defined in /etc/foreman-proxy/settings.yaml and it will read the CA from the main foreman settings.'

Once I removed foreman_ssl_ca, Foreman was able to verify dynflow requests.
Now I want to change the installer answer file to allow that change; I tried to remove that line from foreman-answers.yaml and got the exception below:

 /Stage[main]/Foreman_proxy::Register/Foreman_smartproxy[TLV1 proxy]: Exception SSL_connect returned=1 errno=0 state=error: certificate verify failed in get request to: https://theforeman.eng.lab.tlv.redhat.com/api/v2/smart_proxies?search=name=%22TLV1%20proxy%22

This makes sense because Foreman tried to register the proxy and couldn't verify the proxy without the CAChain.
When I grepped for that argument I found the foreman_proxy module is using it:

[root@theforeman ~]# grep -ir "foreman_ssl_ca" /etc
/etc/foreman-installer/scenarios.d/foreman-answers.yaml.pem:  foreman_ssl_ca:
/etc/foreman-installer/scenarios.d/foreman-answers.yaml.pem:  server_foreman_ssl_ca:
/etc/foreman-installer/scenarios.d/foreman-answers.yaml:  foreman_ssl_ca: /etc/pki/tls/certs/RHChain.cer
/etc/foreman-installer/scenarios.d/foreman-answers.yaml:  server_foreman_ssl_ca: /etc/pki/tls/certs/RHChain.cer
/etc/foreman-installer/scenarios.d/foreman-answers.yaml.rh:  foreman_ssl_ca: /etc/pki/tls/certs/RHChain.cer
/etc/foreman-installer/scenarios.d/foreman-answers.yaml.rh:  server_foreman_ssl_ca:
/etc/foreman-proxy/settings.yml::foreman_ssl_ca: /etc/pki/tls/certs/RHChain.cer
/etc/puppetlabs/code/environments/production/modules/foreman_proxy/manifests/register.pp:      ssl_ca          => pick($foreman_proxy::foreman_ssl_ca, $foreman_proxy::ssl_ca),
/etc/puppetlabs/code/environments/production/modules/foreman_proxy/manifests/init.pp:# $foreman_ssl_ca::             SSL CA used to verify connections when accessing the Foreman API.
/etc/puppetlabs/code/environments/production/modules/foreman_proxy/manifests/init.pp:  Optional[Stdlib::Absolutepath] $foreman_ssl_ca = $::foreman_proxy::params::foreman_ssl_ca,
/etc/puppetlabs/code/environments/production/modules/foreman_proxy/manifests/params.pp:  $foreman_ssl_ca  = undef
/etc/puppetlabs/code/environments/production/modules/foreman_proxy/manifests/plugin/ansible.pp:  $foreman_ssl_ca = pick($::foreman_proxy::foreman_ssl_ca, $::foreman_proxy::ssl_ca)
/etc/puppetlabs/code/environments/production/modules/foreman_proxy/templates/settings.yml.erb:<% unless [nil, :undefined, :undef].include?(scope.lookupvar("foreman_proxy::foreman_ssl_ca")) -%>
/etc/puppetlabs/code/environments/production/modules/foreman_proxy/templates/settings.yml.erb::foreman_ssl_ca: <%= scope.lookupvar("foreman_proxy::foreman_ssl_ca") %>
/etc/puppetlabs/code/environments/production/modules/foreman_proxy/templates/settings.yml.erb:#:foreman_ssl_ca: ssl/certs/ca.pem
/etc/puppetlabs/code/environments/production/modules/foreman_proxy/templates/plugin/ansible.cfg.erb:verify_certs = <%= @foreman_ssl_ca %>
/etc/puppetlabs/code/environments/production/modules/foreman_proxy/templates/plugin/dynflow_core.yml.erb:<% if [nil, :undefined, :undef].include?(scope.lookupvar("foreman_proxy::foreman_ssl_ca")) -%>
/etc/puppetlabs/code/environments/production/modules/foreman_proxy/templates/plugin/dynflow_core.yml.erb:#:foreman_ssl_ca: ssl/certs/ca.pem
/etc/puppetlabs/code/environments/production/modules/foreman_proxy/templates/plugin/dynflow_core.yml.erb::foreman_ssl_ca: <%= scope.lookupvar("foreman_proxy::foreman_ssl_ca") %>
/etc/puppetlabs/code/environments/production/modules/puppet/manifests/server.pp:# $foreman_ssl_ca::            SSL CA of the Foreman server
/etc/puppetlabs/code/environments/production/modules/puppet/manifests/server.pp:  Optional[Stdlib::Absolutepath] $foreman_ssl_ca = $::puppet::server_foreman_ssl_ca,
/etc/puppetlabs/code/environments/production/modules/puppet/manifests/server/config.pp:      ssl_ca         => pick($::puppet::server::foreman_ssl_ca, $::puppet::server::ssl_ca_cert),
/etc/puppetlabs/code/environments/production/modules/puppet/manifests/init.pp:# $server_foreman_ssl_ca::                  SSL CA of the Foreman server
/etc/puppetlabs/code/environments/production/modules/puppet/manifests/init.pp:  Optional[Stdlib::Absolutepath] $server_foreman_ssl_ca = $puppet::params::server_foreman_ssl_ca,
/etc/puppetlabs/code/environments/production/modules/puppet/manifests/params.pp:  $server_foreman_ssl_ca   = undef
/etc/puppetlabs/code/environments/production/modules/foreman/lib/puppet/functions/foreman/foreman.rb:        http.ca_file = tfmproxy[:foreman_ssl_ca]
/etc/puppetlabs/code/environments/production/modules/foreman/lib/puppet/parser/functions/foreman.rb:        http.ca_file = tfmproxy[:foreman_ssl_ca]
/etc/smart_proxy_dynflow_core/settings.yml::foreman_ssl_ca: /etc/pki/tls/certs/RHChain.cer

How can I modify the installer so that proxy/settings.yaml won't have foreman_ssl_ca, but the puppet module that does the deployment does?
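As an added example (not code from the foreman_proxy module, the installer, or the reporter), the Ruby below models the two mechanisms visible in the grep output: the pick($foreman_proxy::foreman_ssl_ca, $foreman_proxy::ssl_ca) fallback in register.pp, and what an HTTPS client that sets http.ca_file to the chosen CA sees when it verifies Foreman's certificate. The two CAs, the hostname foreman.example.test and all function names are constructed for this example; nothing here is a real Foreman or Red Hat CA.

```ruby
require 'openssl'

# Added example, not code from the foreman_proxy module. It mimics two things
# the grep output on the issue shows: the module's pick($foreman_ssl_ca, $ssl_ca)
# fallback, and what a client that sets http.ca_file to the chosen file sees.
# All CAs and certificates below are generated in memory (constructed data).

DIGEST = 'SHA256'.freeze

# Self-signed CA (constructed test data).
def make_ca(common_name)
  key  = OpenSSL::PKey::RSA.new(2048)
  cert = OpenSSL::X509::Certificate.new
  cert.version    = 2
  cert.serial     = 1
  cert.subject    = OpenSSL::X509::Name.parse("/CN=#{common_name}")
  cert.issuer     = cert.subject
  cert.public_key = key.public_key
  cert.not_before = Time.now - 60
  cert.not_after  = Time.now + 3600
  ef = OpenSSL::X509::ExtensionFactory.new(cert, cert)
  cert.add_extension(ef.create_extension('basicConstraints', 'CA:TRUE', true))
  cert.add_extension(ef.create_extension('keyUsage', 'keyCertSign, cRLSign', true))
  cert.sign(key, OpenSSL::Digest.new(DIGEST))
  [cert, key]
end

# Server certificate issued by the given CA (constructed test data).
def make_server_cert(hostname, ca_cert, ca_key)
  key  = OpenSSL::PKey::RSA.new(2048)
  cert = OpenSSL::X509::Certificate.new
  cert.version    = 2
  cert.serial     = 2
  cert.subject    = OpenSSL::X509::Name.parse("/CN=#{hostname}")
  cert.issuer     = ca_cert.subject
  cert.public_key = key.public_key
  cert.not_before = Time.now - 60
  cert.not_after  = Time.now + 3600
  ef = OpenSSL::X509::ExtensionFactory.new(ca_cert, cert)
  cert.add_extension(ef.create_extension('basicConstraints', 'CA:FALSE', true))
  cert.add_extension(ef.create_extension('subjectAltName', "DNS:#{hostname}", false))
  cert.sign(ca_key, OpenSSL::Digest.new(DIGEST))
  cert
end

# Same semantics as stdlib pick(): the first argument that is neither
# undef/nil nor an empty string wins. Here the arguments are CA objects
# rather than file paths, so no files are touched.
def effective_ca(foreman_ssl_ca, ssl_ca)
  [foreman_ssl_ca, ssl_ca].find { |v| !v.nil? && !(v.is_a?(String) && v.empty?) }
end

# Verify the server certificate against a single trusted CA, as an HTTPS
# client with ca_file set would. Returns [true, nil] or [false, reason].
def verify_against(ca_cert, server_cert)
  store = OpenSSL::X509::Store.new
  store.add_cert(ca_cert)
  ok = store.verify(server_cert)
  [ok, ok ? nil : store.error_string]
end

# Scenario: Foreman's certificate was issued by PUPPET_CA, the CA the module
# falls back to via $ssl_ca. OTHER_CA stands in for an unrelated chain that
# an answer file might point foreman_ssl_ca at.
PUPPET_CA, PUPPET_CA_KEY = make_ca('Puppet CA (constructed)')
OTHER_CA, _other_key     = make_ca('Other CA (constructed)')
FOREMAN_CERT = make_server_cert('foreman.example.test', PUPPET_CA, PUPPET_CA_KEY)

# Resolve the CA the way the module does, then verify Foreman's cert with it.
def verify_with_settings(foreman_ssl_ca, ssl_ca)
  verify_against(effective_ca(foreman_ssl_ca, ssl_ca), FOREMAN_CERT)
end

if $PROGRAM_NAME == __FILE__
  p verify_with_settings(OTHER_CA, PUPPET_CA) # foreman_ssl_ca points at the wrong chain
  p verify_with_settings(nil, PUPPET_CA)      # foreman_ssl_ca undef: falls back to ssl_ca
end
```

With foreman_ssl_ca set to a chain that did not issue Foreman's certificate, the store reports a failure of the "unable to get local issuer certificate" kind, which is what the installer surfaces as "certificate verify failed"; leaving it undefined makes pick() fall through to ssl_ca, and verification succeeds only if that CA is the one that actually issued Foreman's certificate. The same check can be run against real files by loading them with OpenSSL::X509::Certificate.new(File.read(path)).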
