Bug #30017

foreman-proxy can't authenticate to foreman with tls 1.3

Added by Lars Wagner over 1 year ago.

Status: New
Priority: Normal
Assignee: -
Category: -
Target version: -
Difficulty:
Triaged: No
Bugzilla link:
Pull request:
Fixed in Releases:
Found in Releases:

Description

I'm running Foreman 1.24.3 on Ubuntu 18.04. As soon as I enable TLS 1.3 in Apache, the foreman-proxy is unable to communicate with Foreman.

I get the following error if I try to create a new host (I get the same error in the Foreman discovery image):

    # curl -X POST -k https://10.2.0.20:8443/discovery/create -d '{}'
    Discovery failed, code 403, reason: N/A

In the foreman-proxy log I can see the following errors:

    2020-06-04T15:51:59  [D] accept: 10.2.0.104:42034
    2020-06-04T15:51:59  [D] Rack::Handler::WEBrick is invoked.
    2020-06-04T15:51:59 064c8e96 [I] Started POST /discovery/create
    2020-06-04T15:51:59 064c8e96 [E] Discovery failed, code 403, reason: N/A
    2020-06-04T15:51:59 064c8e96 [W] Discovery failed, code 403, reason: N/A
    RuntimeError: Discovery failed, code 403, reason: N/A
    /usr/lib/ruby/vendor_ruby/smart_proxy_discovery/discovery_main.rb:20:in `create_discovered_host'
    /usr/lib/ruby/vendor_ruby/smart_proxy_discovery/discovery_api.rb:38:in `block in <class:InboundApi>'
    /usr/lib/ruby/vendor_ruby/sinatra/base.rb:1611:in `call'
    /usr/lib/ruby/vendor_ruby/sinatra/base.rb:1611:in `block in compile!'
    /usr/lib/ruby/vendor_ruby/sinatra/base.rb:975:in `block (3 levels) in route!'
    /usr/lib/ruby/vendor_ruby/sinatra/base.rb:994:in `route_eval'
    /usr/lib/ruby/vendor_ruby/sinatra/base.rb:975:in `block (2 levels) in route!'
    /usr/lib/ruby/vendor_ruby/sinatra/base.rb:1015:in `block in process_route'
    /usr/lib/ruby/vendor_ruby/sinatra/base.rb:1013:in `catch'
    /usr/lib/ruby/vendor_ruby/sinatra/base.rb:1013:in `process_route'
    /usr/lib/ruby/vendor_ruby/sinatra/base.rb:973:in `block in route!'
    /usr/lib/ruby/vendor_ruby/sinatra/base.rb:972:in `each'
    /usr/lib/ruby/vendor_ruby/sinatra/base.rb:972:in `route!'
    /usr/lib/ruby/vendor_ruby/sinatra/base.rb:1085:in `block in dispatch!'
    /usr/lib/ruby/vendor_ruby/sinatra/base.rb:1067:in `block in invoke'
    /usr/lib/ruby/vendor_ruby/sinatra/base.rb:1067:in `catch'
    /usr/lib/ruby/vendor_ruby/sinatra/base.rb:1067:in `invoke'
    /usr/lib/ruby/vendor_ruby/sinatra/base.rb:1082:in `dispatch!'
    /usr/lib/ruby/vendor_ruby/sinatra/base.rb:907:in `block in call!'
    /usr/lib/ruby/vendor_ruby/sinatra/base.rb:1067:in `block in invoke'
    /usr/lib/ruby/vendor_ruby/sinatra/base.rb:1067:in `catch'
    /usr/lib/ruby/vendor_ruby/sinatra/base.rb:1067:in `invoke'
    /usr/lib/ruby/vendor_ruby/sinatra/base.rb:907:in `call!'
    /usr/lib/ruby/vendor_ruby/sinatra/base.rb:895:in `call'
    /usr/share/foreman-proxy/lib/proxy/log.rb:98:in `call'
    /usr/share/foreman-proxy/lib/proxy/request_id_middleware.rb:11:in `call'
    /usr/lib/ruby/vendor_ruby/rack/protection/xss_header.rb:18:in `call'
    /usr/lib/ruby/vendor_ruby/rack/protection/path_traversal.rb:16:in `call'
    /usr/lib/ruby/vendor_ruby/rack/protection/json_csrf.rb:18:in `call'
    /usr/lib/ruby/vendor_ruby/rack/protection/base.rb:50:in `call'
    /usr/lib/ruby/vendor_ruby/rack/protection/base.rb:50:in `call'
    /usr/lib/ruby/vendor_ruby/rack/protection/frame_options.rb:31:in `call'
    /usr/lib/ruby/vendor_ruby/rack/nulllogger.rb:9:in `call'
    /usr/lib/ruby/vendor_ruby/rack/head.rb:13:in `call'
    /usr/lib/ruby/vendor_ruby/sinatra/show_exceptions.rb:25:in `call'
    /usr/lib/ruby/vendor_ruby/sinatra/base.rb:182:in `call'
    /usr/lib/ruby/vendor_ruby/sinatra/base.rb:2013:in `call'
    /usr/lib/ruby/vendor_ruby/smart_proxy_discovery/discovery_api.rb:12:in `call'
    /usr/lib/ruby/vendor_ruby/rack/urlmap.rb:66:in `block in call'
    /usr/lib/ruby/vendor_ruby/rack/urlmap.rb:50:in `each'
    /usr/lib/ruby/vendor_ruby/rack/urlmap.rb:50:in `call'
    /usr/lib/ruby/vendor_ruby/rack/builder.rb:153:in `call'
    /usr/lib/ruby/vendor_ruby/rack/handler/webrick.rb:88:in `service'
    /usr/lib/ruby/2.5.0/webrick/httpserver.rb:140:in `service'
    /usr/lib/ruby/2.5.0/webrick/httpserver.rb:96:in `run'
    /usr/lib/ruby/2.5.0/webrick/server.rb:307:in `block in start_thread'
    /usr/lib/ruby/vendor_ruby/logging/diagnostic_context.rb:474:in `block in create_with_logging_context'
    2020-06-04T15:51:59 064c8e96 [I] Finished POST /discovery/create with 500 (25.08 ms)
    2020-06-04T15:51:59  [D] close: 10.2.0.104:42034

As soon as I disable TLS 1.3 in Apache, everything works as expected:

    SSLProtocol all -SSLv3 -TLSv1 -TLSv1.1 -TLSv1.3

At first I thought it was a Foreman discovery image problem. But now I think the problem is between the proxy and Foreman: https://projects.theforeman.org/issues/29509#change-135795

Just let me know if you need any further information.
