Support #7742
closed
Unable to get PuppetCA certificates
Description
I have foreman running on one server. I have installed foreman-proxy on the puppet server and added the smart proxy to the foreman server successfully, but now when I click on certificates I receive "Unable to get PuppetCA Certificates".
Warning!
ERF12-5356 [ProxyAPI::ProxyException]: Unable to get PuppetCA certificates ([RestClient::NotAcceptable]: 406 Not Acceptable) for proxy https://puppet.example.com:8443/puppet/ca
If you feel this is an error with Foreman itself, please open a new issue with Foreman ticketing system, You would probably need to attach the Full trace and relevant log entries.
ProxyAPI::ProxyException
ERF12-5356 [ProxyAPI::ProxyException]: Unable to get PuppetCA certificates ([RestClient::NotAcceptable]: 406 Not Acceptable) for proxy https://puppet.example.com:8443/puppet/ca
lib/proxy_api/puppetca.rb:47:in `rescue in all'
lib/proxy_api/puppetca.rb:45:in `all'
app/services/smart_proxies/puppet_ca.rb:21:in `all'
app/services/smart_proxies/puppet_ca.rb:36:in `find_by_state'
app/controllers/puppetca_controller.rb:8:in `index'
app/models/concerns/foreman/thread_session.rb:33:in `clear_thread'
lib/middleware/catch_json_parse_errors.rb:9:in `call'
Updated by Anonymous almost 10 years ago
- Assignee set to Anonymous
Could you have a look into /var/log/foreman-proxy/proxy.log on the Puppet Master? There should be a more specific error in there. Maybe you forgot to add the sudoers rules for foreman-proxy?
Updated by Piyush Panchal almost 10 years ago
Michael Moll wrote:
Could you have a look into /var/log/foreman-proxy/proxy.log on the Puppet Master? There should be a more specific error in there. Maybe you forgot to add the sudoers rules for foreman-proxy?
Hi Michael,
I have looked into the proxy.log but did not find anything useful.
172.16.1.4 - - [29/Sep/2014 12:53:16] "GET /puppet/ca HTTP/1.1" 406 63 0.0029
E, [2014-09-29T13:09:04.846207 #17998] ERROR -- : Failed to list certificates: SSL/CA unavailable on this machine
172.16.1.4 is my foreman server.
I am able to access the URL https://puppet.example.com:8443/features which displays the features and added to the foreman smart proxy.
DHCP Browser
Home
Features
Suported features
facts
puppet
puppetca
tftp
Updated by Anonymous almost 10 years ago
"SSL/CA unavailable on this machine" suggests foreman-proxy didn't find your CA files. Is ssldir for puppetca correctly set in foreman-proxy's config? Are the permissions correctly set as shown in http://theforeman.org/manuals/1.6/index.html#4.3.8PuppetCA ?
Can the foreman-proxy user access the ca directory? Check e.g. with
# sudo -u foreman-proxy ls -l /var/lib/puppet/ssl/ca
Updated by Piyush Panchal almost 10 years ago
Michael Moll wrote:
"SSL/CA unavailable on this machine" suggests foreman-proxy didn't find your CA files. Is ssldir for puppetca correctly set in foreman-proxy's config? Are the permissions correctly set as shown in http://theforeman.org/manuals/1.6/index.html#4.3.8PuppetCA ?
Can the foreman-proxy user access the ca directory? Check e.g. with
[...]
Hi Michael,
I am using CentOS 6.5 as root user privileges.
also looked into the error message "E, [2014-09-29T17:20:19.630856 #26438] ERROR -- : Failed to list certificates: Execution of puppetca failed, check log files"
I couldn't find puppetca system binary in puppet version 3.7.1 which may be required by smart-proxy.
It is available with foreman-installer v1.6, which installed puppet version 2.7.25. Smart-proxy works great on an all-in-one type of setup using foreman-installer.
I am not sure if that matters at all.
Updated by Dominic Cleal almost 10 years ago
Piyush Panchal wrote:
Michael Moll wrote:
"SSL/CA unavailable on this machine" suggests foreman-proxy didn't find your CA files. Is ssldir for puppetca correctly set in foreman-proxy's config? Are the permissions correctly set as shown in http://theforeman.org/manuals/1.6/index.html#4.3.8PuppetCA ?
Can the foreman-proxy user access the ca directory? Check e.g. with
[...]
Hi Michael,
I am using CentOS 6.5 as root user privileges.
The proxy runs as "foreman-proxy" rather than your own privileges though, so it'd be best to check if that user can see the directory.
also looked into the error message "E, [2014-09-29T17:20:19.630856 #26438] ERROR -- : Failed to list certificates: Execution of puppetca failed, check log files"
I couldn't find puppetca system binary in puppet version 3.7.1 which may be required by smart-proxy.
It'll use "puppet cert" instead on Puppet 3, it's just the logging calling it "puppetca".
If you can enable debug logging in /etc/foreman-proxy/settings.yml and restart foreman-proxy, you should see the exact command it's running.
If you upgraded from Puppet 2 to 3, you may need to update /etc/sudoers.d/foreman-proxy. See http://projects.theforeman.org/projects/foreman/wiki/FAQ#Upgrade-puppet-from-v2-to-v3-gotchas and ERF12-7740.
Updated by Piyush Panchal almost 10 years ago
Dominic Cleal wrote:
Piyush Panchal wrote:
Michael Moll wrote:
"SSL/CA unavailable on this machine" suggests foreman-proxy didn't find your CA files. Is ssldir for puppetca correctly set in foreman-proxy's config? Are the permissions correctly set as shown in http://theforeman.org/manuals/1.6/index.html#4.3.8PuppetCA ?
Can the foreman-proxy user access the ca directory? Check e.g. with
[...]
Hi Michael,
I am using CentOS 6.5 as root user privileges.
The proxy runs as "foreman-proxy" rather than your own privileges though, so it'd be best to check if that user can see the directory.
also looked into the error message "E, [2014-09-29T17:20:19.630856 #26438] ERROR -- : Failed to list certificates: Execution of puppetca failed, check log files"
I couldn't find puppetca system binary in puppet version 3.7.1 which may be required by smart-proxy.
It'll use "puppet cert" instead on Puppet 3, it's just the logging calling it "puppetca".
If you can enable debug logging in /etc/foreman-proxy/settings.yml and restart foreman-proxy, you should see the exact command it's running.
If you upgraded from Puppet 2 to 3, you may need to update /etc/sudoers.d/foreman-proxy. See http://projects.theforeman.org/projects/foreman/wiki/FAQ#Upgrade-puppet-from-v2-to-v3-gotchas and ERF12-7740.
You guys are awesome!
It is resolved.
I had to modify /etc/sudoers.d/foreman-proxy. I enabled debugging and found the exact command. I added /usr/bin/puppet cert * and fixed the problem.
D, [2014-09-30T10:02:01.167952 #24253] DEBUG -- : Found puppetca at /usr/bin/puppet
D, [2014-09-30T10:02:01.169757 #24253] DEBUG -- : Found sudo at /usr/bin/sudo
D, [2014-09-30T10:02:01.169805 #24253] DEBUG -- : Executing /usr/bin/sudo -S /usr/bin/puppet cert --ssldir /var/lib/puppet/ssl --list --all
W, [2014-09-30T10:02:01.237814 #24253] WARN -- : Failed to run puppetca:
E, [2014-09-30T10:02:01.240303 #24253] ERROR -- : Failed to list certificates: Execution of puppetca failed, check log files
Thanks a lot.
Updated by Dominic Cleal almost 10 years ago
- Status changed from New to Resolved
Ah great. Don't forget there's an update to config.ru which you should also apply for Puppet 3, it can cause odd problems sometimes.
Updated by Istvan Cebrian almost 10 years ago
Just wanted to add that I too had this exact issue, but problem was different. In /etc/sudoers I did not have the includedir directive to add the /etc/sudoers.d path.
So I had to add "#includedir /etc/sudoers.d" to /etc/sudoers file (which is typically there by default)
Updated by mohd nouman over 9 years ago
Istvan Cebrian wrote:
Just wanted to add that I too had this exact issue, but problem was different. In /etc/sudoers I did not have the includedir directive to add the /etc/sudoers.d path.
So I had to add "#includedir /etc/sudoers.d" to /etc/sudoers file (which is typically there by default)
Thanks Man I was searching this for past 7 days... And just saw this and saved my time Thanks
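Added example, not part of the thread and not Foreman's own code: a small offline check for the two sudoers faults reported above (no `/usr/bin/puppet cert *` rule for foreman-proxy, and no `#includedir` line in the main sudoers file). The function names, verdict words and sample files are constructed for illustration; the check for drop-in file names that sudo skips goes slightly beyond what the thread covers.

```shell
#!/usr/bin/env bash
# Added example (not from the thread): offline check of sudoers files for the
# two faults reported above. File paths are parameters so copies can be tested.

# 0 if the main sudoers file includes the drop-in directory. "#includedir" is
# a directive despite the leading "#"; newer sudo also accepts "@includedir".
has_includedir() {          # $1 = main sudoers file, $2 = drop-in directory
    grep -Eq "^[[:space:]]*[#@]includedir[[:space:]]+$2/?[[:space:]]*$" "$1"
}

# 0 if foreman-proxy may run "/usr/bin/puppet cert *" without a password.
allows_puppet_cert() {      # $1 = drop-in file
    grep -Eq '^[[:space:]]*foreman-proxy[[:space:]]+ALL[[:space:]]*=.*NOPASSWD[[:space:]]*:.*/usr/bin/puppet cert \*' "$1"
}

# Prints one verdict word; returns non-zero unless the verdict is "ok".
diagnose() {                # $1 = main sudoers, $2 = drop-in dir, $3 = file name
    has_includedir "$1" "$2" || { echo "no-includedir"; return 1; }
    # sudo skips drop-in files whose names contain "." or end in "~"
    case "$3" in *.*|*~) echo "dropin-name-skipped"; return 1 ;; esac
    [ -r "$2/$3" ] || { echo "no-dropin"; return 1; }
    allows_puppet_cert "$2/$3" || { echo "no-puppet-cert-rule"; return 1; }
    echo "ok"
}

# Constructed sample files (not taken from the reporter's machine).
demo=$(mktemp -d)
mkdir "$demo/sudoers.d"
printf 'root ALL=(ALL) ALL\n' > "$demo/sudoers.broken"
printf 'root ALL=(ALL) ALL\n#includedir %s/sudoers.d\n' "$demo" > "$demo/sudoers.fixed"
printf 'foreman-proxy ALL = NOPASSWD: /usr/bin/puppet cert *\nDefaults:foreman-proxy !requiretty\n' \
    > "$demo/sudoers.d/foreman-proxy"

diagnose "$demo/sudoers.broken" "$demo/sudoers.d" foreman-proxy || true
diagnose "$demo/sudoers.fixed"  "$demo/sudoers.d" foreman-proxy || true
```

On a live host, `visudo -c` validates the syntax of edited sudoers files and `sudo -l -U foreman-proxy` lists what that account is actually permitted to run.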