Support #8630

closed

Puppet clean certificate hangs => Host can not be provisioned

Added by Yama Kasi over 9 years ago. Updated over 9 years ago.

Status: Resolved
Priority: Urgent
Assignee: -
Category: PuppetCA
Target version: -
Triaged:
Fixed in Releases:
Found in Releases:

Description

When booting a new host, the installation crashes while receiving the preconfiguration file.

Started GET "/unattended/provision?token=aa0ae6a0-d550-4945-9a96-35f96b04ce60" for xxx.xxx.xxx.xxx at 2014-12-09 18:22:54 +0100
Processing by UnattendedController#provision as HTML
Parameters: {"token"=>"aa0ae6a0-d550-4945-9a96-35f96b04ce60"}
Found hostname.domain.local
Remove puppet certificate for hostname.domain.local
Connecting to database specified by database.yml
Creating scope :completer_scope. Overwriting existing method Organization.completer_scope.
Creating scope :completer_scope. Overwriting existing method Location.completer_scope.
Operation FAILED: ERF12-7740 [ProxyAPI::ProxyException]: Unable to delete PuppetCA certificate for hostname.domain.local ([RestClient::$
Completed 500 Internal Server Error in 60260ms

ArgumentError (There was no default layout for UnattendedController in #<ActionView::PathSet:0x00000008d9e2e0 @paths=[/usr/share/foreman/app/views, /opt/rh/rub$
app/controllers/application_controller.rb:319:in `generic_exception'
lib/middleware/catch_json_parse_errors.rb:9:in `call'

It seems to hang on this command:

sh -c /usr/bin/sudo -S /usr/bin/puppet cert --ssldir /var/lib/puppet/ssl --clean hostname.domain.local

Manually running it naked:

/usr/bin/puppet cert --ssldir /var/lib/puppet/ssl --clean hostname.domain.local

Error: Could not find a serial number for hostname.domain.local

Which seems to be normal.

Actions #1

Updated by Dominic Cleal over 9 years ago

  • Status changed from New to Need more information

Please provide the contents of /etc/sudoers.d/foreman-proxy.

Actions #2

Updated by Yama Kasi over 9 years ago

# cat /etc/sudoers.d/foreman-proxy
foreman-proxy ALL = NOPASSWD : /usr/sbin/puppetca *, /usr/sbin/puppetrun *
Defaults:foreman-proxy !requiretty

Actions #3

Updated by Dominic Cleal over 9 years ago

  • Status changed from Need more information to Feedback

The sudoers file appears to be configured for Puppet 2, while you have Puppet 3.

Please follow http://projects.theforeman.org/projects/foreman/wiki/FAQ#Upgrade-puppet-from-v2-to-v3-gotchas to update both sudoers and config.ru configuration appropriately.

Actions #4

Updated by Yama Kasi over 9 years ago

Can this have happened because of some puppet issues before between the foreman ones and when you have puppet 3 enabled in your repos?

This just started at once yesterday without any upgrade or so.

Actions #5

Updated by Dominic Cleal over 9 years ago

I don't understand that. Foreman has probably been installed with Puppet 2, then it has been upgraded without the configuration changes. Your package manager will probably log upgrades, however the misconfiguration is pretty clear.

Actions #6

Updated by Yama Kasi over 9 years ago

This is true, but has been changed after the upgrade.

It might have been that the installer has been run again somewhere in the 1.6.x versions.

Strange I never got any issues with it before.

Thanks.

Actions #7

Updated by Dominic Cleal over 9 years ago

  • Status changed from Feedback to Resolved

Actions #8

Updated by Dominic Cleal over 9 years ago

  • Tracker changed from Bug to Support

Actions #9

Updated by Yama Kasi over 9 years ago

Same issue still happens with the change.

Actions #10

Updated by Dominic Cleal over 9 years ago

Please provide the logs and configuration file again, and also include /etc/sudoers.

Actions #11

Updated by Yama Kasi over 9 years ago

# cat /etc/sudoers
## Sudoers allows particular users to run various commands as
## the root user, without needing the root password.
##
## Examples are provided at the bottom of the file for collections
## of related commands, which can then be delegated out to particular
## users or groups.
##
## This file must be edited with the 'visudo' command.

## Host Aliases
## Groups of machines. You may prefer to use hostnames (perhaps using
## wildcards for entire domains) or IP addresses instead.
# Host_Alias     FILESERVERS = fs1, fs2
# Host_Alias     MAILSERVERS = smtp, smtp2

## User Aliases
## These aren't often necessary, as you can use regular groups
## (ie, from files, LDAP, NIS, etc) in this file - just use %groupname
## rather than USERALIAS
# User_Alias ADMINS = jsmith, mikem

## Command Aliases
## These are groups of related commands...

## Networking
# Cmnd_Alias NETWORKING = /sbin/route, /sbin/ifconfig, /bin/ping, /sbin/dhclient, /usr/bin/net, /sbin/iptables, /usr/bin/rfcomm, /usr/bin/wvdial, /sbin/iwconfig, /sbin/mii-tool

## Installation and management of software
# Cmnd_Alias SOFTWARE = /bin/rpm, /usr/bin/up2date, /usr/bin/yum

## Services
# Cmnd_Alias SERVICES = /sbin/service, /sbin/chkconfig

## Updating the locate database
# Cmnd_Alias LOCATE = /usr/bin/updatedb

## Storage
# Cmnd_Alias STORAGE = /sbin/fdisk, /sbin/sfdisk, /sbin/parted, /sbin/partprobe, /bin/mount, /bin/umount

## Delegating permissions
# Cmnd_Alias DELEGATING = /usr/sbin/visudo, /bin/chown, /bin/chmod, /bin/chgrp

## Processes
# Cmnd_Alias PROCESSES = /bin/nice, /bin/kill, /usr/bin/kill, /usr/bin/killall

## Drivers
# Cmnd_Alias DRIVERS = /sbin/modprobe

# Defaults specification

#
# Disable "ssh hostname sudo <cmd>", because it will show the password in clear.
#         You have to run "ssh -t hostname sudo <cmd>".
#
Defaults    requiretty

#
# Refuse to run if unable to disable echo on the tty. This setting should also be
# changed in order to be able to use sudo without a tty. See requiretty above.
#
Defaults   !visiblepw

#
# Preserving HOME has security implications since many programs
# use it when searching for configuration files. Note that HOME
# is already set when the the env_reset option is enabled, so
# this option is only effective for configurations where either
# env_reset is disabled or HOME is present in the env_keep list.
#
Defaults    always_set_home

Defaults    env_reset
Defaults    env_keep =  "COLORS DISPLAY HOSTNAME HISTSIZE INPUTRC KDEDIR LS_COLORS" 
Defaults    env_keep += "MAIL PS1 PS2 QTDIR USERNAME LANG LC_ADDRESS LC_CTYPE" 
Defaults    env_keep += "LC_COLLATE LC_IDENTIFICATION LC_MEASUREMENT LC_MESSAGES" 
Defaults    env_keep += "LC_MONETARY LC_NAME LC_NUMERIC LC_PAPER LC_TELEPHONE" 
Defaults    env_keep += "LC_TIME LC_ALL LANGUAGE LINGUAS _XKB_CHARSET XAUTHORITY" 

#
# Adding HOME to env_keep may enable a user to run unrestricted
# commands via sudo.
#
# Defaults   env_keep += "HOME" 

Defaults    secure_path = /sbin:/bin:/usr/sbin:/usr/bin

## Next comes the main part: which users can run what software on
## which machines (the sudoers file can be shared between multiple
## systems).
## Syntax:
##
##      user    MACHINE=COMMANDS
##
## The COMMANDS section may have other options added to it.
##
## Allow root to run any commands anywhere
root    ALL=(ALL)       ALL

## Allows members of the 'sys' group to run networking, software,
## service management apps and more.
# %sys ALL = NETWORKING, SOFTWARE, SERVICES, STORAGE, DELEGATING, PROCESSES, LOCATE, DRIVERS

## Allows people in group wheel to run all commands
# %wheel        ALL=(ALL)       ALL

## Same thing without a password
# %wheel        ALL=(ALL)       NOPASSWD: ALL

## Allows members of the users group to mount and unmount the
## cdrom as root
# %users  ALL=/sbin/mount /mnt/cdrom, /sbin/umount /mnt/cdrom

## Allows members of the users group to shutdown this system
# %users  localhost=/sbin/shutdown -h now

## Read drop-in files from /etc/sudoers.d (the # here does not mean a comment)
# includedir /etc/sudoers.d
foreman-proxy ALL = NOPASSWD : /usr/bin/puppet cert *, /usr/bin/puppet kick *
Defaults:foreman-proxy !requiretty

Started GET "/node/hostname.domain.local?format=yml" for xxx.xxx.xxx.xxx at 2014-12-10 16:25:12 +0100
Processing by HostsController#externalNodes as YML
  Parameters: {"name"=>"hostname.domain.local"}
  Rendered text template (0.0ms)
Completed 200 OK in 165ms (Views: 1.2ms | ActiveRecord: 28.3ms)
Operation FAILED: ERF12-7740 [ProxyAPI::ProxyException]: Unable to delete PuppetCA certificate for hostname.domain.local ([RestClient::RequestTimeout]: Request Timeout) for proxy https://fm-hostname.domain.local:8443/puppet/ca
Completed 500 Internal Server Error in 61128ms

ArgumentError (There was no default layout for UnattendedController in #<ActionView::PathSet:0x007fc2d8746d58 @paths=[/usr/share/foreman/app/views, /opt/rh/ruby193/root/usr/share/gems/gems/foreman_dhcp_browser-0.0.6/app/views, /opt/rh/ruby193/root/usr/share/gems/gems/apipie-rails-0.2.5/app/views]>):
  app/controllers/application_controller.rb:319:in `generic_exception'
  lib/middleware/catch_json_parse_errors.rb:9:in `call'

Actions #12

Updated by Dominic Cleal over 9 years ago

Can you please verify the last line of /etc/sudoers? It doesn't look correct in the above paste.

You pasted:

# includedir /etc/sudoers.d

But there should be no space between # and includedir:

#includedir /etc/sudoers.d

This isn't a comment, it's a directive.
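
An added example, not part of the original thread or of Foreman: a small shell lint for the sudoers problems discussed in comments #3 and #12 (Puppet 2 command paths, and `# includedir` written as a comment). The function name, finding labels and sample file are assumptions made for illustration.

```sh
#!/bin/sh
# Added example: lint sudoers content for the problems raised in this thread.
# Prints one finding per line, nothing when the input looks right.
lint_proxy_sudoers() {
    main_file=$1                 # e.g. a copy of /etc/sudoers
    dropin=${2:-/dev/null}       # e.g. a copy of /etc/sudoers.d/foreman-proxy
    effective=$(cat "$main_file")

    # "#includedir" (or "@includedir" on newer sudo) is a directive;
    # "# includedir" with a space is only a comment, so drop-ins are skipped.
    if grep -Eq '^[#@]includedir[[:space:]]+/etc/sudoers\.d' "$main_file"; then
        effective=$(cat "$main_file" "$dropin")
    elif grep -Eq '^#[[:space:]]+includedir[[:space:]]' "$main_file"; then
        echo "INCLUDEDIR_COMMENTED"
    else
        echo "INCLUDEDIR_MISSING"
    fi

    # Rules for the proxy user that sudo would actually read.
    rules=$(printf '%s\n' "$effective" | grep -E '^foreman-proxy[[:space:]]' || true)

    # Puppet 2 paths do not match the Puppet 3 "puppet cert" command line.
    if printf '%s\n' "$rules" | grep -q '/usr/sbin/puppetca'; then
        echo "RULE_PUPPET2_PATHS"
    fi
    if ! printf '%s\n' "$rules" | grep -q '/usr/bin/puppet cert '; then
        echo "RULE_NO_PUPPET_CERT"
    fi

    # A global "Defaults requiretty" needs a per-user override for a daemon.
    if printf '%s\n' "$effective" | grep -Eq '^Defaults[[:space:]]+requiretty' &&
       ! printf '%s\n' "$effective" | grep -Eq '^Defaults:foreman-proxy[[:space:]]+!requiretty'; then
        echo "REQUIRETTY_NOT_OVERRIDDEN"
    fi
    return 0
}

# Constructed sample: the last lines of the /etc/sudoers paste in comment #11.
sample=$(mktemp)
printf '%s\n' 'Defaults    requiretty' '# includedir /etc/sudoers.d' \
    'foreman-proxy ALL = NOPASSWD : /usr/bin/puppet cert *, /usr/bin/puppet kick *' \
    'Defaults:foreman-proxy !requiretty' > "$sample"
lint_proxy_sudoers "$sample"
rm -f "$sample"
```

`visudo -c` accepts a file with `# includedir` because a comment is valid syntax, so only a content check like this one, or `sudo -l -U foreman-proxy` to list what sudo actually grants, will show that the drop-in directory is not being read.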

Actions #13

Updated by Yama Kasi over 9 years ago

There have been issues before indeed, I think the space between # and includedir, but even with the good line in the sudoers file directly I still have this issue.

Actions #14

Updated by Dominic Cleal over 9 years ago

Please run the following command:

sudo -u foreman-proxy sudo puppet cert list

What output is produced?

Actions #15

Updated by Yama Kasi over 9 years ago

Process hangs, I need to reconnect putty to get a command line again.

Actions #16

Updated by Yama Kasi over 9 years ago

Since when is this resolved, as it isn't?

Actions #17

Updated by Yama Kasi over 9 years ago

Solved, an ipa-client install on the fm box seems to have had some issues after a while. Uninstalled and things go smooth again.
