Generic or SSL connection errors

Please see Proxy_communication_errors first for SSL or communication errors, which aren't specific to this particular proxy action.

Unable to set PuppetCA autosign for ...

The proxy is responsible for writing host entries to Puppet's /etc/puppet/autosign.conf file while provisioning, so they get automatically signed during the build process. This means the foreman-proxy user must have write access to the file - usually it's owned by "foreman-proxy", group "puppet" and with mode 0664.

-rw-rw-r--. 1 foreman-proxy puppet 0 May 14 16:26 /etc/puppet/autosign.conf

If relying on group write, ensure foreman-proxy is a member of the puppet group (and restart foreman-proxy after doing this) and you may need to add this line into puppet.conf to ensure it remains 0664:

    autosign       = $confdir/autosign.conf { mode = 664 }

Foreman installed with Katello

When using Foreman in a Katello installation foreman-proxy needs a puppetca_hostname_whitelisting.yml (normally in /etc/foreman-proxy/settings.d) with the path to the autosign.conf file. Ex.:

:autosignfile: /etc/puppetlabs/puppet/autosign.conf

Updated by Adail Antônio Júnior about 5 years ago · 2 revisions