Red Hat Satellite 6 throws the exception: "ERF12-5356 [ProxyAPI::ProxyException]: Unable to get PuppetCA certificates"

Solution Verified - Updated

Environment

  • Red Hat Satellite 6.7 and below
  • Red Hat Satellite Capsule 6.7 and below

Issue

  • Navigating to Satellite WebUI -> Infrastructure -> Capsules -> Action -> Certificates returns the error message below:
 Operation FAILED: ERF12-5356 [ProxyAPI::ProxyException]: Unable to get PuppetCA certificates ([RestClient::NotAcceptable]: 406 Not Acceptable) for proxy https://satellite.example.com:9090/puppet/ca
  • The following error is received in /var/log/foreman/production.log when doing a PXE boot and attempting an unattended provisioning of a system:
Found client.example.com
Remove puppet certificate for client.example.com
Operation FAILED: ERF12-7740 [ProxyAPI::ProxyException]: Unable to delete PuppetCA certificate for client.example.com ([RestClient::NotAcceptable]: 406 Not Acceptable) for proxy https://satellite.example.com:9090/puppet/ca
Completed 500 Internal Server Error in 161ms

Resolution

  • Make sure the lines below are included in the /etc/sudoers file:
## Read drop-in files from /etc/sudoers.d (the # here does not mean a comment)
#includedir /etc/sudoers.d
  • The file /etc/sudoers.d/foreman-proxy should be present with the content below:
foreman-proxy ALL = (root) NOPASSWD : /opt/puppetlabs/bin/puppet cert *
Defaults:foreman-proxy !requiretty
  • Restart Red Hat Satellite Services.
 # katello-service restart
  • If a certificate request exists on the Red Hat Satellite server, clean the pending request.
[root@satellite ~]# cd /var/lib/puppet/ssl/ca/requests
[root@satellite requests]# ls
test.example.com.pem
[root@satellite requests]# ls -ltr
total 0
  • Verify that /etc/security/access.conf is in its default state, with all lines commented out, or, if necessary, add:
+ : ALL : LOCAL
  • If you do not want to add ALL, make sure the lines below are present in /etc/security/access.conf:
+ :foreman:ALL
+ :foreman-proxy:ALL

For more KB articles/solutions related to Red Hat Satellite 6.x Puppet Issues, please refer to the Red Hat Satellite Consolidated Troubleshooting Article for Red Hat Satellite 6.x Puppet Issues.

Root Cause

  • The foreman-proxy entry is missing from the /etc/sudoers file on the Red Hat Satellite 6 server.
  • The default /etc/sudoers file was modified or replaced.

Diagnostic Steps

  • Enable debugging by editing /etc/foreman-proxy/settings.yml:
 # vim /etc/foreman-proxy/settings.yml
 :log_level: DEBUG
 # service foreman-proxy restart
  • Check whether the sudo command was executed when trying to access the WebUI by checking the logs at /var/log/secure and /var/log/foreman-proxy/proxy.log.
  • Check the /var/log/foreman/production.log and /var/log/foreman-proxy/proxy.log logs for the error below:
==> /var/log/foreman/production.log <==
Operation FAILED: ERF12-5356 [ProxyAPI::ProxyException]: Unable to get PuppetCA certificates ([RestClient::NotAcceptable]: 406 Not Acceptable) for proxy https://satellite.example.com:9090/puppet/ca

==> /var/log/foreman-proxy/proxy.log <==
192.11.12.13 - - [31/Mar/2019 14:52:46] "GET /features HTTP/1.1" 200 36 0.0007
D, [2019-03-31T14:53:03.439408 #61389] DEBUG -- : Found puppetca at /usr/bin/puppet
D, [2019-03-31T14:53:03.439671 #61389] DEBUG -- : Found sudo at /usr/bin/sudo
D, [2019-03-31T14:53:03.439761 #61389] DEBUG -- : Executing /usr/bin/sudo -S /usr/bin/puppet cert --ssldir /var/lib/puppet/ssl --list --all
W, [2019-03-31T14:53:03.506229 #61389]  WARN -- : Failed to run puppetca:
E, [2019-03-31T14:53:03.506952 #61389] ERROR -- : Failed to list certificates: Execution of puppetca failed, check log files
  • Access https://satellite.example.com:9090/ (the service running on port 9090) and check its certificate.
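
The sudo checks from the Resolution section and the proxy.log check from Diagnostic Steps, as an added shell example that is not part of the original article or of Red Hat's tooling. The function names, the regular expressions and the temporary demo files are assumptions made here.

```shell
#!/bin/sh
# Added example, not Red Hat tooling. Paths default to those named in the
# article; pass other paths to audit copies.

# _chk LABEL REGEX FILE: print OK or FAIL and return grep's verdict.
_chk() {
    if grep -Eq -- "$2" "$3" 2>/dev/null; then echo "OK   $1"
    else echo "FAIL $1 ($3)"; return 1; fi
}

# Verify the sudo configuration from the Resolution section.
# Returns 0 only if all three checks pass.
check_foreman_proxy_sudo() (
    sudoers="${1:-/etc/sudoers}"; dropin="${2:-/etc/sudoers.d/foreman-proxy}"
    ws='[[:space:]]'; rc=0
    # "#includedir" is a sudoers directive, not a comment.
    _chk "includedir /etc/sudoers.d" \
        "^#includedir${ws}+/etc/sudoers\.d/?${ws}*\$" "$sudoers" || rc=1
    # Passwordless rule scoped to "puppet cert"; any absolute puppet path is accepted.
    _chk "NOPASSWD rule for puppet cert" \
        "^foreman-proxy${ws}+ALL${ws}*=${ws}*\(root\)${ws}*NOPASSWD${ws}*:${ws}*/[^[:space:]]*/puppet${ws}+cert${ws}+\*${ws}*\$" \
        "$dropin" || rc=1
    # The proxy calls "sudo -S" from a daemon that has no terminal.
    _chk "requiretty disabled for foreman-proxy" \
        "^Defaults:foreman-proxy${ws}+!requiretty${ws}*\$" "$dropin" || rc=1
    exit "$rc"
)

# Count "sudo ... puppet cert" executions in proxy.log that are immediately
# followed by "Failed to run puppetca" (the DEBUG/WARN pair in Diagnostic Steps).
count_puppetca_sudo_failures() {
    awk '/Executing .*sudo .*puppet cert/ { pending = 1; next }
         /Failed to run puppetca/ && pending { n++ }
         { pending = 0 }
         END { print n + 0 }' "$1"
}

# Demo on constructed copies of the files (sample content taken from this page).
demo() (
    d=$(mktemp -d) || exit 1
    printf '%s\n' '#includedir /etc/sudoers.d' > "$d/sudoers"
    printf '%s\n' 'foreman-proxy ALL = (root) NOPASSWD : /opt/puppetlabs/bin/puppet cert *' \
        > "$d/foreman-proxy"   # requiretty line deliberately left out
    check_foreman_proxy_sudo "$d/sudoers" "$d/foreman-proxy"; rc=$?
    rm -rf "$d"; exit "$rc"
)
```

Run `check_foreman_proxy_sudo` with no arguments as root on the Satellite or Capsule to check the live files; `visudo -c` validates sudoers syntax after any edit.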