Running Satellite OpenScap and puppet agent fails with '/usr/bin/foreman_scap_client: No such file or directory' error message

Solution Verified - Updated

Environment

  • Red Hat Enterprise Linux
    • 7.5
  • Red Hat Satellite
    • 6.3

Issue

  • When trying to run OpenScap, the following error message is showing up:

    /var/tmp/foreman-ssh-cmd-xxxxx-xxxx-xxxx-xxxx-xxxxx/script: line 1: /usr/bin/foreman_scap_client: No such file or directory

  • When trying to run the puppet agent in the slave server, the following error messages are showing up:

        # /usr/bin/puppet agent -t
    Warning: Unable to fetch my node definition, but the agent run will continue:
    Warning: SSL_connect SYSCALL returned=5 errno=0 state=SSLv3 read finished A
    Info: Retrieving pluginfacts
    Error: /File[/var/lib/puppet/facts.d]: Failed to generate additional resources using 'eval_generate': SSL_connect SYSCALL returned=5 errno=0                 state=SSLv3 read finished A
    Error: /File[/var/lib/puppet/facts.d]: Could not evaluate: Could not retrieve file metadata for puppet://server.example.com/pluginfacts:                                                         SSL_connect SYSCALL returned=5 errno=0 state=SSLv3 read finished A
    Info: Retrieving plugin
    Error: /File[/var/lib/puppet/lib]: Failed to generate additional resources using 'eval_generate': SSL_connect SYSCALL returned=5 errno=0 state=SSLv3 read     finished A
    Error: /File[/var/lib/puppet/lib]: Could not evaluate: Could not retrieve file metadata for puppet://server.example.com/plugins: SSL_connect SYSCALL         returned=5 errno=0 state=SSLv3 read finished A
    Info: Loading facts
    Error: Could not retrieve catalog from remote server: SSL_connect SYSCALL returned=5 errno=0 state=SSLv3 read finished A
    Warning: Not using cache on failed catalog
    Error: Could not retrieve catalog; skipping run
    Error: Could not send report: SSL_connect SYSCALL returned=5 errno=0 state=SSLv3 read finished A

    # /usr/bin/puppet agent --config /etc/puppet/puppet.conf --onetime --tags
    no_such_tag --server server.example.com --no-daemonize --verbose
    Info: Caching certificate for certificate.example.com
    Info: Caching certificate_revocation_list for ca
    Info: Caching certificate for certificate.example.com
    Info: Retrieving pluginfacts
    Info: Retrieving plugin
    Info: Loading facts
    Error: Could not retrieve catalog from remote server: Error 500 on SERVER: {"message":"Server Error: Evaluation Error: Error while evaluating a Resource     Statement, Evaluation Error: Error while evaluating a Resource Statement, Duplicate declaration: Class[Stdlib::Stages] is already declared; cannot redeclare at     /usr/share/puppet/modules/stdlib/manifests/init.pp:18 at /usr/share/puppet/modules/stdlib/manifests/init.pp:18:3 on node certificate.example.com","issue_kind":"RUNTIME_ERROR","stacktrace":["Warning: The 'stacktrace' property is deprecated and will be removed in a future version of     Puppet. For security reasons, stacktraces are not returned with Puppet HTTP Error responses."]}
    Notice: Using cached catalog
    Error: Could not retrieve catalog; skipping run

Resolution

This issue must be solved in two steps, as follows:

  1. First, to solve the puppet agent issues, any existing certificates present in /var/lib/puppet/ssl must be deleted. After that, run puppet agent again:

    # rm -rf /var/lib/puppet/ssl/*
# puppet agent -t

  2. Finally, to solve the OpenScap issue, the Stdlib::Stages class must be removed from the Puppet Classes of any Host Groupor Config Group. That can be accessed by the URL https://satelliteserver.example.com/hostgroups/hostgroupname/edit, changing only the hostgroupname for each Host Group or Config Group existing in the environment or by following these steps:

    2.1 Access the Satellite Web GUI
    2.2 Navigate to Configure > Host groups
    2.3 Select a host group
    2.4 Navigate to Puppet Classes
    2.5 If there is a stdlib::stages class under Included Classes column, just click the dash (-) icon to remove it
    2.6 Repeat the same steps for each Host Group or Config Group in the environment
    2.7 Run puppet agent to check if the OpenScap issue was solved:

      # /usr/bin/puppet agent --config /etc/puppet/puppet.conf --onetime --tags no_such_tag --server satelliteserver --no-daemonize --verbose

For more KB articles/solutions related to Red Hat Satellite 6.x Puppet Issues, please refer to the Red Hat Satellite Consolidated Troubleshooting Article for Red Hat Satellite 6.x Puppet Issues

For more KB articles/solutions related to Red Hat Satellite 6.x OpenSCAP Issues, please refer to the Red Hat Satellite Consolidated Troubleshooting Article for Red Hat Satellite 6.x OpenSCAP Issues

Root Cause

This issue is caused by errors with certificates present in the /var/lib/puppet/ssl folder and if any Stdlib::Stages class is added in Host Group or Config Group on the satellite GUI (Graphical User Interface).

Diagnostic Steps

Run puppet agent and check if there is any SSL error or Error 500:

# /usr/bin/puppet agent -t
# /usr/bin/puppet agent --config /etc/puppet/puppet.conf --onetime --tags

NOTE: Refer to the following articles to understand more about OpenScap and Satellite integration:

Installing and Configuring OpenScap on Red Hat Satellite 6.

Unable to run an OpenSCAP audit via satellite 6.2, the client is missing the file /etc/foreman_scap_client/config.yaml

SBR
Product(s)
Components
Category
Tags

This solution is part of Red Hat’s fast-track publication program, providing a huge library of solutions that Red Hat engineers have created while supporting our customers. To give you the knowledge you need the instant it becomes available, these articles may be presented in a raw and unedited form.