[Satellite 6] Provisioning through Satellite fails with 'Warning: anaconda: failed to fetch kickstart from https://satellite.example.com:9090/unattended/provision?token=XXXXXX'

Solution Verified - Updated

Environment

  • Satellite 6
  • PXE provisioning

Issue

  • Provisioning through Satellite fails on dracut with Warning: anaconda: failed to fetch kickstart from https://satellite.example.com:9090/unattended/provision?token=XXXXXX

Resolution

  • Make sure that the Unattended URL attribute in WebUI --> Administer --> Settings --> Provisioning has the correct value.

    Unattended URL
- URL hosts will retrieve templates from during build (normally http as many installers don't support https)

  • Make sure the templates proxy listens on http. This can be set in:

    # grep enabled /etc/foreman-proxy/settings.d/templates.yml
:enabled: true

  • Make sure that :template_url: in /etc/foreman-proxy/settings.d/templates.yml on the Satellite (or Capsule server used for provisioning) is referencing:

    • http:// and not https://
    • Port 8000 and not port 9090.

    For example:

    :template_url: http://provisioning_capsule.example.com:8000

  • If it's set to true then the template proxy will listen on both http and https. On the other hand if it's set to false then the template proxy will only listen on https. You can also set the parameter specifically to http or https.

  • This setting is managed by satellite-installer, specifically with the --foreman-proxy-templates-listen-on argument:

    # satellite-installer --help | grep -i templates-listen
  --foreman-proxy-templates-listen-on  Templates proxy to listen on https, http, or both (current: "both")

  • If you execute satellite-installer --foreman-proxy-templates-listen-on both then the value in the file will be true and the template proxy will listen on both http and https. This is generally what you want.

For more KB articles/solutions related to Red Hat Satellite 6.x Provisioning Issues, please refer to the Consolidated Troubleshooting Article for Red Hat Satellite 6.x Provisioning related Issues

Root Cause

  • Content Hosts registered to Satellite server (internal Capsule) should fetch templates over http and port 8000.

Diagnostic Steps

  • Based on the rendered 'Kickstart default PXELinux' template, the Content Host is trying fetch the kickstart over https using port 9090:

      # This file was deployed via 'Kickstart default PXELinux' template

  DEFAULT menu
  MENU TITLE Booting into OS installer (ESC to stop)
  TIMEOUT 100
  ONTIMEOUT installer

  LABEL installer
    MENU LABEL Kickstart default PXELinux
    KERNEL boot/kickstart_x86_64_7_6-XXXXXXXX--vmlinuz
    APPEND initrd=boot/kickstart_x86_64_7_6-XXXXXXXX--initrd.img 
  ks=https://satellite.example.com:9090/unattended/provision?token=XXXXXXXX-XXXX-XXXX-XXXX-XXXXXXXXXXXX  network 
  ksdevice=bootif ks.device=bootif BOOTIF=XX-XX-XX-XX-XX-XX-XX kssendmac ks.sendmac inst.ks.sendmac 
  ip=XX.XXX.XXX.XXX::XX.XXX.XXX.X:XXX.XXX.XXX.X:::none nameserver=XX.XXX.XXX.XX nameserver=XX.XXX.XXX.XX
    IPAPPEND 2

  • These errors can be found in anaconda.log:

    [10.282055] dracut-initqueue[965]: curl: (60) Peer's certificate issuer has been marked as not trusted by the user.
...
...
...
[10.284750] dracut-initqueue[965]: Warning: anaconda: failed to fetch kickstart from https://satellite.example.com:9090/unattended/provision?token=XXXXXXXX-XXXX-XXXX-XXXX-XXXXXXXXXXXX
SBR
Product(s)
Components
Category
Tags

This solution is part of Red Hat’s fast-track publication program, providing a huge library of solutions that Red Hat engineers have created while supporting our customers. To give you the knowledge you need the instant it becomes available, these articles may be presented in a raw and unedited form.