Bug #30017
foreman-proxy can't authenticate to foreman with tls 1.3
Status: New
Priority: Normal
Assignee: -
Category: Core
Target version: -
Description
I'm running Foreman 1.24.3 on Ubuntu 18.04. As soon as I enable TLS 1.3 in Apache, the foreman-proxy is unable to communicate with Foreman.
I get the following error if I try to create a new host (I get the same error in the Foreman discovery image):
# curl -X POST -k https://10.2.0.20:8443/discovery/create -d '{}'
Discovery failed, code 403, reason: N/A
In the foreman-proxy log I can see the following errors:
2020-06-04T15:51:59 [D] accept: 10.2.0.104:42034
2020-06-04T15:51:59 [D] Rack::Handler::WEBrick is invoked.
2020-06-04T15:51:59 064c8e96 [I] Started POST /discovery/create
2020-06-04T15:51:59 064c8e96 [E] Discovery failed, code 403, reason: N/A
2020-06-04T15:51:59 064c8e96 [W] Discovery failed, code 403, reason: N/A
RuntimeError: Discovery failed, code 403, reason: N/A
/usr/lib/ruby/vendor_ruby/smart_proxy_discovery/discovery_main.rb:20:in `create_discovered_host'
/usr/lib/ruby/vendor_ruby/smart_proxy_discovery/discovery_api.rb:38:in `block in <class:InboundApi>'
/usr/lib/ruby/vendor_ruby/sinatra/base.rb:1611:in `call'
/usr/lib/ruby/vendor_ruby/sinatra/base.rb:1611:in `block in compile!'
/usr/lib/ruby/vendor_ruby/sinatra/base.rb:975:in `block (3 levels) in route!'
/usr/lib/ruby/vendor_ruby/sinatra/base.rb:994:in `route_eval'
/usr/lib/ruby/vendor_ruby/sinatra/base.rb:975:in `block (2 levels) in route!'
/usr/lib/ruby/vendor_ruby/sinatra/base.rb:1015:in `block in process_route'
/usr/lib/ruby/vendor_ruby/sinatra/base.rb:1013:in `catch'
/usr/lib/ruby/vendor_ruby/sinatra/base.rb:1013:in `process_route'
/usr/lib/ruby/vendor_ruby/sinatra/base.rb:973:in `block in route!'
/usr/lib/ruby/vendor_ruby/sinatra/base.rb:972:in `each'
/usr/lib/ruby/vendor_ruby/sinatra/base.rb:972:in `route!'
/usr/lib/ruby/vendor_ruby/sinatra/base.rb:1085:in `block in dispatch!'
/usr/lib/ruby/vendor_ruby/sinatra/base.rb:1067:in `block in invoke'
/usr/lib/ruby/vendor_ruby/sinatra/base.rb:1067:in `catch'
/usr/lib/ruby/vendor_ruby/sinatra/base.rb:1067:in `invoke'
/usr/lib/ruby/vendor_ruby/sinatra/base.rb:1082:in `dispatch!'
/usr/lib/ruby/vendor_ruby/sinatra/base.rb:907:in `block in call!'
/usr/lib/ruby/vendor_ruby/sinatra/base.rb:1067:in `block in invoke'
/usr/lib/ruby/vendor_ruby/sinatra/base.rb:1067:in `catch'
/usr/lib/ruby/vendor_ruby/sinatra/base.rb:1067:in `invoke'
/usr/lib/ruby/vendor_ruby/sinatra/base.rb:907:in `call!'
/usr/lib/ruby/vendor_ruby/sinatra/base.rb:895:in `call'
/usr/share/foreman-proxy/lib/proxy/log.rb:98:in `call'
/usr/share/foreman-proxy/lib/proxy/request_id_middleware.rb:11:in `call'
/usr/lib/ruby/vendor_ruby/rack/protection/xss_header.rb:18:in `call'
/usr/lib/ruby/vendor_ruby/rack/protection/path_traversal.rb:16:in `call'
/usr/lib/ruby/vendor_ruby/rack/protection/json_csrf.rb:18:in `call'
/usr/lib/ruby/vendor_ruby/rack/protection/base.rb:50:in `call'
/usr/lib/ruby/vendor_ruby/rack/protection/base.rb:50:in `call'
/usr/lib/ruby/vendor_ruby/rack/protection/frame_options.rb:31:in `call'
/usr/lib/ruby/vendor_ruby/rack/nulllogger.rb:9:in `call'
/usr/lib/ruby/vendor_ruby/rack/head.rb:13:in `call'
/usr/lib/ruby/vendor_ruby/sinatra/show_exceptions.rb:25:in `call'
/usr/lib/ruby/vendor_ruby/sinatra/base.rb:182:in `call'
/usr/lib/ruby/vendor_ruby/sinatra/base.rb:2013:in `call'
/usr/lib/ruby/vendor_ruby/smart_proxy_discovery/discovery_api.rb:12:in `call'
/usr/lib/ruby/vendor_ruby/rack/urlmap.rb:66:in `block in call'
/usr/lib/ruby/vendor_ruby/rack/urlmap.rb:50:in `each'
/usr/lib/ruby/vendor_ruby/rack/urlmap.rb:50:in `call'
/usr/lib/ruby/vendor_ruby/rack/builder.rb:153:in `call'
/usr/lib/ruby/vendor_ruby/rack/handler/webrick.rb:88:in `service'
/usr/lib/ruby/2.5.0/webrick/httpserver.rb:140:in `service'
/usr/lib/ruby/2.5.0/webrick/httpserver.rb:96:in `run'
/usr/lib/ruby/2.5.0/webrick/server.rb:307:in `block in start_thread'
/usr/lib/ruby/vendor_ruby/logging/diagnostic_context.rb:474:in `block in create_with_logging_context'
2020-06-04T15:51:59 064c8e96 [I] Finished POST /discovery/create with 500 (25.08 ms)
2020-06-04T15:51:59 [D] close: 10.2.0.104:42034
As soon as I disable TLS 1.3 in Apache, everything works as expected:
SSLProtocol all -SSLv3 -TLSv1 -TLSv1.1 -TLSv1.3
First I thought it's a foreman discovery image problem. But now I think the problem is between the proxy and foreman: https://projects.theforeman.org/issues/29509#change-135795
Just let me know if you need any further information.
Updated by Ewoud Kohl van Wijngaarden almost 2 years ago
- Category set to Core
Ubuntu 18.04 shipped Ruby 2.5. Can you still reproduce this with Ubuntu 20.04 and Ruby 2.7?