Foreman DNS Error ERF12-2357 [ProxyAPI::ProxyException]: Unable to set DNS entry

Tags: domain-name-system, foreman

After setting up the Foreman environment I'm getting the error:

"Unable to save
Create Reverse DNS record for mydomain.de task failed with the following error: ERF12-2357 [ProxyAPI::ProxyException]: Unable to set DNS entry ([RestClient::BadRequest]: 400 Bad Request) for proxy https://mydomain.de:8443/dns"

I definitely did read EVERY Google page I could find on that problem and every bug report I could find, and I have no idea why it is not working. I'm getting kind of desperate here …

What I did so far:

  • I commented out the line with the dns-key in /etc/foreman-proxy/settings.yml
  • I used CentOS, Ubuntu 13.04, 13.10, 14.04
  • I gave the WHOLE system 777 on every file
  • I chose another domain

My syslog error message looks like this:

"Aug 12 18:54:22 foremanmaster01 named1016: client 127.0.0.1#58169: update '10.in-addr.arpa/IN' denied"

Does someone have an idea why this is not working, because I can't understand it.
I'll provide you with every piece of information I can find to solve this problem.

Best Answer

If this is still a problem I've found that following along with the Foreman installation guide is very confusing. Both your dns and dhcp keys need to be the same, whereas in the installation guide it shows two different ways to configure keys between dns and dhcp.

This is what finally worked for me: run: ddns-confgen -k foreman -a hmac-md5

This produces output that looks like this:

key "foreman" {
        algorithm hmac-md5;
        secret "GGd1oNCxaKsh8HA84sP1Ug==";
};

Put this block of text into /etc/rndc.key

Now you have to update your daemon configurations:
/etc/named.conf
/etc/zones.conf
/etc/dhcp/dhcpd.conf

/etc/named.conf:
Add:

include "/etc/rndc.key";
controls  {
        inet 127.0.0.1 port 953 allow { 127.0.0.1; } keys { "foreman"; };
};

This tells BIND to read the key named "foreman" out of /etc/rndc.key and allow the key named "foreman" to connect to the control port on 953 to do ddns updates.

Now, in /etc/zones.conf. This is from my example: I am using ".local" as my domain and 172.16.1.0/24 as my network. Adjust accordingly.

zone "1.16.172.in-addr.arpa" {
    type master;
    file "/var/named/dynamic/db.1.16.172.in-addr.arpa";
    update-policy {
            grant foreman zonesub ANY;
    };
};
zone "local" {
    type master;
    file "/var/named/dynamic/db.local";
    update-policy {
            grant foreman zonesub ANY;
    };
};

The important part is:

update-policy {
        grant foreman zonesub ANY;
};

This is telling BIND that the key foreman is allowed to update/add any of the records in these zones.

Finally, and this is what messed me up because the install guide uses a different syntax for the DHCP server: /etc/dhcp/dhcpd.conf Add:

omapi-port 7911;
key foreman {
        algorithm HMAC-MD5;
        secret "GGd1oNCxaKsh8HA84sP1Ug==";
};
omapi-key foreman;

Now you move on to the foreman-proxy config files:
/etc/foreman-proxy/settings.d/dns.yml
/etc/foreman-proxy/settings.d/dhcp.yml

Contents of: /etc/foreman-proxy/settings.d/dns.yml

---
# DNS management
:enabled: true

# valid providers:
#   dnscmd (Microsoft Windows native implementation)
#   nsupdate
#   nsupdate_gss (for GSS-TSIG support)
#   virsh (simple implementation for libvirt)

:dns_provider: nsupdate
:dns_key: /etc/rndc.key

# use this setting if you are managing a dns server which is not localhost through this proxy
:dns_server: 127.0.0.1
# use this setting if you want to override default TTL setting (86400)
:dns_ttl: 86400

Contents of: /etc/foreman-proxy/settings.d/dhcp.yml

---
# Enable DHCP management
:enabled: true
# valid vendors:
#   - isc
#   - native_ms (Microsoft native implementation)
#   - virsh (simple implementation for libvirt)
:dhcp_vendor: isc
:dhcp_config: /etc/dhcp/dhcpd.conf
:dhcp_leases: /var/lib/dhcpd/dhcpd.leases
:dhcp_key_name: foreman
:dhcp_key_secret: GGd1oNCxaKsh8HA84sP1Ug==

For whatever reason having both configured with different keys kept causing problems for me. This finally fixed it. Hope that helps.

Oh, and as an FYI, those files /etc/rndc.key, /etc/dhcp/dhcpd.conf and /var/lib/dhcpd/dhcpd.leases need to be readable by foreman-proxy. I accomplished this by adding foreman-proxy to the dhcpd and named groups:

usermod -a -G dhcpd foreman-proxy
usermod -a -G named foreman-proxy

ls -l /etc/named.conf /etc/zones.conf /etc/rndc.key /etc/dhcp/dhcpd.conf /var/lib/dhcpd/dhcpd.leases
-rw-r--r--. 1 root  root   787 Apr 10 14:56 /etc/dhcp/dhcpd.conf
-rw-r-----. 1 root  named  275 Apr 10 14:45 /etc/named.conf
-rw-r-----. 1 root  named   77 Apr 10 14:41 /etc/rndc.key
-rw-r-----. 1 root  named  316 Apr 10 12:40 /etc/zones.conf
-rw-r--r--. 1 dhcpd dhcpd 1262 Apr 10 15:00 /var/lib/dhcpd/dhcpd.leases

id foreman-proxy
uid=498(foreman-proxy) gid=497(foreman-proxy) groups=497(foreman-proxy),52(puppet),177(dhcpd),25(named)
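As an added check that is not part of the answer above (example script, not Foreman's or BIND's own tooling): this POSIX shell script reads the key name and secret out of the file that dns.yml's :dns_key points at, compares them with :dhcp_key_name/:dhcp_key_secret in dhcp.yml, and confirms that zones.conf has an update-policy grant for that key. It works on constructed sample files with a placeholder secret; the file layouts assumed are the ones shown in the answer.

```shell
#!/bin/sh
# Added example, not from the original answer: check that the TSIG key named
# in foreman-proxy's dns.yml (:dns_key, e.g. /etc/rndc.key) carries the same
# name and secret as :dhcp_key_name/:dhcp_key_secret in dhcp.yml, and that
# named's zone config grants that key update rights. Either mismatch ends up
# as "update '10.in-addr.arpa/IN' denied" in syslog.

# Key name from a BIND/dhcpd style key block:  key "foreman" { ... };
bind_key_name() {
  sed -n 's/^[[:space:]]*key[[:space:]]\{1,\}"\{0,1\}\([^" {;]*\)"\{0,1\}.*/\1/p' "$1" | head -n 1
}
# Base64 secret from the same block.
bind_key_secret() {
  sed -n 's/.*secret[[:space:]]*"\([^"]*\)".*/\1/p' "$1" | head -n 1
}
# Value of a ":setting: value" line in a foreman-proxy settings.d YAML file.
yml_value() {
  sed -n "s/^:$2:[[:space:]]*//p" "$1" | head -n 1 | tr -d '"'
}
# Exit 0 only when key file and dhcp.yml agree on both the name and the secret.
keys_match() {
  [ "$(bind_key_name "$1")" = "$(yml_value "$2" dhcp_key_name)" ] &&
  [ "$(bind_key_secret "$1")" = "$(yml_value "$2" dhcp_key_secret)" ]
}
# Exit 0 only when the zone file has a "grant <key> ..." update-policy rule.
zone_grants_key() {
  grep -Eq "^[[:space:]]*grant[[:space:]]+$2[[:space:]]" "$1"
}
# Constructed sample files with a placeholder secret (not a real key) so the
# checks can be run without touching /etc.
make_demo() {
  d=$(mktemp -d)
  printf '%s\n' 'key "foreman" {' '  algorithm hmac-md5;' \
    '  secret "EXAMPLEsecretNOTreal==";' '};' > "$d/rndc.key"
  printf '%s\n' '---' ':dhcp_key_name: foreman' \
    ':dhcp_key_secret: EXAMPLEsecretNOTreal==' > "$d/dhcp.yml"
  printf '%s\n' '---' ':dhcp_key_name: foreman' \
    ':dhcp_key_secret: DIFFERENTsecret==' > "$d/dhcp-mismatch.yml"
  printf '%s\n' 'zone "local" {' '  type master;' '  update-policy {' \
    '    grant foreman zonesub ANY;' '  };' '};' > "$d/zones.conf"
  printf '%s\n' 'zone "local" {' '  type master;' '};' > "$d/zones-nogrant.conf"
  echo "$d"
}

demo=$(make_demo)
keys_match "$demo/rndc.key" "$demo/dhcp.yml" && echo "dns/dhcp keys agree"
keys_match "$demo/rndc.key" "$demo/dhcp-mismatch.yml" || echo "dhcp-mismatch.yml: key differs"
zone_grants_key "$demo/zones.conf" foreman && echo "zones.conf grants foreman"
```

On a real host, call keys_match with your :dns_key file and /etc/foreman-proxy/settings.d/dhcp.yml, and zone_grants_key with /etc/zones.conf and the key name.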