Uploaded image for project: 'Facter'
  1. Facter
  2. FACT-2944

During Puppet 7 upgrade from Puppet 6, Puppet Server create another certname

    XMLWordPrintable

    Details

    • Type: Bug
    • Status: Resolved
    • Priority: Normal
    • Resolution: Fixed
    • Affects Version/s: None
    • Fix Version/s: FACT 4.0.52
    • Component/s: None
    • Template:
    • Team:
      Ghost
    • Story Points:
      3
    • Sprint:
      ghost-10.03.2021
    • Method Found:
      Needs Assessment
    • Release Notes:
      Bug Fix
    • Release Notes Summary:
      Hide
      Description of the problem: Facter fails to retrieve domain using jruby because the Socket.getaddrinfo call fails.
      Description of the fix: On linux if any of the Socket method calls fail, try to retrieve information using FFI methods (as described in the diagram below).
      Show
      Description of the problem: Facter fails to retrieve domain using jruby because the Socket.getaddrinfo call fails. Description of the fix: On linux if any of the Socket method calls fail, try to retrieve information using FFI methods (as described in the diagram below).
    • QA Risk Assessment:
      Needs Assessment

      Description

      Puppet Version: 7.4.0
      Puppet Server Version: 7.0.3
      OS Name/Version: Debian Buster 10.8

      Starting with a Puppet 6 platform installed on Debian Buster 10.8 from the officials Puppetlabs packages (using https://apt.puppetlabs.com/).

      Here is how I upgrade to Puppet 7 (Take a close look to the output of 'puppetserver ca list --all' before the upgrade and after).

      root@puppetdev:~# cat /etc/puppetlabs/puppet/puppet.conf 
      # This file can be used to override the default puppet settings.
      # See the following links for more details on what settings are available:
      # - https://puppet.com/docs/puppet/latest/config_important_settings.html
      # - https://puppet.com/docs/puppet/latest/config_about_settings.html
      # - https://puppet.com/docs/puppet/latest/config_file_main.html
      # - https://puppet.com/docs/puppet/latest/configuration.html
      [server]
      vardir = /opt/puppetlabs/server/data/puppetserver
      logdir = /var/log/puppetlabs/puppetserver
      rundir = /var/run/puppetlabs/puppetserver
      pidfile = /var/run/puppetlabs/puppetserver/puppetserver.pid
      codedir = /srv/puppet/code
      storeconfigs=true
      storeconfigs_backend=puppetdb
      reports=store,puppetdb
      dns_alt_names=puppetdev.example.org,puppetdev
      [main]
      strict_variables=true
      [agent]
      environment=development
      server=puppetdev.example.org
      root@puppetdev:~# hostname
      puppetdev
      root@puppetdev:~# hostname -f
      puppetdev.example.org
      root@puppetdev:~# puppetserver ca list --all
      Signed Certificates:
          puppetagent1.example.org       (SHA256)  7E:E6:DF:B0:83:B7:36:C2:F1:4E:D8:33:31:74:75:A4:EE:58:C9:0D:A2:78:AC:D9:D4:04:1D:8A:AA:00:9B:19
          puppetagent2.example.org       (SHA256)  09:EB:01:B7:41:5F:6B:18:DC:25:B5:13:6A:F7:4B:34:66:E0:81:49:6F:25:9B:EC:5F:1B:09:21:EE:1E:27:F0
          puppetdev.example.org          (SHA256)  E4:6D:7F:84:71:D8:74:15:ED:1E:F7:79:D8:A5:A4:93:B6:A2:5A:52:1C:B6:08:34:D4:88:32:C2:99:CD:87:20	alt names: ["DNS:puppetdev.example.org", "DNS:puppetdev", "DNS:puppetdev.example.org"]	authorization extensions: [pp_cli_auth: true]
      root@puppetdev:~# ls -1 /etc/puppetlabs/puppet/ssl/*/puppetdev*.pem
      /etc/puppetlabs/puppet/ssl/certs/puppetdev.example.org.pem
      /etc/puppetlabs/puppet/ssl/private_keys/puppetdev.example.org.pem
      /etc/puppetlabs/puppet/ssl/public_keys/puppetdev.example.org.pem
      root@puppetdev:~# puppet --version
      6.21.0
      root@puppetdev:~# wget https://apt.puppetlabs.com/puppet7-release-buster.deb
      root@puppetdev:~# apt install ./puppet7-release-buster.deb 
      root@puppetdev:~# apt update;apt full-upgraderoot@puppetdev:~# puppet --version
      7.4.0
      root@puppetdev:~# puppetserver ca list --all
      The cadir is currently configured to be inside the /etc/puppetlabs/puppet/ssl directory. This config setting and the directory location will not be used in a future version of puppet. Please run the puppetserver ca tool to migrate out from the puppet confdir to the /etc/puppetlabs/puppetserver/ca directory. Use `puppetserver ca migrate --help` for more info.
      Signed Certificates:
          puppetagent1.example.org       (SHA256)  7E:E6:DF:B0:83:B7:36:C2:F1:4E:D8:33:31:74:75:A4:EE:58:C9:0D:A2:78:AC:D9:D4:04:1D:8A:AA:00:9B:19
          puppetagent2.example.org       (SHA256)  09:EB:01:B7:41:5F:6B:18:DC:25:B5:13:6A:F7:4B:34:66:E0:81:49:6F:25:9B:EC:5F:1B:09:21:EE:1E:27:F0
          puppetdev                      (SHA256)  46:3C:3C:0D:CD:5A:36:81:38:97:17:E9:58:AF:74:B7:94:20:A4:F2:F3:8B:55:87:64:B0:12:28:3D:D1:C5:32	alt names: ["DNS:puppetdev.example.org", "DNS:puppetdev", "DNS:puppetdev"]	authorization extensions: [pp_cli_auth: true]
          puppetdev.example.org          (SHA256)  E4:6D:7F:84:71:D8:74:15:ED:1E:F7:79:D8:A5:A4:93:B6:A2:5A:52:1C:B6:08:34:D4:88:32:C2:99:CD:87:20	alt names: ["DNS:puppetdev.example.org", "DNS:puppetdev", "DNS:puppetdev.example.org"]	authorization extensions: [pp_cli_auth: true]
      root@puppetdev:~# ls -1 /etc/puppetlabs/puppet/ssl/*/puppetdev*.pem
      /etc/puppetlabs/puppet/ssl/certs/puppetdev.example.org.pem
      /etc/puppetlabs/puppet/ssl/certs/puppetdev.pem
      /etc/puppetlabs/puppet/ssl/private_keys/puppetdev.example.org.pem
      /etc/puppetlabs/puppet/ssl/private_keys/puppetdev.pem
      /etc/puppetlabs/puppet/ssl/public_keys/puppetdev.example.org.pem
      /etc/puppetlabs/puppet/ssl/public_keys/puppetdev.pem
      

       

      Desired Behavior:
      After the upgrade to Puppet 7, the command 'puppetserver ca list --all' output should be identical to the output before the upgrade.

      Actual Behavior:
      After the upgrade to Puppet 7, the command 'puppetserver ca list --all' output now shows a 4th node with certname 'puppetdev'.

      If you remove this certificate, it is recreated when Puppet Server starts :

      root@puppetdev:~# puppet node clean puppetdev
      Notice: Revoked certificate for puppetdev
      Notice: Cleaned files related to puppetdev
      puppetdev
      root@puppetdev:~# systemctl stop puppetserver.service 
      root@puppetdev:~# rm /etc/puppetlabs/puppet/ssl/*/puppetdev.pem
      root@puppetdev:~# systemctl start puppetserver.service 
      root@puppetdev:~# ls /etc/puppetlabs/puppet/ssl/*/puppetdev*.pem
      /etc/puppetlabs/puppet/ssl/certs/puppetdev.example.org.pem  /etc/puppetlabs/puppet/ssl/private_keys/puppetdev.example.org.pem  /etc/puppetlabs/puppet/ssl/public_keys/puppetdev.example.org.pem
      /etc/puppetlabs/puppet/ssl/certs/puppetdev.pem		    /etc/puppetlabs/puppet/ssl/private_keys/puppetdev.pem	       /etc/puppetlabs/puppet/ssl/public_keys/puppetdev.pem
      root@puppetdev:~# puppetserver ca list --all
      Signed Certificates:
          puppetagent1.example.org       (SHA256)  7E:E6:DF:B0:83:B7:36:C2:F1:4E:D8:33:31:74:75:A4:EE:58:C9:0D:A2:78:AC:D9:D4:04:1D:8A:AA:00:9B:19
          puppetagent2.example.org       (SHA256)  09:EB:01:B7:41:5F:6B:18:DC:25:B5:13:6A:F7:4B:34:66:E0:81:49:6F:25:9B:EC:5F:1B:09:21:EE:1E:27:F0
          puppetdev                      (SHA256)  27:67:97:4A:B1:B9:99:AF:14:2F:28:37:72:06:E8:B7:C5:E1:64:EF:0A:DE:F7:2D:21:83:5E:89:70:F6:42:B4	alt names: ["DNS:puppetdev.example.org", "DNS:puppetdev", "DNS:puppetdev"]	authorization extensions: [pp_cli_auth: true]
          puppetdev.example.org          (SHA256)  E4:6D:7F:84:71:D8:74:15:ED:1E:F7:79:D8:A5:A4:93:B6:A2:5A:52:1C:B6:08:34:D4:88:32:C2:99:CD:87:20	alt names: ["DNS:puppetdev.example.org", "DNS:puppetdev", "DNS:puppetdev.example.org"]	authorization extensions: [pp_cli_auth: true]
      root@puppetdev:~# ls -1 /etc/puppetlabs/puppet/ssl/*/puppetdev*.pem
      /etc/puppetlabs/puppet/ssl/certs/puppetdev.example.org.pem
      /etc/puppetlabs/puppet/ssl/certs/puppetdev.pem
      /etc/puppetlabs/puppet/ssl/private_keys/puppetdev.example.org.pem
      /etc/puppetlabs/puppet/ssl/private_keys/puppetdev.pem
      /etc/puppetlabs/puppet/ssl/public_keys/puppetdev.example.org.pem
      /etc/puppetlabs/puppet/ssl/public_keys/puppetdev.pem
      

      I never encountered this behavior with Puppet 6.

      I managed to reproduce this behavior reliably on test server when upgrading from Puppet 6 to Puppet 7.

       

        Attachments

          Activity

            People

            Assignee:
            oana.tanasoiu Oana Tanasoiu
            Reporter:
            FredL Frédéric Lespez
            Votes:
            0 Vote for this issue
            Watchers:
            8 Start watching this issue

              Dates

              Created:
              Updated:
              Resolved:

                Zendesk Support