Details
Bug
Status: Closed
Normal
Resolution: Duplicate
puppet-agent 6.14.0
Description
Puppet Version: agent 6.14.0-1-el7
Puppet Server Version: pupperware 3.7
OS Name/Version: centos7
This is somewhat like https://tickets.puppetlabs.com/browse/PUP-8889
I have the letsencrypt certificate bundles and things set up in /etc/pki/ca-trust/source/anchors/ and a symlink in the puppet certs place, and have done a c_rehash:
ls -la /opt/puppetlabs/puppet/ssl/certs
total 0
drwxr-xr-x. 2 root root 62 Apr 15 15:04 .
drwxr-xr-x. 5 root root 178 Apr 15 14:38 ..
lrwxrwxrwx 1 root root 30 Apr 15 15:04 4f06f81d.0 -> letsencryptauthorityx3.pem.txt
lrwxrwxrwx 1 root root 63 Apr 15 10:34 letsencryptauthorityx3.pem.txt -> /etc/pki/ca-trust/source/anchors/letsencryptauthorityx3.pem.txt
I am using a letsencrypt certificate on our internal downloads server, from which I am pulling a file. With agent 6.14 I get a certificate failure. With 6.12 I don't get a cert error. I have tried many different things to try and find out why, even running the agent with full debug from strace!!
Desired Behavior:
this should work:
file { '/usr/local/bin/vault_linux_amd64':
  ensure   => file,
  source   => 'https://intranet.example.com/download/vault_linux_amd64',
  checksum => mtime,
  mode     => '0755',
  owner    => root,
  group    => root,
}
Actual Behavior:
But what actually happens is you get this cert error:
Error: certificate verify failed [unable to get local issuer certificate for CN=intranet.example.com]
Error: /Stage[main]/blahblah::Install/File['/usr/local/bin/vault_linux_amd64']/ensure: change from 'absent' to 'file' failed: certificate verify failed [unable to get local issuer certificate for CN=intranet.example.com] (corrective)
When I downgraded our puppet agents from 6.14.0-1.el7 to 6.12.0-1.el7.x86_64 then it worked again
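
For triaging the error quoted in this report, the following added example (not from the ticket or from Puppet) reproduces OpenSSL's "unable to get local issuer certificate" with the openssl CLI on a throwaway root, intermediate and leaf chain, using hashed symlinks like the 4f06f81d.0 entry listed above. All keys, certificates, CA names and directory names are constructed, and it does not establish the cause of this ticket.

```shell
#!/bin/sh
# Added example: every key, certificate and name here is constructed.
set -eu
cd "$(mktemp -d)"
cat > pki.cnf <<'EOF'
[req]
distinguished_name = dn
[dn]
[ca]
basicConstraints = critical,CA:TRUE
[leaf]
subjectAltName = DNS:intranet.example.com
EOF

issue() {  # issue NAME CN EXT_SECTION [ISSUER]; self-signed when ISSUER is omitted
  openssl req -new -newkey rsa:2048 -nodes -config pki.cnf -subj "/CN=$2" \
    -keyout "$1.key" -out "$1.csr" 2>/dev/null
  if [ -n "${4:-}" ]; then signer="-CA $4.pem -CAkey $4.key -set_serial 1"
  else signer="-signkey $1.key"; fi
  # $signer is left unquoted on purpose so it splits into separate arguments
  openssl x509 -req -in "$1.csr" $signer -days 2 \
    -extfile pki.cnf -extensions "$3" -out "$1.pem" 2>/dev/null
}

trust() {  # trust DIR CERT...: create c_rehash-style <subject-hash>.0 symlinks
  dir=$1; shift; mkdir -p "$dir"
  for c in "$@"; do
    ln -sf "$PWD/$c" "$dir/$(openssl x509 -noout -hash -in "$c").0"
  done
}

verify_leaf() {  # verify_leaf TRUST_DIR [openssl verify args]; prints the outcome
  dir=$1; shift
  out=$(openssl verify -CApath "$dir" "$@" leaf.pem 2>&1 || true)
  case "$out" in
    *"unable to get local issuer certificate"*) echo "unable to get local issuer certificate" ;;
    *": OK"*) echo "OK" ;;
    *) echo "other: $out" ;;
  esac
}

issue root  "Constructed Root CA"         ca
issue inter "Constructed Intermediate CA" ca   root
issue leaf  "intranet.example.com"        leaf inter
trust trust_root root.pem
trust trust_both root.pem inter.pem

echo "root trusted, server sends leaf only : $(verify_leaf trust_root)"
echo "root trusted, server sends the chain : $(verify_leaf trust_root -untrusted inter.pem)"
echo "root + intermediate in hashed dir    : $(verify_leaf trust_both)"
```

The first case fails because the leaf's issuer is neither in the trust directory nor supplied alongside the leaf; the other two verify.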