  1. Puppet Agent
  2. PA-3185

Puppet Agent : cannot add certificates for HTTPS in 6.14.0-1.el7



    • Bug
    • Status: Closed
    • Normal
    • Resolution: Duplicate
    • puppet-agent 6.14.0
    • None
    • Security
    • None
    • Needs Assessment
    • Needs Assessment


      Puppet Version: agent 6.14.0-1-el7
      Puppet Server Version: pupperware 3.7
      OS Name/Version: centos7

      This is somewhat like https://tickets.puppetlabs.com/browse/PUP-8889

      I have the letsencrypt certificate bundles and things set up in /etc/pki/ca-trust/source/anchors/, and a symlink in the puppet certs place, and have done a c_rehash:

      # ls -la /opt/puppetlabs/puppet/ssl/certs
      total 0
      drwxr-xr-x. 2 root root 62 Apr 15 15:04 .
      drwxr-xr-x. 5 root root 178 Apr 15 14:38 ..
      lrwxrwxrwx 1 root root 30 Apr 15 15:04 4f06f81d.0 -> letsencryptauthorityx3.pem.txt
      lrwxrwxrwx 1 root root 63 Apr 15 10:34 letsencryptauthorityx3.pem.txt -> /etc/pki/ca-trust/source/anchors/letsencryptauthorityx3.pem.txt


      I am using a letsencrypt certificate on our internal downloads server, from which I am pulling a file. With agent 6.14 I get a certificate failure. With 6.12 I don't get a cert error. I have tried many different things to try and find out why, even running the agent with full debug from strace!!

      Desired Behavior:

      This should work:

      file { '/usr/local/bin/vault_linux_amd64':
        ensure   => file,
        source   => 'https://intranet.example.com/download/vault_linux_amd64',
        checksum => mtime,
        mode     => '0755',
        owner    => root,
        group    => root,
      }


      Actual Behavior:

      But what actually happens is you get this cert error:

      Error: certificate verify failed [unable to get local issuer certificate for CN=intranet.example.com]
      Error: /Stage[main]/blahblah::Install/File['/usr/local/bin/vault_linux_amd64']/ensure: change from 'absent' to 'file' failed: certificate verify failed [unable to get local issuer certificate for CN=intranet.example.com] (corrective)


      When I downgraded our puppet agents from 6.14.0-1.el7 to 6.12.0-1.el7.x86_64 then it worked again.






              Unassigned Unassigned
              speculatrix Paul Mansfield
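
One way to check a hashed certificate directory laid out like the listing in the ticket, as an added example (not from the reporter or the Puppet project): it builds a throwaway CA and leaf certificate, links them the same way, then uses openssl to confirm each hash link resolves and is named after its certificate's subject hash. All paths, names and certificates are constructed, and the check covers only the directory, not which trust store the agent itself reads.

```shell
#!/bin/sh
# Added example. Every path, name and certificate here is constructed.

# make_fixture DIR: throwaway CA + leaf, linked the way the listing shows:
# certs/<hash>.0 -> certs/ca.pem.txt -> anchors/ca.pem.txt
make_fixture() {
    d=$1
    mkdir -p "$d/anchors" "$d/certs"
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
        -subj "/CN=Constructed Test CA" \
        -keyout "$d/ca.key" -out "$d/anchors/ca.pem.txt" 2>/dev/null
    openssl req -newkey rsa:2048 -nodes -subj "/CN=intranet.example.com" \
        -keyout "$d/leaf.key" -out "$d/leaf.csr" 2>/dev/null
    openssl x509 -req -in "$d/leaf.csr" -days 1 -CAcreateserial \
        -CA "$d/anchors/ca.pem.txt" -CAkey "$d/ca.key" \
        -out "$d/leaf.pem" 2>/dev/null
    ln -s "$d/anchors/ca.pem.txt" "$d/certs/ca.pem.txt"
    h=$(openssl x509 -noout -subject_hash -in "$d/certs/ca.pem.txt")
    ln -s ca.pem.txt "$d/certs/$h.0"
}

# check_hash_links DIR: report hash links that dangle or whose name is not
# the subject hash of the certificate they resolve to. Returns the count.
check_hash_links() {
    dir=$1; bad=0
    for link in "$dir"/[0-9a-f][0-9a-f][0-9a-f][0-9a-f][0-9a-f][0-9a-f][0-9a-f][0-9a-f].[0-9]*; do
        [ -L "$link" ] || continue
        name=${link##*/}
        if [ ! -e "$link" ]; then
            echo "DANGLING $name"; bad=$((bad + 1)); continue
        fi
        want=$(openssl x509 -noout -subject_hash -in "$link" 2>/dev/null) || want=
        if [ "${name%%.*}" != "$want" ]; then
            echo "MISMATCH $name (subject hash: ${want:-unreadable})"
            bad=$((bad + 1))
        fi
    done
    return "$bad"
}

# verify_with_capath DIR CERT: true only if CERT's issuer is found via DIR.
verify_with_capath() {
    openssl verify -CApath "$1" "$2" 2>&1 | grep -q ': OK$'
}

# Demo run on a temporary directory.
tmp=$(mktemp -d)
make_fixture "$tmp"
check_hash_links "$tmp/certs" && echo "hash links consistent"
verify_with_capath "$tmp/certs" "$tmp/leaf.pem" && echo "leaf verifies"
rm -rf "$tmp"
```

When the hash link is missing, `openssl verify` reports the same "unable to get local issuer certificate" condition quoted in the ticket.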