PuppetDB: PDB-4446

puppet query: certificate verify failed

    Details

    • Type: Bug
    • Status: Open
    • Priority: Normal
    • Resolution: Unresolved
    • Affects Version/s: PDB 6.3.4
    • Fix Version/s: None
    • Component/s: PuppetDB
    • Labels:
      None
    • Environment:

      PuppetDB is on CentOS 7 using puppetdb-6.3.4-1.el7.noarch from the puppet6 repo.

      The CLI is on Fedora 30 using the puppetdb_cli-2.0.0.gem.  This same host has puppet-5.5.10-4.fc30.noarch from the regular Fedora repos.

    • Template:
    • Agent OS:
      Other
    • Master OS:
      CentOS 7
    • Method Found:
      Needs Assessment
    • QA Risk Assessment:
      Needs Assessment

      Description

      Following the installation/configuration instructions at https://puppet.com/docs/puppetdb/6.3/pdb_client_tools.html, I have been unable to perform a simple test query.  These fail like:

      ~~~
      $ sudo puppet query "nodes [ certname ]
      { limit 1 }
      "
      Traceback (most recent call last):
             20: from /usr/local/bin/puppet-query:23:in `<main>'
             19: from /usr/local/bin/puppet-query:23:in `load'
             18: from /usr/local/share/gems/gems/puppetdb_cli-2.0.0/exe/puppet-query:7:in `<top (required)>'
             17: from /usr/local/share/gems/gems/puppetdb_cli-2.0.0/lib/puppetdb_cli.rb:13:in `run'
             16: from /usr/local/share/gems/gems/cri-2.15.9/lib/cri/command.rb:314:in `run'
             15: from /usr/local/share/gems/gems/cri-2.15.9/lib/cri/command.rb:296:in `run'
             14: from /usr/local/share/gems/gems/cri-2.15.9/lib/cri/command.rb:360:in `run_this'
             13: from /usr/local/share/gems/gems/puppetdb_cli-2.0.0/lib/puppetdb_cli/query.rb:34:in `block (2 levels) in <module:PuppetDBCLI>'
             12: from /usr/local/share/gems/gems/puppetdb_cli-2.0.0/lib/puppetdb_cli/utils.rb:41:in `send_query'
             11: from /usr/local/share/gems/gems/pl-puppetdb-ruby-2.0.2/lib/puppetdb/client.rb:103:in `request'
             10: from /usr/local/share/gems/gems/pl-puppetdb-ruby-2.0.2/lib/puppetdb/client.rb:103:in `each'
              9: from /usr/local/share/gems/gems/pl-puppetdb-ruby-2.0.2/lib/puppetdb/client.rb:105:in `block in request'
              8: from /usr/local/share/gems/gems/httparty-0.17.0/lib/httparty.rb:507:in `get'
              7: from /usr/local/share/gems/gems/httparty-0.17.0/lib/httparty.rb:593:in `perform_request'
              6: from /usr/local/share/gems/gems/httparty-0.17.0/lib/httparty/request.rb:145:in `perform'
              5: from /usr/share/ruby/net/http.rb:1470:in `request'
              4: from /usr/share/ruby/net/http.rb:919:in `start'
              3: from /usr/share/ruby/net/http.rb:930:in `do_start'
              2: from /usr/share/ruby/net/http.rb:996:in `connect'
              1: from /usr/share/ruby/net/protocol.rb:44:in `ssl_socket_connect'
      /usr/share/ruby/net/protocol.rb:44:in `connect_nonblock': SSL_connect returned=1 errno=0 state=error: certificate verify failed (unspecified certificate verification error) (OpenSSL::SSL::SSLError)
      ~~~

      My CLI config (/etc/puppetlabs/client-tools/puppetdb.conf) is:

      ~~~
      {
        "puppetdb": {
          "server_urls": "https://puppetdb.doubledog.org:8081",
          "cacert": "/etc/puppet/ssl/certs/ca.pem",
          "cert": "/etc/puppet/ssl/certs/zuul.doubledog.org.pem",
          "key": "/etc/puppet/ssl/private_keys/zuul.doubledog.org.pem"
        }
      }
      ~~~

      This leaves me with little to debug the connection with.  I did an md5sum on the client /etc/puppet/ssl/certs/ca.pem and confirmed it matches both /etc/puppetlabs/puppetdb/ssl/ca.pem and /etc/puppetlabs/puppet/ssl/certs/ca.pem on the Master/DB host.  What now?  Could this be the CRL checking problem that agents have with the new(ish) intermediate CA cert?  FWIW, this client requires certificate_revocation = leaf to work around that issue.

      (My apologies for the markup, I can't make it work.)

            People

            • Assignee:
              Unassigned
            • Reporter:
              jflorian John Florian