PuppetDB / PDB-4487

PuppetDB Terminus with Masterless Fails on SSL Errors

    Details

    • Type: Bug
    • Status: Closed
    • Priority: Blocker
    • Resolution: Fixed
    • Affects Version/s: PDB 6.5.0
    • Fix Version/s: PDB 6.6.0
    • Component/s: PuppetDB
    • Labels:
      None
    • Agent OS:
      CentOS 7
    • Release Notes:
      Bug Fix
    • Release Notes Summary:
      A change in the puppetdb-termini package for 6.5.0 broke SSL connections that did not use Puppet's CA. This adds an option "verify_client_connection" that will by default only allow SSL connections authenticated by the Puppet CA, but when set to false allows the use of other SSL configurations.
    • QA Risk Assessment:
      Needs Assessment

      Description

      We are running Puppet masterless, connecting to a standalone PuppetDB cluster (6.5.0) with a shared PostgreSQL backend. SSL termination is handled by the load balancer, which is using a managed SSL certificate (from Google, signed by LetsEncrypt).

      routes.yaml: 

      ---
      apply:
        catalog:
          terminus: compiler
          cache: puppetdb
        resource:
          terminus: ral
          cache: puppetdb
        facts:
          terminus: facter
          cache: puppetdb_apply

      puppetdb.conf:

      [main]
      server_urls = https://puppetdb.[redacted]:443
      soft_write_failure = true

      puppet.conf:

      [main]
      storeconfigs = false
      report = true
      reports = puppetdb

      We have upgraded a test node to Puppet 6.8.0 and also upgraded the PuppetDB Termini to 6.5.0:

      $ yum list puppet-agent puppetdb-termini
      Installed Packages
      puppet-agent.x86_64 6.8.0-1.el7 @puppet6
      puppetdb-termini.noarch 6.5.0-1.el7 @puppet

      We now have issues where the PuppetDB terminus is complaining about a lack of TLS-related files (CRL, CA, certificate, key) which would normally exist on a mastered Puppet installation, but don't on ours as they're not used.

      So far, I have added:

      localcacert = /etc/pki/tls/certs/ca-bundle.crt
      certificate_revocation = false

      To try and work around and stub out the SSL, but I am now left with the following for each interaction with PuppetDB (facts, catalog, report):

      Error: Failed to initialize SSL: The private key is missing from '/etc/puppetlabs/puppet/ssl/private_keys/[fqdn].pem'
      Error: Run `puppet agent -t`
      Error: The private key is missing from '/etc/puppetlabs/puppet/ssl/private_keys/[fqdn].pem'

      I have tried rolling a temporary/throwaway local CA with no success.

      The Puppet run itself succeeds, but nothing is sent at all to PuppetDB.
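A puppetdb.conf for the masterless, load-balancer-terminated setup described in this ticket, as an added example rather than anything posted by the reporter or taken from PuppetDB's own documentation. It combines the reporter's server_urls and soft_write_failure settings with the verify_client_connection option as the release note on this ticket names it; the option only exists from puppetdb-termini 6.6.0, so check the option name against the documentation for the installed termini version before relying on it. The hostname is a placeholder, and the localcacert / certificate_revocation puppet.conf settings the reporter added as a workaround are left out, since the ticket does not say whether they are still needed once the option is set.

```ini
# /etc/puppetlabs/puppet/puppetdb.conf
# Added example for a masterless node talking to PuppetDB through a
# load balancer that terminates TLS with a public-CA certificate.
# The hostname below is a placeholder, not the reporter's.

[main]
# Endpoint(s) for the PuppetDB terminus; TLS is terminated by the
# load balancer with a certificate that is not issued by the Puppet CA.
server_urls = https://puppetdb.example.com:443

# Do not fail the whole Puppet run when a write to PuppetDB fails
# (the reporter already uses this; it does not by itself make the
# TLS problem go away, it only keeps the run from erroring out).
soft_write_failure = true

# Option added in puppetdb-termini 6.6.0 according to this ticket's
# release note (name taken from the release note; verify against the
# docs for your termini version).
#   true  (default): only accept SSL connections authenticated by the
#                    Puppet CA, which requires the agent cert/key that
#                    a masterless node does not have.
#   false          : allow SSL connections to a server whose certificate
#                    comes from another CA, as in the setup above.
verify_client_connection = false
```

Leaving the option at its default keeps the 6.5.0 behaviour described in the ticket (the terminus insists on the Puppet-CA files under /etc/puppetlabs/puppet/ssl and fails with "The private key is missing"); setting it to false is the deliberate, per-node opt-out for a server certificate that the Puppet CA did not issue, so it belongs only on nodes that genuinely talk to a non-Puppet-CA endpoint.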
       


    People

    • Assignee: Austin Blatt (austin.blatt)
    • Reporter: Craig Watson (CraigWatson1987)
    • Votes: 0
    • Watchers: 4
