Details
Description
We are running Puppet masterless, connecting to a standalone PuppetDB cluster (6.5.0) with a shared PostgreSQL backend. SSL termination is handled by the load balancer, which is using a managed SSL certificate (from Google, signed by LetsEncrypt).
routes.yaml:

    ---
    apply:
      catalog:
        terminus: compiler
        cache: puppetdb
      resource:
        terminus: ral
        cache: puppetdb
      facts:
        terminus: facter
        cache: puppetdb_apply

puppetdb.conf:

    [main]
    server_urls = https://puppetdb.[redacted]:443
    soft_write_failure = true

puppet.conf:

    [main]
    storeconfigs = false
    report = true
    reports = puppetdb

We have upgraded a test node to Puppet 6.8.0 and also upgraded the PuppetDB Termini to 6.5.0:
    $ yum list puppet-agent puppetdb-termini
    Installed Packages
    puppet-agent.x86_64      6.8.0-1.el7    @puppet6
    puppetdb-termini.noarch  6.5.0-1.el7    @puppet

We now have issues where the PuppetDB terminus is complaining about a lack of TLS-related files (CRL, CA, certificate, key) which would normally exist on a mastered Puppet installation, but don't on ours as they're not used.
So far, I have added:

    localcacert = /etc/pki/tls/certs/ca-bundle.crt
    certificate_revocation = false

to try to work around and stub out the SSL, but I am now left with the following for each interaction with PuppetDB (facts, catalog, report):

    Error: Failed to initialize SSL: The private key is missing from '/etc/puppetlabs/puppet/ssl/private_keys/[fqdn].pem'
    Error: Run `puppet agent -t`
    Error: The private key is missing from '/etc/puppetlabs/puppet/ssl/private_keys/[fqdn].pem'

I have tried rolling a temporary/throwaway local CA with no success.
The Puppet run itself succeeds, but nothing is sent at all to PuppetDB.
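As an added diagnostic (not part of this ticket), the check below lists which of the TLS files the terminus asks for are actually present under Puppet's default ssldir layout, so a masterless node can see before a run that `localcacert` and `certificate_revocation = false` only cover two of the four. The ssldir path, the certname and the default file locations are assumptions based on Puppet's standard settings.

```shell
#!/bin/sh
# Added diagnostic (not from the ticket). Puppet's default layout, assumed here:
#   hostprivkey  = $ssldir/private_keys/$certname.pem
#   hostcert     = $ssldir/certs/$certname.pem
#   localcacert  = $ssldir/certs/ca.pem   (overridden by localcacert = ...)
#   hostcrl      = $ssldir/crl.pem        (skipped when certificate_revocation = false)
# Usage: check_puppet_tls_files SSLDIR CERTNAME [LOCALCACERT] [CRL_ENABLED]
# Prints one "missing: <path>" line per absent file and returns the count,
# so a zero return means the terminus will find everything it wants.
check_puppet_tls_files() {
  ssldir=$1
  certname=$2
  cacert=${3:-"$ssldir/certs/ca.pem"}
  crl_enabled=${4:-true}
  missing=0
  for f in "$ssldir/private_keys/$certname.pem" \
           "$ssldir/certs/$certname.pem" \
           "$cacert"; do
    if [ ! -r "$f" ]; then
      echo "missing: $f"
      missing=$((missing + 1))
    fi
  done
  # The CRL is only consulted when revocation checking is left enabled.
  if [ "$crl_enabled" = true ] && [ ! -r "$ssldir/crl.pem" ]; then
    echo "missing: $ssldir/crl.pem"
    missing=$((missing + 1))
  fi
  return "$missing"
}

# Stand-alone use: check_puppet_tls_files /etc/puppetlabs/puppet/ssl "$(hostname -f)"
if [ "$#" -ge 2 ]; then
  check_puppet_tls_files "$@"
fi
```

With the workaround from this ticket applied, pass the ca-bundle path as the third argument and `false` as the fourth; the remaining lines are exactly the files the "private key is missing" error refers to.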
Issue Links:
  is duplicated by PDB-4508: puppetdb-termini for puppet standalone try to connect to master (Closed)