PUP-10365 (project: Puppet)

puppet agent unable to fetch file from https source - Error: certificate verify failed


Details

    • Bug
    • Status: Resolved
    • Normal
    • Resolution: Fixed
    • PUP 6.14.0
    • PUP 6.15.0
    • None
    • Coremunity
    • Platform Core KANBAN
    • Needs Assessment
    • Bug Fix
    • Fixes a regression in 6.14.0 that prevented puppet agents from retrieving file content from "https" sources when the server's certificate was issued by a CA other than the puppet CA.
    • Needs Assessment

    Description

      Puppet Version: 6.14.0
      Puppet Server Version:  6.9.1
      OS Name/Version: CentOS Linux release 7.7.1908 (Core) and CentOS Linux release 8.1.1911 (Core)

      A file resource with an https source cannot be created and produces the following error:

       

      Error: certificate verify failed [unable to get local issuer certificate for CN=DigiCert SHA2 High Assurance Server CA,OU=www.digicert.com,O=DigiCert Inc,C=US]
      Error: /Stage[main]/Main/File[tree.js]/ensure: change from 'absent' to 'file' failed: certificate verify failed [unable to get local issuer certificate for CN=DigiCert SHA2 High Assurance Server CA,OU=www.digicert.com,O=DigiCert Inc,C=US]
      

       

      Command to reproduce:

       

      puppet apply -e "file { 'puppet6.repo.rpm': ensure => 'present', source => 'https://yum.puppet.com/puppet6-release-el-8.noarch.rpm', path => '/tmp/puppet6.repo.rpm' }"
      

       

      I suspect this is related to PUP-10260 - Modifies puppet to use the new http client for all REST requests. It seems like the new agent's http client only has access to the puppetmaster CA, hence the SSL certificate issues when the source is not on the puppetmaster.

      Related ticket: PUP-7814 https://tickets.puppetlabs.com/browse/PUP-7814, where it is explained why an https source for a file would fail, but which does not explain why it worked in 6.13.0 and no longer works in 6.14.0.

      Desired Behavior:

      File is downloaded without SSL error and created in path.

      Actual Behavior:

      Puppet agent produces the following error:

      Error: certificate verify failed [unable to get local issuer certificate for CN=DigiCert SHA2 High Assurance Server CA,OU=www.digicert.com,O=DigiCert Inc,C=US]
      Error: /Stage[main]/Main/File[tree.js]/ensure: change from 'absent' to 'file' failed: certificate verify failed [unable to get local issuer certificate for CN=DigiCert SHA2 High Assurance Server CA,OU=www.digicert.com,O=DigiCert Inc,C=US]
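
The failure mode the report suspects, a verifier whose trust store holds only the puppet CA, can be reproduced offline with Ruby's OpenSSL bindings. This is an added example, not code from the ticket or from Puppet. All certificates, names (`Constructed Puppet CA`, `files.example.test`) and helper functions are constructed here, and the second store is an assumption about what a working trust configuration must contain, not a description of the actual fix.

```ruby
require 'openssl'

# Build a constructed test certificate. With no issuer it is self-signed (a root).
def make_cert(cn, serial, ca: false, issuer: nil, issuer_key: nil)
  key  = OpenSSL::PKey::RSA.new(2048)
  cert = OpenSSL::X509::Certificate.new
  cert.version    = 2
  cert.serial     = serial
  cert.subject    = OpenSSL::X509::Name.parse("/CN=#{cn}")
  cert.issuer     = issuer ? issuer.subject : cert.subject
  cert.public_key = key.public_key
  cert.not_before = Time.now - 60
  cert.not_after  = Time.now + 3600
  ef = OpenSSL::X509::ExtensionFactory.new
  cert.add_extension(ef.create_extension('basicConstraints', ca ? 'CA:TRUE' : 'CA:FALSE', true))
  cert.sign(issuer_key || key, OpenSSL::Digest.new('SHA256'))
  [cert, key]
end

# Verify the server certificate, plus the intermediates the server sent,
# against a store holding only the given trust anchors.
def verify(leaf, sent_chain, anchors)
  store = OpenSSL::X509::Store.new
  anchors.each { |ca| store.add_cert(ca) }
  ok = store.verify(leaf, sent_chain)
  [ok, store.error, store.error_string]
end

# Constructed PKI: a private "puppet" CA and an unrelated public hierarchy.
PUPPET_CA, _pkey  = make_cert('Constructed Puppet CA', 1, ca: true)
PUBLIC_ROOT, rkey = make_cert('Constructed Public Root CA', 2, ca: true)
PUBLIC_INT, ikey  = make_cert('Constructed Public Intermediate CA', 3, ca: true,
                              issuer: PUBLIC_ROOT, issuer_key: rkey)
SERVER, _skey     = make_cert('files.example.test', 4,
                              issuer: PUBLIC_INT, issuer_key: ikey)

# Store scoped to the puppet CA only, the situation the report suspects.
def puppet_ca_only
  verify(SERVER, [PUBLIC_INT], [PUPPET_CA])
end

# Assumption: a store that also trusts the external root.
def with_external_root
  verify(SERVER, [PUBLIC_INT], [PUPPET_CA, PUBLIC_ROOT])
end

p puppet_ca_only
p with_external_root
```

With only the puppet CA trusted, the chain stops at the intermediate because its issuer is not in the store, which is the same verification error the agent reported for the DigiCert intermediate.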

       

            People

              josh Josh Cooper
              cmdntrf Félix-Antoine Fortin