[PUP-10365] puppet agent unable to fetch file from https source - Error: certificate verify failed - Puppet Tickets

XML

Word

Printable

Details

Type: Bug
Status: Resolved
Priority: Normal
Resolution: Fixed
Affects Version/s: PUP 6.14.0
Fix Version/s: PUP 6.15.0
Component/s: None
Labels:
- doc_reviewed

Template:
PUP Bug Template customfield_10700 349360
Epic Link:
Agent HTTP
Team:
Coremunity
Sprint:
Platform Core KANBAN
Method Found:
Needs Assessment

Release Notes:
Bug Fix
Release Notes Summary:
Fixes a regression in 6.14.0 that prevented puppet agents from retrieving file content from "https" sources when the server's certificate was issued by a CA other than the puppet CA.

QA Risk Assessment:
Needs Assessment

Description

Puppet Version: 6.14.0
Puppet Server Version: 6.9.1
OS Name/Version: CentOS Linux release 7.7.1908 (Core) and CentOS Linux release 8.1.1911 (Core)

File resource with an source https source cannot be created and produces the following error:

Error: certificate verify failed [unable to get local issuer certificate for CN=DigiCert SHA2 High Assurance Server CA,OU=www.digicert.com,O=DigiCert Inc,C=US] Error: /Stage[main]/Main/File[tree.js]/ensure: change from 'absent' to 'file' failed: certificate verify failed [unable to get local issuer certificate for CN=DigiCert SHA2 High Assurance Server CA,OU=www.digicert.com,O=DigiCert Inc,C=US]

Command to reproduce:

puppet apply -e "file { 'puppet6.repo.rpm': ensure => 'present', source => 'https://yum.puppet.com/puppet6-release-el-8.noarch.rpm', path => '/tmp/puppet6.repo.rpm' }"

I am suspecting this is related to ~~PUP-10260~~ - Modifies puppet to use the new http client for all REST requests. It seems like the new agent's http client only has access to the puppetmaster CA, hence getting SSL certificate issues when source is not on the puppetmaster.

Related ticket: ~~PUP-7814~~ https://tickets.puppetlabs.com/browse/PUP-7814, where it is explained why https source for file would failed, but is missing why it worked in 6.13.0 but it no longers works in 6.14.0.

Desired Behavior:

File is downloaded without SSL error and created in path.

Actual Behavior:

Puppet agent produces the following error:

Error: certificate verify failed [unable to get local issuer certificate for CN=DigiCert SHA2 High Assurance Server CA,OU=www.digicert.com,O=DigiCert Inc,C=US]

Error: /Stage[main]/Main/File[tree.js]/ensure: change from 'absent' to 'file' failed: certificate verify failed [unable to get local issuer certificate for CN=DigiCert SHA2 High Assurance Server CA,OU=www.digicert.com,O=DigiCert Inc,C=US]

Attachments

Issue Links

is duplicated by

PUP-10377 Puppet-agent version 6.14.0 and file resource pulling from https source broken

Closed

PUP-10425 file {} fails to verify certificate when downloading via https

Closed

PA-3185 Puppet Agent : cannot add certificates for HTTPS in 6.14.0-1.el7

Closed

PUP-10383 File resource unable to download external https source

Closed

PUP-10384 puppet-agent file source fails with https

Closed

relates to

PUP-10260 Modify rest termini to call http client

Resolved

(1 relates to)

Activity

People

Assignee:: Josh Cooper

Reporter:: Félix-Antoine Fortin

Votes:: 1 Vote for this issue

Watchers:: 9 Start watching this issue

Dates

Created:: 2020/03/11 11:12 AM

Updated:: 2020/04/16 11:49 AM

Resolved:: 2020/03/19 10:47 AM