Details
- Bug
- Status: Resolved
- Normal
- Resolution: Fixed
- PUP 6.14.0
- None
- Coremunity
- Platform Core KANBAN
- Needs Assessment
- Bug Fix
- Fixes a regression in 6.14.0 that prevented puppet agents from retrieving file content from "https" sources when the server's certificate was issued by a CA other than the puppet CA.
- Needs Assessment
Description
Puppet Version: 6.14.0
Puppet Server Version: 6.9.1
OS Name/Version: CentOS Linux release 7.7.1908 (Core) and CentOS Linux release 8.1.1911 (Core)
A file resource with an https source cannot be created and produces the following error:
Error: certificate verify failed [unable to get local issuer certificate for CN=DigiCert SHA2 High Assurance Server CA,OU=www.digicert.com,O=DigiCert Inc,C=US]
Error: /Stage[main]/Main/File[tree.js]/ensure: change from 'absent' to 'file' failed: certificate verify failed [unable to get local issuer certificate for CN=DigiCert SHA2 High Assurance Server CA,OU=www.digicert.com,O=DigiCert Inc,C=US]
Command to reproduce:
puppet apply -e "file { 'puppet6.repo.rpm': ensure => 'present', source => 'https://yum.puppet.com/puppet6-release-el-8.noarch.rpm', path => '/tmp/puppet6.repo.rpm' }"
I suspect this is related to PUP-10260 - Modifies puppet to use the new http client for all REST requests. It seems like the new agent's http client only has access to the puppetmaster CA, hence the SSL certificate issues when the source is not on the puppetmaster.
Related ticket: PUP-7814 https://tickets.puppetlabs.com/browse/PUP-7814, where it is explained why an https source for a file would fail, but it does not explain why it worked in 6.13.0 and no longer works in 6.14.0.
Desired Behavior:
File is downloaded without SSL error and created in path.
Actual Behavior:
Puppet agent produces the following error:
Error: certificate verify failed [unable to get local issuer certificate for CN=DigiCert SHA2 High Assurance Server CA,OU=www.digicert.com,O=DigiCert Inc,C=US]
Error: /Stage[main]/Main/File[tree.js]/ensure: change from 'absent' to 'file' failed: certificate verify failed [unable to get local issuer certificate for CN=DigiCert SHA2 High Assurance Server CA,OU=www.digicert.com,O=DigiCert Inc,C=US]
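The failure mode reported above, reproduced offline as an added example (not part of the original ticket and not Puppet's own code): a server chain issued by a public CA is verified once against a trust store holding only a private CA, and once with the public root added. All CA names and certificates are constructed for the demo, and the trust store is modelled as an explicit list of anchors.

```ruby
require 'openssl'

# Issue a certificate for cn; self-signed when no issuer is given (constructed test data).
def issue(cn, issuer = nil, ca: false)
  key  = OpenSSL::PKey::RSA.new(2048)
  cert = OpenSSL::X509::Certificate.new
  cert.version    = 2 # X.509 v3, needed for extensions
  cert.serial     = rand(1..2**31)
  cert.subject    = OpenSSL::X509::Name.parse("/CN=#{cn}")
  cert.issuer     = issuer ? issuer[:cert].subject : cert.subject
  cert.public_key = key.public_key
  cert.not_before = Time.now - 60
  cert.not_after  = Time.now + 3600
  ef = OpenSSL::X509::ExtensionFactory.new
  cert.add_extension(ef.create_extension('basicConstraints', ca ? 'CA:TRUE' : 'CA:FALSE', true))
  cert.sign(issuer ? issuer[:key] : key, OpenSSL::Digest.new('SHA256'))
  { cert: cert, key: key }
end

# Verify a leaf plus the intermediates the server sent against explicit trust anchors.
def verify_chain(leaf, sent_intermediates, trust_anchors)
  store = OpenSSL::X509::Store.new
  trust_anchors.each { |c| store.add_cert(c) }
  ctx = OpenSSL::X509::StoreContext.new(store, leaf, sent_intermediates)
  ok  = ctx.verify
  { ok: ok, code: ctx.error, error: ctx.error_string,
    failing: ok ? nil : ctx.current_cert.subject.to_s }
end

# Hypothetical names: a private "Puppet CA" and an unrelated public CA hierarchy.
def demo
  puppet_ca    = issue('Example Puppet CA', ca: true)
  public_root  = issue('Example Public Root CA', ca: true)
  intermediate = issue('Example Public Intermediate CA', public_root, ca: true)
  server       = issue('files.example.test', intermediate)
  sent = [intermediate[:cert]]
  {
    # Trust store scoped to the private CA only: the public chain has no anchor.
    puppet_ca_only: verify_chain(server[:cert], sent, [puppet_ca[:cert]]),
    # Same chain once the public root is also trusted.
    with_public_root: verify_chain(server[:cert], sent, [puppet_ca[:cert], public_root[:cert]])
  }
end

demo.each { |name, result| puts "#{name}: #{result}" } if __FILE__ == $PROGRAM_NAME
```

In the first case OpenSSL reports the error against the intermediate, the last certificate in the chain whose issuer it could not find locally, which is why the ticket's message names the issuing CA rather than the server certificate.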
Issue Links
- is duplicated by
  - PUP-10377 Puppet-agent version 6.14.0 and file resource pulling from https source broken (Closed)
  - PUP-10425 file {} fails to verify certificate when downloading via https (Closed)
  - PA-3185 Puppet Agent : cannot add certificates for HTTPS in 6.14.0-1.el7 (Closed)
  - PUP-10383 File resource unable to download external https source (Closed)
  - PUP-10384 puppet-agent file source fails with https (Closed)
- relates to
  - PUP-10260 Modify rest termini to call http client (Resolved)