  1. Puppet
  2. PUP-10365

puppet agent unable to fetch file from https source - Error: certificate verify failed


    Details

    • Type: Bug
    • Status: Resolved
    • Priority: Normal
    • Resolution: Fixed
    • Affects Version/s: PUP 6.14.0
    • Fix Version/s: PUP 6.15.0
    • Component/s: None
    • Labels:
    • Template:
      PUP Bug Template
    • Epic Link:
    • Team:
      Coremunity
    • Sprint:
      Platform Core KANBAN
    • Method Found:
      Needs Assessment
    • Release Notes:
      Bug Fix
    • Release Notes Summary:
      Fixes a regression in 6.14.0 that prevented puppet agents from retrieving file content from "https" sources when the server's certificate was issued by a CA other than the puppet CA.
    • QA Risk Assessment:
      Needs Assessment

      Description

      Puppet Version: 6.14.0
      Puppet Server Version:  6.9.1
      OS Name/Version: CentOS Linux release 7.7.1908 (Core) and CentOS Linux release 8.1.1911 (Core)

      A File resource with an https source cannot be created and produces the following error:

      Error: certificate verify failed [unable to get local issuer certificate for CN=DigiCert SHA2 High Assurance Server CA,OU=www.digicert.com,O=DigiCert Inc,C=US]
      Error: /Stage[main]/Main/File[tree.js]/ensure: change from 'absent' to 'file' failed: certificate verify failed [unable to get local issuer certificate for CN=DigiCert SHA2 High Assurance Server CA,OU=www.digicert.com,O=DigiCert Inc,C=US]

      Command to reproduce:

      puppet apply -e "file { 'puppet6.repo.rpm': ensure => 'present', source => 'https://yum.puppet.com/puppet6-release-el-8.noarch.rpm', path => '/tmp/puppet6.repo.rpm' }"

      I suspect this is related to PUP-10260 (Modifies puppet to use the new http client for all REST requests). It seems like the agent's new http client only has access to the puppetmaster CA, hence the SSL certificate issues when the source is not on the puppetmaster.

      Related ticket: PUP-7814 https://tickets.puppetlabs.com/browse/PUP-7814, which explains why an https source for a file would fail, but not why it worked in 6.13.0 and no longer works in 6.14.0.

      Desired Behavior:

      File is downloaded without SSL error and created in path.

      Actual Behavior:

      Puppet agent produces the following error:

      Error: certificate verify failed [unable to get local issuer certificate for CN=DigiCert SHA2 High Assurance Server CA,OU=www.digicert.com,O=DigiCert Inc,C=US]
      Error: /Stage[main]/Main/File[tree.js]/ensure: change from 'absent' to 'file' failed: certificate verify failed [unable to get local issuer certificate for CN=DigiCert SHA2 High Assurance Server CA,OU=www.digicert.com,O=DigiCert Inc,C=US]
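
The failure mode the reporter suspects, reproduced offline as an added example (not Puppet's code and not part of the ticket): a server certificate issued by a public CA fails verification against a trust store that holds only the Puppet CA, and verifies once the issuing CA is trusted. Both CAs, the host name `files.example.test` and the helper names are constructed for the illustration.

```ruby
require 'openssl'

# Constructed throwaway PKI: none of this is a real Puppet or DigiCert certificate.
def issue_cert(subject, key, issuer_cert = nil, issuer_key = nil, ca: false)
  cert = OpenSSL::X509::Certificate.new
  cert.version = 2                                   # X.509 v3
  cert.serial = rand(1..2**31)
  cert.subject = OpenSSL::X509::Name.parse(subject)
  cert.issuer = issuer_cert ? issuer_cert.subject : cert.subject
  cert.public_key = key
  cert.not_before = Time.now - 60
  cert.not_after = Time.now + 3600
  ef = OpenSSL::X509::ExtensionFactory.new
  cert.add_extension(ef.create_extension('basicConstraints', ca ? 'CA:TRUE' : 'CA:FALSE', true))
  cert.sign(issuer_key || key, OpenSSL::Digest.new('SHA256'))
end

# Verify server_cert against a store that trusts only trusted_cas.
# Returns [verified?, OpenSSL verification message].
def verify_against(trusted_cas, server_cert)
  store = OpenSSL::X509::Store.new
  trusted_cas.each { |ca| store.add_cert(ca) }
  [store.verify(server_cert), store.error_string]
end

def trust_store_demo
  puppet_key, public_key, server_key = Array.new(3) { OpenSSL::PKey::RSA.new(2048) }
  puppet_ca = issue_cert('/CN=Constructed Puppet CA', puppet_key, ca: true)
  public_ca = issue_cert('/CN=Constructed Public CA', public_key, ca: true)
  # Server certificate for an external https source, issued by the public CA.
  server = issue_cert('/CN=files.example.test', server_key, public_ca, public_key)
  {
    puppet_ca_only: verify_against([puppet_ca], server),           # the reported failure
    with_public_ca: verify_against([puppet_ca, public_ca], server) # issuer is trusted
  }
end

trust_store_demo.each { |name, (ok, msg)| puts "#{name}: verified=#{ok} (#{msg})" }
```

A real client would load the operating system's CA bundle with `OpenSSL::X509::Store#set_default_paths` rather than adding a single CA by hand.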

       


              People

              Assignee:
              josh Josh Cooper
              Reporter:
              cmdntrf Félix-Antoine Fortin
              Votes:
              1
              Watchers:
              9
