Details
- Bug
- Status: Closed
- Major
- Resolution: Duplicate
- PUP 6.14.0
- Linux, Ubuntu 18.04 LTS
- Monolithic
- Other
- Needs Assessment
Description
Puppet Version: See above
Puppet Server Version: 6.9.0
OS Name/Version: Ubuntu 18.04 LTS (not listed in drop down above, neither for agent, nor for master)
After updating Puppet agent to 6.14.0 we see a failure in certificate validation when using a file resource with a https:// URL, which didn't happen before. The resource in question looks like this (simplified):

    file { 'cache_node_jar':
      path   => "/tmp/build-cache-node-8.1.jar",
      source => "https://docs.gradle.com/build-cache-node/jar/build-cache-node-8.1.jar",
      ensure => present,
    }

which produced the following error:

    certificate verify failed [unable to get local issuer certificate for CN=CloudFlare Inc ECC CA-2,O=CloudFlare\, Inc.,L=San Francisco,ST=CA,C=US]

Since we have a Nexus server running in our environment (which also has a valid certificate, issued by Comodo), I set up a cache repository there and changed the URL, so that the resource now looks like this:

    file { 'cache_node_jar':
      path   => "/tmp/build-cache-node-8.1.jar",
      source => "https://nexus.ourdomain.com/repository/gradle-cache/build-cache-node-8.1.jar",
      ensure => present,
    }

but this only led to a small change in the error message:

    certificate verify failed [self signed certificate in certificate chain for CN=AddTrust External CA Root,OU=AddTrust External TTP Network,O=AddTrust AB,C=SE]

but, as mentioned, the certificate is not self-signed. Downgrading the agent back to 6.13.0 resolved the problem.
Desired Behavior:
Certificate should be correctly validated as in 6.13.0.
Actual Behavior:
See above.
Please also consider this a feature request to add an option to file resources to skip certificate validation. Most other tools I know have such an option.
Issue Links
- duplicates: PUP-10365 puppet agent unable to fetch file from https source - Error: certificate verify failed (Resolved)
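
The two error strings quoted in the description are OpenSSL verify errors 20 ("unable to get local issuer certificate") and 19 ("self signed certificate in certificate chain"). The script below is an added example, not part of the ticket or of Puppet: it reproduces both offline with a throwaway chain and shows that each one means the chain's root is missing from the trust store being consulted. All certificate and file names are constructed, and it assumes the `openssl` command-line tool is installed.

```shell
#!/bin/sh
# Added example: constructed throwaway PKI (root -> int -> leaf).
# All names are made up; "other" is an unrelated CA standing in for a
# trust store that does not contain the chain's root.
set -e
D=$(mktemp -d); trap 'rm -rf "$D"' EXIT
cat > "$D/cfg" <<'EOF'
[req]
distinguished_name = dn
x509_extensions = ca
[dn]
CN = unused
[ca]
basicConstraints = critical,CA:TRUE
EOF

selfsigned() {  # $1 = name of a self-signed CA
  openssl req -x509 -new -newkey rsa:2048 -nodes -config "$D/cfg" -days 2 \
    -subj "/CN=$1" -keyout "$D/$1.key" -out "$D/$1.pem" 2>/dev/null
}
issue() {       # $1 = subject name, $2 = issuer name, rest = extra x509 options
  n=$1 ca=$2; shift 2
  openssl req -new -newkey rsa:2048 -nodes -config "$D/cfg" \
    -subj "/CN=$n" -keyout "$D/$n.key" -out "$D/$n.csr" 2>/dev/null
  openssl x509 -req -in "$D/$n.csr" -CA "$D/$ca.pem" -CAkey "$D/$ca.key" \
    -CAcreateserial -days 2 -out "$D/$n.pem" "$@" 2>/dev/null
}
selfsigned root; selfsigned other
issue int root -extfile "$D/cfg" -extensions ca
issue leaf int
cat "$D/int.pem" "$D/root.pem" > "$D/int_root.pem"

# $1 = trust store, $2 = certificates the server sends besides the leaf.
# Prints OK, or the first OpenSSL verify error code and its chain depth.
verify_result() {
  out=$(openssl verify -CAfile "$1" -untrusted "$2" "$D/leaf.pem" 2>&1) || true
  case "$out" in
    *"leaf.pem: OK"*) echo OK ;;
    *) printf '%s\n' "$out" | grep -o 'error [0-9][0-9]* at [0-9][0-9]* depth' | head -n 1 ;;
  esac
}

echo "root missing, server sends intermediate:      $(verify_result "$D/other.pem" "$D/int.pem")"
echo "root missing, server sends intermediate+root: $(verify_result "$D/other.pem" "$D/int_root.pem")"
echo "root present in trust store:                  $(verify_result "$D/root.pem" "$D/int.pem")"
```

In the error 19 case the "self signed" certificate is the root that the server included in its chain, not the server's own certificate, which matches the AddTrust External CA Root subject named in the second message.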