PUP-11349: Puppet agent ssl_trust_store setting on Windows does not work


Details

    • Type: Bug
    • Status: Closed
    • Priority: Normal
    • Resolution: Done
    • Affects Version/s: PUP 6.21.0
    • Fix Version/s: None
    • Component/s: Windows
    • Monolithic
    • Windows 10 (x86, x64)
    • RHEL 7 (x86_64)
    • Multiple versions of Windows agent
    • Team: Night's Watch
    • Needs Assessment
    • Needs Assessment

    Description

      Puppet Version: Puppet agent 6.x and 7.x
      Puppet Server Version: Tested on PE and open source
      OS Name/Version: Windows Server 2019 and Windows 10

      Customer has a bunch of stuff staged in Artifactory. The Artifactory server is using SSL certificates from a local, private CA that is not trusted by the Puppet agent. On Linux we configure “puppet.conf” in the [agent] section with “ssl_trust_store = /etc/pki/…long-path…/ca-certs.pem” and all is well. I’m trying to configure Windows the same way and it fails the SSL verification.

      I confirmed the custom PEM file contains the trusted CA certificates and ran puppet agent, but it fails the SSL validation when trying to download an "archive" resource. I know the contents of my custom PEM file are good. If I append the custom .pem file to the default 'C:\Program Files\Puppet Labs\Puppet\puppet\ssl\cert.pem' I can run the agent without an SSL failure and all resources apply, but I'd prefer the puppet agent to use our custom trust file instead of modifying the bundled version, as we do with the Linux agents.

      Puppet version on this Windows agent was 7.12.0, but I also see this on 6.x agents.

      Desired Behavior: Windows puppet agent uses the SSL trust store file specified by "ssl_trust_store" in "puppet.conf"

      Actual Behavior: The Windows puppet agent ignores the "ssl_trust_store" entry and fails SSL validation to servers using certificates issued by a private CA.

      Example output from a Windows agent:

      PS C:\> puppet config print --section agent ssl_trust_store
      C:/ProgramData/PuppetLabs/puppet/etc/ssl/certs/ca-trust.pem

      PS C:\> puppet agent -t
      Info: Using environment 'production'
      …truncated…
      Info: Applying configuration version '1636583399'
      Error: Could not set 'present' on ensure: SSL_connect returned=1 errno=0 state=error: certificate verify failed (unable to get local issuer certificate) (file: /etc/puppetlabs/code/environments/production/modules/winstall/manifests/product.pp, line: 85)
      Error: Could not set 'present' on ensure: SSL_connect returned=1 errno=0 state=error: certificate verify failed (unable to get local issuer certificate) (file: /etc/puppetlabs/code/environments/production/modules/winstall/manifests/product.pp, line: 85)
      Wrapped exception:
      SSL_connect returned=1 errno=0 state=error: certificate verify failed (unable to get local issuer certificate)
      Error: /Stage[main]/Winstall/Winstall::Product[VMware Remote Console]/Archive[VMware Remote Console]/ensure: change from 'absent' to 'present' failed: Could not set 'present' on ensure: SSL_connect returned=1 errno=0 state=error: certificate verify failed (unable to get local issuer certificate) (file: /etc/puppetlabs/code/environments/production/modules/winstall/manifests/product.pp, line: 85) (corrective)
      ...subsequent resources are skipped due to the failure...
      Notice: Applied catalog in 5.94 seconds

          People

            Assignee: Unassigned
            Reporter: Chris Southall (chris.southall)