Details
Bug
Status: Closed
Normal
Resolution: Done
PUP 6.21.0
None
Monolithic
Windows 10 (x86, x64)
RHEL 7 (x86_64)
Multiple versions of Windows agent
Night's Watch
Needs Assessment
Needs Assessment
Description
Puppet Version: Puppet agent 6.x and 7.x
Puppet Server Version: Tested on PE and open source
OS Name/Version: Windows Server 2019 and Windows 10
Customer has a bunch of stuff staged in Artifactory. The Artifactory server is using SSL certificates from a local, private CA that is not trusted by the Puppet agent. On Linux we configure “puppet.conf” in the [agent] section with “ssl_trust_store = /etc/pki/…long-path…/ca-certs.pem” and all is well. I’m trying to configure Windows the same way and it fails the SSL verification.
I confirmed the custom PEM file contains the trusted CA certificates and ran puppet agent, but it fails the SSL validation when trying to download an "archive" resource. I know the contents of my custom PEM file are good. If I append the custom .pem file to the default 'C:\Program Files\Puppet Labs\Puppet\puppet\ssl\cert.pem' I can run the agent without an SSL failure and all resources apply, but I’d prefer the puppet agent to use our custom trust file instead of modifying the bundled version, as we do with the Linux agents.
Puppet version on this Windows agent was 7.12.0, but I also see this on 6.x agents.
Desired Behavior: Windows puppet agent uses the SSL trust store file specified by "ssl_trust_store" in "puppet.conf"
Actual Behavior: The Windows puppet agent ignores the "ssl_trust_store" entry and fails SSL validation to servers using certificates issued by a private CA.
Example output from a Windows agent:
PS C:\> puppet config print --section agent ssl_trust_store
C:/ProgramData/PuppetLabs/puppet/etc/ssl/certs/ca-trust.pem
PS C:\> puppet agent -t
Info: Using environment 'production'
…truncated…
Info: Applying configuration version '1636583399'
Error: Could not set 'present' on ensure: SSL_connect returned=1 errno=0 state=error: certificate verify failed (unable to get local issuer certificate) (file: /etc/puppetlabs/code/environments/production/modules/winstall/manifests/product.pp, line: 85)
Error: Could not set 'present' on ensure: SSL_connect returned=1 errno=0 state=error: certificate verify failed (unable to get local issuer certificate) (file: /etc/puppetlabs/code/environments/production/modules/winstall/manifests/product.pp, line: 85)
Wrapped exception:
SSL_connect returned=1 errno=0 state=error: certificate verify failed (unable to get local issuer certificate)
Error: /Stage[main]/Winstall/Winstall::Product[VMware Remote Console]/Archive[VMware Remote Console]/ensure: change from 'absent' to 'present' failed: Could not set 'present' on ensure: SSL_connect returned=1 errno=0 state=error: certificate verify failed (unable to get local issuer certificate) (file: /etc/puppetlabs/code/environments/production/modules/winstall/manifests/product.pp, line: 85) (corrective)
...subsequent resources are skipped due to the failure...
Notice: Applied catalog in 5.94 seconds
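
The verification failure in the output above can be reproduced outside the agent with Ruby's OpenSSL bindings, which helps separate "the PEM file is wrong" from "the PEM file is not being loaded". This is an added example, not part of the original ticket and not Puppet's own code; the CA names, the host name and the helper functions are constructed for illustration.

```ruby
require 'openssl'
require 'tempfile'

# Build a constructed X.509 certificate; with no issuer it is self-signed (a root CA).
def make_cert(cn, key, issuer: nil, issuer_key: nil, ca: false)
  cert = OpenSSL::X509::Certificate.new
  cert.version = 2 # X.509 v3
  cert.serial = rand(1..2**32)
  cert.subject = OpenSSL::X509::Name.parse("/CN=#{cn}")
  cert.issuer = issuer ? issuer.subject : cert.subject
  cert.public_key = key.public_key
  cert.not_before = Time.now - 60
  cert.not_after = Time.now + 3600
  ext = OpenSSL::X509::ExtensionFactory.new
  cert.add_extension(ext.create_extension('basicConstraints', ca ? 'CA:TRUE' : 'CA:FALSE', true))
  cert.sign(issuer_key || key, OpenSSL::Digest.new('SHA256'))
  cert
end

# Write certificates to a PEM bundle on disk, like a trust-store file.
def write_bundle(certs)
  file = Tempfile.new(['bundle', '.pem'])
  file.write(certs.map(&:to_pem).join)
  file.close
  file
end

# Verify the leaf against ONLY the CAs in the bundle (no system defaults loaded).
def verify_with_bundle(leaf, pem_path)
  store = OpenSSL::X509::Store.new
  store.add_file(pem_path)
  ok = store.verify(leaf)
  [ok, store.error, store.error_string]
end

def demo
  ca_key, other_key, leaf_key = Array.new(3) { OpenSSL::PKey::RSA.new(2048) }
  private_ca = make_cert('Constructed Private CA', ca_key, ca: true)
  bundled_ca = make_cert('Constructed Bundled CA', other_key, ca: true)
  leaf = make_cert('artifactory.example.test', leaf_key, issuer: private_ca, issuer_key: ca_key)
  bundles = {
    bundled_only: write_bundle([bundled_ca]),                    # stand-in for the shipped cert.pem
    custom_only: write_bundle([private_ca]),                     # stand-in for the ssl_trust_store file
    bundled_plus_custom: write_bundle([bundled_ca, private_ca])  # the append workaround
  }
  bundles.transform_values { |file| verify_with_bundle(leaf, file.path) }
end

demo.each { |name, (ok, code, msg)| puts "#{name}: ok=#{ok} error=#{code} (#{msg})" } if __FILE__ == $PROGRAM_NAME
```

To check real files, parse the server certificate with `OpenSSL::X509::Certificate.new(File.read(path))` and pass it with the trust-store path to `verify_with_bundle`.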