Puppet / PUP-4822

Regression PMT cannot connect to forge on OSX

    Details

    • Type: Bug
    • Status: Closed
    • Priority: Normal
    • Resolution: Fixed
    • Affects Version/s: PUP 4.0.0
    • Fix Version/s: PUP 4.2.2
    • Component/s: None
    • Story Points:
      3
    • Sprint:
      Client 2015-07-22, Client 2015-08-05, Client 2015-08-19
    • Release Notes:
      Bug Fix
    • Release Notes Summary:
      Fixes regression on OSX that prevented the puppet module tool from connecting to the forge, e.g. to download, search, publish modules.

      Note the actual fix was implemented in RE-5151, and the commit related to this ticket just re-enabled the PMT-related acceptance tests. From a user perspective, the regression has been fixed in 4.2.2.

      Description

      The PMT fails to connect:

      vfyfy4ou7ntrxfp:~ root# puppet module install puppetlabs-stdlib
      Notice: Preparing to install into /etc/puppetlabs/code/environments/production/modules ...
      Notice: Downloading from https://forgeapi.puppetlabs.com ...
      Error: Could not connect via HTTPS to https://forgeapi.puppetlabs.com
        Unable to verify the SSL certificate
          The certificate may not be signed by a valid CA
          The CA bundle included with OpenSSL may not be valid or up to date
      

      However, using the system openssl, it does successfully connect:

      vfyfy4ou7ntrxfp:~ root# openssl s_client -connect forgeapi.puppetlabs.com:443
      CONNECTED(00000003)
      depth=1 /C=US/O=GeoTrust Inc./CN=GeoTrust SSL CA - G2
      verify error:num=20:unable to get local issuer certificate
      verify return:0
      ---
      

      It seems OSX patches system openssl so it looks in the keystore, but that doesn't work for puppet-agent, because we compile openssl ourselves.

      The fix for PUP-3450 would fix this issue. Filing this as a separate issue because it affects OSX acceptance (which fails trying to connect to the test forge).

      Workaround

      Create a file /opt/puppetlabs/puppet/ssl/cert.pem with the GeoTrust Global CA certificate, making sure permissions are not writable by non-root, and PMT will work:

      cpwj90x3cw44guh:~ root# /opt/puppetlabs/bin/puppet module install puppetlabs-stdlib
      Notice: Preparing to install into /etc/puppetlabs/code/environments/production/modules ...
      Notice: Downloading from https://forgeapi.puppetlabs.com ...
      Notice: Installing -- do not interrupt ...
      /etc/puppetlabs/code/environments/production/modules
      └── puppetlabs-stdlib (v4.7.0) 
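
Added example (not part of the original ticket or Puppet's code): a Ruby audit of the trust-anchor file that a self-compiled OpenSSL reads, covering the workaround's requirement that the file not be writable by non-root. The names `default_trust_files` and `audit_ca_bundle` are hypothetical, and the parent-directory and validity-period checks are assumptions that go beyond what the ticket states.

```ruby
require "openssl"

# Files this Ruby's OpenSSL build consults for trust anchors. A self-compiled
# OpenSSL only sees its own OPENSSLDIR (or the SSL_CERT_FILE override), never
# the macOS keychain, which is why the system openssl behaved differently.
def default_trust_files
  [ENV[OpenSSL::X509::DEFAULT_CERT_FILE_ENV], OpenSSL::X509::DEFAULT_CERT_FILE]
    .compact.uniq
end

# Returns a list of problems with the CA bundle at +path+ (empty list = OK).
# +owner_uid+ is the uid expected to own the file and its directory (root = 0).
def audit_ca_bundle(path, owner_uid: 0)
  return ["#{path}: missing"] unless File.file?(path)
  problems = []
  # Whoever can write the file, or replace it inside its directory, decides
  # which servers this OpenSSL build will trust.
  [path, File.dirname(path)].each do |p|
    st = File.stat(p)
    problems << "#{p}: owned by uid #{st.uid}, expected #{owner_uid}" if st.uid != owner_uid
    if st.mode & 0o022 != 0
      problems << format("%s: group/other writable (mode %04o)", p, st.mode & 0o7777)
    end
  end
  # Parse every PEM block; binread avoids encoding errors on bundle comments.
  certs = File.binread(path)
              .scan(/-----BEGIN CERTIFICATE-----.+?-----END CERTIFICATE-----/m)
              .map { |pem| OpenSSL::X509::Certificate.new(pem) rescue nil }
              .compact
  problems << "#{path}: no parsable certificates" if certs.empty?
  now = Time.now
  certs.each do |c|
    next unless now < c.not_before || now > c.not_after
    problems << "#{path}: #{c.subject} is outside its validity period"
  end
  problems
end

if __FILE__ == $PROGRAM_NAME
  default_trust_files.each do |f|
    issues = audit_ca_bundle(f)
    puts issues.empty? ? "#{f}: ok" : issues
  end
end
```

Run it with the Ruby bundled in puppet-agent so that `OpenSSL::X509::DEFAULT_CERT_FILE` reflects the OpenSSL build Puppet actually uses.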
      

    People

    • Assignee: Unassigned
    • Reporter: Josh Cooper