Uploaded image for project: 'Puppet Server'
  1. Puppet Server
  2. SERVER-1233

Puppet Server fails with CA 'partial state' error if agent has run and generated SSL keys prior to first server start

    Details

    • Type: Bug
    • Status: Closed
    • Priority: Normal
    • Resolution: Cannot Reproduce
    • Affects Version/s: SERVER 2.3.0
    • Fix Version/s: None
    • Component/s: Puppet Server
    • Labels:
    • Environment:

      Ubuntu-14.04 with 3GB ram.

    • Template:
    • Sub-team:
    • Story Points:
      2

      Description

      An upgrade to 2.3.0 does NOT have a problem.

      A fresh install does:
      wget https://apt.puppetlabs.com/puppetlabs-release-pc1-trusty.deb
      dpkg -i puppetlabs-release-pc1-trusty.deb
      apt-get update
      apt-get install puppetserver

      Similar on client, except apt-get install puppet-agent.

      First sign of a problem is the puppetserver won't start. You can override this with a server=<FQDN> and it will start.

      The output of puppet status should mention version 4.4.0 on the client and 2.3.0 on the server. 4.3.2 and 2.2.0 does not exhibit this issue.

      So there's some possibilities:

      • this is intentional, so the post-install script in the package should create the cert, or at least a mention in the installation documentation.
      • this is a regression, and the puppetserver startup should create a cert if missing.

      To fix:
      puppet master --no-daemonize --verbose, then wait for "Notice: Starting Puppet master" then hit control c.

      What happens otherwise if new clients can send CSRs, the server can sign said CSRs, but then when a client connects:
      Error: Could not request certificate: SSL_connect returned=1 errno=0 state=error: certificate verify failed: [unable to get local issuer certificate for /CN=puppet.foo.com]

      Note this happens only on new installs, not upgrades.

      My 4.3.2 agent/2.2.0 server setup "just worked", apt-get install on both ends, server would start and I was in business. 2.3.0 server the daemon dies, if I get it to start clients can submit CSRs, but never connect afterwards.

      I had someone on #puppet replicate this, and actually the fix is from them.

        Attachments

          Issue Links

            Activity

              jsd-sla-details-panel

                People

                • Assignee:
                  Unassigned
                  Reporter:
                  bill@broadley.org Bill Broadley
                • Votes:
                  1 Vote for this issue
                  Watchers:
                  9 Start watching this issue

                  Dates

                  • Created:
                    Updated:
                    Resolved: