Uploaded image for project: 'Puppet Server'
  1. Puppet Server
  2. SERVER-2354

`puppetserver ca` has wrong default value for server setting

    Details

    • Type: Bug
    • Status: Closed
    • Priority: Normal
    • Resolution: Fixed
    • Affects Version/s: None
    • Fix Version/s: SERVER 6.1.0
    • Component/s: None
    • Labels:
      None
    • Template:
      PUP Bug Template
    • Team:
      Server
    • Method Found:
      Needs Assessment
    • Release Notes:
      Bug Fix
    • Release Notes Summary:
      Hide
      Previously the `puppetserver ca` tool would default to $certname for connecting to the server (as this is the most common workflow). However the agent defaults to connecting to "puppet" as its server and some environments configured to have the CA reachable by the name puppet, rather than the certname experienced connectivity issues with the tool. This was especially troublesome in our pupperware docker environment.

      The `puppetserver ca` tool now has the same default for $server as the agent, "puppet". It also will honor the settings within the agent section of the puppet.conf to help ease the transition for users who have only set custom $server values in the agent section (in testing this bug fix we realized that most workflows involved setting the $server value in the agent section to $certname, which breaks with this fix without the additional step of also reading the agent section).
      Show
      Previously the `puppetserver ca` tool would default to $certname for connecting to the server (as this is the most common workflow). However the agent defaults to connecting to "puppet" as its server and some environments configured to have the CA reachable by the name puppet, rather than the certname experienced connectivity issues with the tool. This was especially troublesome in our pupperware docker environment. The `puppetserver ca` tool now has the same default for $server as the agent, "puppet". It also will honor the settings within the agent section of the puppet.conf to help ease the transition for users who have only set custom $server values in the agent section (in testing this bug fix we realized that most workflows involved setting the $server value in the agent section to $certname, which breaks with this fix without the additional step of also reading the agent section).
    • QA Risk Assessment:
      Needs Assessment

      Description

      Current:

      The puppetserver-ca gem will resolve $ca_server -> $server -> $certname when attempting to connect, however puppet proper resolves it like $ca_server -> $server -> "puppet". This works in our PE and the server team's dev environments where we explicitly manage the $server setting, but will not necessarily work in other production or development environments.


      Original and Updates:

      Puppet Version: 6.0.2
      Puppet Server Version: 6.0.1
      OS Name/Version: centos 7

      When a puppetserver's fqdn is set to 'puppet', running `puppet agent` on that host succeeds but running `puppetserver ca` on that host fails with an authorization issue. However, if you run `puppet config set server puppet`, `puppetserver ca` succeeds.

      If the puppetserver's fqdn is set to any other hostname without domain (ie, 'puppetize'), running both `puppet agent` and `puppetserver ca` fail with certificate verify failed.

      examples:
      hostname = puppet

      [root@q7i6xv8dbok5p3f ~]# hostnamectl set-hostname puppet
      [root@q7i6xv8dbok5p3f ~]# vim /etc/hosts
      [root@q7i6xv8dbok5p3f ~]# hostname -f
      puppet
      [root@q7i6xv8dbok5p3f ~]# grep puppet /etc/hosts
      10.16.115.103 puppet
      [root@q7i6xv8dbok5p3f ~]# service puppetserver start
      Redirecting to /bin/systemctl start  puppetserver.service
      [root@q7i6xv8dbok5p3f ~]# puppet agent -t
      Info: Using configured environment 'production'
      Info: Retrieving pluginfacts
      Info: Retrieving plugin
      Info: Retrieving locales
      Info: Caching catalog for puppet.delivery.puppetlabs.net
      Info: Applying configuration version '1539196342'
      Notice: Applied catalog in 0.01 seconds
      [root@q7i6xv8dbok5p3f ~]# puppetserver ca list
      Traceback (most recent call last):
              12: from /opt/puppetlabs/server/apps/puppetserver/cli/apps/ca:5:in `<main>'
              11: from /opt/puppetlabs/puppet/lib/ruby/vendor_gems/gems/puppetserver-ca-1.1.1/lib/puppetserver/ca/cli.rb:89:in `run'
              10: from /opt/puppetlabs/puppet/lib/ruby/vendor_gems/gems/puppetserver-ca-1.1.1/lib/puppetserver/ca/action/list.rb:60:in `run'
               9: from /opt/puppetlabs/puppet/lib/ruby/vendor_gems/gems/puppetserver-ca-1.1.1/lib/puppetserver/ca/action/list.rb:117:in `get_all_certs'
               8: from /opt/puppetlabs/puppet/lib/ruby/vendor_gems/gems/puppetserver-ca-1.1.1/lib/puppetserver/ca/certificate_authority.rb:215:in `get_certificate_statuses'
               7: from /opt/puppetlabs/puppet/lib/ruby/vendor_gems/gems/puppetserver-ca-1.1.1/lib/puppetserver/ca/certificate_authority.rb:253:in `get'
               6: from /opt/puppetlabs/puppet/lib/ruby/vendor_gems/gems/puppetserver-ca-1.1.1/lib/puppetserver/ca/utils/http_client.rb:41:in `with_connection'
               5: from /opt/puppetlabs/puppet/lib/ruby/2.5.0/net/http.rb:609:in `start'
               4: from /opt/puppetlabs/puppet/lib/ruby/2.5.0/net/http.rb:909:in `start'
               3: from /opt/puppetlabs/puppet/lib/ruby/2.5.0/net/http.rb:920:in `do_start'
               2: from /opt/puppetlabs/puppet/lib/ruby/2.5.0/net/http.rb:981:in `connect'
               1: from /opt/puppetlabs/puppet/lib/ruby/2.5.0/net/protocol.rb:44:in `ssl_socket_connect'
      /opt/puppetlabs/puppet/lib/ruby/2.5.0/net/protocol.rb:44:in `connect_nonblock': SSL_connect returned=1 errno=0 state=error: certificate verify failed (unable to get local issuer certificate) (OpenSSL::SSL::SSLError)
      [root@q7i6xv8dbok5p3f ~]# puppet config set server puppet
      [root@q7i6xv8dbok5p3f ~]# puppet agent -t
      Info: Using configured environment 'production'
      Info: Retrieving pluginfacts
      Info: Retrieving plugin
      Info: Retrieving locales
      Info: Caching catalog for puppet.delivery.puppetlabs.net
      Info: Applying configuration version '1539196364'
      Notice: Applied catalog in 0.01 seconds
      [root@q7i6xv8dbok5p3f ~]# puppetserver ca list --all
      Signed Certificates:
          puppet.delivery.puppetlabs.net   (SHA256)  ED:3F:AE:F8:6C:3D:C1:07:8A:EE:99:84:3F:90:E6:D2:3A:44:1B:25:44:9E:37:91:66:D6:DB:1E:C4:E5:0C:14  alt names: ["DNS:puppet", "DNS:puppet.delivery.puppetlabs.net"]
      

      hostname = puppetize

      [root@q7i6xv8dbok5p3f ~]# hostnamectl set-hostname puppetize
      [root@q7i6xv8dbok5p3f ~]# vim /etc/hosts
      [root@q7i6xv8dbok5p3f ~]# service puppetserver start
      Redirecting to /bin/systemctl start  puppetserver.service
      [root@q7i6xv8dbok5p3f ~]# hostname -f
      puppetize
      [root@q7i6xv8dbok5p3f ~]# puppet config set server puppetize
      [root@q7i6xv8dbok5p3f ~]# puppet agent -t
      Warning: Unable to fetch my node definition, but the agent run will continue:
      Warning: SSL_connect returned=1 errno=0 state=error: certificate verify failed (certificate rejected): [ok for /CN=puppetize.delivery.puppetlabs.net]
      Info: Retrieving pluginfacts
      Error: /File[/opt/puppetlabs/puppet/cache/facts.d]: Failed to generate additional resources using 'eval_generate': SSL_connect returned=1 errno=0 state=error: certificate verify failed (certificate rejected): [ok for /CN=puppetize.delivery.puppetlabs.net]
      Error: /File[/opt/puppetlabs/puppet/cache/facts.d]: Could not evaluate: Could not retrieve file metadata for puppet:///pluginfacts: SSL_connect returned=1 errno=0 state=error: certificate verify failed (certificate rejected): [ok for /CN=puppetize.delivery.puppetlabs.net]
      Info: Retrieving plugin
      Error: /File[/opt/puppetlabs/puppet/cache/lib]: Failed to generate additional resources using 'eval_generate': SSL_connect returned=1 errno=0 state=error: certificate verify failed (certificate rejected): [ok for /CN=puppetize.delivery.puppetlabs.net]
      Error: /File[/opt/puppetlabs/puppet/cache/lib]: Could not evaluate: Could not retrieve file metadata for puppet:///plugins: SSL_connect returned=1 errno=0 state=error: certificate verify failed (certificate rejected): [ok for /CN=puppetize.delivery.puppetlabs.net]
      Error: Could not retrieve catalog from remote server: SSL_connect returned=1 errno=0 state=error: certificate verify failed (certificate rejected): [ok for /CN=puppetize.delivery.puppetlabs.net]
      Warning: Not using cache on failed catalog
      Error: Could not retrieve catalog; skipping run
      Error: Could not send report: SSL_connect returned=1 errno=0 state=error: certificate verify failed (certificate rejected): [ok for /CN=puppetize.delivery.puppetlabs.net]
      [root@q7i6xv8dbok5p3f ~]# puppetserver ca list
      Traceback (most recent call last):
              12: from /opt/puppetlabs/server/apps/puppetserver/cli/apps/ca:5:in `<main>'
              11: from /opt/puppetlabs/puppet/lib/ruby/vendor_gems/gems/puppetserver-ca-1.1.1/lib/puppetserver/ca/cli.rb:89:in `run'
              10: from /opt/puppetlabs/puppet/lib/ruby/vendor_gems/gems/puppetserver-ca-1.1.1/lib/puppetserver/ca/action/list.rb:60:in `run'
               9: from /opt/puppetlabs/puppet/lib/ruby/vendor_gems/gems/puppetserver-ca-1.1.1/lib/puppetserver/ca/action/list.rb:117:in `get_all_certs'
               8: from /opt/puppetlabs/puppet/lib/ruby/vendor_gems/gems/puppetserver-ca-1.1.1/lib/puppetserver/ca/certificate_authority.rb:215:in `get_certificate_statuses'
               7: from /opt/puppetlabs/puppet/lib/ruby/vendor_gems/gems/puppetserver-ca-1.1.1/lib/puppetserver/ca/certificate_authority.rb:253:in `get'
               6: from /opt/puppetlabs/puppet/lib/ruby/vendor_gems/gems/puppetserver-ca-1.1.1/lib/puppetserver/ca/utils/http_client.rb:41:in `with_connection'
               5: from /opt/puppetlabs/puppet/lib/ruby/2.5.0/net/http.rb:609:in `start'
               4: from /opt/puppetlabs/puppet/lib/ruby/2.5.0/net/http.rb:909:in `start'
               3: from /opt/puppetlabs/puppet/lib/ruby/2.5.0/net/http.rb:920:in `do_start'
               2: from /opt/puppetlabs/puppet/lib/ruby/2.5.0/net/http.rb:981:in `connect'
               1: from /opt/puppetlabs/puppet/lib/ruby/2.5.0/net/protocol.rb:44:in `ssl_socket_connect'
      /opt/puppetlabs/puppet/lib/ruby/2.5.0/net/protocol.rb:44:in `connect_nonblock': SSL_connect returned=1 errno=0 state=error: certificate verify failed (unspecified certificate verification error) (OpenSSL::SSL::SSLError)
      

        Attachments

          Issue Links

            Activity

              jsd-sla-details-panel

                People

                • Assignee:
                  justin Justin Stoller
                  Reporter:
                  morgan Morgan Rhodes
                • Votes:
                  1 Vote for this issue
                  Watchers:
                  5 Start watching this issue

                  Dates

                  • Created:
                    Updated:
                    Resolved: