Details
- Bug
- Status: Closed
- Normal
- Resolution: Fixed
- Froyo
- Needs Assessment
- Bug Fix
Description
Current:
The puppetserver-ca gem will resolve $ca_server -> $server -> $certname when attempting to connect, however puppet proper resolves it like $ca_server -> $server -> "puppet". This works in our PE and the server team's dev environments where we explicitly manage the $server setting, but will not necessarily work in other production or development environments.
Original and Updates:
Puppet Version: 6.0.2
Puppet Server Version: 6.0.1
OS Name/Version: centos 7
When a puppetserver's fqdn is set to 'puppet', running `puppet agent` on that host succeeds but running `puppetserver ca` on that host fails with an authorization issue. However, if you run `puppet config set server puppet`, `puppetserver ca` succeeds.
If the puppetserver's fqdn is set to any other hostname without a domain (i.e., 'puppetize'), both `puppet agent` and `puppetserver ca` fail with certificate verify failed.
examples:
hostname = puppet
[root@q7i6xv8dbok5p3f ~]# hostnamectl set-hostname puppet
[root@q7i6xv8dbok5p3f ~]# vim /etc/hosts
[root@q7i6xv8dbok5p3f ~]# hostname -f
puppet
[root@q7i6xv8dbok5p3f ~]# grep puppet /etc/hosts
10.16.115.103 puppet
[root@q7i6xv8dbok5p3f ~]# service puppetserver start
Redirecting to /bin/systemctl start puppetserver.service
[root@q7i6xv8dbok5p3f ~]# puppet agent -t
Info: Using configured environment 'production'
Info: Retrieving pluginfacts
Info: Retrieving plugin
Info: Retrieving locales
Info: Caching catalog for puppet.delivery.puppetlabs.net
Info: Applying configuration version '1539196342'
Notice: Applied catalog in 0.01 seconds
[root@q7i6xv8dbok5p3f ~]# puppetserver ca list
Traceback (most recent call last):
    12: from /opt/puppetlabs/server/apps/puppetserver/cli/apps/ca:5:in `<main>'
    11: from /opt/puppetlabs/puppet/lib/ruby/vendor_gems/gems/puppetserver-ca-1.1.1/lib/puppetserver/ca/cli.rb:89:in `run'
    10: from /opt/puppetlabs/puppet/lib/ruby/vendor_gems/gems/puppetserver-ca-1.1.1/lib/puppetserver/ca/action/list.rb:60:in `run'
     9: from /opt/puppetlabs/puppet/lib/ruby/vendor_gems/gems/puppetserver-ca-1.1.1/lib/puppetserver/ca/action/list.rb:117:in `get_all_certs'
     8: from /opt/puppetlabs/puppet/lib/ruby/vendor_gems/gems/puppetserver-ca-1.1.1/lib/puppetserver/ca/certificate_authority.rb:215:in `get_certificate_statuses'
     7: from /opt/puppetlabs/puppet/lib/ruby/vendor_gems/gems/puppetserver-ca-1.1.1/lib/puppetserver/ca/certificate_authority.rb:253:in `get'
     6: from /opt/puppetlabs/puppet/lib/ruby/vendor_gems/gems/puppetserver-ca-1.1.1/lib/puppetserver/ca/utils/http_client.rb:41:in `with_connection'
     5: from /opt/puppetlabs/puppet/lib/ruby/2.5.0/net/http.rb:609:in `start'
     4: from /opt/puppetlabs/puppet/lib/ruby/2.5.0/net/http.rb:909:in `start'
     3: from /opt/puppetlabs/puppet/lib/ruby/2.5.0/net/http.rb:920:in `do_start'
     2: from /opt/puppetlabs/puppet/lib/ruby/2.5.0/net/http.rb:981:in `connect'
     1: from /opt/puppetlabs/puppet/lib/ruby/2.5.0/net/protocol.rb:44:in `ssl_socket_connect'
/opt/puppetlabs/puppet/lib/ruby/2.5.0/net/protocol.rb:44:in `connect_nonblock': SSL_connect returned=1 errno=0 state=error: certificate verify failed (unable to get local issuer certificate) (OpenSSL::SSL::SSLError)
[root@q7i6xv8dbok5p3f ~]# puppet config set server puppet
[root@q7i6xv8dbok5p3f ~]# puppet agent -t
Info: Using configured environment 'production'
Info: Retrieving pluginfacts
Info: Retrieving plugin
Info: Retrieving locales
Info: Caching catalog for puppet.delivery.puppetlabs.net
Info: Applying configuration version '1539196364'
Notice: Applied catalog in 0.01 seconds
[root@q7i6xv8dbok5p3f ~]# puppetserver ca list --all
Signed Certificates:
puppet.delivery.puppetlabs.net (SHA256) ED:3F:AE:F8:6C:3D:C1:07:8A:EE:99:84:3F:90:E6:D2:3A:44:1B:25:44:9E:37:91:66:D6:DB:1E:C4:E5:0C:14 alt names: ["DNS:puppet", "DNS:puppet.delivery.puppetlabs.net"]
hostname = puppetize
[root@q7i6xv8dbok5p3f ~]# hostnamectl set-hostname puppetize
[root@q7i6xv8dbok5p3f ~]# vim /etc/hosts
[root@q7i6xv8dbok5p3f ~]# service puppetserver start
Redirecting to /bin/systemctl start puppetserver.service
[root@q7i6xv8dbok5p3f ~]# hostname -f
puppetize
[root@q7i6xv8dbok5p3f ~]# puppet config set server puppetize
[root@q7i6xv8dbok5p3f ~]# puppet agent -t
Warning: Unable to fetch my node definition, but the agent run will continue:
Warning: SSL_connect returned=1 errno=0 state=error: certificate verify failed (certificate rejected): [ok for /CN=puppetize.delivery.puppetlabs.net]
Info: Retrieving pluginfacts
Error: /File[/opt/puppetlabs/puppet/cache/facts.d]: Failed to generate additional resources using 'eval_generate': SSL_connect returned=1 errno=0 state=error: certificate verify failed (certificate rejected): [ok for /CN=puppetize.delivery.puppetlabs.net]
Error: /File[/opt/puppetlabs/puppet/cache/facts.d]: Could not evaluate: Could not retrieve file metadata for puppet:///pluginfacts: SSL_connect returned=1 errno=0 state=error: certificate verify failed (certificate rejected): [ok for /CN=puppetize.delivery.puppetlabs.net]
Info: Retrieving plugin
Error: /File[/opt/puppetlabs/puppet/cache/lib]: Failed to generate additional resources using 'eval_generate': SSL_connect returned=1 errno=0 state=error: certificate verify failed (certificate rejected): [ok for /CN=puppetize.delivery.puppetlabs.net]
Error: /File[/opt/puppetlabs/puppet/cache/lib]: Could not evaluate: Could not retrieve file metadata for puppet:///plugins: SSL_connect returned=1 errno=0 state=error: certificate verify failed (certificate rejected): [ok for /CN=puppetize.delivery.puppetlabs.net]
Error: Could not retrieve catalog from remote server: SSL_connect returned=1 errno=0 state=error: certificate verify failed (certificate rejected): [ok for /CN=puppetize.delivery.puppetlabs.net]
Warning: Not using cache on failed catalog
Error: Could not retrieve catalog; skipping run
Error: Could not send report: SSL_connect returned=1 errno=0 state=error: certificate verify failed (certificate rejected): [ok for /CN=puppetize.delivery.puppetlabs.net]
[root@q7i6xv8dbok5p3f ~]# puppetserver ca list
Traceback (most recent call last):
    12: from /opt/puppetlabs/server/apps/puppetserver/cli/apps/ca:5:in `<main>'
    11: from /opt/puppetlabs/puppet/lib/ruby/vendor_gems/gems/puppetserver-ca-1.1.1/lib/puppetserver/ca/cli.rb:89:in `run'
    10: from /opt/puppetlabs/puppet/lib/ruby/vendor_gems/gems/puppetserver-ca-1.1.1/lib/puppetserver/ca/action/list.rb:60:in `run'
     9: from /opt/puppetlabs/puppet/lib/ruby/vendor_gems/gems/puppetserver-ca-1.1.1/lib/puppetserver/ca/action/list.rb:117:in `get_all_certs'
     8: from /opt/puppetlabs/puppet/lib/ruby/vendor_gems/gems/puppetserver-ca-1.1.1/lib/puppetserver/ca/certificate_authority.rb:215:in `get_certificate_statuses'
     7: from /opt/puppetlabs/puppet/lib/ruby/vendor_gems/gems/puppetserver-ca-1.1.1/lib/puppetserver/ca/certificate_authority.rb:253:in `get'
     6: from /opt/puppetlabs/puppet/lib/ruby/vendor_gems/gems/puppetserver-ca-1.1.1/lib/puppetserver/ca/utils/http_client.rb:41:in `with_connection'
     5: from /opt/puppetlabs/puppet/lib/ruby/2.5.0/net/http.rb:609:in `start'
     4: from /opt/puppetlabs/puppet/lib/ruby/2.5.0/net/http.rb:909:in `start'
     3: from /opt/puppetlabs/puppet/lib/ruby/2.5.0/net/http.rb:920:in `do_start'
     2: from /opt/puppetlabs/puppet/lib/ruby/2.5.0/net/http.rb:981:in `connect'
     1: from /opt/puppetlabs/puppet/lib/ruby/2.5.0/net/protocol.rb:44:in `ssl_socket_connect'
/opt/puppetlabs/puppet/lib/ruby/2.5.0/net/protocol.rb:44:in `connect_nonblock': SSL_connect returned=1 errno=0 state=error: certificate verify failed (unspecified certificate verification error) (OpenSSL::SSL::SSLError)
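The two fallback orders described in the ticket ($ca_server -> $server -> $certname for the puppetserver-ca gem, $ca_server -> $server -> "puppet" for puppet proper), modelled as small Ruby functions and run against the hostname check Ruby's OpenSSL binding applies during the TLS handshake. This is an added illustration written for this page, not code from the ticket, from the puppetserver-ca gem or from puppet; the settings hash, the function names, and the choice to treat an empty setting as unset are assumptions of the example. The certificate is a throwaway self-signed one constructed locally to carry the same subject and DNS alt names as the `puppetserver ca list --all` output above, so no CA chain is involved and the chain error from the first traceback is outside what this models.

```ruby
require 'openssl'

# Return the first setting that is present. nil or an empty string counts
# as "unset" (an assumption of this example, not documented gem behaviour).
def first_set(settings, *keys)
  keys.map { |k| settings[k] }.find { |v| v && !v.to_s.empty? }
end

# Fallback order the ticket attributes to the puppetserver-ca gem:
#   $ca_server -> $server -> $certname
def resolve_ca_host_gem(settings)
  first_set(settings, :ca_server, :server, :certname)
end

# Fallback order the ticket attributes to puppet proper:
#   $ca_server -> $server -> "puppet"
def resolve_ca_host_puppet(settings)
  first_set(settings, :ca_server, :server) || 'puppet'
end

# Throwaway self-signed certificate whose subject and DNS SANs mirror the
# one printed by `puppetserver ca list --all` in the ticket. Constructed
# here for the example only; it is not a real Puppet CA artifact.
def build_test_cert(cn, dns_names)
  key  = OpenSSL::PKey::RSA.new(2048)
  cert = OpenSSL::X509::Certificate.new
  cert.version    = 2
  cert.serial     = 1
  cert.subject    = OpenSSL::X509::Name.parse("/CN=#{cn}")
  cert.issuer     = cert.subject
  cert.public_key = key.public_key
  cert.not_before = Time.now - 60
  cert.not_after  = Time.now + 3600
  ef = OpenSSL::X509::ExtensionFactory.new
  ef.subject_certificate = cert
  ef.issuer_certificate  = cert
  san = dns_names.map { |d| "DNS:#{d}" }.join(',')
  cert.add_extension(ef.create_extension('subjectAltName', san))
  cert.sign(key, OpenSSL::Digest.new('SHA256'))
  cert
end

# Hostname verification as Ruby's OpenSSL binding performs it after the
# handshake: the dialed name must match a dNSName SAN; the CN is only
# consulted when the certificate carries no dNSName SANs at all.
def host_matches_cert?(cert, host)
  OpenSSL::SSL.verify_certificate_identity(cert, host)
end

# For one settings scenario, report which host each tool would dial and
# whether that host would pass identity verification against `cert`.
def scenario_report(settings, cert)
  gem_host    = resolve_ca_host_gem(settings)
  puppet_host = resolve_ca_host_puppet(settings)
  {
    gem:    { host: gem_host,    verifies: host_matches_cert?(cert, gem_host) },
    puppet: { host: puppet_host, verifies: host_matches_cert?(cert, puppet_host) },
  }
end

if __FILE__ == $PROGRAM_NAME
  cert = build_test_cert('puppet.delivery.puppetlabs.net',
                         %w[puppet puppet.delivery.puppetlabs.net])
  # The three states walked through in the ticket, as settings hashes.
  scenarios = {
    'hostname puppet, server unset'   => { certname: 'puppet.delivery.puppetlabs.net' },
    'after puppet config set server'  => { server: 'puppet', certname: 'puppet.delivery.puppetlabs.net' },
    'hostname puppetize, server set'  => { server: 'puppetize', certname: 'puppetize.delivery.puppetlabs.net' },
  }
  scenarios.each do |label, settings|
    r = scenario_report(settings, cert)
    puts "#{label}: gem -> #{r[:gem][:host]} (#{r[:gem][:verifies]}), " \
         "puppet -> #{r[:puppet][:host]} (#{r[:puppet][:verifies]})"
  end
end
```

The second half is the practitioner's check: whichever name falls out of the fallback chain, the connection only survives verification if that exact name is one of the server certificate's DNS alt names. Against the certificate shown in the ticket, `puppet` and `puppet.delivery.puppetlabs.net` verify and `puppetize` is rejected no matter which resolution order produced it, which is why setting `server` explicitly is the workaround that makes both tools agree on a name the certificate actually carries.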