Puppet Server / SERVER-2432

Puppet server ca setup fails with multiple CRL

    Details

    • Type: Bug
    • Status: Accepted
    • Priority: Normal
    • Resolution: Unresolved
    • Affects Version/s: SERVER 5.3.6, SERVER 5.3.7
    • Fix Version/s: None
    • Component/s: Puppet Server
    • Labels:
      None
    • Environment:
    • Template:
      PUP Bug Template
    • Acceptance Criteria:

      Correct output should be along the lines of:

      root@puppetmaster:~# puppetserver ca list --all
      Signed Certificates:
       puppet.example.com (SHA256) 8D:97:A4:0C:8C:B8:C4:BE:3C:92:5B:13:2A:57:AB:03:5A:82:3D:F3:29:AD:6A:E1:86:6F:7B:01:29:DA:99:B0 alt names: ["DNS:puppet"]
      

    • Method Found:
      Needs Assessment
    • QA Risk Assessment:
      Needs Assessment

      Description

      Hi Folks,

      On a brand new installation of puppetserver, I'm unable to get puppetserver ca cert to work out of the box as suggested in some docs.

      Here are my steps to reproduce:

      #!/bin/bash
       
      systemctl stop puppetserver
      rm -Rf /etc/puppetlabs/puppet/ssl
      /opt/puppetlabs/server/bin/puppetserver ca setup
      echo ""
      find /etc/puppetlabs/puppet/ssl/
      echo ""
      systemctl start puppetserver
      puppetserver ca list --all
      

      Gets us:

      root@puppetmaster:~# puppetserver ca list --all
      Error:
       code: 500
       body: Internal Server Error: java.lang.IllegalArgumentException: 
          The PEM stream contains more than one object
      

      Did some digging and narrowed this down to https://github.com/puppetlabs/jvm-ssl-utils/blob/master/src/java/com/puppetlabs/ssl_utils/SSLUtils.java#L375 which is the exact error.

      The following works without issue:

      #!/bin/bash
       
        systemctl stop puppetserver
        rm -Rf /etc/puppetlabs/puppet/ssl
       
        mkdir /etc/puppetlabs/puppet/ssl
        chown puppet:puppet /etc/puppetlabs/puppet/ssl
       
        systemctl start puppetserver
       
        echo ""
        find /etc/puppetlabs/puppet/ssl/
        echo ""
        puppetserver ca list --all
      

      The only discernable difference I could see between the two approaches is that ca setup generates CA certs, CRL etc with two certificate blocks, which is valid but something can't handle it.

      I'm happy working around this by using my second solution but this definitely feels like something should be handling this circumstance and isn't.

      Thanks, Ian.
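
To see which files a `ca setup` run left with more than one PEM block, the kind of input that triggers "The PEM stream contains more than one object", the following added example (not part of the original report or of Puppet Server) counts PEM objects per file. The sample file names and contents are constructed for illustration.

```bash
#!/bin/bash
# Added example: not from the report or from Puppet Server.

# Print how many PEM objects (BEGIN markers) a file contains.
count_pem_objects() {
    # grep -c exits 1 on a count of 0; "|| true" keeps that from aborting callers.
    grep -c -- '^-----BEGIN [A-Z0-9 ]*-----' "$1" || true
}

# Print "count<TAB>path" for every file under directory $1 that holds
# more than one PEM object.
list_multi_pem() {
    find "$1" -type f | sort | while IFS= read -r f; do
        n=$(count_pem_objects "$f")
        if [ "${n:-0}" -gt 1 ]; then
            printf '%s\t%s\n' "$n" "$f"
        fi
    done
}

# Constructed sample directory (file names and contents are made up):
# one file with two CRL blocks, one file with a single certificate block.
make_sample() {
    d=$(mktemp -d)
    printf '%s\n' '-----BEGIN X509 CRL-----' 'AAAA' '-----END X509 CRL-----' \
                  '-----BEGIN X509 CRL-----' 'BBBB' '-----END X509 CRL-----' \
                  > "$d/two_crls.pem"
    printf '%s\n' '-----BEGIN CERTIFICATE-----' 'CCCC' \
                  '-----END CERTIFICATE-----' > "$d/one_cert.pem"
    echo "$d"
}

sample=$(make_sample)
list_multi_pem "$sample"
rm -rf "$sample"
```

On a real server, run `list_multi_pem /etc/puppetlabs/puppet/ssl` after `puppetserver ca setup` to list the multi-object files.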


              People

              • Assignee:
                Unassigned
                Reporter:
                idnorton Ian Norton
              • Votes:
                0
                Watchers:
                4
