Uploaded image for project: 'Puppet Server'
  1. Puppet Server
  2. SERVER-3067

Container not able to (re)start when another cert is present inside the certs folder. (Container restart loop)



    • Type: Bug
    • Status: Ready for Merge
    • Priority: Major
    • Resolution: Unresolved
    • Affects Version/s: None
    • Fix Version/s: None
    • Component/s: Puppet Server
    • Labels:
    • Environment:

      pupperware / docker-compose / docker

    • Template:
      PUP Bug Template
    • Method Found:
      Needs Assessment
    • QA Risk Assessment:
      Needs Assessment




      When i try to start/restart or recreate the puppetserver docker container while there are already certs other than the ca.pem and the puppet.pem certificate present inside the /etc/puppetlabs/puppet/ssl/certs/ folder, it will fail while executing the last entrypoint script ( /docker-entrypoint.d/90-log-config.sh ).

      In my case its a generated cert for the puppetboard docker container.

      This happens because of this line: https://github.com/puppetlabs/puppetserver/blob/main/docker/puppetserver/docker-entrypoint.d/90-log-config.sh#L9

      In this scenario it now has multiple cert names seperated by a new line inside of the variable it uses to check the server cert, because there is no check that it will only grab a single name. Even if it would grab only the first one of the listing it would be the wrong one.

      This pull request would open a possible workaround by having PUPPET_HOSTNAME set: https://github.com/puppetlabs/puppetserver/pull/2470

      but that would not fix the underlying problem of determining the right name without external input. Maybe it shouldn't try to do that in the first place.


      Desired Behavior:

      puppetserver inside the docker container starts successfully with other certs present inside of /etc/puppetlabs/puppet/ssl/certs/ folder


      Actual Behavior:

      container restart loop


      docker-compose log:

      puppet_1       | Running /docker-entrypoint.d/10-analytics.sh
      puppet_1       | (/docker-entrypoint.d/10-analytics.sh) Pupperware analytics disabled; skipping metric submission
      puppet_1       | Running /docker-entrypoint.d/20-use-templates-initially.sh
      puppet_1       | Running /docker-entrypoint.d/30-set-permissions.sh
      puppet_1       | Running /docker-entrypoint.d/40-update-puppetdb-conf.sh
      puppet_1       | Running /docker-entrypoint.d/50-set-certname.sh
      puppet_1       | Running /docker-entrypoint.d/55-set-masterport.sh
      puppet_1       | Running /docker-entrypoint.d/60-setup-autosign.sh
      puppet_1       | Running /docker-entrypoint.d/70-set-dns-alt-names.sh
      puppet_1       | Running /docker-entrypoint.d/80-ca.sh
      puppet_1       | Running /docker-entrypoint.d/85-setup-storeconfigs.sh
      puppet_1       | Running /docker-entrypoint.d/90-log-config.sh
      puppet_1       | System configuration values:
      puppet_1       | * HOSTNAME: 'puppet'
      puppet_1       | * hostname -f: 'puppet'
      puppet_1       | * PUPPETSERVER_HOSTNAME:PUPPET_MASTERPORT: 'puppet:8140'
      puppet_1       | * Generated certname: 'puppet.pem
      puppet_1       | puppetboard.pem'
      puppet_1       | * DNS_ALT_NAMES: 'puppet,puppet.[REDACTED_DOMAIN]'
      puppet_1       | * SSLDIR: '/etc/puppetlabs/puppet/ssl'
      puppet_1       | CA Certificate:
      puppet_1       | subject=CN = "Puppet Enterprise CA generated on puppet at [REDACTED]"
      puppet_1       | issuer=CN = Puppet Root CA: [REDACTED]
      puppet_1       |         X509v3 extensions:
      puppet_1       |             X509v3 Basic Constraints: critical
      puppet_1       |                 CA:TRUE
      puppet_1       |             X509v3 Key Usage: critical
      puppet_1       |                 Certificate Sign, CRL Sign
      puppet_1       |             X509v3 Subject Key Identifier: 
      puppet_1       |                 [REDACTED]
      puppet_1       |             Netscape Comment: 
      puppet_1       |                 Puppet Server Internal Certificate
      puppet_1       |             X509v3 Authority Key Identifier: 
      puppet_1       |                 keyid:[REDACTED]
      puppet_1       | 
      puppet_1       | Certificate puppet.pem
      puppet_1       | puppetboard.pem:
      puppet_1       | Can't open /etc/puppetlabs/puppet/ssl/certs/puppet.pem
      puppet_1       | puppetboard.pem for reading, No such file or directory
      puppet_1       | 140142905807296:error:02001002:system library:fopen:No such file or directory:crypto/bio/bss_file.c:69:fopen('/etc/puppetlabs/puppet/ssl/certs/puppet.pem
      puppet_1       | puppetboard.pem','r')
      puppet_1       | 140142905807296:error:2006D080:BIO routines:BIO_new_file:no such file:crypto/bio/bss_file.c:76:
      puppet_1       | unable to load certificate





            Unassigned Unassigned
            QueerCodingGirl QueerCodingGirl
            0 Vote for this issue
            1 Start watching this issue



                Zendesk Support