SERVER-347: Specify codedir similar to confdir and vardir

    Details

      Description

      Update:

      puppet-server needs to initialize puppet with --codedir /etc/puppetlabs/code, similar to how it handles vardir and confdir. Since puppet-server doesn't specify this setting, and it runs as non-root, the codedir will default to ~/.puppet/code, but $HOME for the puppet user is in vardir, resulting in puppet-server trying to access /opt/puppetlabs/agent/cache/.puppet/code (using an older version of vardir).

      Also note several files/directories currently in $confdir need to be moved to $codedir:

          environmentpath: /etc/puppetlabs/code/environments
          distmoduledir: /etc/puppetlabs/code/modules
          hieraconf:     /etc/puppetlabs/code/hiera.yaml
          hieradatadir:  /etc/puppetlabs/code/hieradata
      

      Original:

      Trying to run AIO acceptance using the puppet-server package from:

      https://gist.github.com/joshcooper/283cc84a1b45b57d5a8e#file-gistfile1-txt-L966

      During the acceptance setup, we execute the ruby puppet master and verify that all of the agents can download their SSL cert, and make an authenticated SSL connection. This works fine: https://gist.github.com/joshcooper/283cc84a1b45b57d5a8e#file-gistfile1-txt-L1578-L1618

      However, as soon as the puppet-agent package tries to connect to the master, it fails with:

      [root@pb5dl7xbpawqosr ~]# puppet agent -t --server lyvdzg9x0frzq2r.delivery.puppetlabs.net
      Warning: Unable to fetch my node definition, but the agent run will continue:
      Warning: SSL_connect returned=1 errno=0 state=unknown state: certificate verify failed: [unable to get local issuer certificate for /CN=lyvdzg9x0frzq2r.delivery.puppetlabs.net]
      Info: Retrieving pluginfacts
      Error: /File[/opt/puppetlabs/agent/cache/facts.d]: Failed to generate additional resources using 'eval_generate': SSL_connect returned=1 errno=0 state=unknown state: certificate verify failed: [unable to get local issuer certificate for /CN=lyvdzg9x0frzq2r.delivery.puppetlabs.net]
      

      This error is coming from openssl. If I try to execute openssl on the agent host using the CA cert that the agent has already downloaded, it fails in the same way, verify error 20:

      [root@pb5dl7xbpawqosr ~]# openssl s_client -connect lyvdzg9x0frzq2r.delivery.puppetlabs.net:8140 -CAfile /etc/puppetlabs/agent/ssl/certs/ca.pem
      CONNECTED(00000003)
      depth=0 CN = lyvdzg9x0frzq2r.delivery.puppetlabs.net
      verify error:num=20:unable to get local issuer certificate
      verify return:1
      depth=0 CN = lyvdzg9x0frzq2r.delivery.puppetlabs.net
      verify error:num=27:certificate not trusted
      verify return:1
      depth=0 CN = lyvdzg9x0frzq2r.delivery.puppetlabs.net
      verify error:num=21:unable to verify the first certificate
      verify return:1
      ...
          Verify return code: 21 (unable to verify the first certificate)
      ---
      

      In particular, note that the cert at depth 0 is the server's certificate, not the CA cert.

      However, if I stop the puppet-server, and run the ruby puppet master:

      [root@lyvdzg9x0frzq2r ~]# puppet resource service puppetserver ensure=stopped
      Notice: /Service[puppetserver]/ensure: ensure changed 'running' to 'stopped'
      service { 'puppetserver':
        ensure => 'stopped',
      }
      [root@lyvdzg9x0frzq2r ~]# puppet master --no-daemonize
      Notice: Starting Puppet master version 3.7.4
      

      The openssl on the agent works as expected:

      [root@pb5dl7xbpawqosr ~]# openssl s_client -connect lyvdzg9x0frzq2r.delivery.puppetlabs.net:8140 -CAfile /etc/puppetlabs/agent/ssl/certs/ca.pem
      CONNECTED(00000003)
      depth=1 CN = Puppet CA: lyvdzg9x0frzq2r.delivery.puppetlabs.net
      verify return:1
      depth=0 CN = lyvdzg9x0frzq2r.delivery.puppetlabs.net
      verify return:1
      ...
          Verify return code: 0 (ok)
      ---
      

      Note that the ruby puppet master is sending the CA cert at depth 0, and the server at depth 1.

      Both agent and master are rhel7 x86_64 with selinux enabled.

      I'm not 100% sure this is a puppet-server issue, but it seems likely given the different cert chains.

      Also note that AIO started testing against a new puppet-server promoted build in order to pick up the net-tools dependency. This may have introduced a regression in the puppet-server's SSL code.
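The "verify error:num=20:unable to get local issuer certificate" in the s_client output above means the trust anchor handed to openssl with -CAfile does not chain to the certificate the server presented. The script below is an added example, not part of the issue or of the Puppet Server project; it reproduces that error offline with the openssl CLI by creating two constructed CAs (ca-a and ca-b), signing a server certificate with ca-a, and verifying it against each. The same issuer/subject comparison is a quick way to confirm, on a real host, whether a server is presenting a certificate from a different CA than the one in the agent's ca.pem. All names used here are constructed.

```shell
#!/bin/sh
# Added example, not from the issue or the Puppet Server project: reproduce
# "verify error:num=20:unable to get local issuer certificate" offline by
# checking a server certificate against the CA that issued it and against a
# different CA. Requires the openssl CLI; all names below are constructed.
set -e

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# make_ca NAME: self-signed CA key and certificate, named like a Puppet CA
make_ca() {
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
    -keyout "$WORK/$1.key" -out "$WORK/$1.pem" \
    -subj "/CN=Puppet CA: $1.example.test" >/dev/null 2>&1
}

# make_leaf NAME CA: server key plus a certificate signed by CA
make_leaf() {
  openssl req -newkey rsa:2048 -nodes \
    -keyout "$WORK/$1.key" -out "$WORK/$1.csr" \
    -subj "/CN=$1.example.test" >/dev/null 2>&1
  openssl x509 -req -days 1 -in "$WORK/$1.csr" \
    -CA "$WORK/$2.pem" -CAkey "$WORK/$2.key" -CAcreateserial \
    -out "$WORK/$1.pem" >/dev/null 2>&1
}

# verify_against CA LEAF: print the openssl verify error number (0 when OK).
# This is the same chain check s_client performs with -CAfile, minus the network.
verify_against() {
  out=$(openssl verify -CAfile "$WORK/$1.pem" "$WORK/$2.pem" 2>&1 || true)
  case "$out" in
    *": OK"*)         echo 0 ;;
    *"error 20 at "*) echo 20 ;;   # unable to get local issuer certificate
    *)                echo "$out" >&2; return 1 ;;
  esac
}

# issuer_matches_ca LEAF CA: succeed when LEAF's issuer DN equals CA's subject DN.
# Comparing these two DNs shows directly whether the server certificate was
# issued by the CA the client trusts, without waiting for a TLS handshake error.
issuer_matches_ca() {
  issuer=$(openssl x509 -noout -issuer -in "$WORK/$1.pem" | sed 's/^issuer= *//')
  subject=$(openssl x509 -noout -subject -in "$WORK/$2.pem" | sed 's/^subject= *//')
  [ "$issuer" = "$subject" ]
}

make_ca ca-a
make_ca ca-b
make_leaf server ca-a

echo "server cert against ca-a: $(verify_against ca-a server)"   # 0
echo "server cert against ca-b: $(verify_against ca-b server)"   # 20
```

Run it as-is; it prints 0 for the issuing CA and 20 for the unrelated one. On a real agent host the equivalent check is `openssl x509 -noout -issuer` on the certificate the server presents (from `openssl s_client -showcerts`) compared with `openssl x509 -noout -subject` on /etc/puppetlabs/agent/ssl/certs/ca.pem; a mismatch means the server is using a different CA than the agent downloaded, which is exactly the situation a wrong confdir, vardir or codedir on the server side can produce.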

      People

      Assignee: Unassigned
      Reporter: Josh Cooper
      QA Contact: Erik Dasher