Uploaded image for project: 'Puppet Server'
  1. Puppet Server
  2. SERVER-816

Puppetserver using FreeIPA 4.x as external CA fails with java.util.ArrayList cannot be cast to java.lang.String



    • Bug
    • Status: Closed
    • Normal
    • Resolution: Fixed
    • SERVER 2.y
    • Puppet Server
    • RHEL7.1, using puppetserver 2.x (have tested specifically with the RPMS for 2.0.0 and 2.1.1)
      Puppet 4 (rpm is puppet-agent 1.1.0 and 1.2.2)
      Both installed following the instructions provided on docs.puppetlabs.com

    • 2
    • Server Emerald 2015-08-05, Server Emerald 2015-08-19, Server Emerald 2015-09-02


      It appears that the newer FreeIPA 4.x server provides new fields in the CA signed certificates that cause an interesting error. When running puppet-agent against a puppetserver with these certificates, an error is reported (as shown in attachment puppet-agent-error.txt). This produces a log of some 400+ lines, mostly traceback (as show in attachment puppetserver-errorlog.txt) indicating the error:

      2015-07-28 18:10:28,851 ERROR [puppet-server] Puppet java.util.ArrayList cannot be cast to java.lang.String

      Further investigation leads to show that a FreeIPA 3.x CA signed certificate does not incur this issue. To that end, I've included what appears to be the difference between the two signed certificates (attached as signed-certificates.diff).

      I'm theorizing that the value 'X509v3 Extended Key Usage' is not accounted for in the puppetserver code.


        1. puppet.jordanlab.local-bad.pem
          2 kB
        2. puppet.jordanlab.local-good.pem
          1 kB
        3. puppet-agent-error.txt
          1 kB
        4. puppetserver-errorlog.txt
          30 kB
        5. signed-certificates.diff
          0.6 kB



            erik Erik Dasher
            herlo herlo
            Erik Dasher Erik Dasher
            1 Vote for this issue
            7 Start watching this issue



              Zendesk Support