[SERVER-142] ssldir in puppet.conf is not being honoured Created: 2014/11/05  Updated: 2016/09/27  Resolved: 2014/11/14

Status: Closed
Project: Puppet Server
Component/s: Puppet Server
Affects Version/s: None
Fix Version/s: None

Type: Bug Priority: Normal
Reporter: Sheela Nistala Assignee: Unassigned
Resolution: Fixed Votes: 0
Labels: ssl
Remaining Estimate: Not Specified
Time Spent: Not Specified
Original Estimate: Not Specified

"distdescription"=>"Debian GNU/Linux 7.7 (wheezy)"

puppetserver version: 0.3.0-1puppetlabs1

QA Contact: Erik Dasher


There's a discrepancy between what --configprint (and the config file) shows and where puppet is looking for certificate requests.

sheela@rugnor:~$ sudo puppet agent -t
Info: csr_attributes file loading from /etc/puppet/csr_attributes.yaml
Info: Creating a new SSL certificate request for instance1
Info: Certificate Request fingerprint (SHA256): 10:2E:B9:74:92:0D:A5:FC:74:AB:E0:78:CC:06:29:F2:9D:29:D2:08:B8:0C:6B:0F:B8:C9:49:C5:D4:B1:D6:43
Error: Could not request certificate: Error 500 on SERVER: <html>
<meta http-equiv="Content-Type" content="text/html;charset=ISO-8859-1"/>
<title>Error 500 </title>
<h2>HTTP ERROR: 500</h2>
<p>Problem accessing /production/certificate_request/instance1. Reason:

<pre> /var/lib/puppet/ssl/ca/requests/instance1.pem (No such file or directory)</pre></p>

<hr /><i><small>Powered by Jetty://</small></i>
Exiting; failed to retrieve certificate and waitforcert is disabled

This what configprint shows
sheela@rugnor:~$ sudo puppet agent --configprint ssldir

This is the /etc/puppet/puppet.conf
logdir = /var/log/puppet
ssldir = /etc/puppet/ssl
rundir = /var/run/puppet
pluginsync = true
parser = future

report = true
certname = instance1

Comment by Nate Wolfe [ 2014/11/07 ]

Thanks for the submission Sheela Nistala. I think you might be running into one of the current shortcomings of Puppet Server - it doesn't automatically pick up configuration changes (like to puppet.conf) without restarting the service. Furthermore, it would actually look like the master in fact did get your config changes when you do puppet master --configprint ssldir.

Did you by chance change the ssldir setting after the Server had been started? That would explain why the error message is looking in the default location of /var/lib/puppet/ssl, but the agent --configprint shows /etc/puppet/ssl.

If this is what is going on, then restarting the Server service would help. At that point you might need to do some SSL cleanup as things could be spread over the two locations.

Comment by Jeremy Barlow [ 2014/11/07 ]

Your theory sounds reasonable to me, Nate Wolfe.

It would also be interesting to know if the /var/lib/puppet/ssl/ca/requests/ directory was deleted sometime after the Puppet Server master had started up since the master presumably would have created it if it didn't already exist when it first started up. That is the only scenario under which I could reproduce the ERROR 500 response for a certificate_request PUT. It does seem like the error handling on the master should be a bit more precise here - e.g., check for the existence of the certificate request directory before attempting to save the request to it and, if it doesn't exist, fail with a message indicating that the request could not be stored because the requestdir does not exist.

When I do this with the Ruby CA, for example, I get this error in the agent instead:

Error: Could not request certificate: Error 400 on SERVER: Cannot save agent; parent directory /var/lib/puppet/ssl/ca/requests does not exist

Comment by Sheela Nistala [ 2014/11/12 ]

Thank you for the reply Nate Wolfe.
So, I did the necessary SSL cleanup and restarted puppetserver. That seemed to have solved the issue.
Jeremy Barlow: Yes, that directory was deleted because I was under the impression that that directory's existence made the server ignore the ssldir config.

Also, it took a while to figure out that once the CA was setup, the server needed to be restarted.
Thanks Nate Wolfe and Jeremy Barlow

Edit: I'm editing this comment because the one made earlier was inaccurate.

Comment by Nate Wolfe [ 2014/11/12 ]

Glad you got it working Sheela Nistala!

Yes, that directory was deleted because I was under the impression that that directory's existence made the server ignore the ssldir config.

The Puppet Server will not tolerate missing files/directories as nicely as the Ruby Master, so if deleting the directory used to work, it probably won't anymore. What were you trying to achieve by deleting the directory? There might be a different way to get the same effect now.

Comment by Jeremy Barlow [ 2014/11/12 ]

I think Sheela Nistala thought that by deleting the /var/lib/puppet/ssl directory – the originally generated SSL directory that would no longer need to be used – that the master would automatically start using the newly configured /etc/puppet/ssl directory. As you mentioned though, Nate Wolfe, a puppetserver restart is what would be needed in order for the /etc/puppet/ssl directory to start being used because the settings in the puppet.conf file are only read by the puppetserver service at startup.

Comment by Nate Wolfe [ 2014/11/14 ]

Sheela Nistala Glad you're past this issue - we're going to mark this as Resolved. Please feel free to reopen the ticket if there are further issues!

Comment by Sheela Nistala [ 2014/11/18 ]

Jeremy Barlow: That's exactly what I thought. Thank you for your assistance.
Nate Wolfe: Yes, this has been resolved. Thanks for helping out!

Generated at Thu Feb 27 00:52:00 PST 2020 using JIRA 7.7.1#77002-sha1:e75ca93d5574d9409c0630b81c894d9065296414.