Hello Morgan,
I was able to generate a new certificate with the alt name, and when doing
a 'puppet cert list --all' I see the following:
+ "puppet4.psd401.net" (SHA256) 1D:16:67:30:0D:62:CE:6C:2A:80:11:7E:C7:79:BA:4F:25:C6:0E:E6:90:9D:4D:9F:86:4B:5C:42:A1:6D:09:96 (alt names: "DNS:puppet", "DNS:puppet4.psd401.net")
But when doing a docker logs on puppet_db, it still says:
Warning: Unable to fetch my node definition, but the agent run will
continue:
Warning: SSL_connect returned=1 errno=0 state=error: certificate verify
failed: [unable to get local issuer certificate for /CN=puppet4.psd401.net]
Info: Retrieving pluginfacts
Error: /File[/opt/puppetlabs/puppet/cache/facts.d]: Failed to generate
additional resources using 'eval_generate': SSL_connect returned=1 errno=0
state=error: certificate verify failed: [unable to get local issuer
certificate for /CN=puppet4.psd401.net]
Error: /File[/opt/puppetlabs/puppet/cache/facts.d]: Could not evaluate:
Could not retrieve file metadata for puppet:///pluginfacts: SSL_connect
returned=1 errno=0 state=error: certificate verify failed: [unable to get
local issuer certificate for /CN=puppet4.psd401.net]
Info: Retrieving plugin
Error: /File[/opt/puppetlabs/puppet/cache/lib]: Failed to generate
additional resources using 'eval_generate': SSL_connect returned=1 errno=0
state=error: certificate verify failed: [unable to get local issuer
certificate for /CN=puppet4.psd401.net]
Error: /File[/opt/puppetlabs/puppet/cache/lib]: Could not evaluate: Could
not retrieve file metadata for puppet:///plugins: SSL_connect returned=1
errno=0 state=error: certificate verify failed: [unable to get local issuer
certificate for /CN=puppet4.psd401.net]
Error: Could not retrieve catalog from remote server: SSL_connect
returned=1 errno=0 state=error: certificate verify failed: [unable to get
local issuer certificate for /CN=puppet4.psd401.net]
Error: Could not retrieve catalog; skipping run
Error: Could not send report: SSL_connect returned=1 errno=0 state=error:
certificate verify failed: [unable to get local issuer certificate for
/CN=puppet4.psd401.net]
Not entirely sure what the problem here still can be... I did clean the
certs as well. Realizing this is a pretty old version of Puppet, would it
perhaps be better to do a clean install of Puppet in a non-docker
environment?
Post by Morgan Rhodes
Hi Rohit,
No, unfortunately, it's not just a change in your docker-compose.yml. When
you're generating the certs for your puppetserver, you'll want to make sure
you're passing `--dns_alt_names=<altnames>`, so it would be something like:
puppet cert generate puppet4.psd401.net --dns_alt_names=puppet,puppet.psd401.net
Afterwards, you can confirm that your certificate has all of the altnames:
$ puppet cert list --all
+ "puppet4.psd401.net" (SHA256) <fingerprint> (alt names: "DNS:puppet", "DNS:puppet4.psd401.net")
Post by Rohit
Hello Morgan,
Apologies for the late response here. Some of our Puppet services had
started working, but it looks like the same issue has arisen and I am not
entirely sure why. I did check the docker-entrypoint.sh file and indeed see
the very exact response as you posted. However, my question is: for the
"altname" that you suggested, would I change this in the docker-compose.yml
file? I also realize the full docker-compose.yml did not show up in my
previous post, but I have attached it again in a separate file.
Post by Morgan Rhodes
When you look at the output of `puppet cert list --all`, does the
certificate for your puppetmaster also include the alt name 'puppet'?
(Something like 'alt names: "DNS:puppet", "DNS:testpuppet"'.) If not, I'm
guessing that's your problem.
You mentioned in your earlier email that you were using puppetdb 4.2.0.
I'm assuming you're running the puppet/puppetdb:4.2.0 container. To get the
container entrypoint, I start the container manually with a custom
entrypoint so I can look around; there should be a file
'docker-entrypoint.sh' in the root directory of the container.
$ docker run --rm -it --entrypoint /bin/bash puppet/puppetdb:4.2.0
Dockerfile bin boot dev docker-entrypoint.sh etc home lib lib64
media mnt opt proc root run sbin srv sys tmp usr var
#!/bin/bash
# Only bootstrap SSL if puppetdb does not have certificates yet.
if [ ! -d "/etc/puppetlabs/puppetdb/ssl" ]; then
  # Wait until the puppetserver (hard-coded hostname 'puppet') accepts connections.
  while ! nc -z puppet 8140; do
    sleep 1
  done
  set -e
  # One agent run against 'puppet' to request and fetch this node's certificate.
  /opt/puppetlabs/bin/puppet agent --verbose --onetime --no-daemonize --waitforcert 120
  # Set up puppetdb's SSL files from the agent's certificates.
  /opt/puppetlabs/server/bin/puppetdb ssl-setup -f
fi
The docker-entrypoint.sh script in that version of the container doesn't
have any logic for a puppetserver with a non-default name, which means when
it runs `puppet agent --verbose --onetime --no-daemonize --waitforcert 120`
it will connect to the host named 'puppet'. From the link you have set up
in your docker-compose.yml, I'm assuming your puppetserver container name
is 'puppet' with the hostname 'puppet4.psd401.net'. Since the container
name is 'puppet', the puppetdb container is able to resolve 'puppet' as
'puppet4....', so when it runs puppet agent -t it can connect to the host,
but certificate validation will fail if puppet isn't listed as one of the
valid altnames for the puppet container.
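As an added example that is not part of this thread, the Python below automates the check Morgan describes: it parses mail-wrapped `puppet cert list --all` output and reports which signed certificate, if any, covers the hostname the puppetdb entrypoint connects to ('puppet' in the 4.2.0 script). The rule that the connect name must equal the certname or one of its DNS alt names is the modelled assumption, and the sample output is constructed from the lines quoted in this thread.

```python
import re
# Constructed sample: the mail-wrapped `puppet cert list --all` output quoted in
# this thread, plus one unsigned request (no leading "+") for the status column.
SAMPLE_CERT_LIST = """
+ "puppet4.psd401.net" (SHA256) 1D:16:67:30:0D:62:CE:6C:2A:80:11:7E:C7:79:BA
:4F:25:C6:0E:E6:90:9D:4D:9F:86:4B:5C:42:A1:6D:09:96 (alt names: "DNS:puppet"
, "DNS:puppet4.psd401.net")
+ "testserver" (SHA256)
F0:31:6D:1D:03:82:C0:84:0D:FA:2B:28:5B:52:CB:18:88:87:61:5F:5A:F5:7E:AB:A2:73:29:44:BC:57:D0:99
(alt names: "DNS:testserver", "DNS:foo")
  "pending.example.net" (SHA256) AA:BB:CC:DD
"""
# An entry begins with an optional +/- status marker, the quoted certname and "(".
ENTRY_START = re.compile(r'^\s*[+-]?\s*"[^"]+"\s*\(')
ENTRY_RE = re.compile(r'^\s*([+-])?\s*"([^"]+)"\s*\((\w+)\)\s*([0-9A-Fa-f:]+)'
                      r'(?:\s*\(alt names:\s*(.*)\))?\s*$')
STATUS = {"+": "signed", "-": "revoked", None: "requested"}

def join_wrapped(text):
    """Re-join entries that a mail client wrapped across several lines."""
    entries = []
    for line in filter(str.strip, text.splitlines()):
        if ENTRY_START.match(line) or not entries:
            entries.append(line.strip())
        else:
            entries[-1] += line.strip()  # wrapped fingerprint or alt-name list
    return entries

def parse_cert_list(text):
    """Return dicts with name, status, fingerprint and DNS alt names per entry."""
    out = []
    for entry in join_wrapped(text):
        m = ENTRY_RE.match(entry)
        if m:
            sign, name, _digest, fp, alts = m.groups()
            out.append({"name": name, "status": STATUS[sign], "fingerprint": fp,
                        "alt_names": re.findall(r'"DNS:([^"]+)"', alts or "")})
    return out

def accepted_names(cert):
    # Modelled rule (assumption): the connect name must equal the CN or a DNS SAN.
    return {cert["name"].lower(), *(n.lower() for n in cert["alt_names"])}

def check_connect_host(text, connect_host):
    """Return the signed certname covering the host puppetdb dials, else None."""
    for c in parse_cert_list(text):
        if c["status"] == "signed" and connect_host.lower() in accepted_names(c):
            return c["name"]
    return None
```

Paste the real `puppet cert list --all` output in place of the sample and call `check_connect_host(output, "puppet")`; a `None` result means the name the entrypoint dials is not on any signed certificate.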
Post by Rohit
1. puppet_db is trying to connect to our.puppet.domain; there is no
docker-entrypoint.sh script that I was able to find.
2.
container_name: puppet_db
hostname: puppetdb.peninsula.wednet.edu
- 10.0.0.7
image: puppet/puppetdb:latest
- 8087:8080
- 8088:8081
- puppet
- puppet:puppet4.psd401.net
- puppetdbpostgres:postgres
- ./puppet-client.conf:/etc/puppetlabs/puppet/puppet.conf
- ./puppetdb_conf:/etc/puppetlabs/puppetdb/conf.d
- ./puppetdb_ssl:/etc/puppetlabs/puppet/ssl/
ipv4_address: 172.19.0.4
restart: always
2. The hostname that the puppetdb container is trying to connect
to is indeed the one listed as the certificate name on the puppet server's
cert.
Post by Morgan Rhodes
1) What hostname is your puppetdb container trying to connect to
puppetserver at?
a) This should be in your docker-entrypoint.sh script in the
puppetdb container. Likely either 'puppet' or '$PUPPETSERVER_HOSTNAME'
depending on what variables you have set in your compose file and what
version of the puppetdb container you have.
2) Is the hostname your puppetdb container is trying to connect to
listed as one of the certificate names for your puppet server's cert?
a) For example, in my puppetserver container when I run `puppet
+ "testserver" (SHA256)
F0:31:6D:1D:03:82:C0:84:0D:FA:2B:28:5B:52:CB:18:88:87:61:5F:5A:F5:7E:AB:A2:73:29:44:BC:57:D0:99
(alt names: "DNS:testserver", "DNS:foo")
if my puppetdb container tries to connect to that host over any
names other than 'testserver' or 'foo' I get a certificate verify failed
error.
Post by Rohit
Hello Morgan,
If you are referring to the cert being in the conf/ssl/certs folder,
then yes, our.puppet.domain.pem is in the folder. When running the 'puppet
- computername.our.puppet.domain
- our.puppet.domain
- servername.our.puppet.domain
If it is a DNS issue, do I have to likely change something from the
docker-compose side?
Post by Morgan Rhodes
Hi Rohit,
Is the hostname from `/CN=our.puppet.domain` showing up in your
puppetserver's certificate? You can verify that with `puppet cert list
--all` on the puppetserver container. This looks like a DNS issue.
Post by Rohit
Hello, we currently have a puppet docker container setup and are
experiencing certificate issues. Basically, in our docker setup (on our
main server) I had generated and signed new certificates, but the puppet_db
[unable to get local issuer certificate for /CN=our.puppet.domain]
Error: Could not retrieve catalog; skipping run
Error: Could not send report: SSL_connect returned=1 errno=0
state=error: certificate verify failed: [unable to get local issuer
certificate for /CN=our.puppet.domain]
I have tried a series of steps to solve this problem, as it looks like
Puppet is not functioning correctly and our servers are not properly
listening to the host server. Any idea what I can do to solve this problem?
For reference, we are running Puppet_DB version 4.2 and Puppet Server
version 2.7.2, all of which is set up on a docker container environment on
one server.
--
You received this message because you are subscribed to the Google
Groups "Puppet Users" group.
To unsubscribe from this group and stop receiving emails from it, send
an email to puppet-users+***@googlegroups.com.
To view this discussion on the web visit
https://groups.google.com/d/msgid/puppet-users/899d2bf7-ceed-4d9e-bd24-c4ba2cc93928%40googlegroups.com.
For more options, visit https://groups.google.com/d/optout.
--
Morgan Rhodes
Release Engineer