Jira (PUP-9314) puppetdb-termini for puppet standalone try to connect to master

2019-09-18 Thread Craig Watson (JIRA)

Craig Watson commented on PUP-9314

Re: puppetdb-termini for puppet standalone try to connect to master

This is fixed by PDB-4487
 
This message was sent by Atlassian JIRA (v7.7.1#77002-sha1:e75ca93)

-- 
You received this message because you are subscribed to the Google Groups "Puppet Bugs" group.
To unsubscribe from this group and stop receiving emails from it, send an email to puppet-bugs+unsubscr...@googlegroups.com.
To view this discussion on the web visit https://groups.google.com/d/msgid/puppet-bugs/JIRA.285263.1542291964000.103518.1568815140247%40Atlassian.JIRA.


Jira (PDB-4487) PuppetDB Terminus with Masterless Fails on SSL Errors

2019-09-18 Thread Craig Watson (JIRA)

Craig Watson commented on PDB-4487

Re: PuppetDB Terminus with Masterless Fails on SSL Errors

Louis Coilliot Can you add this to `puppetdb.conf` and retry?

```
verify_client_certificate = false
```
 
To view this discussion on the web visit https://groups.google.com/d/msgid/puppet-bugs/JIRA.321961.1566490124000.103217.1568794800444%40Atlassian.JIRA.


Jira (PDB-4487) PuppetDB Terminus with Masterless Fails on SSL Errors

2019-08-23 Thread Craig Watson (JIRA)

Craig Watson commented on PDB-4487

Re: PuppetDB Terminus with Masterless Fails on SSL Errors

So, I have worked/hacked around the problem in this PR: https://github.com/puppetlabs/puppetdb/pull/3053

Essentially, I have added the option to build our own SSLContext instead of looking up Puppet's own - this still performs validation of the certificate provided by PuppetDB against a CA, so should still satisfy security requirements. This has been tested and verified to work on my 6.8.0 node.

My knowledge of testing/documentation rules for PuppetDB is non-existent, so I'm happy to either take guidance on this and evolve my PR, or I'm equally as happy for my fork's commit to be cherry-picked out somehow and used by someone with enough skill to write adequate docs/tests.
 
To view this discussion on the web visit https://groups.google.com/d/msgid/puppet-bugs/JIRA.321961.1566490124000.71415.1566593700465%40Atlassian.JIRA.
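
The approach described in the comment above (a context the terminus builds itself, which still validates PuppetDB's certificate against a CA but needs no agent certificate or private key on the node), sketched with Ruby's standard OpenSSL library. This is an added example, not code from the linked PR or from Puppet; the certificates, host name and the `issue_cert`, `server_only_context` and `server_cert_trusted?` helpers are constructed for illustration.

```ruby
require 'openssl'

# Constructed test PKI: issue a certificate, self-signed when no issuer is given.
def issue_cert(cn, key, issuer_cert: nil, issuer_key: nil, ca: false)
  cert = OpenSSL::X509::Certificate.new
  cert.version = 2
  cert.serial = rand(1..2**32)
  cert.subject = OpenSSL::X509::Name.parse("/CN=#{cn}")
  cert.issuer = issuer_cert ? issuer_cert.subject : cert.subject
  cert.public_key = key.public_key
  cert.not_before = Time.now - 60
  cert.not_after = Time.now + 3600
  ef = OpenSSL::X509::ExtensionFactory.new
  cert.add_extension(ef.create_extension('basicConstraints', ca ? 'CA:TRUE' : 'CA:FALSE', true))
  cert.sign(issuer_key || key, OpenSSL::Digest.new('SHA256'))
  cert
end

# Hypothetical helper: a client-side context that authenticates the server only.
# It needs trust anchors, but no client certificate, private key or CRL on disk.
def server_only_context(trust_anchors)
  store = OpenSSL::X509::Store.new
  trust_anchors.each { |anchor| store.add_cert(anchor) }
  ctx = OpenSSL::SSL::SSLContext.new
  ctx.verify_mode = OpenSSL::SSL::VERIFY_PEER   # server validation stays on
  ctx.verify_hostname = true                    # name check applies on connect
  ctx.cert_store = store
  ctx
end

# The chain check applied to the certificate the server presents.
def server_cert_trusted?(ctx, server_cert)
  ctx.cert_store.verify(server_cert)
end

# Constructed sample data: a CA the node trusts, an unrelated CA, one server cert.
CA_KEY      = OpenSSL::PKey::RSA.new(2048)
CA_CERT     = issue_cert('Constructed Trusted CA', CA_KEY, ca: true)
OTHER_KEY   = OpenSSL::PKey::RSA.new(2048)
OTHER_CA    = issue_cert('Constructed Other CA', OTHER_KEY, ca: true)
SERVER_CERT = issue_cert('puppetdb.example.test', OpenSSL::PKey::RSA.new(2048),
                         issuer_cert: CA_CERT, issuer_key: CA_KEY)

if __FILE__ == $PROGRAM_NAME
  puts server_cert_trusted?(server_only_context([CA_CERT]), SERVER_CERT)
  puts server_cert_trusted?(server_only_context([OTHER_CA]), SERVER_CERT)
end
```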


Jira (PDB-4487) PuppetDB Terminus with Masterless Fails on SSL Errors

2019-08-22 Thread Craig Watson (JIRA)

Craig Watson commented on PDB-4487

Re: PuppetDB Terminus with Masterless Fails on SSL Errors

Thanks Austin Blatt and Josh Cooper - I’ve had a dive upstream into the SSL code, and it does seem like the change to `ssl_context` is the cause, pulling this data in invokes `Puppet::SSL::Verifier` which attempts a full validation of the local certificate and CA. The wider implication here is that it’s directly incompatible with masterless deployments that lack these certificates.

As it’s not technically caused by PuppetDB, I’m happy for this ticket to be closed/migrated around as necessary. If there’s anything I can do to help with diagnosis, feel free to reach out.
 
To view this discussion on the web visit https://groups.google.com/d/msgid/puppet-bugs/JIRA.321961.1566490124000.69242.1566500700551%40Atlassian.JIRA.


Jira (PDB-4487) PuppetDB Terminus with Masterless Fails on SSL Errors

2019-08-22 Thread Craig Watson (JIRA)

Craig Watson updated an issue

PuppetDB / PDB-4487
PuppetDB Terminus with Masterless Fails on SSL Errors

Change By: Craig Watson

We are running Puppet masterless, connecting to a standalone PuppetDB cluster (6.5.0) with a shared PostgreSQL backend. SSL termination is handled by the load balancer, which is using a managed SSL certificate (from Google, signed by LetsEncrypt).

routes.yaml:

{code}
---
apply:
  catalog:
    terminus: compiler
    cache: puppetdb
  resource:
    terminus: ral
    cache: puppetdb
  facts:
    terminus: facter
    cache: puppetdb_apply
{code}

puppetdb.conf:

{code}
[main]
server_urls = https://puppetdb.[redacted]:443
soft_write_failure = true
{code}

puppet.conf:

{code}
[main]
storeconfigs = false
report = true
reports = puppetdb
{code}

We have upgraded a test node to Puppet 6.8.0 and also upgraded the PuppetDB Termini to 6.5.0:

{code}
$ yum list puppet-agent puppetdb-termini
Installed Packages
puppet-agent.x86_64 6.8.0-1.el7 @puppet6
puppetdb-termini.noarch 6.5.0-1.el7 @puppet
{code}

We now have issues where the PuppetDB terminus is complaining about a lack of TLS-related files (CRL, CA, certificate, key) which would normally exist on a mastered Puppet installation, but don't on ours as they're not used.

So far, I have added:

{code}
localcacert = /etc/pki/tls/certs/ca-bundle.crt
certificate_revocation = false
{code}

To try and work around and stub out the SSL, but I am now left with the following for each interaction with PuppetDB (facts, catalog, report):

{code}
Error: Failed to initialize SSL: The private key is missing from '/etc/puppetlabs/puppet/ssl/private_keys/[fqdn].pem'
Error: Run `puppet agent -t`
Error: The private key is missing from '/etc/puppetlabs/puppet/ssl/private_keys/[fqdn].pem'
{code}

I have tried rolling a temporary/throwaway local CA with no success.

The Puppet run itself succeeds, but nothing is sent at all to PuppetDB
 

Jira (PDB-4487) PuppetDB Terminus with Masterless Fails on SSL Errors

2019-08-22 Thread Craig Watson (JIRA)

Craig Watson updated an issue

PuppetDB / PDB-4487
PuppetDB Terminus with Masterless Fails on SSL Errors

Change By: Craig Watson

We are running Puppet masterless, connecting to a standalone PuppetDB cluster (6.5.0) with a shared PostgreSQL backend. SSL termination is handled by the load balancer, which is using a managed SSL certificate (from Google, signed by LetsEncrypt).

routes.yaml:

{code :java }
---
apply:
  catalog:
    terminus: compiler
    cache: puppetdb
  resource:
    terminus: ral
    cache: puppetdb
  facts:
    terminus: facter
    cache: puppetdb_apply
{code}

puppetdb.conf:

{code :java }
[main]
server_urls = https://puppetdb.[redacted]:443
soft_write_failure = true
{code}

puppet.conf:

{code :java }
[main]
storeconfigs = false
report = true
reports = puppetdb
{code}

We have upgraded a test node to Puppet 6.8.0 and also upgraded the PuppetDB Termini to 6.5.0:

{code :java }
$ yum list puppet-agent puppetdb-termini
Installed Packages
puppet-agent.x86_64 6.8.0-1.el7 @puppet6
puppetdb-termini.noarch 6.5.0-1.el7 @puppet
{code}

We now have issues where the PuppetDB terminus is complaining about a lack of TLS-related files (CRL, CA, certificate, key) which would normally exist on a mastered Puppet installation, but don't on ours as they're not used.

So far, I have added:

{code}
localcacert = /etc/pki/tls/certs/ca-bundle.crt
certificate_revocation = false
{code}

To try and work around and stub out the SSL, but I am now left with the following for each interaction with PuppetDB (facts, catalog, report):

{code :java }
Error: Failed to initialize SSL: The private key is missing from '/etc/puppetlabs/puppet/ssl/private_keys/[fqdn].pem'
Error: Run `puppet agent -t`
Error: The private key is missing from '/etc/puppetlabs/puppet/ssl/private_keys/[fqdn].pem'
{code}

I have tried rolling a temporary/throwaway local CA with no success.

The Puppet run itself succeeds, but nothing is sent at all to PuppetDB
 

Jira (PDB-4487) PuppetDB Terminus with Masterless Fails on SSL Errors

2019-08-22 Thread Craig Watson (JIRA)

Craig Watson updated an issue

PuppetDB / PDB-4487
PuppetDB Terminus with Masterless Fails on SSL Errors

Change By: Craig Watson

We are running Puppet masterless, connecting to a standalone PuppetDB cluster (6.5.0) with a shared PostgreSQL backend. SSL termination is handled by the load balancer, which is using a managed SSL certificate (from Google, signed by LetsEncrypt).

routes.yaml:

{code:java}
---
apply:
  catalog:
    terminus: compiler
    cache: puppetdb
  resource:
    terminus: ral
    cache: puppetdb
  facts:
    terminus: facter
    cache: puppetdb_apply
{code}

puppetdb.conf:

{code:java}
[main]
server_urls = https://puppetdb.[redacted]:443
soft_write_failure = true
{code}

puppet.conf:

{code:java}
[main]
storeconfigs = false
report = true
reports = puppetdb
{code}

We have upgraded a test node to Puppet 6.8.0 and also upgraded the PuppetDB Termini to 6.5.0:

{code:java}
$ yum list puppet-agent puppetdb-termini
Installed Packages
puppet-agent.x86_64 6.8.0-1.el7 @puppet6
puppetdb-termini.noarch 6.5.0-1.el7 @puppet
{code}

We now have issues where the PuppetDB terminus is complaining about a lack of TLS-related files (CRL, CA, certificate, key) which would normally exist on a mastered Puppet installation, but don't on ours as they're not used.

{{ So far, I have added: }}

{code :java }
localcacert = /etc/pki/tls/certs/ca-bundle.crt
certificate_revocation = false
{code}

To try and work around and stub out the SSL, but I am now left with:

{code:java}
Error: Failed to initialize SSL: The private key is missing from '/etc/puppetlabs/puppet/ssl/private_keys/[fqdn].pem'
Error: Run `puppet agent -t`
Error: The private key is missing from '/etc/puppetlabs/puppet/ssl/private_keys/[fqdn].pem'
{code}

I have tried rolling a temporary/throwaway local CA with no success.
 

Jira (PDB-4487) PuppetDB Terminus with Masterless Fails on SSL Errors

2019-08-22 Thread Craig Watson (JIRA)

Craig Watson created an issue

PuppetDB / PDB-4487
PuppetDB Terminus with Masterless Fails on SSL Errors

Issue Type: Task
Affects Versions: PDB 6.5.0
Assignee: Unassigned
Components: PuppetDB
Created: 2019/08/22 9:08 AM
Priority: Blocker
Reporter: Craig Watson

We are running Puppet masterless, connecting to a standalone PuppetDB cluster (6.5.0) with a shared PostgreSQL backend. SSL termination is handled by the load balancer, which is using a managed SSL certificate (from Google, signed by LetsEncrypt).

routes.yaml:

---
apply:
  catalog:
    terminus: compiler
    cache: puppetdb

Jira (PUP-6266) Systemd provider with ubuntu 16.04

2016-05-06 Thread Craig Watson (JIRA)

Craig Watson commented on PUP-6266

Re: Systemd provider with ubuntu 16.04

Interestingly, I'm also seeing this with Apache, Transmission and Postfix, with these community modules:

https://forge.puppet.com/CraigWatson1987/transmission
https://forge.puppet.com/puppetlabs/apache
https://github.com/craigwatson/puppet-postfix
 
This message was sent by Atlassian JIRA (v6.4.13#64028-sha1:b7939e9)

-- 
To post to this group, send email to puppet-bugs@googlegroups.com.
Visit this group at https://groups.google.com/group/puppet-bugs.
For more options, visit https://groups.google.com/d/optout.