Re: [Puppet Users] Re: Puppetserver 6.0 -> Error:num=20 and Error:num=21

2019-01-04 Thread Josh Cooper
On Fri, Jan 4, 2019 at 2:03 PM 'Michael Post' via Puppet Users <
puppet-users@googlegroups.com> wrote:

> Hello,
>
>>
>> Am Freitag, 4. Januar 2019 22:21:47 UTC+1 schrieb Michael Post:
>>
>>> Hello,
>>>
>>> yesterday and today I set up a new Debian Stretch VM and want to install
>>> a fresh environment with puppetserver 6.
>>>

> sometimes it is good to write and think and read more and more.
> I solved my problem.
> The exact steps are written in the documentation but you have to find it.
>
> It is written under
>
> https://puppet.com/docs/puppet/5.3/config_ssl_external_ca.html#option-2-puppet-server-functioning-as-an-intermediate-ca
>
> Puppet agent
> You need to do two things to prepare Puppet agent for this CA
> configuration:
> If you copy this file into place before the first Puppet run, you will not
> receive any errors. If you attempt a Puppet run prior to this file being
> present you will receive errors since the auto-distributed ca.pem file
> doesn’t include the root CA.
> Example error:
> Error: Could not request certificate: SSL_connect returned=1 errno=0
> state=error: certificate verify failed: [unable to get local issuer
> certificate for /CN=]
>
> Copy the CA bundle in place prior to a Puppet run.
>
> Disable certificate revocation validation.
>
> Copy the CA bundle you created to /etc/puppetlabs/puppet/ssl/certs/ca.pem on
> every agent node.
> Set certificate_revocation = false in the [main] section of puppet.conf
> on every agent node:
>
> [main]
> certificate_revocation = false
>
> Once you’ve completed both of these steps, the agent can run successfully.
>
> Have a nice weekend,
>
> Michael
>
> --
> You received this message because you are subscribed to the Google Groups
> "Puppet Users" group.
> To unsubscribe from this group and stop receiving emails from it, send an
> email to puppet-users+unsubscr...@googlegroups.com.
> To view this discussion on the web visit
> https://groups.google.com/d/msgid/puppet-users/ed78a062-6db1-4636-bb78-c2bfbb01cb90%40googlegroups.com
> 
> .
> For more options, visit https://groups.google.com/d/optout.
>

One clarification. Puppetserver6 has a new workflow for importing an
external CA certificate, and issuing an intermediate puppet CA from that.
Also puppet6 agents will correctly download the CA bundle and process
multiple CRLs, so it is not necessary to disable CRL checking. However the
steps you outlined are required for puppet5 agents talking to puppetserver6
when it is using intermediate CA certs, as older agents don't process
multiple CRLs correctly.

See https://puppet.com/docs/puppetserver/6.1/intermediate_ca.html for more
details.

Josh
-- 
Josh Cooper | Software Engineer
j...@puppet.com | @coopjn
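
The chain failures discussed in this thread can be reproduced offline with `openssl verify`. This is an added example, not from the posters or from Puppet's documentation; the CA names, the host name puppet.example.test and all files are constructed, and it shows why the agent's ca.pem has to hold the intermediate and the root together.

```shell
#!/bin/sh
# Added example; every name and file here is constructed. It builds a
# throwaway root CA, an intermediate standing in for the Puppet CA, and one
# server certificate, then verifies that certificate against three ca.pem
# candidates.

# Create a key ($1.key) and CSR ($1.csr) for subject $2.
new_csr() {
  openssl req -new -newkey rsa:2048 -nodes -subj "$2" \
    -keyout "$1.key" -out "$1.csr" 2>/dev/null
}

# Build root -> intermediate -> server cert in the empty directory $1.
build_chain() {
  d=$1
  printf '%s\n' 'basicConstraints=critical,CA:TRUE' \
    'keyUsage=critical,keyCertSign,cRLSign' > "$d/ca.ext"
  new_csr "$d/root" "/CN=Example Root CA"
  new_csr "$d/int" "/CN=Puppet CA: puppet.example.test"
  new_csr "$d/leaf" "/CN=puppet.example.test"
  openssl x509 -req -in "$d/root.csr" -signkey "$d/root.key" -days 2 \
    -extfile "$d/ca.ext" -out "$d/root.pem" 2>/dev/null
  openssl x509 -req -in "$d/int.csr" -CA "$d/root.pem" -CAkey "$d/root.key" \
    -set_serial 2 -days 2 -extfile "$d/ca.ext" -out "$d/int.pem" 2>/dev/null
  openssl x509 -req -in "$d/leaf.csr" -CA "$d/int.pem" -CAkey "$d/int.key" \
    -set_serial 3 -days 2 -out "$d/leaf.pem" 2>/dev/null
  # The CA bundle for the agent: intermediate plus root in one PEM file.
  cat "$d/int.pem" "$d/root.pem" > "$d/bundle.pem"
}

# Print 0 if certificate $2 verifies against trust file $1, otherwise the
# number of the first OpenSSL verify error.
verify_code() {
  out=$(openssl verify -CAfile "$1" "$2" 2>&1) && { echo 0; return 0; }
  printf '%s\n' "$out" | sed -n 's/^error \([0-9][0-9]*\) at .*/\1/p' | head -n 1
}

run_demo() {
  d=$(mktemp -d) || return 1
  build_chain "$d" || return 1
  # Root only: the server certificate's issuer is missing (error 20).
  r=$(verify_code "$d/root.pem" "$d/leaf.pem")
  # Intermediate only, i.e. a ca.pem without the root CA: the chain cannot
  # be completed past the intermediate (error 2).
  i=$(verify_code "$d/int.pem" "$d/leaf.pem")
  # Intermediate + root: the chain verifies.
  b=$(verify_code "$d/bundle.pem" "$d/leaf.pem")
  rm -rf "$d"
  echo "root-only=$r intermediate-only=$i bundle=$b"
}

run_demo
```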



[Puppet Users] Bolt 1.8.1 now available

2019-01-04 Thread Puppet Product Updates
Greetings!

We're happy to announce the release of Bolt 1.8.1. We were so excited about
the addition of standard library functions in 1.8.0 that we missed actually
packaging them. This is the fix.

For more information about this release, check out the release notes:
https://puppet.com/docs/bolt/1.x/bolt_release_notes.html

To try this version of Bolt, follow the installation instructions for your
operating system:
https://puppet.com/docs/bolt/1.x/bolt_installing.html

Thanks!



[Puppet Users] Re: Puppetserver 6.0 -> Error:num=20 and Error:num=21

2019-01-04 Thread 'Michael Post' via Puppet Users
Hello, 

>
> Am Freitag, 4. Januar 2019 22:21:47 UTC+1 schrieb Michael Post:
>
>> Hello,
>>
>> yesterday and today I set up a new Debian Stretch VM and want to install
>> a fresh environment with puppetserver 6.
>>
>>>
>>> sometimes it is good to write and think and read more and more.
I solved my problem. 
The exact steps are written in the documentation but you have to find it.

It is written under 
https://puppet.com/docs/puppet/5.3/config_ssl_external_ca.html#option-2-puppet-server-functioning-as-an-intermediate-ca
 
Puppet agent
You need to do two things to prepare Puppet agent for this CA configuration:
If you copy this file into place before the first Puppet run, you will not
receive any errors. If you attempt a Puppet run prior to this file being
present you will receive errors since the auto-distributed ca.pem file
doesn’t include the root CA.
Example error:
Error: Could not request certificate: SSL_connect returned=1 errno=0 
state=error: certificate verify failed: [unable to get local issuer 
certificate for /CN=]

Copy the CA bundle in place prior to a Puppet run.

Disable certificate revocation validation.

Copy the CA bundle you created to /etc/puppetlabs/puppet/ssl/certs/ca.pem on 
every agent node.
Set certificate_revocation = false in the [main] section of puppet.conf on 
every agent node:

[main]
certificate_revocation = false

Once you’ve completed both of these steps, the agent can run successfully.

Have a nice weekend,

Michael



[Puppet Users] Re: Puppetserver 6.0 -> Error:num=20 and Error:num=21

2019-01-04 Thread 'Michael Post' via Puppet Users
Hello,

Am Freitag, 4. Januar 2019 22:21:47 UTC+1 schrieb Michael Post:
>
> Hello,
>
> yesterday and today I set up a new Debian Stretch VM and want to install a
> fresh environment with puppetserver 6.
>
> sometimes it is good to write and think and read more and more.
I solved my problem. The exact steps are written in the documentation but 
you have to find it.

It is written under 
https://puppet.com/docs/puppet/5.3/config_ssl_external_ca.html#option-2-puppet-server-functioning-as-an-intermediate-ca

In lieu of its built-in certificate authority (CA) and public key 
infrastructure (PKI) tools, Puppet can use an existing external CA for all 
of its secure socket layer (SSL) communications.

This page describes the supported and tested configurations for external 
CAs in this version of Puppet. If you have an external CA use case that 
isn’t covered here, please contact Puppet so we can learn more about it.

Supported external CA configurations

This version of Puppet supports *some* external CA configurations, but not 
every possible arrangement. We fully support the following setups:

   1. Single self-signed CA which directly issues SSL certificates.
   2. Puppet Server functioning as an intermediate CA of a root self-signed CA.

These are fully supported by Puppet, which means:

   - Issues that arise in one of these three arrangements are considered 
   *bugs,* and we’ll fix them ASAP. 
   - Issues that arise in any *other* external CA setup are consi

[Puppet Users] Re: Puppetserver 6.0 -> Error:num=20 and Error:num=21

2019-01-04 Thread 'Michael Post' via Puppet Users

Am Freitag, 4. Januar 2019 22:21:47 UTC+1 schrieb Michael Post:
>
> Hello,
>
>
 
Additional information to the problem:

On the node I can make a "puppet agent -t" and the first time the node is
connecting to the puppetserver. At the puppetserver I sign this request
with 'puppetserver ca sign --certname=..xxx' and afterwards I
see the node correct under the section of signed certificates in the list
of 'puppetserver ca list --all'.

But on the next 'puppet agent -t' on the node I get the following output:

Info: Caching certificate for 1440zb827eb606d67.purematic.de

*Error: Could not request certificate: SSL_connect returned=1 errno=0 
state=error: certificate verify failed: [unable to get issuer certificate 
for /CN=Puppet CA: ..xxx]*

Exiting; failed to retrieve certificate and waitforcert is disabled

I did removing old stuff under /var/lib/puppet/ssl and tried it again with 
a new certification signing at the puppetserver, but with the same effect.

PS: I append multiple alt dns names for the certificate at the
puppetserver. With the command 'puppetserver ca list --all' I see all alt
dns names.

Greets,

Michael

>
>



[Puppet Users] Puppetserver 6.0 -> Error:num=20 and Error:num=21

2019-01-04 Thread 'Michael Post' via Puppet Users
Hello,

yesterday and today I set up a new Debian Stretch VM and want to install a
fresh environment with puppetserver 6.

I did it twice, but in both ways I got the same error.

:depth=0 CN = .xx.xxx
verify error:num=20:unable to get local issuer certificate
verify return:1
depth=0 CN = .xx.xxx
verify error:num=21:unable to verify the first certificate
verify return:1



puppet agent -t works fine at the puppetserver-host.

But at the node, I got this error.


I could not find anything on the internet that makes it clear to me and
describes my concrete situation.


Thanks for every hint and help.


Greetings,


Michael




[Puppet Users] Re: Bolt 1.8.0 now available

2019-01-04 Thread vlastimil . holer
On Friday, January 4, 2019 at 5:28:29 PM UTC+1, Eric Sorenson wrote:
>
> Vlastimil - I'm forwarding this message to the puppet-users list instead 
> of puppet-announce.
>

Sorry, my fault. I have noticed the wrong group (since the announcements 
are the same in both) after I sent the question. Thanks!



[Puppet Users] Re: Bolt 1.8.0 now available

2019-01-04 Thread Eric Sorenson
Vlastimil - I'm forwarding this message to the puppet-users list instead of 
puppet-announce.

--eric0

> From: vlastimil.ho...@gmail.com
> Subject: Re: Bolt 1.8.0 now available
> Date: January 4, 2019 at 3:46:31 AM PST
> To: Puppet Announce 
> 
> 
> Hello,
> 
> On Friday, January 4, 2019 at 12:01:51 AM UTC+1, Puppet Product Updates wrote:
> Greetings!
> 
> We're happy to announce the release of Bolt 1.8.0. Highlights in this release 
> include:
> Standard library functions
> 
> how to use those new functions?
> 
> Having a following simple plan:
> 
> plan profiles::test {
>   ctrl::sleep(5)
> }
> 
> Complains about unknown function:
> $ bolt --boltdir=$PWD plan run profiles::test
> Starting: plan profiles::test
> Finished: plan profiles::test in 0.02 sec
> {
>   "kind": "bolt/pal-error",
>   "msg": "Evaluation Error: Unknown function: 'ctrl::sleep'. (file: 
> .../bolt/site/profiles/plans/test.pp, line: 2, column: 3)",
>   "details": {
>   }
> }
> 
> Having Bolt 1.8 from packages for C7:
> $ rpm -q puppet-bolt
> puppet-bolt-1.8.0-1.el7.x86_64
> 
> Thank you,
> Vlastimil Holer
>  
> For more information, check out the release notes: 
> https://puppet.com/docs/bolt/1.x/bolt_release_notes.html 
> 
> 
> To try this version of Bolt, follow the installation instructions for your 
> operating system:
> https://puppet.com/docs/bolt/1.x/bolt_installing.html 
> 
> 
> Thanks!
> 
> 



Re: [Puppet Users] Re: Bolt 1.8.0 now available

2019-01-04 Thread Michael Smith
Oof, we messed up packaging it. I’ll see about getting a new release out
today.

On Fri, Jan 4, 2019 at 03:54  wrote:

> Hello,
>
> On Friday, January 4, 2019 at 12:01:58 AM UTC+1, Puppet Product Updates
> wrote:
>>
>> Greetings!
>>
>> We're happy to announce the release of Bolt 1.8.0. Highlights in this
>> release include:
>>
>>- Standard library functions
>>
>>
> How to use those new functions?
>
> I have the following simple plan:
>
> plan profiles::test {
>   ctrl::sleep(5)
> }
>
> But, Bolt complains about unknown function:
>
> $ bolt --boltdir=$PWD plan run profiles::test
> Starting: plan profiles::test
> Finished: plan profiles::test in 0.02 sec
> {
>   "kind": "bolt/pal-error",
>   "msg": "Evaluation Error: Unknown function: 'ctrl::sleep'. (file: ...bolt/site/profiles/plans/test.pp, line: 2, column: 3)",
>   "details": {
>   }
> }
>
> I have Bolt 1.8.0 packaged for the C7:
>
> $ rpm -q puppet-bolt
> puppet-bolt-1.8.0-1.el7.x86_64
>
> Thank you,
> Vlastimil Holer
>
>> For more information, check out the release notes:
>> https://puppet.com/docs/bolt/1.x/bolt_release_notes.html
>>
>> To try this version of Bolt, follow the installation instructions for
>> your operating system:
>> https://puppet.com/docs/bolt/1.x/bolt_installing.html
>>
>> Thanks!
>>
>



[Puppet Users] Re: Bolt 1.8.0 now available

2019-01-04 Thread vlastimil . holer
Hello,

On Friday, January 4, 2019 at 12:01:58 AM UTC+1, Puppet Product Updates 
wrote:
>
> Greetings!
>
> We're happy to announce the release of Bolt 1.8.0. Highlights in this 
> release include:
>
>- Standard library functions
>
>
How to use those new functions?

I have the following simple plan:

plan profiles::test {
  ctrl::sleep(5)
}

But, Bolt complains about unknown function:

$ bolt --boltdir=$PWD plan run profiles::test
Starting: plan profiles::test
Finished: plan profiles::test in 0.02 sec
{
  "kind": "bolt/pal-error",
  "msg": "Evaluation Error: Unknown function: 'ctrl::sleep'. (file: ...bolt/site/profiles/plans/test.pp, line: 2, column: 3)",
  "details": {
  }
}

I have Bolt 1.8.0 packaged for the C7:

$ rpm -q puppet-bolt
puppet-bolt-1.8.0-1.el7.x86_64

Thank you,
Vlastimil Holer

> For more information, check out the release notes:
> https://puppet.com/docs/bolt/1.x/bolt_release_notes.html
>
> To try this version of Bolt, follow the installation instructions for your 
> operating system:
> https://puppet.com/docs/bolt/1.x/bolt_installing.html
>
> Thanks!
>
