Jira (PDB-4540) DNS_ALT_NAMES set by docker puppetdb >= 6.6.0


Christoph Roeder (JIRA)

Oct 3, 2019, 9:17:03 AM
to puppe...@googlegroups.com
Christoph Roeder created an issue
 
PuppetDB / Bug PDB-4540
DNS_ALT_NAMES set by docker puppetdb >= 6.6.0
Issue Type: Bug
Affects Versions: PDB 6.6.0
Assignee: Unassigned
Created: 2019/10/03 6:16 AM
Fix Versions: PDB 6.5.0
Priority: Major
Reporter: Christoph Roeder

Puppet Version: 6.7.0
Puppet Server Version: 6.7.0
OS Name/Version: Ubuntu 18.04

puppetdb 6.6.0 and upwards creates a DNS alt cert even if no env variable DNS_ALT_NAMES is set.

Desired Behavior: create a cert for puppetdb

Actual Behavior: created a cert for puppetdb with alt name "puppetdb,"

puppetdb_1 | Running /docker-entrypoint.d/30-configure-ssl.sh
puppetdb_1 | (/ssl.sh) Using configuration values:
puppetdb_1 | (/ssl.sh) * CERTNAME: 'puppetdb' (/CN=puppetdb)
puppetdb_1 | (/ssl.sh) * DNS_ALT_NAMES: 'puppetdb,'
puppetdb_1 | (/ssl.sh) * CA: 'https://puppet:8140/puppet-ca/v1'
puppetdb_1 | (/ssl.sh) * SSLDIR: '/opt/puppetlabs/server/data/puppetdb/certs'
puppetdb_1 | (/ssl.sh) * WAITFORCERT: '120' seconds
puppetdb_1 | subject=CN = Puppet CA: puppet.home.roeder.io
puppetdb_1 | issuer=CN = Puppet CA: puppet.home.roeder.io
puppetdb_1 | (/ssl.sh) Error: CA already has signed certificate for 'puppetdb'


Christoph Roeder (JIRA)

Oct 3, 2019, 9:23:05 AM
to puppe...@googlegroups.com
Christoph Roeder updated an issue
Change By: Christoph Roeder
*Puppet Version: 6.7.0*
*Puppet Server Version: 6.7.0*
*OS Name/Version: Ubuntu 18.04*


puppetdb 6.6.0 and upwards creates a DNS alt cert even if no env variable DNS_ALT_NAMES is set.

*Desired Behavior:* create a cert for puppetdb

*Actual Behavior:* created a cert for puppetdb with alt name "puppetdb,"


puppetdb_1 | Running /docker-entrypoint.d/30-configure-ssl.sh
puppetdb_1 | (/ssl.sh) Using configuration values:
puppetdb_1 | (/ssl.sh) * CERTNAME: 'puppetdb' (/CN=puppetdb)
puppetdb_1 | (/ssl.sh) * DNS_ALT_NAMES: 'puppetdb,'
puppetdb_1 | (/ssl.sh) * CA: 'https://puppet:8140/puppet-ca/v1'
puppetdb_1 | (/ssl.sh) * SSLDIR: '/opt/puppetlabs/server/data/puppetdb/certs'
puppetdb_1 | (/ssl.sh) * WAITFORCERT: '120' seconds
puppetdb_1 | subject=CN = Puppet CA: puppet.home.roeder.io
puppetdb_1 | issuer=CN = Puppet CA: puppet.home.roeder.io
puppetdb_1 | (/ssl.sh) Error: CA already has signed certificate for 'puppetdb'

Morgan Rhodes (JIRA)

Oct 4, 2019, 12:57:04 PM
to puppe...@googlegroups.com

Morgan Rhodes updated an issue
Change By: Morgan Rhodes
Team: Release Engineering
Sprint: Release Engineering Kanban

Morgan Rhodes (JIRA)

Oct 10, 2019, 5:42:02 PM
to puppe...@googlegroups.com
Morgan Rhodes commented on Bug PDB-4540
 
Re: DNS_ALT_NAMES set by docker puppetdb >= 6.6.0

Hi Christoph Roeder,

Apologies for the delay in getting back to you, it's been a rather busy week. I have a PR up with a fix, just waiting on review/merge from the developer who added the DNS_ALT_NAMES to puppetdb.

Will update here when that's been merged/published.

Morgan Rhodes (JIRA)

Oct 14, 2019, 6:14:04 PM
to puppe...@googlegroups.com
Morgan Rhodes commented on Bug PDB-4540

A fix for this has been published in puppet/puppetdb:6.7.1

John Jeffers (JIRA)

Oct 16, 2019, 11:56:04 PM
to puppe...@googlegroups.com
John Jeffers commented on Bug PDB-4540

Still crashing for me on 6.7.1

puppetdb Running /docker-entrypoint.d/30-configure-ssl.sh
puppetdb (/ssl.sh) Using configuration values:
puppetdb (/ssl.sh) * CERTNAME: 'puppetdb' (/CN=puppetdb)
puppetdb (/ssl.sh) * DNS_ALT_NAMES: ''
puppetdb (/ssl.sh) * CA: 'https://puppet:8140/puppet-ca/v1'
puppetdb (/ssl.sh) * SSLDIR: '/opt/puppetlabs/server/data/puppetdb/certs'
puppetdb (/ssl.sh) * WAITFORCERT: '120' seconds
puppetdb subject=CN = Puppet CA: puppet-7bcd8b4474-p6fzk.puppet.svc.cluster.local
puppetdb issuer=CN = Puppet CA: puppet-7bcd8b4474-p6fzk.puppet.svc.cluster.local
puppetdb (/ssl.sh) Error: CA already has signed certificate for 'puppetdb'

Last version that works as expected is 6.5.0.

 

Morgan Rhodes (JIRA)

Oct 17, 2019, 12:29:03 PM
to puppe...@googlegroups.com
Morgan Rhodes commented on Bug PDB-4540

Hi Christoph Roeder, can you send me more information on how you're running the containers? I see in your output that the DNS alt names aren't getting set any more, but I need more details to diagnose the issue. If you're starting this up with compose, a copy of the docker-compose.yml file you're using would be helpful.

John Jeffers (JIRA)

Oct 17, 2019, 5:42:03 PM
to puppe...@googlegroups.com
John Jeffers commented on Bug PDB-4540

Morgan Rhodes I believe that was directed at me, not Christoph.

I'm running in Kubernetes, pulling images straight from Docker Hub. Not modifying the puppetdb image in any way, just attempting to use it as-is.

If I use the 6.5.0 image in my deployment, puppetdb starts up just fine. Anything later than that, and I get the error above.

Please let me know what other info you need.

Morgan Rhodes (JIRA)

Oct 17, 2019, 6:11:03 PM
to puppe...@googlegroups.com
Morgan Rhodes commented on Bug PDB-4540

John Jeffers ah, yes, you're right

Ok, I have an idea for what the issue might be here. We moved the SSL dir for more consistency with other containers. So, in your k8s config if you have a volume mounting to `/etc/puppetlabs/puppet/ssl/` in the pdb container, try changing that to `/opt/puppetlabs/server/data/puppetdb/certs/`.

If that doesn't work, any info on volumes / env variables would be helpful for trying to replicate.
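The two failure modes discussed in this thread, a DNS_ALT_NAMES list assembled with a stray trailing comma when the variable is unset (the original report) and a certificate directory that looks empty because the volume is still mounted at the old path (the comment just above), as an added shell example. This is not the container's ssl.sh and none of it is Puppet's code: the function names are hypothetical, the naive join is a constructed reconstruction of the defect pattern rather than the real script's logic, and ssl_identity_present assumes Puppet's standard ssldir layout (certs/NAME.pem and private_keys/NAME.pem) under SSLDIR.

```shell
#!/bin/sh
# Added example, not the puppetdb container's ssl.sh: assembling a SAN
# list safely and checking the cert directory before talking to the CA.

# Constructed reconstruction of the defect pattern (hypothetical, not the
# real script): joining CERTNAME and an optional DNS_ALT_NAMES value with
# an unconditional comma. With the variable unset this yields 'puppetdb,',
# i.e. a trailing comma and an empty alt-name entry in the request.
alt_names_naive() {
  printf '%s,%s\n' "$1" "$2"
}

# Corrected form: split on commas, trim whitespace, drop empty entries and
# duplicates, then re-join. With no extra names the list is just CERTNAME.
alt_names_clean() {
  printf '%s\n%s\n' "$1" "$2" \
    | tr ',' '\n' \
    | awk '{ gsub(/^[ \t]+|[ \t]+$/, "") }
           $0 != "" && !seen[$0]++ { out = out (out == "" ? "" : ",") $0 }
           END { print out }'
}

# Pre-flight check for SSLDIR (assumes Puppet's standard ssldir layout):
# the container holds a usable identity only if both the signed cert and
# its private key exist. When the volume is mounted at the old path, both
# look missing, the entrypoint requests a fresh cert for CERTNAME, and the
# CA refuses because it already holds a signed cert for that name.
# Returns 0 when the identity is present, 1 otherwise.
ssl_identity_present() {
  ssldir="$1"
  certname="$2"
  [ -s "$ssldir/certs/$certname.pem" ] &&
    [ -s "$ssldir/private_keys/$certname.pem" ]
}

# Demonstration with constructed inputs.
echo "naive, DNS_ALT_NAMES unset : '$(alt_names_naive puppetdb "")'"
echo "clean, DNS_ALT_NAMES unset : '$(alt_names_clean puppetdb "")'"
echo "clean, with extra names    : '$(alt_names_clean puppetdb "puppetdb.example.test, db ,puppetdb")'"
if ssl_identity_present /opt/puppetlabs/server/data/puppetdb/certs puppetdb; then
  echo "identity present: no CSR needed"
else
  echo "identity absent: check the volume mount path before requesting a cert"
fi
```

In a real entrypoint the identity check would run before any CSR is submitted, so a mis-mounted SSLDIR is reported as a configuration problem on the container side instead of surfacing later as the CA's "already has signed certificate" refusal.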

John Jeffers (JIRA)

Oct 17, 2019, 6:51:03 PM
to puppe...@googlegroups.com
John Jeffers commented on Bug PDB-4540

Morgan Rhodes That was it. I updated the path in the volume mount to `/opt/puppetlabs/server/data/puppetdb/certs/` and it started successfully with 6.7.1. Thanks!

 

Morgan Rhodes (JIRA)

Oct 17, 2019, 6:56:04 PM
to puppe...@googlegroups.com
Morgan Rhodes commented on Bug PDB-4540

Awesome, glad to hear it John Jeffers! Apologies for the breakage, we're unfortunately still in a state where there are some potentially disruptive changes we want to make, but also not a great way to communicate those.

John Jeffers (JIRA)

Oct 17, 2019, 6:57:04 PM
to puppe...@googlegroups.com
John Jeffers commented on Bug PDB-4540

Gotcha. Appreciate the quick reply!

Austin Blatt (JIRA)

Oct 22, 2019, 9:19:02 PM
to puppe...@googlegroups.com
Austin Blatt updated an issue
 
Change By: Austin Blatt
Fix Version/s: PDB 6.7.2