Jira (PDB-4604) Certificate errors on puppet-master to puppetdb connection when using external CA on initial puppet agent run


Wojtek (JIRA)

Dec 16, 2019, 8:54:05 AM
to puppe...@googlegroups.com
Wojtek created an issue
 
PuppetDB / Bug PDB-4604
Certificate errors on puppet-master to puppetdb connection when using external CA on initial puppet agent run
Issue Type: Bug
Assignee: Unassigned
Components: PuppetDB
Created: 2019/12/16 5:53 AM
Priority: Normal
Reporter: Wojtek

Hello,

We are running a puppet master and puppetdb setup with an external CA (using HashiCorp Vault as a PKI).

The problem is that the puppet master is trying to generate the certs from a nonexistent CA on the initial puppet run. Below are snippets from the puppet agent and the puppet server:

### puppet-agent
puppet agent -t
Warning: Unable to fetch my node definition, but the agent run will continue:
Warning: Error 500 on SERVER: Server Error: Could not retrieve facts for puppet-agent.example.net: Failed to find facts from PuppetDB at puppet:8140: Unknown signature algorithm ''

### puppet-master
2019-12-16 13:15:51,520 INFO  [puppetserver] Puppet Creating a new SSL key for puppet-master.example.net
2019-12-16 13:15:54,534 INFO  [puppetserver] Puppet csr_attributes file loading from /etc/puppetlabs/puppet/csr_attributes.yaml
2019-12-16 13:15:54,535 INFO  [puppetserver] Puppet Creating a new SSL certificate request for puppet-master.example.net
X509::Request#version= has no effect on certification request
WARNING: unimplemented method called: request#signature_algorithm
2019-12-16 13:15:54,592 ERROR [puppetserver] Puppet Server Error: Could not retrieve facts for puppet-agent.example.net: Failed to find facts from PuppetDB at puppet:8140: Unknown signature algorithm ''
/opt/puppetlabs/puppet/lib/ruby/vendor_ruby/puppet/indirector/facts/puppetdb.rb:86:in `find'
/opt/puppetlabs/puppet/lib/ruby/vendor_ruby/puppet/util/profiler/around_profiler.rb:58:in `profile'
/opt/puppetlabs/puppet/lib/ruby/vendor_ruby/puppet/util/profiler.rb:51:in `profile'
/opt/puppetlabs/puppet/lib/ruby/vendor_ruby/puppet/util/puppetdb.rb:99:in `profile'
/opt/puppetlabs/puppet/lib/ruby/vendor_ruby/puppet/indirector/facts/puppetdb.rb:57:in `find'
/opt/puppetlabs/puppet/lib/ruby/vendor_ruby/puppet/indirector/indirection.rb:198:in `find'
/opt/puppetlabs/puppet/lib/ruby/vendor_ruby/puppet/node.rb:135:in `fact_merge'
/opt/puppetlabs/puppet/lib/ruby/vendor_ruby/puppet/indirector/node/plain.rb:18:in `find'
/opt/puppetlabs/puppet/lib/ruby/vendor_ruby/puppet/indirector/indirection.rb:198:in `find'
/opt/puppetlabs/puppet/lib/ruby/vendor_ruby/puppet/network/http/api/indirected_routes.rb:121:in `do_find'
/opt/puppetlabs/puppet/lib/ruby/vendor_ruby/puppet/network/http/api/indirected_routes.rb:48:in `call'
/opt/puppetlabs/puppet/lib/ruby/vendor_ruby/puppet/context.rb:65:in `override'
/opt/puppetlabs/puppet/lib/ruby/vendor_ruby/puppet.rb:260:in `override'
/opt/puppetlabs/puppet/lib/ruby/vendor_ruby/puppet/network/http/api/indirected_routes.rb:47:in `call'
/opt/puppetlabs/puppet/lib/ruby/vendor_ruby/puppet/network/http/route.rb:82:in `process'
org/jruby/RubyArray.java:1613:in `each'
/opt/puppetlabs/puppet/lib/ruby/vendor_ruby/puppet/network/http/route.rb:81:in `process'
/opt/puppetlabs/puppet/lib/ruby/vendor_ruby/puppet/network/http/route.rb:87:in `process'
/opt/puppetlabs/puppet/lib/ruby/vendor_ruby/puppet/network/http/route.rb:87:in `process'
/opt/puppetlabs/puppet/lib/ruby/vendor_ruby/puppet/network/http/handler.rb:64:in `process'
/opt/puppetlabs/puppet/lib/ruby/vendor_ruby/puppet/util/profiler/around_profiler.rb:58:in `profile'
/opt/puppetlabs/puppet/lib/ruby/vendor_ruby/puppet/util/profiler.rb:51:in `profile'
/opt/puppetlabs/puppet/lib/ruby/vendor_ruby/puppet/network/http/handler.rb:62:in `process'
file:/opt/puppetlabs/server/apps/puppetserver/puppet-server-release.jar!/puppetserver-lib/puppet/server/master.rb:42:in `handleRequest'
Puppet$$Server$$Master_2064192297.gen:13:in `handleRequest'
request_handler_core.clj:273:in `invoke'
jruby_request.clj:48:in `invoke'
jruby_request.clj:33:in `invoke'
request_handler_service.clj:47:in `handle_request'
request_handler.clj:3:in `invoke'
core.clj:2515:in `invoke'
ring_middleware.clj:290:in `invoke'
core.clj:170:in `invoke'
core.clj:216:in `invoke'
core.clj:47:in `invoke'
core.clj:357:in `invoke'
core.clj:53:in `invoke'
ringutils.clj:83:in `invoke'
master_core.clj:721:in `invoke'
ring.cljc:25:in `invoke'
ring.cljc:16:in `invoke'
comidi.clj:245:in `invoke'
http.clj:152:in `invoke'
http.clj:152:in `invoke'
http.clj:148:in `invoke'
comidi.clj:332:in `invoke'
jetty9_core.clj:434:in `invoke'
normalized_uri_helpers.clj:74:in `invoke'

My puppetdb.conf on the puppet-master:

cat /etc/puppetlabs/puppet/puppetdb.conf
[main]
server_urls = https://puppetdb.example.net:24042

On the subsequent run everything seems to be fine and no 500 error is thrown. Is there any way to tell the puppet master not to generate the certs upon connecting to puppetdb?

Any help appreciated

Thanks a lot

This message was sent by Atlassian JIRA (v7.7.1#77002-sha1:e75ca93)