Jira (PUP-10365) puppet agent unable to fetch file from https source - Error: certificate verify failed


Josh Cooper (Jira)

Mar 11, 2020, 6:58:03 PM
to puppe...@googlegroups.com
Josh Cooper updated an issue
Puppet / Bug PUP-10365
puppet agent unable to fetch file from https source - Error: certificate verify failed
Change By: Josh Cooper
Fix Version/s: PUP 6.14.0
This message was sent by Atlassian Jira (v8.5.2#805002-sha1:a66f935)

Josh Cooper (Jira)

Mar 11, 2020, 6:58:04 PM
to puppe...@googlegroups.com
Josh Cooper moved an issue
Change By: Josh Cooper
Fix Version/s: puppet-agent 6.13.0 -> PUP 6.14.0
Key: PA-3168 -> PUP-10365
Affects Version/s: puppet-agent 6.14.0 -> PUP 6.14.0
Project: Puppet Agent -> Puppet

Josh Cooper (Jira)

Mar 12, 2020, 2:13:04 AM
to puppe...@googlegroups.com
Josh Cooper commented on Bug PUP-10365
Re: puppet agent unable to fetch file from https source - Error: certificate verify failed

The file type needs to pass the include_system_store keyword argument:

diff --git a/lib/puppet/type/file/source.rb b/lib/puppet/type/file/source.rb
index bb215d59c4..3d445bbe5a 100644
--- a/lib/puppet/type/file/source.rb
+++ b/lib/puppet/type/file/source.rb
@@ -298,7 +298,7 @@ module Puppet
 
     def get_from_http_source(url, &block)
       client = Puppet.runtime['http']
-      client.get(url) do |response|
+      client.get(url, include_system_store: true) do |response|
         raise Puppet::HTTP::ResponseError.new(response) unless response.success?
 
         response.read_body(&block)
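Review bot: the keyword is added only to the get call in get_from_http_source; check whether the metadata/HEAD request the file type makes for an https source before streaming the body goes through the same client call, because a lookup that still uses the puppet-CA-only store will fail with the same "certificate verify failed" before this line is reached. The scoping itself is right: include_system_store: true widens trust for this download only, not for catalog or pluginsync traffic, which is exactly why editing localcacert is not an acceptable substitute. A test that fetches a file source from a server whose certificate chains to a CA outside the puppet CA would have caught the 6.14.0 regression; it should land with this one-line fix.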

Josh Cooper (Jira)

Mar 12, 2020, 6:24:03 PM
to puppe...@googlegroups.com
Josh Cooper updated an issue
Change By: Josh Cooper
Release Notes: Bug Fix
Release Notes Summary: Fixes a regression in 6.14.0 that prevented puppet agents from retrieving file content from "https" sources when the server's certificate was issued by a CA other than the puppet CA.

Melissa Stone (Jira)

Mar 19, 2020, 1:48:03 PM
to puppe...@googlegroups.com

This has passed CI as a part of puppet-agent 6.14.0.84.g4db3cb9c

Maximilian Philipps (Jira)

Mar 20, 2020, 6:52:03 AM
to puppe...@googlegroups.com

Are there any plans for a bug fix release including this? Just spent several hours debugging this only to finally come up with the same fix, followed by me finding this bug report.

I have also tried to always include the system store, but apparently include here means replace the puppetmaster CA, not add to it.

The best workaround I can think of right now is to have a puppet file_line resource patch puppet, which doesn't feel right.

Josh Cooper (Jira)

Mar 20, 2020, 11:29:02 AM
to puppe...@googlegroups.com
Josh Cooper commented on Bug PUP-10365

Our next planned release is 6.15.0 in early April.

One workaround is to add the non-root CA (and intermediates) to the Puppet[:localcacert] file on the agents. However, that is a potential security risk as the agent would trust non-puppet CAs when downloading a catalog, pluginsync'ing, etc, so I can't recommend that.

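The trust-store distinction in the comment above, as an added example that is not part of this thread or of the Puppet code base: it builds a throwaway "puppet CA" (standing in for the CA behind localcacert) and a throwaway "external CA" (standing in for a CA the OS system store trusts) in memory with Ruby's OpenSSL bindings, issues a file-server certificate from the external CA, and verifies certificates against a puppet-CA-only store and a puppet-plus-external store. All CA names and hostnames are made up.

```ruby
require 'openssl'

# Added example, not Puppet project code. Every key, CA and certificate here is
# generated in memory; the names are invented for the demonstration.

# Self-signed CA certificate with the extensions a verifier expects on a root.
def make_ca(cn)
  key  = OpenSSL::PKey::RSA.new(2048)
  cert = OpenSSL::X509::Certificate.new
  cert.version    = 2
  cert.serial     = rand(1..(1 << 62))
  cert.subject    = OpenSSL::X509::Name.parse("/CN=#{cn}")
  cert.issuer     = cert.subject
  cert.public_key = key.public_key
  cert.not_before = Time.now - 60
  cert.not_after  = Time.now + 3600
  ef = OpenSSL::X509::ExtensionFactory.new(cert, cert)
  cert.add_extension(ef.create_extension('basicConstraints', 'CA:TRUE', true))
  cert.add_extension(ef.create_extension('keyUsage', 'keyCertSign,cRLSign', true))
  cert.add_extension(ef.create_extension('subjectKeyIdentifier', 'hash'))
  cert.sign(key, OpenSSL::Digest.new('SHA256'))
  [cert, key]
end

# Server (leaf) certificate for cn, issued by the given CA.
def issue_server_cert(cn, ca_cert, ca_key)
  key  = OpenSSL::PKey::RSA.new(2048)
  cert = OpenSSL::X509::Certificate.new
  cert.version    = 2
  cert.serial     = rand(1..(1 << 62))
  cert.subject    = OpenSSL::X509::Name.parse("/CN=#{cn}")
  cert.issuer     = ca_cert.subject
  cert.public_key = key.public_key
  cert.not_before = Time.now - 60
  cert.not_after  = Time.now + 3600
  ef = OpenSSL::X509::ExtensionFactory.new(ca_cert, cert)
  cert.add_extension(ef.create_extension('basicConstraints', 'CA:FALSE', true))
  cert.add_extension(ef.create_extension('keyUsage', 'digitalSignature,keyEncipherment', true))
  cert.add_extension(ef.create_extension('extendedKeyUsage', 'serverAuth'))
  cert.add_extension(ef.create_extension('subjectAltName', "DNS:#{cn}"))
  cert.sign(ca_key, OpenSSL::Digest.new('SHA256'))
  cert
end

# A trust store holding exactly the given CA certificates, the way the agent
# builds one from localcacert (and, with include_system_store, the OS store too).
def trust_store(*ca_certs)
  store = OpenSSL::X509::Store.new
  ca_certs.each { |c| store.add_cert(c) }
  store
end

# true if cert chains to a CA in the store (chain check only; no hostname check).
def trusted?(store, cert)
  store.verify(cert)
end

# Runs the four checks that matter for PUP-10365 and returns their results.
def trust_outcomes
  puppet_ca, _puppet_key       = make_ca('Puppet CA')          # the CA in localcacert
  external_ca, external_key    = make_ca('Example Corp Root CA') # a CA in the system store
  file_server  = issue_server_cert('files.example.com', external_ca, external_key)
  rogue_master = issue_server_cert('puppet.example',    external_ca, external_key)

  puppet_only          = trust_store(puppet_ca)               # agent default
  puppet_plus_external = trust_store(puppet_ca, external_ca)  # puppet CA + system store

  {
    # 6.14.0 bug: the file download used the puppet-CA-only store and failed.
    default_rejects_file_source:  !trusted?(puppet_only, file_server),
    # The fix: system store included for the file download only, so it succeeds.
    fix_accepts_file_source:      trusted?(puppet_plus_external, file_server),
    # The connection to the puppet server must keep using the puppet-CA-only store.
    default_rejects_rogue_master: !trusted?(puppet_only, rogue_master),
    # Appending the external CA to localcacert applies the widened store to that
    # connection too, so a server cert from the external CA would be accepted.
    widened_localcacert_accepts_rogue_master: trusted?(puppet_plus_external, rogue_master)
  }
end

if __FILE__ == $PROGRAM_NAME
  trust_outcomes.each { |name, result| puts "#{name}: #{result}" }
end
```

In the fixed agent the widened store is used only for the file-source request, so the last outcome never arises in practice; editing localcacert instead makes the same widened store apply to catalog and pluginsync connections, which is the risk the comment points at. A real TLS client would also check the hostname, which this chain-only check leaves out.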
Kevin Reeuwijk (Jira)

Mar 26, 2020, 7:55:04 AM
to puppe...@googlegroups.com

I've developed this workaround that can be used in the mean time, simply add the following code to your baseline:

# Needs puppetlabs-stdlib for file_line. Replaces the one line changed by the
# PUP-10365 patch inside the agent's vendored source.rb. The match must be the
# exact 6.14.0 line (six-space indent); the edit takes effect on a later agent
# run, not the one that applies it, because the file type is already loaded.
file_line { 'workaround-puppet-agent-6-14-ssl-issue':
    ensure => present,
    path   => "${facts['rubysitedir']}/../../vendor_ruby/puppet/type/file/source.rb",
    line   => '      client.get(url, include_system_store: true) do |response|',
    match  => '^      client.get\(url\) do \|response\|',
}


Claire Cadman (Jira)

Apr 6, 2020, 9:40:04 AM
to puppe...@googlegroups.com