| Puppet Version: agent 6.14.0-1-el7
Puppet Server Version: pupperware 3.7
OS Name/Version: centos7

This is somewhat like https://tickets.puppetlabs.com/browse/PUP-8889

I have the letsencrypt certificate bundles and things set up in /etc/pki/ca-trust/source/anchors/ and a symlink in the puppet certs place and done a c_rehash:
- ls -la /opt/puppetlabs/puppet/ssl/certs
total 0
drwxr-xr-x. 2 root root 62 Apr 15 15:04 .
drwxr-xr-x. 5 root root 178 Apr 15 14:38 ..
lrwxrwxrwx 1 root root 30 Apr 15 15:04 4f06f81d.0 -> letsencryptauthorityx3.pem.txt
lrwxrwxrwx 1 root root 63 Apr 15 10:34 letsencryptauthorityx3.pem.txt -> /etc/pki/ca-trust/source/anchors/letsencryptauthorityx3.pem.txt

I am using a letsencrypt certificate on our internal downloads server, from which I am pulling a file. With agent 6.14 I get a certificate failure. With 6.12 I don't get a cert error. I have tried many different things to try and find out why, even running the agent with full debug from strace!!

Desired Behavior: this should work:

file { '/usr/local/bin/vault_linux_amd64':
  ensure   => file,
  source   => 'https://intranet.example.com/download/vault_linux_amd64',
  checksum => mtime,
  mode     => '0755',
  owner    => root,
  group    => root,
}

Actual Behavior: But what actually happens is you get this cert error

Error: certificate verify failed [unable to get local issuer certificate for CN=intranet.example.com]
Error: /Stage[main]/blahblah::Install/File['/usr/local/bin/vault_linux_amd64']/ensure: change from 'absent' to 'file' failed: certificate verify failed [unable to get local issuer certificate for CN=intranet.example.com] (corrective)

When I downgraded our puppet agents from 6.14.0-1.el7 to 6.12.0-1.el7.x86_64 then it worked again |
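
An added diagnostic, not part of the original report: this shell function audits a c_rehash-style directory such as /opt/puppetlabs/puppet/ssl/certs, checking that every certificate has its subject-hash link and that its issuer is also present in the same directory. The function name check_capath and its output labels are assumptions made for this example; it relies only on the openssl x509 options -subject_hash and -issuer_hash.

```shell
#!/bin/sh
# Added example (not from the report): audit an OpenSSL hashed CA directory.
# Usage: check_capath /opt/puppetlabs/puppet/ssl/certs
# Prints one status line per certificate file; returns 1 if any certificate
# has no <subject_hash>.N link or if its issuer is not in the directory.
check_capath() {
    dir=$1
    rc=0
    for f in "$dir"/*; do
        [ -f "$f" ] || continue            # follows symlinks, skips dangling ones
        name=$(basename "$f")
        # Skip the hash links themselves: 8 hex digits, a dot, an index.
        case $name in
            [0-9a-f][0-9a-f][0-9a-f][0-9a-f][0-9a-f][0-9a-f][0-9a-f][0-9a-f].[0-9]*)
                continue ;;
        esac
        # Skip anything that does not parse as a PEM certificate.
        openssl x509 -in "$f" -noout 2>/dev/null || continue
        shash=$(openssl x509 -in "$f" -noout -subject_hash)
        ihash=$(openssl x509 -in "$f" -noout -issuer_hash)
        if ! ls "$dir/$shash".[0-9]* >/dev/null 2>&1; then
            # Without this link a CApath lookup never finds the certificate.
            echo "MISSING-LINK $name (expected $shash.0)"
            rc=1
        elif [ "$shash" = "$ihash" ]; then
            # Subject and issuer names match: treated as a self-signed root.
            echo "ROOT $name"
        elif ls "$dir/$ihash".[0-9]* >/dev/null 2>&1; then
            echo "OK $name (issuer $ihash present)"
        else
            # An intermediate whose issuer is absent: a verifier limited to
            # this directory stops here with "unable to get local issuer".
            echo "NO-ISSUER $name (issuer hash $ihash not in $dir)"
            rc=1
        fi
    done
    return $rc
}
```

A NO-ISSUER line means the directory on its own does not contain a complete chain up to a root for that certificate, so the result depends on which other trust stores the client consults.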