PuppetDB Service Won't Install/Start


Dan

Oct 8, 2015, 3:32:20 PM
to Puppet Users
Hi,

I've just started to build a Centos 7 puppet master and I've applied the puppetdb classes as follows:

  class { 'puppetdb': }

  class { 'puppetdb::master::config':
    require => Class['puppetdb']
  }

The whole catalog runs fine also installing puppetserver but when it gets to starting the puppetdb service it blows up and if I check the service status I get:

[root@basecentos ~]# systemctl status puppetdb.service
puppetdb.service - puppetdb Service
   Loaded: loaded (/usr/lib/systemd/system/puppetdb.service; disabled)
   Active: failed (Result: exit-code) since Fri 2015-10-09 04:05:02 JST; 25min ago
  Process: 21591 ExecStartPost=/bin/bash ${INSTALL_DIR}/ezbake-functions.sh wait_for_app (code=exited, status=1/FAILURE)
  Process: 21590 ExecStart=/usr/bin/java $JAVA_ARGS -XX:OnOutOfMemoryError=kill -9 %%p -Djava.security.egd=/dev/urandom -cp ${INSTALL_DIR}/puppetdb.jar clojure.main -m puppetlabs.puppetdb.main --config ${CONFIG} -b ${BOOTSTRAP_CONFIG} $@ (code=exited, status=1/FAILURE)
 Main PID: 21590 (code=exited, status=1/FAILURE)

Oct 09 04:05:02 basecentos java[21590]: clojure.main$main.doInvoke (main.clj:421)
Oct 09 04:05:02 basecentos java[21590]: clojure.lang.RestFn.invoke (RestFn.java:512)
Oct 09 04:05:02 basecentos java[21590]: clojure.lang.Var.invoke (Var.java:409)
Oct 09 04:05:02 basecentos java[21590]: clojure.lang.AFn.applyToHelper (AFn.java:178)
Oct 09 04:05:02 basecentos java[21590]: clojure.lang.Var.applyTo (Var.java:700)
Oct 09 04:05:02 basecentos java[21590]: clojure.main.main (main.java:37)
Oct 09 04:05:02 basecentos systemd[1]: puppetdb.service: main process exited, code=exited, status=1/FAILURE
Oct 09 04:05:02 basecentos systemd[1]: puppetdb.service: control process exited, code=exited status=1
Oct 09 04:05:02 basecentos systemd[1]: Failed to start puppetdb Service.
Oct 09 04:05:02 basecentos systemd[1]: Unit puppetdb.service entered failed state.


I've been looking around and have no idea how to get past this next bit....any suggestions?

Thanks

Dan

Wyatt Alt

Oct 8, 2015, 8:18:08 PM
to puppet...@googlegroups.com, Dan
Hey Dan,

I see the bottom of a java stacktrace in your log snippet there -- could
you get the full stacktrace from journalctl and stick it in a gist?

Wyatt

Dan

Oct 9, 2015, 7:35:04 AM
to Puppet Users, d...@ifunky.net
Hi Wyatt,

Thanks for the pointer!  I found the full stack trace which gives a better error:

I just need to work out how to configure the SSL configuration now.


2015-10-09 20:28:24,184 INFO  [p.p.pdb-routing] Starting PuppetDB, entering maintenance mode
2015-10-09 20:28:24,257 INFO  [p.t.s.n.nrepl-service] nREPL service disabled, not starting
2015-10-09 20:28:24,258 INFO  [p.t.s.w.jetty9-service] Starting web server(s).
2015-10-09 20:28:24,293 ERROR [p.t.internal] Error during service start!!!
java.lang.IllegalArgumentException: Missing some SSL configuration; must provide either :ssl-cert, :ssl-key, and :ssl-ca-cert, OR :truststore, :trust-password, :keystore, and :key-password.
        at puppetlabs.trapperkeeper.services.webserver.jetty9_config$eval28763$get_jks_keystore_config_BANG___28764$fn__28768.invoke(jetty9_config.clj:288) ~[na:na]
        at puppetlabs.trapperkeeper.services.webserver.jetty9_config$eval28763$get_jks_keystore_config_BANG___28764.invoke(jetty9_config.clj:282) ~[na:na]
        at puppetlabs.trapperkeeper.services.webserver.jetty9_config$eval28787$get_keystore_config_BANG___28788$fn__28789.invoke(jetty9_config.clj:307) ~[na:na]
        at puppetlabs.trapperkeeper.services.webserver.jetty9_config$eval28787$get_keystore_config_BANG___28788.invoke(jetty9_config.clj:300) ~[na:na]
        at puppetlabs.trapperkeeper.services.webserver.jetty9_config$eval28963$maybe_get_https_connector__28964$fn__28965.invoke(jetty9_config.clj:399) ~[na:na]
        at puppetlabs.trapperkeeper.services.webserver.jetty9_config$eval28963$maybe_get_https_connector__28964.invoke(jetty9_config.clj:390) ~[na:na]
        at puppetlabs.trapperkeeper.services.webserver.jetty9_config$eval29004$maybe_add_https_connector__29005$fn__29006.invoke(jetty9_config.clj


Thanks

Dan

Ken Barber

Oct 9, 2015, 4:01:00 PM
to Puppet Users, d...@ifunky.net
On Fri, Oct 9, 2015 at 4:35 AM, Dan <d...@ifunky.net> wrote:
> Hi Wyatt,
>
> Thanks for the pointer! I found the full stack trace which gives a better
> error:
>
> I just need to workout how to configure the SSL configuration now.

Try `puppetdb ssl-setup` on the command line. It requires that you've
done a full puppet agent run first, since it re-uses Puppet's SSL
certs/key files. Otherwise, you can create new ones manually using the
`puppet cert` tooling:
https://docs.puppetlabs.com/references/4.2.0/man/cert.html. Just be
mindful that normal SSL validation rules apply here with the
certificate hostnames. So you must match the real client's hostname,
much like a browser, or the client will reject the server.

Dan

Oct 13, 2015, 6:13:57 PM
to Puppet Users, d...@ifunky.net
Excellent thanks guys that got me going on the right path looking at the certs.  I'm using puppet apply to build the initial puppet master so the agent won't have executed when it gets to installing puppetdb so I'll need to work around this somehow.

Dan

Ken Barber

Oct 14, 2015, 7:39:38 AM
to Puppet Users
On Tue, Oct 13, 2015 at 11:13 PM, Dan <d...@ifunky.net> wrote:
> Excellent thanks guys that got me going on the right path looking at the
> certs. I'm using puppet apply to build the initial puppet master so the
> agent won't have executed when it gets to installing puppetdb so I'll need
> to work around this somehow.
>
> Dan

Use puppet cert generate to make the certs before building your master
perhaps? i.e. take the step the master normally does for you out of
band, and do it yourself. afaik its own certificate generation steps
are totally reproducible. If you're building masters from scratch it's
good to have control of this step anyway, since you often want to
manage the CA.

Wes Miles

Jan 13, 2016, 7:47:13 AM
to Puppet Users
Hi,

Like Dan's original post I am also installing onto Centos 7 and running puppet masterless to install my puppetserver and puppetdb.

Upon startup of the puppetserver service it correctly generates the required ssl files under /etc/puppetlabs/puppet/ssl

When running a manual yum install puppetdb the ssl-setup script correctly identifies no ssl directory under /etc/puppetlabs/puppetdb
and copies in the required files and updates the jetty.ini with the paths. I can then start puppetdb with no problems.

However when running the same command through puppet using the puppetlabs/puppetdb community module the puppetdb is installed but the ssl files are not copied over and the jetty.ini isn't updated suggesting the ssl-setup isn't even being run or if it is I don't know where to look to confirm it ran but had an error.

I am using:

puppetserver version: 2.2.1

puppetdb version: 3.2.3



Any help would be greatly appreciated.

Wes
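
One way to confirm whether the SSL paths ever reached jetty.ini, following the rule quoted in the startup error earlier in the thread (an added example, not code from any poster or from the puppetdb module). The function names ini_get and check_jetty_ssl are hypothetical, the sample jetty.ini is constructed, and the settings are assumed to sit in a [jetty] section.

```shell
#!/usr/bin/env bash
# Added example: check that a jetty.ini satisfies the rule in the startup error:
# ssl-cert + ssl-key + ssl-ca-cert, OR truststore + trust-password + keystore
# + key-password. Assumption: the settings live in the [jetty] section.

# Print the value of KEY from the [jetty] section of FILE (nothing if unset).
ini_get() {  # usage: ini_get FILE KEY
  awk -v key="$2" '
    /^[ \t]*\[/   { in_jetty = ($0 ~ /^[ \t]*\[jetty\]/); next }
    /^[ \t]*[#;]/ { next }
    in_jetty && index($0, "=") {
      k = substr($0, 1, index($0, "=") - 1); v = substr($0, index($0, "=") + 1)
      gsub(/^[ \t]+|[ \t]+$/, "", k); gsub(/^[ \t]+|[ \t]+$/, "", v)
      if (k == key) { print v; exit }
    }' "$1"
}

# Return 0 if one complete set is configured, 1 if neither set is complete,
# 2 if a PEM setting points at a file that is not readable.
check_jetty_ssl() {  # usage: check_jetty_ssl FILE
  local ini="$1" k v pem_missing="" jks_missing=""
  for k in ssl-cert ssl-key ssl-ca-cert; do
    v=$(ini_get "$ini" "$k")
    if [ -z "$v" ]; then pem_missing="$pem_missing $k"
    elif [ ! -r "$v" ]; then echo "unreadable: $k = $v"; return 2
    fi
  done
  if [ -z "$pem_missing" ]; then echo "ok: PEM settings complete"; return 0; fi
  for k in truststore trust-password keystore key-password; do
    [ -n "$(ini_get "$ini" "$k")" ] || jks_missing="$jks_missing $k"
  done
  if [ -z "$jks_missing" ]; then echo "ok: keystore settings complete"; return 0; fi
  echo "missing:$pem_missing (PEM set) /$jks_missing (keystore set)"
  return 1
}

# Constructed sample: a jetty.ini with no SSL settings written to it.
demo_dir=$(mktemp -d)
printf '[jetty]\nhost = localhost\nport = 8080\nssl-port = 8081\n' > "$demo_dir/jetty.ini"
check_jetty_ssl "$demo_dir/jetty.ini" || echo "exit status: $?"
```

Run check_jetty_ssl against the real jetty.ini as a user that can read the key file, since exit status 2 is also what an unprivileged user sees for a key it cannot read.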
