Jira (PUP-8889) Puppet Agent : cannot add certificates for HTTPS


Branan Riley (JIRA)

May 24, 2018, 4:32:03 PM
to puppe...@googlegroups.com
Branan Riley moved an issue
 
Puppet / Bug PUP-8889
Puppet Agent : cannot add certificates for HTTPS
Change By: Branan Riley
Affects Version/s: puppet-agent 5.5.1
Affects Version/s: puppet-agent 1.10.9
Affects Version/s: PUP 4.10.9
Affects Version/s: PUP 5.5.1
Key: PA-2059 -> PUP-8889
Project: Puppet Agent
This message was sent by Atlassian JIRA (v7.7.1#77002-sha1:e75ca93)

Craig Gomes (JIRA)

May 29, 2018, 12:44:03 PM
to puppe...@googlegroups.com

Thomas Mueller (JIRA)

Jun 6, 2018, 7:24:02 AM
to puppe...@googlegroups.com
Thomas Mueller commented on Bug PUP-8889
 
Re: Puppet Agent : cannot add certificates for HTTPS

Franck Jouvanceau 08fa37bb.0 is some hash ID of the CA cert. This is an OpenSSL thing.

After putting a cert into the directory with a human-readable filename, you'll need to run c_rehash /opt/puppetlabs/puppet/ssl/certs/ (https://www.openssl.org/docs/man1.0.2/apps/c_rehash.html) to create hash symlinks.
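
Added example (not part of the original thread or of Puppet's own tooling): a shell function that checks whether every certificate in an OpenSSL hashed directory, such as /opt/puppetlabs/puppet/ssl/certs, has the hash symlink that c_rehash creates. The function name audit_cert_dir and the OPENSSL override variable are assumptions of this example.

```shell
#!/bin/sh
# Audit an OpenSSL hashed certificate directory: each certificate must be
# reachable as <subject_hash>.<n>, the names that c_rehash creates.
# OPENSSL is an assumed override so the check can use the same OpenSSL build
# as the application that reads the directory; it defaults to the one on PATH.
OPENSSL="${OPENSSL:-openssl}"

# audit_cert_dir DIR
# Prints one status line per certificate file.
# Returns 0 when every certificate has a hash entry, 1 otherwise.
audit_cert_dir() {
    dir="$1"
    missing=0
    for cert in "$dir"/*; do
        # Skip the hash symlinks themselves and anything that is not a file.
        [ -L "$cert" ] && continue
        [ -f "$cert" ] || continue
        # Files OpenSSL cannot parse as a certificate are reported, not failed.
        subject_hash=$("$OPENSSL" x509 -in "$cert" -noout -subject_hash 2>/dev/null) || {
            echo "SKIP    $cert (not a parseable certificate)"
            continue
        }
        found=no
        # Certificates with the same subject hash get suffixes .0, .1, ...
        for link in "$dir/$subject_hash".[0-9]*; do
            [ -e "$link" ] || continue
            # -ef is true when both paths resolve to the same file.
            if [ "$link" -ef "$cert" ]; then
                found=yes
                break
            fi
        done
        if [ "$found" = yes ]; then
            echo "OK      $cert -> $(basename "$link")"
        else
            echo "MISSING $cert (no $subject_hash.N entry; run c_rehash)"
            missing=1
        fi
    done
    return "$missing"
}
```

Call it as audit_cert_dir /opt/puppetlabs/puppet/ssl/certs after sourcing the file. OpenSSL releases before 1.0.0 compute a different subject hash, so OPENSSL should point at the build the application actually links against.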

Franck Jouvanceau (JIRA)

Jun 6, 2018, 8:05:02 AM
to puppe...@googlegroups.com

Ok, thanks a lot for the information.

Yes, we are using /etc/pki/ca-trust/source/anchors.

OK, we'll do something like:

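# Mirror the system trust anchors into the cert directory used by Puppet's bundled OpenSSL.
file { '/opt/puppetlabs/puppet/ssl/certs':
  ensure  => 'directory',
  source  => '/etc/pki/ca-trust/source/anchors',
  recurse => true,
}
# Rebuild the hash symlinks only when the directory contents change.
~> exec { 'rehash puppetlabs certs':
  command     => '/opt/puppetlabs/puppet/bin/c_rehash /opt/puppetlabs/puppet/ssl/certs',
  refreshonly => true,
}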

Franck Jouvanceau (JIRA)

Jun 6, 2018, 9:32:02 AM
to puppe...@googlegroups.com

Thomas Mueller, thanks again. Tested, everything is fine; this issue can be closed.

Thomas Mueller (JIRA)

Jun 6, 2018, 8:43:00 PM
to puppe...@googlegroups.com

Just FYI: on EL (RHEL/CentOS) and Fedora, system CA trust certs in PEM format are managed in /etc/pki/ca-trust/extracted/pem/tls-ca-bundle.pem (by the update-ca-trust utility). There's also a Java keystore: /etc/pki/ca-trust/extracted/java/cacerts

If I want to add a custom/enterprise cert for my systems, I'll add it to /etc/pki/ca-trust/source/anchors/, and after executing update-ca-trust the system cert bundles contain my certs and wget/curl/openjdk will accept my TLS connections - but not puppet, because of its own openssl libs.

Josh Cooper (JIRA)

Aug 2, 2018, 1:20:03 AM
to puppe...@googlegroups.com

zendesk.jira (Jira)

Feb 16, 2021, 1:14:02 AM
to puppe...@googlegroups.com
zendesk.jira updated an issue
 
Change By: zendesk.jira
Zendesk Ticket Count: 1
Zendesk Ticket IDs: 43200
This message was sent by Atlassian Jira (v8.5.2#805002-sha1:a66f935)

zendesk.jira (Jira)

Feb 16, 2021, 1:14:03 AM
to puppe...@googlegroups.com
zendesk.jira updated an issue
Change By: zendesk.jira
Labels: jira_escalated