Jira (PUP-10626) puppet node deactivate and external CA - cert revocation can't be disabled


Steve Traylen (Jira)

Aug 19, 2020, 5:09:04 AM
to puppe...@googlegroups.com
Steve Traylen created an issue
 
Puppet / Bug PUP-10626
puppet node deactivate and external CA - cert revocation can't be disabled
Issue Type: Bug
Affects Versions: PUP 6.15.0
Assignee: Unassigned
Created: 2020/08/19 2:08 AM
Priority: Normal
Reporter: Steve Traylen

Puppet Version: 6.15.0
Puppet Server Version: 6.11.1
OS Name/Version: CentOS 7

When using an external certificate authority it's assumed that a working
puppet-ca endpoint is not required.

However `puppet node deactivate` always attempts a revocation and fails
as a result.

 

Desired Behavior:

puppet node deactivate foo.example.org

should delete node from PDB as is the case with puppetdb 5

Actual Behavior:

With puppet 6

puppet node deactivate b7g19n0014.cern.ch
Error: Request to https://puppet:8140/puppet-ca/v1 failed after 0.004 seconds: Failed to open TCP connection to puppet:8140 (getaddrinfo: Name or service not known)
Wrapped exception:


we have no configuration for ca_server so default puppet is chosen.

For info we are running puppetserver with:

# cat /etc/puppetlabs/puppetserver/services.d/ca.cfg
puppetlabs.services.ca.certificate-authority-disabled-service/certificate-authority-disabled-service

Josh Cooper (Jira)

Aug 19, 2020, 11:51:04 AM
to puppe...@googlegroups.com
Josh Cooper updated an issue
Change By: Josh Cooper


Josh Cooper (Jira)

Aug 20, 2020, 1:19:03 PM
to puppe...@googlegroups.com
Josh Cooper commented on Bug PUP-10626
 
Re: puppet node deactivate and external CA - cert revocation can't be disabled

Steve Traylen could you run with --trace and include the backtrace? Also can you include the puppet.conf on the node where you're running puppet node? I'm guessing this is related to http client changes in puppet, but the deactivate action comes from the puppetdb repo, so it could be a combination of things. /cc Austin Blatt

Steve Traylen (Jira)

Aug 24, 2020, 5:41:03 AM
to puppe...@googlegroups.com
Steve Traylen (Jira)

Aug 24, 2020, 5:44:03 AM
to puppe...@googlegroups.com
Steve Traylen commented on Bug PUP-10626
 
Re: puppet node deactivate and external CA - cert revocation can't be disabled

Thanks for replying,

A bit more info.

It seems to be more to do with CRL download than certificate revocation.

Attached configuration and trace of a node deactivate.

It's probably also worth adding that 

puppet agent -t -v

results in a warning.

Info: Certificate revocation is disabled, skipping CRL download and checking

puppet agent --genconfig | grep certificate_revoca

certificate_revocation = false

which I guess is the default for the agent section of the configuration file.

Now 

puppet node deactivate webafs617.cern.ch

does work if I explicitly add

certificate_revocation = false

to the main section.

So if anything the only problem is that the default value for puppet agent and puppet node deactivate seems to be different.

In real life this is not an actual problem for us. We can set "certificate_revocation = false". We should probably actually enable CRLs of course,
but that is a different problem.

Attachments: puppet.conf, trace.txt
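To show why the setting took effect in [main] but not in [agent], here is an added example (not code from the ticket, from Puppet, or from PuppetDB) that models Puppet's settings lookup: the section for the command's run mode first, then [main], then the built-in default. It assumes that `puppet node` runs in the `user` run mode, that `chain` is the Puppet 6 default for certificate_revocation, and it uses a constructed puppet.conf rather than the attached one.

```python
import configparser

# Constructed puppet.conf for illustration (not the reporter's attachment):
# the setting is present only in the [agent] section.
AGENT_ONLY_CONF = """
[main]
server = puppet.example.org

[agent]
certificate_revocation = false
"""

# The ticket's workaround: the same setting in [main], which every run mode reads.
MAIN_CONF = """
[main]
server = puppet.example.org
certificate_revocation = false
"""

# Puppet's documented default when no section sets the value (assumed for Puppet 6).
DEFAULT_CERTIFICATE_REVOCATION = "chain"

# Run mode per command (assumption); Puppet consults that section before [main].
RUN_MODE = {"puppet agent": "agent", "puppet node": "user", "puppetserver": "server"}


def effective_setting(conf_text, command, name, default=DEFAULT_CERTIFICATE_REVOCATION):
    """Resolve a setting the way Puppet does: run-mode section, then [main], then default."""
    parser = configparser.ConfigParser(interpolation=None, strict=False)
    parser.read_string(conf_text)
    for section in (RUN_MODE[command], "main"):
        # has_option() returns False for a section that does not exist at all.
        if parser.has_option(section, name):
            return parser.get(section, name).strip()
    return default


def contacts_puppet_ca(conf_text, command):
    """True when the command will try to fetch a CRL from the puppet-ca endpoint,
    i.e. revocation checking resolves to anything other than 'false'."""
    return effective_setting(conf_text, command, "certificate_revocation") != "false"


if __name__ == "__main__":
    for conf_name, conf in (("agent-only", AGENT_ONLY_CONF), ("main", MAIN_CONF)):
        for command in ("puppet agent", "puppet node"):
            print(f"{conf_name:10} {command:13} certificate_revocation="
                  f"{effective_setting(conf, command, 'certificate_revocation')}"
                  f"  contacts puppet-ca: {contacts_puppet_ca(conf, command)}")
```

Note that moving the value to [main] also turns CRL checking off for the agent run mode, which is the trade-off the reporter flags when saying CRLs should probably be enabled.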
Steve Traylen (Jira)

Sep 7, 2020, 4:03:03 AM
to puppe...@googlegroups.com

Josh Cooper (Jira)

Sep 9, 2020, 1:21:05 AM
to puppe...@googlegroups.com