SRV-Records and puppetserver


Karsten Heymann

May 24, 2019, 8:29:31 AM
to puppet...@googlegroups.com
Hi everyone,

I have a question: Is the puppetserver expected to honor the SRV
records to find the puppet CA server? We have the problem that since
switching our puppet server detection from explicit settings in the
puppet.conf file to SRV records, we cannot remove certificates from
puppetserver any more and get the following error:

root@<puppetmaster>:~# puppetserver ca clean --certname <some-client>
[... long delay ...]
Fatal error when running action 'clean'
Error: Failed connecting to
https://puppet:8140/puppet-ca/v1/certificate_status/
Root cause: execution expired

We use a non-standard name for our puppet/puppetca host, and have that
set up correctly (I hope) in the DNS:

# dig +short -t SRV _x-puppet-ca._tcp.<our-domain>
10 0 8140 <our puppet-ca-server>.

The relevant puppet config looks like this:

# grep -e ^\\[ -e srv -e ca /etc/puppetlabs/puppet/puppet.conf
[main]
srv_domain = mip-platform.net
use_srv_records = true
vardir = /opt/puppetlabs/puppet/cache
[agent]
localconfig = $vardir/localconfig
usecacheonfailure = true
[master]
ca = true

We are using puppet/puppetserver 5:

# puppetserver --version
puppetserver version: 5.3.8
root@puppet-b1-01:~# puppet --version
5.5.14

Any hints would be greatly appreciated!

Best regards
Karsten
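To make the failure mode above concrete, here is an added example (my own code, not from this thread and not Puppet's implementation) that models how an SRV-aware client should pick the CA endpoint and why a client that skips the SRV lookup lands on `https://puppet:8140`. The lookup order `_x-puppet-ca._tcp.<srv_domain>`, then `_x-puppet._tcp.<srv_domain>`, then the `ca_server`/`server` settings and finally the default host `puppet` is my reading of Puppet's documented behaviour; the zone data, domain `example.test` and host names are constructed sample input, and `ca_port`/`masterport` are real setting names whose precedence here is my assumption.

```python
"""Added example: SRV-based CA discovery with RFC 2782 ordering and the
fallback chain that explains a hard-coded https://puppet:8140 endpoint.
Not Puppet's code; the zone below is constructed sample data."""
import random
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional


@dataclass(frozen=True)
class SrvRecord:
    priority: int
    weight: int
    port: int
    target: str  # FQDN without the trailing dot that `dig` prints


# Constructed sample zone (not a real domain): two CA servers at different
# priorities plus two equally weighted generic puppet servers.
SAMPLE_ZONE: Dict[str, List[SrvRecord]] = {
    "_x-puppet-ca._tcp.example.test": [
        SrvRecord(10, 0, 8140, "puppetca-primary.example.test"),
        SrvRecord(20, 0, 8140, "puppetca-backup.example.test"),
    ],
    "_x-puppet._tcp.example.test": [
        SrvRecord(10, 50, 8140, "puppet-a.example.test"),
        SrvRecord(10, 50, 8140, "puppet-b.example.test"),
    ],
}


def lookup_srv(name: str, zone: Dict[str, List[SrvRecord]] = SAMPLE_ZONE) -> List[SrvRecord]:
    """Stand-in for a DNS resolver (offline): records for `name`, or []."""
    return list(zone.get(name, []))


def order_srv(records: List[SrvRecord], rng: Optional[random.Random] = None) -> List[SrvRecord]:
    """Order records per RFC 2782: ascending priority, then weighted random
    selection inside each priority group (all-zero weights keep input order)."""
    rng = rng or random.Random(0)  # fixed seed so the example is reproducible
    ordered: List[SrvRecord] = []
    for prio in sorted({r.priority for r in records}):
        group = [r for r in records if r.priority == prio]
        while group:
            total = sum(r.weight for r in group)
            pick = group[0]
            if total > 0:
                cut = rng.randint(0, total)  # RFC 2782: 0..sum inclusive
                acc = 0
                for r in group:
                    acc += r.weight
                    if acc >= cut:
                        pick = r
                        break
            ordered.append(pick)
            group.remove(pick)
    return ordered


def ca_endpoints(config: dict, resolve: Callable[[str], List[SrvRecord]] = lookup_srv) -> List[str]:
    """Candidate CA base URLs in the order a client should try them."""
    if config.get("use_srv_records"):
        domain = config["srv_domain"]
        # Assumed lookup order: CA-specific record first, generic record second.
        for name in (f"_x-puppet-ca._tcp.{domain}", f"_x-puppet._tcp.{domain}"):
            recs = resolve(name)
            if recs:
                return [f"https://{r.target}:{r.port}" for r in order_srv(recs)]
    # SRV disabled, ignored, or unanswered: fall back to explicit settings and
    # then to the defaults, which is how `puppet:8140` appears in the error.
    host = config.get("ca_server") or config.get("server") or "puppet"
    port = config.get("ca_port") or config.get("masterport") or 8140
    return [f"https://{host}:{port}"]


def ca_endpoints_ignoring_srv(config: dict) -> List[str]:
    """Model of a CLI that never consults SRV records (the bug discussed)."""
    return ca_endpoints({k: v for k, v in config.items() if k != "use_srv_records"})


def certificate_status_url(base: str, certname: str) -> str:
    """Endpoint the `ca clean` action would call for one certname."""
    return f"{base}/puppet-ca/v1/certificate_status/{certname}"


if __name__ == "__main__":
    cfg = {"use_srv_records": True, "srv_domain": "example.test"}
    print("SRV-aware :", ca_endpoints(cfg))
    print("SRV-blind :", ca_endpoints_ignoring_srv(cfg))
    print("clean URL :", certificate_status_url(ca_endpoints_ignoring_srv(cfg)[0], "node1"))
```

Running it with the constructed zone shows the SRV-aware path picking `puppetca-primary` before `puppetca-backup`, while the SRV-blind path produces exactly the `https://puppet:8140/puppet-ca/v1/certificate_status/...` URL from the error, which is the quick check that a CLI or agent is not honouring `use_srv_records`.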

Karsten Heymann

May 24, 2019, 10:41:18 AM
to Puppet Users
Addition:

'puppet cert clean <someclient>' still works. So this looks very much like a regression introduced by the switch from puppet to puppetserver for certificate handling. @Puppetlabs people: Should I open a jira ticket for this? 

Best regards
Karsten

Maggie Dreyer

May 24, 2019, 11:16:38 AM
to puppet...@googlegroups.com
Yes, this is a known bug, and we do already have a ticket for it, https://tickets.puppetlabs.com/browse/SERVER-2451. We are planning a round of improvements and bug fixes for the `puppetserver ca` CLI, and this is high on the list.

I'm glad you found a workaround. Since the CLI tool is shipped as a gem, if you would like to continue using the new CLI once this has been fixed, you can update just the gem out of band using
/opt/puppetlabs/puppet/bin/gem install -i /opt/puppetlabs/puppet/lib/ruby/vendor_gems puppetserver-ca




Karsten Heymann

May 24, 2019, 3:26:37 PM
to Puppet Users
Hi Maggie,

Thanks for the confirmation, I will certainly keep an eye on that Jira issue. In the meantime I'm fine with using the old CLI interface. As our puppet master has no access to the internet and only uses an internal mirror of the puppetlabs apt repo, installing gems is usually not worth the effort.

Best regards
Karsten