puppetmaster ca generate fails - v 6.15.3 and 6.16.0


Dave Beedle
Jul 8, 2021, 11:02:14 AM
to Puppet Users
We have, in the past, generated cert on our puppet server using:
/opt/puppetlabs/bin/puppetserver ca generate --ca-client --certname test.out.domain --subject-alt-names <bunch of alt names>

But this began failing as we updated to Puppetserver v6.15.3. Seems to be unhappy with some gems (log below). I have reinstalled the puppetserver-ca gem (same version) and updated puppetserver to 6.16.0, same result. Would anyone have any suggestions?

Traceback (most recent call last):
        6: from /opt/puppetlabs/server/apps/puppetserver/cli/apps/ca:5:in `<main>'
        5: from /opt/puppetlabs/puppet/lib/ruby/vendor_gems/gems/puppetserver-ca-1.9.4/lib/puppetserver/ca/cli.rb:96:in `run'
        4: from /opt/puppetlabs/puppet/lib/ruby/vendor_gems/gems/puppetserver-ca-1.9.4/lib/puppetserver/ca/action/generate.rb:144:in `run'
        3: from /opt/puppetlabs/puppet/lib/ruby/vendor_gems/gems/puppetserver-ca-1.9.4/lib/puppetserver/ca/action/generate.rb:163:in `generate_authorized_certs'
        2: from /opt/puppetlabs/puppet/lib/ruby/vendor_gems/gems/puppetserver-ca-1.9.4/lib/puppetserver/ca/action/generate.rb:163:in `map'
        1: from /opt/puppetlabs/puppet/lib/ruby/vendor_gems/gems/puppetserver-ca-1.9.4/lib/puppetserver/ca/action/generate.rb:174:in `block in generate_authorized_certs'
/opt/puppetlabs/puppet/lib/ruby/vendor_gems/gems/puppetserver-ca-1.9.4/lib/puppetserver/ca/local_certificate_authority.rb:158:in `sign_authorized_cert': undefined method `subject' for nil:NilClass (NoMethodError)

Maggie Dreyer
Jul 8, 2021, 11:14:14 AM
to puppet...@googlegroups.com
Might you be hitting https://tickets.puppetlabs.com/browse/SERVER-3036? Can you check if all of your CA files are present and correct?


Dave Beedle
Jul 8, 2021, 12:03:29 PM
to Puppet Users
Thanks for the quick response! This may apply; we may well manipulate the certs... some of our processes predate me, so I'll poke around to see if I can figure out where they are supposed to be and where we put them!

Maggie Dreyer
Jul 8, 2021, 12:14:55 PM
to puppet...@googlegroups.com
You can use `puppet config print [cakey|cacrl|cacert]` to find out where it expects them to be.

`cacert` and `cacrl` should both be either
* a single self-signed CA certificate and its CRL
* a chain of certs from your signing CA cert to a root cert and the CRLs for each cert in the chain.

You can use openssl to inspect the contents (though it will only parse the first thing in each file, so if you have chains, you may need to split them up to verify them this way).

`cakey` should be the private key corresponding to your CA signing cert.

Hope this helps, let us know if everything looks right and we can help you dig in more.
Maggie
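As an added example (not code from the thread or from puppetserver-ca), a Ruby script that applies the checks described above to the three paths reported by `puppet config print cakey cacert cacrl`: it splits PEM bundles itself, since `openssl x509`/`openssl crl` only read the first block of a file, then confirms the key belongs to the signing cert, that each cert in the chain is signed by the next, and that each cert has a CRL it signed. `check_ca_files`, `pem_blocks` and `build_sample_ca` are names chosen here; the sample CA it writes is constructed, not a real Puppet CA.

```ruby
# Added example: sanity-check the CA files puppet.conf points at (cakey, cacert, cacrl).
require 'openssl'
require 'tmpdir'
# `openssl x509 -in FILE` only reads the first PEM block, so split bundles ourselves.
def pem_blocks(path)
  File.read(path).split(/(?=-----BEGIN )/).map(&:strip).reject(&:empty?)
end
# Returns a list of problems; an empty list means the CA files look right.
def check_ca_files(cakey:, cacert:, cacrl:)
  paths = { cakey: cakey, cacert: cacert, cacrl: cacrl }
  problems = paths.reject { |_, p| File.file?(p) }.map { |n, p| "#{n}: #{p} is missing" }
  return problems unless problems.empty?
  key   = OpenSSL::PKey.read(File.read(cakey))
  certs = pem_blocks(cacert).map { |pem| OpenSSL::X509::Certificate.new(pem) }
  crls  = pem_blocks(cacrl).map  { |pem| OpenSSL::X509::CRL.new(pem) }
  return ["cacert: #{cacert} holds no certificate"] if certs.empty?
  # First cert is the signing CA: it must match cakey, and each cert must be signed by the next one (a root signs itself).
  problems << 'cakey does not belong to the signing CA cert' unless certs.first.check_private_key(key)
  certs.each_with_index do |cert, i|
    issuer = certs[i + 1] || cert
    problems << "cacert: #{cert.subject} not signed by #{issuer.subject}" unless cert.verify(issuer.public_key)
  end
  # One CRL per cert in the chain, each signed by the cert that issued it.
  problems << "cacrl: #{crls.size} CRL(s) for #{certs.size} cert(s)" unless crls.size == certs.size
  crls.each do |crl|
    issuer = certs.find { |c| c.subject.to_s == crl.issuer.to_s }
    next problems << "cacrl: no cert in cacert matches CRL issuer #{crl.issuer}" if issuer.nil?
    problems << "cacrl: CRL for #{crl.issuer} is not signed by that cert" unless crl.verify(issuer.public_key)
  end
  problems
end
# Constructed self-signed CA (key, cert, empty CRL) written into dir, for trying the check offline.
def build_sample_ca(dir)
  key  = OpenSSL::PKey::RSA.new(2048)
  cert = OpenSSL::X509::Certificate.new
  cert.version, cert.serial, cert.public_key = 2, 1, key.public_key
  cert.subject = cert.issuer = OpenSSL::X509::Name.parse('/CN=Puppet CA: puppet.example.test')
  cert.not_before, cert.not_after = Time.now - 60, Time.now + 3600
  cert.sign(key, OpenSSL::Digest.new('SHA256'))
  crl = OpenSSL::X509::CRL.new
  crl.version, crl.issuer, crl.last_update, crl.next_update = 1, cert.subject, Time.now - 60, Time.now + 3600
  crl.sign(key, OpenSSL::Digest.new('SHA256'))
  { cakey: key, cacert: cert, cacrl: crl }.to_h do |name, obj|
    File.write("#{dir}/#{name}.pem", obj.to_pem)
    [name, "#{dir}/#{name}.pem"]
  end
end
```

Run it against real paths with `check_ca_files(cakey: ..., cacert: ..., cacrl: ...)` and print the returned list; a missing or mismatched file is exactly the condition that leaves `generate` with a nil cert to call `subject` on.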

Dave Beedle
Jul 8, 2021, 3:58:52 PM
to Puppet Users
This is our problem! Our certs are elsewhere. Copying or linking to them allows the cert generation to succeed.

Thanks for the help!

Maggie Dreyer
Jul 8, 2021, 5:35:39 PM
to puppet...@googlegroups.com
Out of curiosity, were your certs somewhere totally custom? Was Puppet finding them successfully, or were there other issues besides the `generate` call?

The CLI is supposed to respect settings in `puppet.conf`, which is also what puppetserver reads to find the files. So I would be a little surprised if the rest of the system is working but `generate` is not. Trying to make sure there's not a larger bug here...
