# puppet-enterprise
  • i

    Isaiah Frantz

    08/10/2022, 7:20 PM
    strange thing is that `puppet infrastructure status` does not show the node but `puppet infrastructure upgrade compiler` tries to upgrade it
  • i

    Isaiah Frantz

    08/10/2022, 7:21 PM
    it's still in the pe_compiler and pe_master groups because it matches the following rule: trusted.extensions.pp_auth_role = pe_compiler
  • v

    vchepkov

    08/10/2022, 7:22 PM
    `puppet node purge compiler`?
  • v

    vchepkov

    08/10/2022, 7:23 PM
    it will remove it from puppetdb and hence from classifier
  • n

    NickB

    08/10/2022, 7:23 PM
    That ^, or clear out csr_attributes.yaml and regenerate the cert on the node if you still want to keep it around. We really should add a `forget compiler` command.
  • v

    vchepkov

    08/10/2022, 7:26 PM
    it should also unpin it from node groups, but I don't remember if it was fixed or not
  • n

    NickB

    08/10/2022, 7:44 PM
    Just gonna drop this here in case anyone would like to use it 🙂 http://pup.pt/ideas
  • a

    Argon Wade

    08/11/2022, 12:52 PM
    We're getting dinged for using PE's built-in CA for host agents. While researching how to use a custom CA, I ran into this -- https://puppet.com/docs/pe/2019.8/use_an_independent_intermediate_ca.html -- which states: "You must complete this configuration during installation.". Does this mean what I think it means: I would have to do a re-install of PE to set it up?
  • v

    vchepkov

    08/11/2022, 1:00 PM
    Not really, you would have to regenerate all certificates though
  • a

    Argon Wade

    08/11/2022, 1:01 PM
    Whew, that I expected. That little line concerned me though.
  • v

    vchepkov

    08/11/2022, 1:12 PM
    having said that, you should fight your security folks. It's perfectly normal to use internal CA for internal use. Change certificate to the console, since it's exposed to the workstations, but that's it
  • t

    tvaughan

    08/11/2022, 1:13 PM
    There's no reason for puppet to trust other systems (that's bad) and no reason for other systems to trust puppet (less bad, but still not a good idea)
  • t

    tvaughan

    08/11/2022, 1:14 PM
    See: Separation of Duties (AKA - if this were Kerberos, nobody would even bat an eye)
  • c

    csharpsteen

    08/11/2022, 10:22 PM
    And yes, independent intermediate CA is only supported for configuration during installation. There is no documented procedure for converting an existing installation to use that config.
  • c

    csharpsteen

    08/11/2022, 10:23 PM
    Conversion could be done, it's not technically impossible. But the support team doesn't have a doc to give you that explains how to do it because said doc does not exist 😉
  • j

    Jean-Dominique VANPE

    08/16/2022, 10:33 AM
    Hello, I've added a new replica server to my primary, but some services are "unreachable" like the "File Sync Client Service". When I do a manual curl on the URL I get this message:
    curl: (60) SSL certificate problem: unable to get local issuer certificate
    More details here: <https://curl.haxx.se/docs/sslcerts.html>
    curl failed to verify the legitimacy of the server and therefore could not
    establish a secure connection to it. To learn more about this situation and
    how to fix it, please visit the web page mentioned above.
    Any idea how I can debug this? Thanks in advance
  • j

    Jeremy Mill

    08/16/2022, 1:08 PM
    when you do a manual curl you're not going to be checking against the correct certificate authority. use the `-k` option to ignore SSL errors when making the request
  • j

    Jean-Dominique VANPE

    08/16/2022, 1:10 PM
    Indeed, but even in the logs I have this message :
    2022-08-16T13:07:54.200Z ERROR [clojure-agent-send-off-pool-35] [p.e.file-sync-errors] File Sync failure during sync or fetch phase: Unable to get latest-commits from server (<https://url:8140/file-sync/v1/latest-commits>).
    javax.net.ssl.SSLHandshakeException: Received fatal alert: certificate_unknown
  • c

    csharpsteen

    08/16/2022, 1:30 PM
    The usual cause for something like that is an intercepting proxy jumping into the connection between the replica and the primary.
  • c

    csharpsteen

    08/16/2022, 1:31 PM
    The replica needs clear network routes to ports on the primary: https://puppet.com/docs/pe/2021.6/system_configuration.html#firewall_standard
  • j

    Jean-Dominique VANPE

    08/16/2022, 1:43 PM
    Thanks a lot ! It was the proxy, I had one configured 🥴
  • c

    csharpsteen

    08/16/2022, 1:57 PM
    Network troubleshooting guide: It's DNS. Except when it's not, in which case it's a proxy. 🧌
  • c

    CVQuesty

    08/16/2022, 2:32 PM
    It’s always DNS
  • b

    bastelfreak

    08/16/2022, 7:59 PM
    hey people, does someone have experience with loadbalancing pxp-agents to the brokers? We have an F5 that handles around 850 pxp-agents to 4 compilers/brokers. It loadbalances based on least connection and has an idle timeout of 16 minutes. Around 30% of pxp-agents have multiple timed out connections per day (WebSocket onPongTimeout event). If I grep in all pxp-agent logs, all agents have this error. I don't really know how to debug this. The orchestrator seems to have a hardcoded timeout of 15 minutes after which connections are closed (at least the docs say that), and the pxp-agent sends a pong event every 120s. Are there any relevant metrics for the broker I could collect? Any debugging I could configure? I didn't find anything related.
  • n

    npwalker

    08/16/2022, 8:01 PM
    are there any other network devices between the agent and the broker?