# puppet
  • n

    natemccurdy

    05/06/2022, 6:11 PM
    Yup. That’s a Ruby version mismatch. I’d bet you’re on an old version of Puppet yet using the latest version of the mount_core module.
  • k

    Kwadster

    05/06/2022, 7:09 PM
    I am on Puppet version 5.5. I would have expected it to fail all the time. I’ll try an upgrade.
  • n

    natemccurdy

    05/06/2022, 7:12 PM
    Hmm… that’s an error from the Puppetserver during catalog compilation. Do you have more than one Puppetserver?
  • b

    bastelfreak

    05/06/2022, 7:16 PM
    or different environments or a recently updated module?
  • n

    natemccurdy

    05/06/2022, 9:17 PM
    Interestingly, https://github.com/puppetlabs/facter/pull/2480
  • s

    sh6624gsj8

    05/09/2022, 7:54 AM
    message has been deleted
  • g

    goeldi

    05/09/2022, 12:03 PM
    I am totally lost after missing that the pe-puppetserver CA certificate validity ended yesterday.
    puppet infrastructure run regenerate_master_certificate
    and also
    regenerate_agent_certificate
    does not work.
    rebuild_certificate_authority
    seemed to work, but now pe-puppetmaster does not start anymore:
    An illegal reflective access operation has occurred
    ...
    /etc/puppetlabs/puppet/ssl/certs/blabla.pem (No such file or directory)
    This is pe-puppetserver 2019.8.10 and puppet agent 6.26.0. I cannot find documentation for this situation.
  • v

    vchepkov

    05/09/2022, 12:05 PM
    Since it's a PE, open a support ticket, they will assist you. But since CA has expired, I think you need
    puppet infrastructure run rebuild_certificate_authority
  • v

    vchepkov

    05/09/2022, 12:05 PM
    Although, there are ways to extend in a less destructive way
  • v

    vchepkov

    05/09/2022, 12:06 PM
    puppetlabs/ca_extend
  • d

    Dr Bunsen Honeydew

    05/09/2022, 12:06 PM
    See the
    puppetlabs-ca_extend
    module at https://forge.puppet.com/puppetlabs/ca_extend?src=slack&channel=puppet
  • s

    Slackbot

    05/09/2022, 12:19 PM
    This message was deleted.
  • v

    vchepkov

    05/09/2022, 12:22 PM
    message has been deleted
  • g

    goeldi

    05/09/2022, 12:23 PM
    Thank you, ca_extend looks promising. Although I'm stuck again when executing
    bolt plan run ca_extend::extend_ca_cert regen_primary_cert=true --targets <local://blabla> compilers=blabla --run-as root
    It works up to this:
    INFO: Extending CA certificate on <local://blabla>
    Starting: task ca_extend::extend_ca_cert on <local://blabla>
    Finished: task ca_extend::extend_ca_cert with 1 failure in 1.54 sec
    Finished: plan ca_extend::extend_ca_cert in 8.36 sec
    Then I get this error:
    Failed on <local://blabla>:
    The task failed with exit code 1
    {
    "status": "error",
    "message": "Error extending CA certificate expiry date",
    "stderr": "CA certificate file: /etc/puppetlabs/puppet/ssl/ca/ca_crt.pem CA private key file: /etc/puppetlabs/puppet/ssl/ca/ca_key.pem  Checking CA chain length... 2 certificates were found in: /etc/puppetlabs/puppet/ssl/ca/ca_crt.pem This script only works on CA files that contain a single certificate. "
    }
  • v

    vchepkov

    05/09/2022, 12:26 PM
    oh, yeah, there is that :(
  • g

    goeldi

    05/09/2022, 12:28 PM
    Shall I simply delete one of the two certs in ca_crt.pem?
  • v

    vchepkov

    05/09/2022, 12:29 PM
    I wouldn't.
    rebuild_certificate_authority
    is probably your best bet
  • v

    vchepkov

    05/09/2022, 12:36 PM
    Although I am surprised a CA with intermediate CA already expired. I thought PE started to generate 20+ years certs when switched to it
  • g

    goeldi

    05/09/2022, 12:36 PM
    I already did a
    puppet infrastructure run rebuild_certificate_authority
    which did not help. Now I deleted one of the two certs and ca_extend runs to the end but still has a key verification error (fingerprint unknown):
    Starting: task service::linux on blabla
    Finished: task service::linux with 1 failure in 0.13 sec
    Finished: plan ca_extend::extend_ca_cert in 1 min, 21 sec
    Failed on blabla:
    Host key verification failed for blabla: fingerprint SHA256:XYZ123/..... is unknown for "blabla,1.2.3.4"
  • v

    vchepkov

    05/09/2022, 12:38 PM
    Did you try?
    puppet infrastructure run rebuild_certificate_authority force=true
  • g

    goeldi

    05/09/2022, 12:40 PM
    force=true does not work (invalid option). The rebuild ran without error though, but afterwards, pe-puppetserver no longer starts (An illegal reflective access operation has occurred).
  • v

    vchepkov

    05/09/2022, 12:41 PM
    strange, what version of PE do you have?
  • g

    goeldi

    05/09/2022, 12:41 PM
    2019.8.0.37
  • v

    vchepkov

    05/09/2022, 12:41 PM
    you need to
    puppet infrastructure run regenerate_master_certificate
    too
  • v

    vchepkov

    05/09/2022, 12:42 PM
    I have 2019.8.10, parameter is there
  • v

    vchepkov

    05/09/2022, 12:43 PM
    plan enterprise_tasks::rebuild_ca(
      Optional[TargetSpec] $master          = 'localhost',
      Optional[Boolean] $manage_pxp_service = true,
      Optional[Boolean] $force              = false,
    ) {
  • g

    goeldi

    05/09/2022, 12:50 PM
    where is this plan? i.e. where do I enter these parameters? in ca_extend
    bolt plan show
    does not list
    enterprise_tasks
  • v

    vchepkov

    05/09/2022, 12:53 PM
    you would run it from your CA server, and you use puppet infrastructure run instead of bolt, sorry
  • v

    vchepkov

    05/09/2022, 12:53 PM
    you need to
    puppet infrastructure run regenerate_master_certificate
    too