I’ve been trying to implement the foreman_proxy module (https://forge.puppet.com/theforeman/foreman_proxy) in our environment and am having cert issues.
The setup goal is to have proxy02 as a local puppet master using foreman01 as its “puppet master” and CA.
I can build a host, then apply the module with all the configuration options we need, but after the initial puppet run, where all the configs are applied, I get:
[root@foreman-proxy02 puppet]# puppet agent --enable;puppet agent --test
Warning: Unable to fetch my node definition, but the agent run will continue:
Warning: SSL_connect returned=1 errno=0 state=error: certificate verify failed: [unable to get certificate CRL for /CN=foreman01.popID.some.domain.net]
Info: Retrieving pluginfacts
Error: /File[/opt/puppetlabs/puppet/cache/facts.d]: Failed to generate additional resources using ‘eval_generate’: SSL_connect returned=1 errno=0 state=error: certificate verify failed: [unable to get certificate CRL for /CN=foreman01.popID.some.domain.net]
Error: /File[/opt/puppetlabs/puppet/cache/facts.d]: Could not evaluate: Could not retrieve file metadata for puppet:///pluginfacts: SSL_connect returned=1 errno=0 state=error: certificate verify failed: [unable to get certificate CRL for /CN=foreman01.popID.some.domain.net]
Info: Retrieving plugin
Error: /File[/opt/puppetlabs/puppet/cache/lib]: Failed to generate additional resources using ‘eval_generate’: SSL_connect returned=1 errno=0 state=error: certificate verify failed: [unable to get certificate CRL for /CN=foreman01.popID.some.domain.net]
Error: /File[/opt/puppetlabs/puppet/cache/lib]: Could not evaluate: Could not retrieve file metadata for puppet:///plugins: SSL_connect returned=1 errno=0 state=error: certificate verify failed: [unable to get certificate CRL for /CN=foreman01.popID.some.domain.net]
Info: Loading facts
Error: Could not retrieve catalog from remote server: SSL_connect returned=1 errno=0 state=error: certificate verify failed: [unable to get certificate CRL for /CN=foreman01.popID.some.domain.net]
Warning: Not using cache on failed catalog
Error: Could not retrieve catalog; skipping run
Error: Could not send report: SSL_connect returned=1 errno=0 state=error: certificate verify failed: [unable to get certificate CRL for /CN=foreman01.popID.some.domain.net]
It seems like it did some fiddling with the key that didn’t get pushed to foreman01? So what I’ve tried is rebuilding the cert (#client = proxy02, #server = foreman01):
#client
systemctl stop puppetserver puppet
mv /etc/puppetlabs/puppet/ssl /etc/puppetlabs/puppet/ssl.OLD
#server
puppet cert clean
#client
puppet agent --test
#server
puppet cert sign
#client
puppet agent --test
The first “puppet agent --test” (puppetserver is restarted there) runs fine, but following that it begins to fail with the original cert error I listed above.
I’m obviously missing some dangling cert file somewhere or just not understanding what the problem is. Any suggestions?
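Added example, not part of the original post or of the foreman_proxy module: the error in the log above is OpenSSL's X509_V_ERR_UNABLE_TO_GET_CRL, which the client raises when it has been told to check revocation but has no CRL from the issuing CA that it can match to the server certificate. The script below reproduces that exact message with a throwaway CA made on the spot, then shows the same check passing once the CA's CRL is supplied, and prints the two CRL fields worth comparing against the CA (issuer and nextUpdate). It assumes only the openssl CLI; the hostname foreman01.example.test and the Test Puppet CA name are placeholders, and the working directory is a temp dir that is removed afterwards.

```shell
#!/bin/sh
# Added example (not from the original post): reproduce "unable to get
# certificate CRL" with a throwaway CA, then show the check that passes once
# the CA's CRL is present. All names below are placeholders.
set -eu

# Build a disposable CA, one server certificate and one CRL in directory $1.
make_test_pki() {
  mkdir -p "$1"
  (
    cd "$1"
    # Minimal config for 'openssl req' and 'openssl ca' (constructed here).
    cat > ca.cnf <<'EOF'
[ ca ]
default_ca = test_ca
[ test_ca ]
dir              = .
database         = $dir/index.txt
new_certs_dir    = $dir
serial           = $dir/serial
crlnumber        = $dir/crlnumber
certificate      = $dir/ca.pem
private_key      = $dir/ca.key
default_md       = sha256
default_days     = 365
default_crl_days = 30
policy           = any_policy
x509_extensions  = leaf_ext
[ any_policy ]
commonName = supplied
[ req ]
distinguished_name = req_dn
x509_extensions    = ca_ext
[ req_dn ]
[ ca_ext ]
basicConstraints     = critical, CA:TRUE
keyUsage             = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
[ leaf_ext ]
basicConstraints = CA:FALSE
keyUsage         = digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth
EOF
    touch index.txt
    echo 01 > serial
    echo 01 > crlnumber
    # Self-signed CA (stands in for the Puppet CA on foreman01).
    openssl req -x509 -newkey rsa:2048 -nodes -keyout ca.key -out ca.pem \
      -subj "/CN=Test Puppet CA" -days 365 -config ca.cnf >/dev/null 2>&1
    # Server certificate (stands in for the puppetserver certificate).
    openssl req -new -newkey rsa:2048 -nodes -keyout srv.key -out srv.csr \
      -subj "/CN=foreman01.example.test" -config ca.cnf >/dev/null 2>&1
    openssl ca -batch -notext -config ca.cnf -in srv.csr -out srv.pem >/dev/null 2>&1
    # CRL issued by the same CA (what the agent keeps as $ssldir/crl.pem).
    openssl ca -gencrl -config ca.cnf -out crl.pem >/dev/null 2>&1
  )
}

# Verify certificate $2 against CA $1 with revocation checking enabled.
# $3 is an optional CRL file. Prints "ok" or the verify failure reason,
# e.g. "unable to get certificate CRL", and always returns 0.
verify_with_crl_check() {
  ca=$1; cert=$2; crl=${3:-}
  if [ -n "$crl" ]; then set -- -CRLfile "$crl"; else set --; fi
  if out=$(openssl verify -crl_check -CAfile "$ca" "$@" "$cert" 2>&1); then
    echo ok
  else
    # Keep only the reason from "error N at D depth lookup: <reason>".
    echo "$out" | sed -n 's/^error [0-9]* at [0-9]* depth lookup: //p' | head -n 1
  fi
}

# Print the fields of CRL $1 to compare with the CA: its issuer must equal
# the CA's subject and nextUpdate must still be in the future.
crl_summary() {
  openssl crl -in "$1" -noout -issuer -nextupdate
}

# Demo run: the post's symptom first, then the passing check.
WORK=$(mktemp -d)
make_test_pki "$WORK"
echo "without CRL: $(verify_with_crl_check "$WORK/ca.pem" "$WORK/srv.pem")"
echo "with CRL:    $(verify_with_crl_check "$WORK/ca.pem" "$WORK/srv.pem" "$WORK/crl.pem")"
crl_summary "$WORK/crl.pem"
rm -rf "$WORK"
```

To apply the same check to a real agent with Puppet's default ssldir layout, point it at the agent's own copies: the CA bundle at ssl/certs/ca.pem, the CRL at ssl/crl.pem, and the server certificate as fetched from the master. A CRL that verifies in isolation but whose issuer does not match the agent's ca.pem, or whose nextUpdate has passed, gives the same failure as a missing one, which is why moving the ssl directory aside fixes the first run and a later run that picks up a stale or mismatched CRL fails again.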