Cert failure using smartproxy puppet module

I’ve been trying to implement the foreman_proxy module (https://forge.puppet.com/theforeman/foreman_proxy) in our environment and am having cert issues.

The setup goal is to have proxy02 as a local puppet master using foreman01 as its “puppet master” and CA.

I can build a host, then apply the module with all the configuration options we need but after the initial puppet run where all the configs are applied I get:

[root@foreman-proxy02 puppet]# puppet agent --enable;puppet agent --test
Warning: Unable to fetch my node definition, but the agent run will continue:
Warning: SSL_connect returned=1 errno=0 state=error: certificate verify failed: [unable to get certificate CRL for /CN=foreman01.popID.some.domain.net]
Info: Retrieving pluginfacts
Error: /File[/opt/puppetlabs/puppet/cache/facts.d]: Failed to generate additional resources using 'eval_generate': SSL_connect returned=1 errno=0 state=error: certificate verify failed: [unable to get certificate CRL for /CN=foreman01.popID.some.domain.net]
Error: /File[/opt/puppetlabs/puppet/cache/facts.d]: Could not evaluate: Could not retrieve file metadata for puppet:///pluginfacts: SSL_connect returned=1 errno=0 state=error: certificate verify failed: [unable to get certificate CRL for /CN=foreman01.popID.some.domain.net]
Info: Retrieving plugin
Error: /File[/opt/puppetlabs/puppet/cache/lib]: Failed to generate additional resources using 'eval_generate': SSL_connect returned=1 errno=0 state=error: certificate verify failed: [unable to get certificate CRL for /CN=foreman01.popID.some.domain.net]
Error: /File[/opt/puppetlabs/puppet/cache/lib]: Could not evaluate: Could not retrieve file metadata for puppet:///plugins: SSL_connect returned=1 errno=0 state=error: certificate verify failed: [unable to get certificate CRL for /CN=foreman01.popID.some.domain.net]
Info: Loading facts
Error: Could not retrieve catalog from remote server: SSL_connect returned=1 errno=0 state=error: certificate verify failed: [unable to get certificate CRL for /CN=foreman01.popID.some.domain.net]
Warning: Not using cache on failed catalog
Error: Could not retrieve catalog; skipping run
Error: Could not send report: SSL_connect returned=1 errno=0 state=error: certificate verify failed: [unable to get certificate CRL for /CN=foreman01.popID.some.domain.net]

It seems like it did some fiddling with the key that didn’t get pushed to foreman01? So what I’ve tried is rebuilding the cert (#client = proxy02, #server = foreman01):

#client
systemctl stop puppetserver puppet
mv /etc/puppetlabs/puppet/ssl /etc/puppetlabs/puppet/ssl.OLD

#server
puppet cert clean

#client
puppet agent --test

#server
puppet cert sign

#client
puppet agent --test

The first “puppet agent --test” (puppetserver is restarted there) runs fine but following that it begins to fail with the original cert error I listed above.

I’m obviously missing some dangling cert file somewhere or just not understanding what the problem is. Any suggestions?

To be clear, I meant the “first” puppet agent --test that was run after the cert was signed runs fine. After that it fails.

To follow up on my own post. This seems to have been the resolution. It seems to default to server_ca = true when you set the smart proxy module to ca = false even.

This fixed it for me so far it seems

class { '::puppet':
  server    => true,
  server_ca => false,
}
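
An added diagnostic for the error in this thread, not part of the original posts: OpenSSL reports "unable to get certificate CRL" when CRL checking is on and it holds no CRL from the CA that issued the certificate being verified, so this sketch checks whether crl.pem on the failing host really comes from the CA in certs/ca.pem. It assumes Puppet's usual file layout (certs/ca.pem and crl.pem) under the ssl directory named in the post, and that a locally enabled CA is what replaced the CRL; the function names are hypothetical.

```shell
#!/bin/sh
# Added diagnostic sketch, not from the original post. Function names are
# hypothetical. Assumes Puppet's usual layout under the ssl directory:
# certs/ca.pem (CA certificate) and crl.pem (the CRL the agent checks).

# Return 0 when CRL $2 names CA $1 as its issuer and its signature verifies
# with that CA's key; 1 on a mismatch; 2 when a file cannot be parsed.
crl_matches_ca() {
    ca_hash=$(openssl x509 -in "$1" -noout -subject_hash 2>/dev/null) || return 2
    crl_hash=$(openssl crl -in "$2" -noout -hash 2>/dev/null) || return 2
    # Different issuer name: the CRL comes from some other CA.
    [ "$ca_hash" = "$crl_hash" ] || return 1
    # Same name can still mean a regenerated CA key. Exit codes on a bad
    # signature differ between OpenSSL versions, so match the message.
    openssl crl -in "$2" -CAfile "$1" -noout 2>&1 | grep -q 'verify OK'
}

# Check one ssl directory and show both names when they disagree.
check_ssldir() {
    dir="$1"
    if crl_matches_ca "$dir/certs/ca.pem" "$dir/crl.pem"; then
        echo "OK: crl.pem was issued by the CA in certs/ca.pem"
    else
        echo "MISMATCH: crl.pem does not belong to the CA in certs/ca.pem"
        openssl crl -in "$dir/crl.pem" -noout -issuer
        openssl x509 -in "$dir/certs/ca.pem" -noout -subject
        return 1
    fi
}

# Run as: sh check_crl.sh /etc/puppetlabs/puppet/ssl
if [ "$#" -gt 0 ]; then
    check_ssldir "$1"
fi
```

Running it on the proxy before and after a puppetserver restart shows whether the restart is what swaps the CRL.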