Problem:
I am trying to add a puppetserver on our new el9 content proxy following this: Configuring hosts by using Puppet
We don’t want to use a separate puppetca but instead use the one on the main server (foreman8.example.com) only. The content proxy is already registered as a puppet client to the main server.
# foreman-installer \
--enable-puppet \
--foreman-proxy-puppet true \
--foreman-proxy-puppetca false \
--puppet-server true \
--puppet-ca-server foreman8.example.com
However, it fails. It seems as if it wants to set up a puppetserver ca anyway. During the first run, I did not add the last option --puppet-ca-server:
[root@foreman9-content ~]# foreman-installer --enable-puppet --foreman-proxy-puppet true --puppet-server true
2024-09-24 07:26:35 [NOTICE] [root] Loading installer configuration. This will take some time.
2024-09-24 07:26:40 [NOTICE] [root] Running installer with log based terminal output at level NOTICE.
2024-09-24 07:26:40 [NOTICE] [root] Use -l to set the terminal output log level to ERROR, WARN, NOTICE, INFO, or DEBUG. See --full-help for definitions.
2024-09-24 07:26:49 [NOTICE] [configure] Starting system configuration.
2024-09-24 07:27:14 [NOTICE] [configure] 250 configuration steps out of 1530 steps complete.
2024-09-24 07:27:18 [ERROR ] [configure] '/opt/puppetlabs/bin/puppetserver ca setup' returned 1 instead of one of [0]
2024-09-24 07:27:18 [ERROR ] [configure] /Stage[main]/Puppet::Server::Config/Exec[puppet_server_config-generate_ca_cert]/returns: change from 'notrun' to ['0'] failed: '/opt/puppetlabs/bin/puppetserver ca setup' returned 1 instead of one of [0]
2024-09-24 07:27:24 [ERROR ] [configure] /Stage[main]/Puppet::Server::Config/Exec[puppet_server_config-generate_ca_cert]: Failed to call refresh: '/opt/puppetlabs/bin/puppetserver ca setup' returned 1 instead of one of [0]
2024-09-24 07:27:24 [ERROR ] [configure] /Stage[main]/Puppet::Server::Config/Exec[puppet_server_config-generate_ca_cert]: '/opt/puppetlabs/bin/puppetserver ca setup' returned 1 instead of one of [0]
2024-09-24 07:27:24 [NOTICE] [configure] 500 configuration steps out of 1533 steps complete.
2024-09-24 07:27:25 [NOTICE] [configure] 750 configuration steps out of 1538 steps complete.
2024-09-24 07:27:25 [NOTICE] [configure] 1000 configuration steps out of 1539 steps complete.
2024-09-24 07:27:25 [NOTICE] [configure] 1250 configuration steps out of 1539 steps complete.
2024-09-24 07:27:34 [NOTICE] [configure] 1500 configuration steps out of 1540 steps complete.
2024-09-24 07:27:37 [NOTICE] [configure] System configuration has finished.
Error 1: Puppet Exec resource 'puppet_server_config-generate_ca_cert' failed. Logs:
/Stage[main]/Puppet::Server::Config/Exec[puppet_server_config-generate_ca_cert]/require
require to Concat[/etc/puppetlabs/puppet/puppet.conf]
require to Exec[puppet_server_config-create_ssl_dir]
/Stage[main]/Puppet::Server::Config/Exec[puppet_server_config-generate_ca_cert]
Starting to evaluate the resource (493 of 1533)
Failed to call refresh: '/opt/puppetlabs/bin/puppetserver ca setup' returned 1 instead of one of [0]
'/opt/puppetlabs/bin/puppetserver ca setup' returned 1 instead of one of [0]
Evaluated in 9.63 seconds
/Stage[main]/Puppet::Server::Config/Exec[puppet_server_config-generate_ca_cert]/creates
Checking that 'creates' path '/etc/puppetlabs/puppetserver/ca/ca_crt.pem' exists
Checking that 'creates' path '/etc/puppetlabs/puppetserver/ca/ca_crt.pem' exists
Exec[puppet_server_config-generate_ca_cert](provider=posix)
Executing '/opt/puppetlabs/bin/puppetserver ca setup'
Executing '/opt/puppetlabs/bin/puppetserver ca setup'
/Stage[main]/Puppet::Server::Config/Exec[puppet_server_config-generate_ca_cert]/returns
Error:
Missing public key to match private key at /etc/puppetlabs/puppet/ssl/private_keys/foreman9-content.example.com.pem
Missing public key to match private key at /etc/puppetlabs/puppet/ssl/private_keys/foreman9-content.example.com.pem
change from 'notrun' to ['0'] failed: '/opt/puppetlabs/bin/puppetserver ca setup' returned 1 instead of one of [0]
Error:
Missing public key to match private key at /etc/puppetlabs/puppet/ssl/private_keys/foreman9-content.example.com.pem
Missing public key to match private key at /etc/puppetlabs/puppet/ssl/private_keys/foreman9-content.example.com.pem
1 error was detected during installation.
Please address the errors and re-run the installer to ensure the system is properly configured.
Failing to do so is likely to result in broken functionality.
The next run with the option didn’t help either:
[root@foreman9-content ~]# foreman-installer --enable-puppet --foreman-proxy-puppet true --puppet-server true --puppet-ca-server foreman8.example.com
2024-09-24 07:32:29 [NOTICE] [root] Loading installer configuration. This will take some time.
2024-09-24 07:32:33 [NOTICE] [root] Running installer with log based terminal output at level NOTICE.
2024-09-24 07:32:33 [NOTICE] [root] Use -l to set the terminal output log level to ERROR, WARN, NOTICE, INFO, or DEBUG. See --full-help for definitions.
2024-09-24 07:32:40 [NOTICE] [configure] Starting system configuration.
2024-09-24 07:32:48 [NOTICE] [configure] 250 configuration steps out of 1537 steps complete.
2024-09-24 07:32:53 [ERROR ] [configure] '/opt/puppetlabs/bin/puppetserver ca setup' returned 1 instead of one of [0]
2024-09-24 07:32:53 [ERROR ] [configure] /Stage[main]/Puppet::Server::Config/Exec[puppet_server_config-generate_ca_cert]/returns: change from 'notrun' to ['0'] failed: '/opt/puppetlabs/bin/puppetserver ca setup' returned 1 instead of one of [0]
2024-09-24 07:32:53 [NOTICE] [configure] 500 configuration steps out of 1540 steps complete.
2024-09-24 07:32:54 [NOTICE] [configure] 1000 configuration steps out of 1546 steps complete.
2024-09-24 07:32:54 [NOTICE] [configure] 1250 configuration steps out of 1546 steps complete.
2024-09-24 07:33:02 [NOTICE] [configure] 1500 configuration steps out of 1547 steps complete.
2024-09-24 07:33:05 [NOTICE] [configure] System configuration has finished.
Error 1: Puppet Exec resource 'puppet_server_config-generate_ca_cert' failed. Logs:
/Stage[main]/Puppet::Server::Config/Exec[puppet_server_config-generate_ca_cert]/require
require to Concat[/etc/puppetlabs/puppet/puppet.conf]
require to Exec[puppet_server_config-create_ssl_dir]
/Stage[main]/Puppet::Server::Config/Exec[puppet_server_config-generate_ca_cert]
Starting to evaluate the resource (495 of 1540)
Evaluated in 5.03 seconds
/Stage[main]/Puppet::Server::Config/Exec[puppet_server_config-generate_ca_cert]/creates
Checking that 'creates' path '/etc/puppetlabs/puppetserver/ca/ca_crt.pem' exists
Exec[puppet_server_config-generate_ca_cert](provider=posix)
Executing '/opt/puppetlabs/bin/puppetserver ca setup'
/Stage[main]/Puppet::Server::Config/Exec[puppet_server_config-generate_ca_cert]/returns
Error:
Missing public key to match private key at /etc/puppetlabs/puppet/ssl/private_keys/foreman9-content.example.com.pem
Missing public key to match private key at /etc/puppetlabs/puppet/ssl/private_keys/foreman9-content.example.com.pem
change from 'notrun' to ['0'] failed: '/opt/puppetlabs/bin/puppetserver ca setup' returned 1 instead of one of [0]
1 error was detected during installation.
Please address the errors and re-run the installer to ensure the system is properly configured.
Failing to do so is likely to result in broken functionality.
I suspect it got “confused” because there is already a puppet cert and key on the new content proxy as it’s running as a client.
I can see that foreman-installer set the server with ca in puppet.conf:
# cat /etc/puppetlabs/puppet/puppet.conf
...
[server]
autosign = /etc/puppetlabs/puppet/autosign.conf { mode = 0664 }
ca = false
certname = foreman9-content.example.com
...
Expected outcome:
Working installation.
Foreman and Proxy versions:
foreman-installer-3.11.2-1.el9.noarch
foreman-installer-katello-3.11.2-1.el9.noarch
foreman-proxy-3.11.2-1.el9.noarch
foreman-proxy-content-4.13.1-1.el9.noarch
puppet-agent-7.33.0-1.el9.x86_64
puppet-agent-oauth-0.5.10-1.el9.noarch
puppetserver-7.17.2-1.el9.noarch
Distribution and version:
AlmaLinux 9.4 on the new content proxy, AlmaLinux 8.10 on the main server.
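
The installer error above names a private key with no matching public key. As an added example (not part of the original post, and not Foreman or Puppet project code), this shell function lists every private key in an ssldir and reports whether a matching public key sits beside it. It assumes Puppet's default layout, with a `public_keys` directory next to `private_keys`; `check_puppet_keypairs` is a hypothetical name.

```shell
# Added example. Assumes Puppet's default ssldir layout:
#   <ssldir>/private_keys/<certname>.pem and <ssldir>/public_keys/<certname>.pem
check_puppet_keypairs() {
    ssldir=${1:-/etc/puppetlabs/puppet/ssl}
    problems=0
    for priv in "$ssldir"/private_keys/*.pem; do
        [ -e "$priv" ] || continue              # glob matched nothing
        name=$(basename "$priv")
        pub=$ssldir/public_keys/$name
        if [ ! -s "$pub" ]; then
            status=MISSING                      # the state the error message describes
        elif ! command -v openssl >/dev/null 2>&1; then
            status=UNVERIFIED                   # file exists, cannot compare without openssl
        elif ! derived=$(openssl pkey -in "$priv" -pubout 2>/dev/null) ||
             ! stored=$(openssl pkey -pubin -in "$pub" -pubout 2>/dev/null); then
            status=UNREADABLE                   # one of the two files did not parse
        elif [ "$derived" = "$stored" ]; then
            status=OK                           # public key derives from this private key
        else
            status=MISMATCH
        fi
        [ "$status" = OK ] || problems=$((problems + 1))
        printf '%s %s\n' "$status" "$name"
    done
    [ "$problems" -eq 0 ]                       # non-zero exit if anything needs attention
}

# Constructed demo: an agent private key (empty placeholder file) with no public key.
demo=$(mktemp -d)
mkdir -p "$demo/private_keys" "$demo/public_keys"
: > "$demo/private_keys/foreman9-content.example.com.pem"
check_puppet_keypairs "$demo" || echo "key pair problems found"
rm -rf "$demo"
```

Run against the real ssldir as root, the function only reads the key files and changes nothing.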