Problems with foreman_puppetdb plugin

I'm implementing Foreman as a replacement for Puppet Enterprise, and I had
to add PuppetDB to support our existing modules that use exported
resources. I've gotten that part working; I see the resources being
exported and collected correctly. When I try to use the foreman_puppetdb
plugin however, I can't seem to get that part working.

My Foreman server is also hosting PuppetDB, so I had to move the plaintext
port to 8082 to avoid conflict with candlepin, but left SSL on 8081. I've
configured the puppetdb_adress (and tried lots of different
combinations of host names and IP addresses). I can see that things are
being added to the DB via the dashboard. When I try to delete a host, I get
the following error:

Error: Could not deactivate host on PuppetDB: SSL_connect returned=1
errno=0 state=SSLv3 read server certificate B: certificate verify failed

I've checked everything I can think of with certificates, and everything
looks correct, based on looking at my PE install, and other working OSS
puppet environments.

Does anyone have any clue on this? It's preventing me from moving forward
with this project.

james

Hi James. I had almost this exact issue 2 days ago and haven't managed to fix it yet. Mine is always trying to connect to puppetdb instead of foreman.example.com and saying that the cert doesn't match the hostname. How did you manage to configure the puppetdb host/URL for foreman and the puppet master? I've tried a couple of things and it is always trying to connect as puppetdb.

During puppetdb installation, it found the certs and copied them to the appropriate path, so I think for me it is the host name issue instead of wrong certificates. I had to stop testing it because I was doing it on a production server with 500 hosts, and once you configure a puppetdb wrong everything stops working. Please write back if you manage to find a solution. I'll do the same if I find some time to work on it.

Cheers

> I'm implementing Foreman as a replacement for Puppet Enterprise, and I had
> to add PuppetDB to support our existing modules that use exported
> resources. I've gotten that part working; I see the resources being
> exported and collected correctly. When I try to use the foreman_puppetdb
> plugin however, I can't seem to get that part working.
>
> My Foreman server is also hosting PuppetDB, so I had to move the plaintext
> port to 8082 to avoid conflict with candlepin, but left SSL on 8081. I've
> configured the puppetdb_adress (and tried lots of different
> combinations of host names and IP addresses). I can see that things are
> being added to the DB via the dashboard. When I try to delete a host, I get
> the following error:
>
> Error: Could not deactivate host on PuppetDB: SSL_connect returned=1
> errno=0 state=SSLv3 read server certificate B: certificate verify failed

I don't know exactly how your certs are set up, but here's some
background on what's going on to help you debug.

This is the API request from Foreman to PuppetDB failing. It uses the
certificates you see under Administer -> Settings -> Auth, SSL CA file,
SSL certificate and SSL private key.

Are you able to manually send API requests from the Foreman host to
PuppetDB using those certs?

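You can check the source too:

https://github.com/theforeman/puppetdb_foreman/blob/master/app/models/puppetdb_foreman/host_extensions.rb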

On 09/28, James Evans wrote:

> I've checked everything I can think of with certificates, and everything
> looks correct, based on looking at my PE install, and other working OSS
> puppet environments.
>
> Does anyone have any clue on this? It's preventing me from moving forward
> with this project.
>
> james




Daniel Lobato Garcia

@dLobatog
blog.daniellobato.me
daniellobato.me

GPG: http://keys.gnupg.net/pks/lookup?op=get&search=0x7A92D6DD38D6DE30
Keybase: https://keybase.io/elobato
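
An added example, not written by anyone in this thread and not code from Foreman or the plugin: it separates the two failures reported above, a PuppetDB certificate that does not chain to the CA file Foreman is configured with ("certificate verify failed") and a certificate whose names do not include the host Foreman connects to. The helper names and the certificates generated by `make_cert` are constructed for illustration; for live use, supply the PuppetDB server certificate, the Foreman SSL CA file and the configured host name from your own setup.

```ruby
require 'openssl'

# Names the certificate is valid for: subject CN plus any subjectAltName entries.
def cert_names(cert)
  cn = cert.subject.to_a.select { |oid, _| oid == 'CN' }.map { |_, value| value }
  san = cert.extensions.select { |e| e.oid == 'subjectAltName' }
            .flat_map { |e| e.value.split(/,\s*/) }
  cn + san
end

# Judge `cert` as a client would that trusts only `ca_store` and connects to
# `hostname`. Returns [status, detail].
def diagnose(cert, ca_store, hostname)
  return [:chain_failed, ca_store.error_string] unless ca_store.verify(cert)
  unless OpenSSL::SSL.verify_certificate_identity(cert, hostname)
    return [:hostname_mismatch, cert_names(cert).join(', ')]
  end
  [:ok, hostname]
end

# Constructed sample data: a throwaway certificate (a self-signed CA when no
# issuer is given), so diagnose can be exercised without a real PKI.
def make_cert(cn, key, issuer = nil, issuer_key = key, alt = nil)
  cert = OpenSSL::X509::Certificate.new
  cert.version = 2
  cert.serial = 1
  cert.subject = OpenSSL::X509::Name.parse("/CN=#{cn}")
  cert.issuer = issuer ? issuer.subject : cert.subject
  cert.public_key = key.public_key
  cert.not_before = Time.now - 60
  cert.not_after = Time.now + 3600
  ext = OpenSSL::X509::ExtensionFactory.new
  cert.add_extension(ext.create_extension('basicConstraints', 'CA:TRUE', true)) unless issuer
  cert.add_extension(ext.create_extension('subjectAltName', alt)) if alt
  cert.sign(issuer_key, OpenSSL::Digest.new('SHA256'))
  cert
end

# Live use: ruby check.rb SERVER_CERT_PEM CA_FILE HOSTNAME
if __FILE__ == $PROGRAM_NAME && ARGV.size == 3
  cert_file, ca_file, hostname = ARGV
  store = OpenSSL::X509::Store.new
  store.add_file(ca_file)
  p diagnose(OpenSSL::X509::Certificate.new(File.read(cert_file)), store, hostname)
end
```

A `:chain_failed` result points at the CA file setting, while `:hostname_mismatch` lists the names the certificate actually carries so they can be compared with the configured PuppetDB address.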

PuppetDB was set up using the puppetlabs/puppetdb (version 4.3.0) module,
pretty much as default. Since we're running puppet 3.8, it chose PuppetDB
2.3.8 to install. It set up the certificates itself, from the puppet
installation.

I tried replacing the PuppetDB certs with the ones you pointed out, but
that caused puppet to not be able to retrieve facts or submit facts and
catalogs.

I'd like to have the integration so that foreman can deactivate hosts in
PuppetDB, but it's not a vital feature for our environment.

I have to admit I'm not an SSL certificate expert, so I do get confused by
the various certs and where they need to be used. Anything I can learn will
be appreciated, as SSL issues have been a large part of this project! :)

james

On Thursday, September 29, 2016 at 5:57:47 AM UTC-5, Daniel Lobato wrote:

> I don't know exactly how your certs are set up, but here's some
> background on what's going on to help you debug.
>
> This is the API request from Foreman to PuppetDB failing. It uses the
> certificates you see under Administer -> Settings -> Auth, SSL CA file,
> SSL certificate and SSL private key.
>
> Are you able to manually send API requests from the Foreman host to
> PuppetDB using those certs?
>
> You can check the source too
>
> https://github.com/theforeman/puppetdb_foreman/blob/master/app/models/puppetdb_foreman/host_extensions.rb