Puppet Class applied in Foreman has no effect on hosts


I have created a new Puppet module, added it to /etc/puppetlabs/code/modules on the Foreman server, and successfully imported the module and its sole class in the Foreman UI via Configure > Puppet ENC > Classes. This matches our process for dozens of existing modules. When I add the class to a Host Group or a single Puppet client and do a Puppet run, the resources for that class are not applied and appear to be totally ignored. There aren’t any errors present during or after the Puppet run, and running with --debug does not show the class present in the output as I’d expect. Running hammer host puppet-classes --host <HOSTNAME> in Foreman shows the class present in the list. The Puppet code passes both puppet parser validate and puppet-lint.

Interestingly, copying the modules directory to the local filesystem on the client and running puppet apply --modulepath=/root/modules/ -e "include <MODULE_NAME>" works and applies all module resources as expected.

Expected outcome:

Successful application of all file, exec, and package resources on hosts with the class applied.

Foreman and Proxy versions:

Foreman: 3.9.1
Proxy: 3.9.1

Foreman and Proxy plugin versions:
foreman_puppet: 6.1.1

Distribution and version:

Ubuntu 20.04

Other relevant data:

This is being tested on clients with Oracle Linux 7, Oracle Linux 8, Ubuntu 20.04, and Ubuntu 22.04. All are experiencing the same behavior.

When class changes are made for other modules, everything works as expected.

If you go to the host in foreman, choose Legacy UI, and then the “Puppet YAML” option, does the class show up there under “classes:”?

Yes, it does.

Sounds more like a puppet server thing. If it’s showing up there, that is what foreman is sending the puppet server for the ENC data for that host.

Your /etc/pupppetlabs/puppet/puppet.conf file should have a section in it called “[server]” with an entry of “external_nodes = /etc/puppetlabs/puppet/node.rb”

If you run “/etc/puppetlabs/puppet/node.rb fqdn” of the host, it should spit out the same data that the “Puppet YAML” gave you. If it is doing that, your issue is on the puppet side. As long as that node.rb is spitting out a valid YAML file with the info in it that you think should be there it’s no longer in foreman’s hands.

Good catch - thanks for that info. Running /etc/puppetlabs/puppet/node.rb <hostname> on the Foreman server does not show the class listed as it does in the Puppet YAML web UI page.

Seems like you were right and the puppetserver is to blame. Looking in puppetserver.log shows many occurrences of this:

Serving cached ENC: Could not send facts to Foreman: SSL_connect returned=1 errno=0 state=error: certificate verify failed (self signed certificate in certificate chain)

We have an internal CA and stuff like this comes up often. I think I at least have an idea of where to begin. Thanks again for the help!

This has been resolved using the foreman-installer options found here: Replacing self-signed certificates