Puppet SSH error and Provisioning host

Hello @Marek_Hulan /@ekohl
Are there any feedback/ pointers regarding the above error?

1 Like

Yes, definitely want to be able to have the workflow provision generic nodes too and not just RHvirt nodes. My goal now is to use the foreman / katello servers to facilitate the production of an evolving silverblue image.

Over time we’ll want to have several different ostree image builds based on hardware configurations and some other stuff; but this is sorta the direction we hope to go.

1 Like

Hey @ekohl

Is this anything obvious to you? When I search the error messages back through the post history, I have never found a post with a marked solution.

1 Like

Thanks for the information. I’d first try to

curl https://foreman-katello.us-central1-a.c.socios-linux.internal:8140/puppet-ca/v1/certificate_revocation_list/ca --cacert /etc/puppetlabs/puppet/ssl/certs/ca.pem

and post what it does. If you get an SSL error, that means Puppet CA is using a certificate that was not signed by the expected CA. If you get the CRL list back (starting with -----BEGIN X509 CRL-----) you can investigate it like this

curl https://foreman-katello.us-central1-a.c.socios-linux.internal:8140/puppet-ca/v1/certificate_revocation_list/ca --cacert /etc/puppetlabs/puppet/ssl/certs/ca.pem | openssl crl  -text -noout

That gives you the list of revocations; perhaps the dates will give you some information about how the certificate could get onto the revocation list. You can also take a look at puppetserver ca list --all.

If it is revoked, you can’t do much more than create a new one. puppetserver ca generate --ca-client --certname ... is probably something you’ll need. Before you do that, make sure to read https://puppet.com/docs/puppet/7/puppet_server_ca_cli.html and make a backup. You’ll need to do this while puppet server is offline.

Based on the initial comments, is this a new setup? Can you just start from scratch? It seems there must have been some explicit action taken that “broke” it. Looking at the log you’ve provided, there’s

2021-04-29T07:54:10 0317b069 [I] Finished DELETE /puppet/ca/autosign/foreman-katello.us-central1-a.c.socios-linux.internal with 404 (0.98 ms)
2021-04-29T07:54:10 0317b069 [I] Started DELETE /puppet/ca/foreman-katello.us-central1-a.c.socios-linux.internal
2021-04-29T07:54:10 0317b069 [E] Failed to remove certificate(s) for foreman-katello.us-central1-a.c.socios-linux.internal: SSL_connect returned=1 errno=0 state=error: sslv3 alert certificate unknown

That seems like Foreman asks to revoke the certificate it uses itself. Did you try to provision/cancel provisioning of the host that you run Foreman on? That would explain it.

1 Like
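The log pattern described above (the CA being asked to revoke the certificate of the host Foreman itself runs on) can be spotted mechanically. The following is an added example, not code from the thread or from Foreman/Puppet Server: it parses Puppet Server CA request log lines in the format quoted in the post, pairs each revocation request with a failure line carrying the same request id, and flags requests whose certname equals the CA host's own certname. The sample log is constructed from the lines quoted above (wrapped line joined) plus one benign entry.

```python
import re
from dataclasses import dataclass
from typing import Optional

# Puppet Server CA request log line, as quoted in the thread: <timestamp> <request id> [<level>] <message>
LOG_RE = re.compile(r"^(?P<ts>\S+) (?P<req>[0-9a-f]+) \[(?P<lvl>[A-Z])\] (?P<msg>.*)$")
# A certificate revocation request; the autosign path has an extra segment and is skipped.
DELETE_RE = re.compile(r"^Started DELETE /puppet/ca/(?P<certname>[^/\s]+)$")
FAIL_RE = re.compile(r"^Failed to remove certificate\(s\) for (?P<certname>\S+): (?P<reason>.*)$")

@dataclass
class Revocation:
    request_id: str
    certname: str
    is_self: bool              # True when the CA is asked to revoke its own host's certificate
    failure: Optional[str]     # error text if the revocation failed, else None

def analyse_ca_log(lines: list[str], own_certname: str) -> list[Revocation]:
    """Pair each 'Started DELETE /puppet/ca/<certname>' with its failure line (same request id)."""
    by_key: dict[tuple[str, str], Revocation] = {}
    found: list[Revocation] = []
    for raw in lines:
        m = LOG_RE.match(raw.strip())
        if not m:
            continue  # unrelated or wrapped/garbled line
        started = DELETE_RE.match(m["msg"])
        if started:
            rev = Revocation(m["req"], started["certname"],
                             started["certname"].lower() == own_certname.lower(), None)
            by_key[(m["req"], rev.certname)] = rev
            found.append(rev)
            continue
        failed = FAIL_RE.match(m["msg"])
        if failed and m["lvl"] == "E":
            rev = by_key.get((m["req"], failed["certname"]))
            if rev is not None:
                rev.failure = failed["reason"]
    return found

# Constructed sample: the two lines from the thread (wrapped line joined) plus one benign revocation.
OWN_CERTNAME = "foreman-katello.us-central1-a.c.socios-linux.internal"
SAMPLE_LOG = [
    "2021-04-29T07:54:10 0317b069 [I] Started DELETE /puppet/ca/foreman-katello.us-central1-a.c.socios-linux.internal",
    "2021-04-29T07:54:10 0317b069 [E] Failed to remove certificate(s) for foreman-katello.us-central1-a.c.socios-linux.internal: SSL_connect returned=1 errno=0 state=error: sslv3 alert certificate unknown",
    "2021-04-29T08:02:41 1a2b3c4d [I] Started DELETE /puppet/ca/node01.example.internal",
]

if __name__ == "__main__":
    for rev in analyse_ca_log(SAMPLE_LOG, OWN_CERTNAME):
        print(rev.request_id, rev.certname, "SELF-REVOCATION" if rev.is_self else "ok", rev.failure)
```

A self-revocation hit is the signal that a provisioning or cancel action targeted the Foreman/CA host itself, which is the explanation suggested in the post.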

Hello @Marek_Hulan
As you suggested, we investigated with the commands below, “curl https://foreman-katello.us-central1-a.c.socios-linux.internal:8140/puppet-ca/v1/certificate_revocation_list/ca --cacert /etc/puppetlabs/puppet/ssl/certs/ca.pem” and “curl https://foreman-katello.us-central1-a.c.socios-linux.internal:8140/puppet-ca/v1/certificate_revocation_list/ca --cacert /etc/puppetlabs/puppet/ssl/certs/ca.pem | openssl crl -text -noout”, and we found that the puppet CA is not available on the puppet servers.
We followed this document “https://puppet.com/docs/puppet/7/puppet_server_ca_cli.html” and we have removed the puppet service and reinstalled it again. Once we did that we could generate a new CA for the puppet services.
Currently, we are working on using an upstream URL to host this build iso image. We will keep posting here. Thanks!

1 Like