Puppet Upgrade foreman/katello from 3 - 4 ("issue_kind":"RUNTIME_ERROR")

Hi,

I used Foreman / Katello 3.2. Puppet 3.8.7 to 4.8.1: I upgraded from Puppet 3 - 4 with foreman-installer --upgrade-puppet

I get the following error on the client

Error: Could not retrieve catalog from remote server: Error 500 on SERVER:
{"message":"Server Error: Failed when searching for node test.example.com:
Failed to find test.example.com via exec: Execution of
'/etc/puppetlabs/puppet/node.rb test.example.com' returned 1:
","issue_kind":"RUNTIME_ERROR"}

on master / server

/etc/puppetlabs/puppet/node.rb test.exmaple.com

Could not send facts to Foreman: SSL_connect returned=1 errno=0 state=SSLv3
read server session ticket A: tlsv1 alert unknown ca

Any idea or help what could be wrong?

thanks

Sven

We found the solution.

We debugged the node.rb file and checked the certificates which were sent to
the Katello/Foreman server.

We found out that node.rb uses the following paths for the CA, cert and key
files

/etc/puppetlabs/puppet/ssl/client_cert.pem
/etc/puppetlabs/puppet/ssl/client_key.pem
/etc/puppetlabs/puppet/ssl/ssl_ca.pem

After that we checked the /etc/httpd/conf.d/05-foreman-ssl.conf file.

The foreman-installer seems not to set the paths to the files correctly…

SSLCertificateFile "/etc/puppetlabs/puppet/ssl/certs/test.example.com.pem"
SSLCertificateKeyFile "/etc/puppetlabs/puppet/ssl/private_keys/test.example.com.pem"
SSLCertificateChainFile "/etc/puppetlabs/puppet/ssl/ssl_ca.pem"
SSLCACertificateFile "/etc/puppetlabs/puppet/ssl/ssl_ca.pem"

The files node.rb calls are different from those in 05-foreman-ssl.conf. We changed all
files in 05-foreman-ssl.conf to

SSL directives

SSLEngine on
SSLCertificateFile "/etc/puppetlabs/puppet/ssl/client_cert.pem"
SSLCertificateKeyFile "/etc/puppetlabs/puppet/ssl/client_key.pem"
SSLCertificateChainFile "/etc/puppetlabs/puppet/ssl/ssl_ca.pem"
SSLCACertificateFile "/etc/puppetlabs/puppet/ssl/ssl_ca.pem"
SSLCARevocationFile "/etc/puppetlabs/puppet/ssl/crl.pem"
SSLVerifyClient optional
SSLVerifyDepth 3
SSLOptions +StdEnvVars +ExportCertData

After a restart the TLS error was gone.

We checked it on a node with puppet agent --test and got the next error.

Error: Could not retrieve catalog from remote server: Error 500 on SERVER:
Server Error: Failed when searching for node kvm02.oscloud.local: Exception
while executing '/etc/puppetlabs/puppet/node.rb': Cannot run program
"/etc/puppetlabs/puppet/node.rb" (in directory "."): error=13, Permission
denied

We found that node.rb does not have the puppet rights set correctly. Maybe also an
error in the upgrade. We changed /etc/puppetlabs/puppet and node.rb to the puppet
user and group

total 48
drwxrwx--x 8 puppet puppet 4096 Dec 14 12:43 ssl
-rw-r--r-- 1 root root 2687 Dec 14 12:43 puppet.conf
-r-xr-x--- 1 root root 11725 Dec 15 14:39 node.rb.changed
-r-xr-x--- 1 puppet puppet 11345 Dec 15 13:34 node.rb
-rw-r--r-- 1 root root 371 Dec 6 01:17 hiera.yaml
-rw-r----- 1 root puppet 365 Dec 14 12:43 foreman.yaml
-rw-rw-r-- 1 puppet puppet 0 Dec 14 12:43 autosign.conf
-rw-r--r-- 1 root root 4505 Dec 14 12:43 auth.conf

I am open to suggestions on whether the other files also need puppet rights?!

I hope it helps someone.

thanks

Sven
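
An added example, not part of the original posts and not Foreman's own code: a Ruby check for the kind of mismatch described above, confirming that a certificate chains to the CA bundle the other side trusts and that the key belongs to the certificate. The helper names (`ssl_file_directives`, `chains_to?`, `key_matches?`, `issue`) are hypothetical, and the certificates are constructed in memory so it runs offline.

```ruby
require 'openssl'

# Extract the SSL*File directives from an Apache vhost such as 05-foreman-ssl.conf.
def ssl_file_directives(conf_text)
  conf_text.scan(/^\s*(SSL\w+File)\s+"([^"]+)"/).to_h
end

# Does the certificate chain to a CA in the bundle? A peer for which this is
# false is the one that answers with the TLS "unknown ca" alert.
def chains_to?(cert_pem, ca_bundle_pem)
  store = OpenSSL::X509::Store.new
  ca_bundle_pem.scan(/-----BEGIN CERTIFICATE-----.+?-----END CERTIFICATE-----/m)
               .each { |pem| store.add_cert(OpenSSL::X509::Certificate.new(pem)) }
  store.verify(OpenSSL::X509::Certificate.new(cert_pem))
end

# Does the private key belong to the certificate?
def key_matches?(cert_pem, key_pem)
  OpenSSL::X509::Certificate.new(cert_pem).check_private_key(OpenSSL::PKey.read(key_pem))
end

# Constructed test PKI (not real Puppet/Foreman material): returns [cert_pem, key_pem].
def issue(cn, ca_cert = nil, ca_key = nil)
  key  = OpenSSL::PKey::RSA.new(2048)
  cert = OpenSSL::X509::Certificate.new
  cert.version, cert.serial = 2, rand(1..2**31)
  cert.subject = OpenSSL::X509::Name.parse("/CN=#{cn}")
  cert.issuer  = ca_cert ? OpenSSL::X509::Certificate.new(ca_cert).subject : cert.subject
  cert.public_key = key.public_key
  cert.not_before, cert.not_after = Time.now - 60, Time.now + 3600
  unless ca_cert # self-signed root: mark it as a CA
    ef = OpenSSL::X509::ExtensionFactory.new
    ef.subject_certificate = ef.issuer_certificate = cert
    cert.add_extension(ef.create_extension('basicConstraints', 'CA:TRUE', true))
  end
  cert.sign(ca_key ? OpenSSL::PKey.read(ca_key) : key, OpenSSL::Digest.new('SHA256'))
  [cert.to_pem, key.to_pem]
end

CONF = <<~APACHE # constructed excerpt using directive names and paths from the post
  SSLCertificateFile "/etc/puppetlabs/puppet/ssl/client_cert.pem"
  SSLCertificateKeyFile "/etc/puppetlabs/puppet/ssl/client_key.pem"
  SSLCACertificateFile "/etc/puppetlabs/puppet/ssl/ssl_ca.pem"
APACHE

# Two unrelated CAs reproduce the mismatch: the cert chains to one, the peer trusts the other.
def demo
  puppet_ca, puppet_ca_key = issue('Constructed Puppet CA')
  other_ca, = issue('Constructed Other CA')
  cert, key = issue('test.example.com', puppet_ca, puppet_ca_key)
  { trusted: chains_to?(cert, puppet_ca), unknown_ca: !chains_to?(cert, other_ca),
    key_ok: key_matches?(cert, key) }
end
p demo if __FILE__ == $PROGRAM_NAME
```

On a real host the same helpers can be fed `File.read` of the vhost file, of the PEM files it names, and of the three files node.rb uses, to compare both sides before restarting httpd.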
