PuppetDB certificate trouble

goeldi · November 3, 2023, 3:20pm

Problem:
Clicking on Monitor → Reports → PuppetDB Nodes throws this error:

Permission denied @ rb_sysopen - /etc/puppetlabs/puppetdb/ssl/private.pem

Expected outcome:
Getting a list of the Nodes in PuppetDB

Foreman and Proxy versions:
both 3.8.0

Foreman and Proxy plugin versions:

foreman_puppet 6.0.1
foreman_setup 8.0.1
puppetdb_foreman 6.0.2
foreman-plugin-puppetdb-api-version = 4

Distribution and version:
Ubuntu 20.04

Other relevant data:
Puppet 7.26.0
Puppetserver 7.13.0
PuppetDB 7.14.0

In the webgui Administer → Settings → PuppetDB I have these settings:
puppetdb_ssl_ca_file = /etc/puppetlabs/puppetdb/ssl/ca.pem
puppetdb_ssl_certificate = /etc/puppetlabs/puppet/ssl/certs/puppet.example.com.pem
puppetdb_ssl_private_key = /etc/puppetlabs/puppetdb/ssl/private.pem

There is no certificate file in /etc/puppetlabs/puppetdb/ssl, only the files ca.pem, private.pem and public.pem. So I set the path to the certficate file in …puppet/ssl/certs

I already tried all the ‘solutions’ I found online like
puppetdb ssl-setup -f + restarting everything

Owner of the files in /etc/puppetlabs/puppetdb/ssl is puppetdb.
I tried to change the directory and file permissions to 755 (read + execute for group and others).

Apache runs perfect with letsencrypt, and also the Puppetserver has no problem. Only https://puppet.example.com/puppetdb_foreman/nodes throws above mentioned error.

The moment of the click according the log files:

/var/log/foreman/production.log

2023-11-03T15:49:04 [I|app|a64ef436] Processing by PuppetdbForeman::NodesController#index as HTML
2023-11-03T15:49:04 [W|app|a64ef436] Permission denied @ rb_sysopen - /etc/puppetlabs/puppetdb/ssl/private.pem
2023-11-03T15:49:04 [I|app|a64ef436] Backtrace for 'Permission denied @ rb_sysopen - /etc/puppetlabs/puppetdb/ssl/private.pem' error (Errno::EACCES): Permission denied @ rb_sysopen - /etc/puppetlabs/puppetdb/ssl/private.pem
 a64ef436 | /usr/share/foreman/vendor/ruby/2.7.0/gems/puppetdb_foreman-6.0.2/app/services/puppetdb_client/base.rb:111:in `read'
 a64ef436 | /usr/share/foreman/vendor/ruby/2.7.0/gems/puppetdb_foreman-6.0.2/app/services/puppetdb_client/base.rb:111:in `ssl_private_key'
 a64ef436 | /usr/share/foreman/vendor/ruby/2.7.0/gems/puppetdb_foreman-6.0.2/app/services/puppetdb_client/base.rb:98:in `auth_options'
 a64ef436 | /usr/share/foreman/vendor/ruby/2.7.0/gems/puppetdb_foreman-6.0.2/app/services/puppetdb_client/base.rb:72:in `request_options'
 a64ef436 | /usr/share/foreman/vendor/ruby/2.7.0/gems/puppetdb_foreman-6.0.2/app/services/puppetdb_client/base.rb:39:in `connection'
 a64ef436 | /usr/share/foreman/vendor/ruby/2.7.0/gems/puppetdb_foreman-6.0.2/app/services/puppetdb_client/base.rb:53:in `get'
 a64ef436 | /usr/share/foreman/vendor/ruby/2.7.0/gems/puppetdb_foreman-6.0.2/app/services/puppetdb_client/base.rb:23:in `query_nodes'
 a64ef436 | /usr/share/foreman/vendor/ruby/2.7.0/gems/puppetdb_foreman-6.0.2/app/services/puppetdb_client/v4.rb:36:in `query_nodes'
 a64ef436 | /usr/share/foreman/vendor/ruby/2.7.0/gems/puppetdb_foreman-6.0.2/app/controllers/puppetdb_foreman/nodes_controller.rb:13:in `index'
 a64ef436 | /usr/share/foreman/vendor/ruby/2.7.0/gems/actionpack-6.1.7.6/lib/action_controller/metal/basic_implicit_render.rb:6:in `send_action'
 a64ef436 | /usr/share/foreman/vendor/ruby/2.7.0/gems/actionpack-6.1.7.6/lib/abstract_controller/base.rb:228:in `process_action'
 a64ef436 | /usr/share/foreman/vendor/ruby/2.7.0/gems/actionpack-6.1.7.6/lib/action_controller/metal/rendering.rb:30:in `process_action'
 a64ef436 | /usr/share/foreman/vendor/ruby/2.7.0/gems/actionpack-6.1.7.6/lib/abstract_controller/callbacks.rb:42:in `block in process_action'
 a64ef436 | /usr/share/foreman/vendor/ruby/2.7.0/gems/activesupport-6.1.7.6/lib/active_support/callbacks.rb:117:in `block in run_callbacks'
 a64ef436 | /usr/share/foreman/app/controllers/concerns/foreman/controller/timezone.rb:10:in `set_timezone'
 a64ef436 | /usr/share/foreman/vendor/ruby/2.7.0/gems/activesupport-6.1.7.6/lib/active_support/callbacks.rb:126:in `block in run_callbacks'
 a64ef436 | /usr/share/foreman/app/models/concerns/foreman/thread_session.rb:32:in `clear_thread'
 a64ef436 | /usr/share/foreman/vendor/ruby/2.7.0/gems/activesupport-6.1.7.6/lib/active_support/callbacks.rb:126:in `block in run_callbacks'
 a64ef436 | /usr/share/foreman/app/controllers/concerns/foreman/controller/topbar_sweeper.rb:12:in `set_topbar_sweeper_controller'
 a64ef436 | /usr/share/foreman/vendor/ruby/2.7.0/gems/activesupport-6.1.7.6/lib/active_support/callbacks.rb:126:in `block in run_callbacks'
 a64ef436 | /usr/share/foreman/vendor/ruby/2.7.0/gems/audited-5.4.0/lib/audited/sweeper.rb:16:in `around'
 a64ef436 | /usr/share/foreman/vendor/ruby/2.7.0/gems/activesupport-6.1.7.6/lib/active_support/callbacks.rb:126:in `block in run_callbacks'
 a64ef436 | /usr/share/foreman/vendor/ruby/2.7.0/gems/audited-5.4.0/lib/audited/sweeper.rb:16:in `around'
 a64ef436 | /usr/share/foreman/vendor/ruby/2.7.0/gems/activesupport-6.1.7.6/lib/active_support/callbacks.rb:126:in `block in run_callbacks'
 a64ef436 | /usr/share/foreman/vendor/ruby/2.7.0/gems/activesupport-6.1.7.6/lib/active_support/callbacks.rb:137:in `run_callbacks'
 a64ef436 | /usr/share/foreman/vendor/ruby/2.7.0/gems/actionpack-6.1.7.6/lib/abstract_controller/callbacks.rb:41:in `process_action'
 a64ef436 | /usr/share/foreman/vendor/ruby/2.7.0/gems/actionpack-6.1.7.6/lib/action_controller/metal/rescue.rb:22:in `process_action'
 a64ef436 | /usr/share/foreman/vendor/ruby/2.7.0/gems/actionpack-6.1.7.6/lib/action_controller/metal/instrumentation.rb:34:in `block in process_action'
 a64ef436 | /usr/share/foreman/vendor/ruby/2.7.0/gems/activesupport-6.1.7.6/lib/active_support/notifications.rb:203:in `block in instrument'
 a64ef436 | /usr/share/foreman/vendor/ruby/2.7.0/gems/activesupport-6.1.7.6/lib/active_support/notifications/instrumenter.rb:24:in `instrument'
 a64ef436 | /usr/share/foreman/vendor/ruby/2.7.0/gems/activesupport-6.1.7.6/lib/active_support/notifications.rb:203:in `instrument'
 a64ef436 | /usr/share/foreman/vendor/ruby/2.7.0/gems/actionpack-6.1.7.6/lib/action_controller/metal/instrumentation.rb:33:in `process_action'
 a64ef436 | /usr/share/foreman/vendor/ruby/2.7.0/gems/actionpack-6.1.7.6/lib/action_controller/metal/params_wrapper.rb:249:in `process_action'
 a64ef436 | /usr/share/foreman/vendor/ruby/2.7.0/gems/activerecord-6.1.7.6/lib/active_record/railties/controller_runtime.rb:27:in `process_action'
 a64ef436 | /usr/share/foreman/vendor/ruby/2.7.0/gems/actionpack-6.1.7.6/lib/abstract_controller/base.rb:165:in `process'
 a64ef436 | /usr/share/foreman/vendor/ruby/2.7.0/gems/actionview-6.1.7.6/lib/action_view/rendering.rb:39:in `process'
 a64ef436 | /usr/share/foreman/vendor/ruby/2.7.0/gems/actionpack-6.1.7.6/lib/action_controller/metal.rb:190:in `dispatch'
 a64ef436 | /usr/share/foreman/vendor/ruby/2.7.0/gems/actionpack-6.1.7.6/lib/action_controller/metal.rb:254:in `dispatch'
 a64ef436 | /usr/share/foreman/vendor/ruby/2.7.0/gems/actionpack-6.1.7.6/lib/action_dispatch/routing/route_set.rb:50:in `dispatch'
 a64ef436 | /usr/share/foreman/vendor/ruby/2.7.0/gems/actionpack-6.1.7.6/lib/action_dispatch/routing/route_set.rb:33:in `serve'
 a64ef436 | /usr/share/foreman/vendor/ruby/2.7.0/gems/actionpack-6.1.7.6/lib/action_dispatch/journey/router.rb:50:in `block in serve'
 a64ef436 | /usr/share/foreman/vendor/ruby/2.7.0/gems/actionpack-6.1.7.6/lib/action_dispatch/journey/router.rb:32:in `each'
 a64ef436 | /usr/share/foreman/vendor/ruby/2.7.0/gems/actionpack-6.1.7.6/lib/action_dispatch/journey/router.rb:32:in `serve'
 a64ef436 | /usr/share/foreman/vendor/ruby/2.7.0/gems/actionpack-6.1.7.6/lib/action_dispatch/routing/route_set.rb:842:in `call'
 a64ef436 | /usr/share/foreman/vendor/ruby/2.7.0/gems/apipie-dsl-2.5.0/lib/apipie_dsl/static_dispatcher.rb:67:in `call'
 a64ef436 | /usr/share/foreman/vendor/ruby/2.7.0/gems/apipie-rails-1.2.3/lib/apipie/static_dispatcher.rb:68:in `call'
 a64ef436 | /usr/share/foreman/lib/foreman/middleware/libvirt_connection_cleaner.rb:9:in `call'
 a64ef436 | /usr/share/foreman/lib/foreman/middleware/telemetry.rb:10:in `call'
 a64ef436 | /usr/share/foreman/vendor/ruby/2.7.0/gems/apipie-rails-1.2.3/lib/apipie/middleware/checksum_in_headers.rb:27:in `call'
 a64ef436 | /usr/share/foreman/vendor/ruby/2.7.0/gems/rack-2.2.8/lib/rack/tempfile_reaper.rb:15:in `call'
 a64ef436 | /usr/share/foreman/vendor/ruby/2.7.0/gems/rack-2.2.8/lib/rack/etag.rb:27:in `call'
 a64ef436 | /usr/share/foreman/vendor/ruby/2.7.0/gems/rack-2.2.8/lib/rack/conditional_get.rb:27:in `call'
 a64ef436 | /usr/share/foreman/vendor/ruby/2.7.0/gems/rack-2.2.8/lib/rack/head.rb:12:in `call'
 a64ef436 | /usr/share/foreman/vendor/ruby/2.7.0/gems/actionpack-6.1.7.6/lib/action_dispatch/http/permissions_policy.rb:22:in `call'
 a64ef436 | /usr/share/foreman/vendor/ruby/2.7.0/gems/actionpack-6.1.7.6/lib/action_dispatch/http/content_security_policy.rb:19:in `call'
 a64ef436 | /usr/share/foreman/lib/foreman/middleware/logging_context_session.rb:22:in `call'
 a64ef436 | /usr/share/foreman/vendor/ruby/2.7.0/gems/rack-2.2.8/lib/rack/session/abstract/id.rb:266:in `context'
 a64ef436 | /usr/share/foreman/vendor/ruby/2.7.0/gems/rack-2.2.8/lib/rack/session/abstract/id.rb:260:in `call'
 a64ef436 | /usr/share/foreman/vendor/ruby/2.7.0/gems/actionpack-6.1.7.6/lib/action_dispatch/middleware/cookies.rb:697:in `call'
 a64ef436 | /usr/share/foreman/vendor/ruby/2.7.0/gems/actionpack-6.1.7.6/lib/action_dispatch/middleware/callbacks.rb:27:in `block in call'
 a64ef436 | /usr/share/foreman/vendor/ruby/2.7.0/gems/activesupport-6.1.7.6/lib/active_support/callbacks.rb:98:in `run_callbacks'
 a64ef436 | /usr/share/foreman/vendor/ruby/2.7.0/gems/actionpack-6.1.7.6/lib/action_dispatch/middleware/callbacks.rb:26:in `call'
 a64ef436 | /usr/share/foreman/vendor/ruby/2.7.0/gems/actionpack-6.1.7.6/lib/action_dispatch/middleware/actionable_exceptions.rb:18:in `call'
 a64ef436 | /usr/share/foreman/vendor/ruby/2.7.0/gems/actionpack-6.1.7.6/lib/action_dispatch/middleware/debug_exceptions.rb:29:in `call'
 a64ef436 | /usr/share/foreman/vendor/ruby/2.7.0/gems/actionpack-6.1.7.6/lib/action_dispatch/middleware/show_exceptions.rb:33:in `call'
 a64ef436 | /usr/share/foreman/vendor/ruby/2.7.0/gems/railties-6.1.7.6/lib/rails/rack/logger.rb:37:in `call_app'
 a64ef436 | /usr/share/foreman/vendor/ruby/2.7.0/gems/railties-6.1.7.6/lib/rails/rack/logger.rb:28:in `call'
 a64ef436 | /usr/share/foreman/vendor/ruby/2.7.0/gems/sprockets-rails-3.4.2/lib/sprockets/rails/quiet_assets.rb:13:in `call'
 a64ef436 | /usr/share/foreman/lib/foreman/middleware/logging_context_request.rb:11:in `call'
 a64ef436 | /usr/share/foreman/vendor/ruby/2.7.0/gems/actionpack-6.1.7.6/lib/action_dispatch/middleware/remote_ip.rb:81:in `call'
 a64ef436 | /usr/share/foreman/vendor/ruby/2.7.0/gems/request_store-1.5.1/lib/request_store/middleware.rb:19:in `call'
 a64ef436 | /usr/share/foreman/vendor/ruby/2.7.0/gems/actionpack-6.1.7.6/lib/action_dispatch/middleware/request_id.rb:26:in `call'
 a64ef436 | /usr/share/foreman/vendor/ruby/2.7.0/gems/rack-2.2.8/lib/rack/method_override.rb:24:in `call'
 a64ef436 | /usr/share/foreman/vendor/ruby/2.7.0/gems/rack-2.2.8/lib/rack/runtime.rb:22:in `call'
 a64ef436 | /usr/share/foreman/vendor/ruby/2.7.0/gems/activesupport-6.1.7.6/lib/active_support/cache/strategy/local_cache_middleware.rb:29:in `call'
 a64ef436 | /usr/share/foreman/vendor/ruby/2.7.0/gems/actionpack-6.1.7.6/lib/action_dispatch/middleware/executor.rb:14:in `call'
 a64ef436 | /usr/share/foreman/vendor/ruby/2.7.0/gems/rack-2.2.8/lib/rack/sendfile.rb:110:in `call'
 a64ef436 | /usr/share/foreman/vendor/ruby/2.7.0/gems/actionpack-6.1.7.6/lib/action_dispatch/middleware/ssl.rb:77:in `call'
 a64ef436 | /usr/share/foreman/vendor/ruby/2.7.0/gems/actionpack-6.1.7.6/lib/action_dispatch/middleware/host_authorization.rb:142:in `call'
 a64ef436 | /usr/share/foreman/vendor/ruby/2.7.0/gems/secure_headers-6.5.0/lib/secure_headers/middleware.rb:11:in `call'
 a64ef436 | /usr/share/foreman/vendor/ruby/2.7.0/gems/railties-6.1.7.6/lib/rails/engine.rb:539:in `call'
 a64ef436 | /usr/share/foreman/vendor/ruby/2.7.0/gems/railties-6.1.7.6/lib/rails/railtie.rb:207:in `public_send'
 a64ef436 | /usr/share/foreman/vendor/ruby/2.7.0/gems/railties-6.1.7.6/lib/rails/railtie.rb:207:in `method_missing'
 a64ef436 | /usr/share/foreman/vendor/ruby/2.7.0/gems/rack-2.2.8/lib/rack/urlmap.rb:74:in `block in call'
 a64ef436 | /usr/share/foreman/vendor/ruby/2.7.0/gems/rack-2.2.8/lib/rack/urlmap.rb:58:in `each'
 a64ef436 | /usr/share/foreman/vendor/ruby/2.7.0/gems/rack-2.2.8/lib/rack/urlmap.rb:58:in `call'
 a64ef436 | /usr/share/foreman/vendor/ruby/2.7.0/gems/puma-6.4.0/lib/puma/configuration.rb:272:in `call'
 a64ef436 | /usr/share/foreman/vendor/ruby/2.7.0/gems/puma-6.4.0/lib/puma/request.rb:100:in `block in handle_request'
 a64ef436 | /usr/share/foreman/vendor/ruby/2.7.0/gems/puma-6.4.0/lib/puma/thread_pool.rb:378:in `with_force_shutdown'
 a64ef436 | /usr/share/foreman/vendor/ruby/2.7.0/gems/puma-6.4.0/lib/puma/request.rb:99:in `handle_request'
 a64ef436 | /usr/share/foreman/vendor/ruby/2.7.0/gems/puma-6.4.0/lib/puma/server.rb:443:in `process_client'
 a64ef436 | /usr/share/foreman/vendor/ruby/2.7.0/gems/puma-6.4.0/lib/puma/server.rb:241:in `block in run'
 a64ef436 | /usr/share/foreman/vendor/ruby/2.7.0/gems/puma-6.4.0/lib/puma/thread_pool.rb:155:in `block in spawn_thread'
 a64ef436 | /usr/share/foreman/vendor/ruby/2.7.0/gems/logging-2.3.1/lib/logging/diagnostic_context.rb:474:in `block in create_with_logging_context'
2023-11-03T15:49:04 [I|app|a64ef436]   Rendered common/500.html.erb within layouts/application (Duration: 2.2ms | Allocations: 1185)
2023-11-03T15:49:04 [I|app|a64ef436]   Rendered layouts/base.html.erb (Duration: 4.3ms | Allocations: 3755)
2023-11-03T15:49:04 [I|app|a64ef436]   Rendered layout layouts/application.html.erb (Duration: 8.6ms | Allocations: 5995)
2023-11-03T15:49:04 [I|app|a64ef436] Completed 500 Internal Server Error in 28ms (Views: 11.5ms | ActiveRecord: 3.3ms | Allocations: 14265)