Closed dvaerum closed 3 years ago
Same here.
Seems that the SSL setup on puppetdb does not look at the subject, only parses the altname. But the altname does not provide the original "puppetdb" string. So to get the output below, I had to work around it in the compose file. See below.

```
X509v3 Subject Alternative Name: DNS:puppetdb
```

Workaround was to add to docker-compose.yaml LINE 55:

```
- DNS_ALT_NAMES="puppetdb ${DNS_ALT_NAMES:-}"
```
@cxn-sjuhasz that is correct - newer versions of Java are stricter about RFC 2818, which requires that if an alt name is specified, it must also include the CN (as the CN is effectively ignored when SANs are specified).
The correct solution is to ensure that DNS_ALT_NAMES provides the primary CN as well as any other SANs that are intended to be used.
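To make the RFC 2818 point above concrete, here is an added illustration (not code from pupperware or from the comment authors) of how a strict TLS client decides whether a host name matches a certificate: once any dNSName SAN is present the CN is never consulted, so a certificate with CN=puppetdb and a SAN list that omits "puppetdb" fails for that name. The certificates are constructed dicts standing in for parsed X.509 fields; the host names, the `san_covers_cn` pre-flight check and the wildcard handling (RFC 6125 leftmost-label rule, which goes beyond what the thread discusses) are assumptions for the example.

```python
"""RFC 2818-style host name matching, added as an illustration of why
DNS_ALT_NAMES must repeat the CN.

Assumption: certificates are plain dicts already parsed from the PEM (a real
checker would extract these fields with an X.509 parser). The sample values
are constructed from the certificates described in this thread.
"""

# Constructed sample certificates (no real keys or PEMs):
#   CERT_OK              - CN repeated in the SAN list, as recommended.
#   CERT_CN_ONLY         - no SAN at all; matching falls back to the CN.
#   CERT_SAN_MISSING_CN  - SAN present but without the CN; this is the
#                          misconfiguration strict Java clients reject.
CERT_OK = {"cn": "puppetdb", "san_dns": ["puppetdb", "puppetdb.example.internal"]}
CERT_CN_ONLY = {"cn": "puppetdb", "san_dns": []}
CERT_SAN_MISSING_CN = {"cn": "puppetdb", "san_dns": ["puppetmaster.example.internal"]}


def _label_matches(pattern: str, hostname: str) -> bool:
    """Match one DNS name pattern against a hostname, allowing a single
    leftmost wildcard label (e.g. '*.example.internal'), per RFC 6125 6.4.3."""
    pattern = pattern.lower().rstrip(".")
    hostname = hostname.lower().rstrip(".")
    if "*" not in pattern:
        return pattern == hostname
    p_labels = pattern.split(".")
    h_labels = hostname.split(".")
    # The wildcard must be the whole leftmost label, must not stand in for a
    # public suffix (at least two labels after it) and must match exactly one label.
    if p_labels[0] != "*" or len(p_labels) < 3 or len(p_labels) != len(h_labels):
        return False
    return p_labels[1:] == h_labels[1:]


def hostname_matches(cert: dict, hostname: str) -> bool:
    """Return True if `hostname` is a valid identity for `cert`.

    When the certificate carries any dNSName SAN, only the SAN list is
    consulted and the subject CN is ignored. The CN is used only as a
    fallback for certificates with no SAN, which is the RFC 2818 behaviour
    that newer Java versions enforce strictly.
    """
    san_dns = cert.get("san_dns") or []
    if san_dns:
        return any(_label_matches(name, hostname) for name in san_dns)
    return _label_matches(cert.get("cn", ""), hostname)


def san_covers_cn(cert: dict) -> bool:
    """Pre-flight check for the misconfiguration in this thread: a SAN list
    that exists but does not cover the certificate's own CN means the CN
    will never match, however correct it looks."""
    san_dns = cert.get("san_dns") or []
    if not san_dns:
        return True  # no SAN: the CN fallback applies, nothing to check
    return any(_label_matches(name, cert["cn"]) for name in san_dns)


def explain(cert: dict, hostname: str) -> str:
    """Human-readable verdict, usable before starting a container that
    must present `hostname`."""
    if hostname_matches(cert, hostname):
        return f"OK: '{hostname}' matches SAN/CN of CN={cert['cn']}"
    if not san_covers_cn(cert) and cert["cn"].lower() == hostname.lower():
        return (f"FAIL: CN={cert['cn']} is ignored because a SAN is present; "
                f"add '{hostname}' to DNS_ALT_NAMES and reissue the certificate")
    return f"FAIL: '{hostname}' is not in SAN {cert['san_dns']} (CN={cert['cn']})"


if __name__ == "__main__":
    for name, cert in [("CERT_OK", CERT_OK), ("CERT_CN_ONLY", CERT_CN_ONLY),
                       ("CERT_SAN_MISSING_CN", CERT_SAN_MISSING_CN)]:
        print(name, "->", explain(cert, "puppetdb"))
```

Running the module prints one verdict per sample certificate; only `CERT_SAN_MISSING_CN` fails for "puppetdb", and the message names the fix the maintainer describes (put the CN into DNS_ALT_NAMES and reissue) rather than the symptom.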
It seems the issue is still present. The change seems to not make it to the docker-compose.yaml file? docker-compose.shared.yaml vanished from the repo?!?
I have dug deeper into this. I had imported my old SSL cert structure from a non-pupperware host. The cert had CN=puppetdb and one DNS Alt Name puppetmaster.$DOMAIN set within the cert.
I was not able to get this running even with DNS_ALT_NAMES set correctly. The solution for me was to revoke the old puppetdb cert, remove the cert from the puppetserver storage and issue a new puppetdb cert without any DNS alt names. I used `puppetserver ca` calls for this and afterwards copied the puppetdb.pem from pupperware_puppetserver-config to the pupperware_puppetdb volume:

```
./pupperware_puppetserver-config/_data/ssl/public_keys/puppetdb.pem
./pupperware_puppetserver-config/_data/ssl/ca/signed/puppetdb.pem
```

are copied to:

```
./pupperware_puppetdb/_data/certs/private_keys/puppetdb.pem
./pupperware_puppetdb/_data/certs/certs/puppetdb.pem
./pupperware_puppetdb/_data/certs/public_keys/puppetdb.pem
```
Maybe this helps someone when trying to import an SSL CA into the setup.

In addition I stumbled upon an issue when multiple certs were present in the certs directories. I had ca.pem, puppetdb.pem and puppetmaster.$DOMAIN.pem in my certs directory and this seemed to confuse startup. After removing the FQDN one, with only ca.pem and puppetdb.pem present, everything worked fine.
The mentioned issue with too many SSL pem files was possibly in script 90-log-config.sh:

```
System configuration values:
* HOSTNAME: 'puppet'
* hostname -f: 'puppet'
* PUPPETSERVER_HOSTNAME:PUPPET_MASTERPORT: 'puppet:8140'
* Generated certname: 'puppet.pem'
* DNS_ALT_NAMES: 'HIDDEN'
* SSLDIR: '/etc/puppetlabs/puppet/ssl'
```

After that I had some file not found messages.
The problem that I found is that, once you already started the stack with the wrong DNS_ALT_NAMES, it doesn't matter if you set the right value later because the certificate already exists and is not updated.
In order to fix it I just regenerated the puppetdb certificate with the right configuration:
1. In the puppetdb container remove the old certificate and related files:

```
$ rm /opt/puppetlabs/server/data/puppetdb/certs/certs/puppetdb.pem
$ rm /opt/puppetlabs/server/data/puppetdb/certs/private_keys/puppetdb.pem
$ rm /opt/puppetlabs/server/data/puppetdb/certs/public_keys/puppetdb.pem
$ rm /opt/puppetlabs/server/data/puppetdb/certs/certificate_requests/puppetdb.pem
```

2. In the puppetserver clean the old certificate:

```
$ puppetserver ca clean --certname puppetdb
Revoked certificate for puppetdb
Cleaned files related to puppetdb
```

3. In the puppetdb container rerun the configure ssl script to create a new certificate (with the right DNS_ALT_NAMES value):

```
$ export DNS_ALT_NAMES=puppetdb
$ /docker-entrypoint.d/20-configure-ssl.sh
(/ssl.sh) Using configuration values:
(/ssl.sh) * HOSTNAME: 'puppetdb'
(/ssl.sh) * hostname -f: 'puppetdb'
(/ssl.sh) * CERTNAME: 'puppetdb' (/CN=puppetdb)
(/ssl.sh) * DNS_ALT_NAMES: 'puppetdb,muppet.skimlinks.net'
(/ssl.sh) * CA: 'puppet:8140/puppet-ca/v1'
(/ssl.sh) * SSLDIR: '/opt/puppetlabs/server/data/puppetdb/certs'
(/ssl.sh) * WAITFORCERT: '120' seconds
(/ssl.sh) Waiting for master puppet to be running to generate certificates...
subject=CN = "Puppet Enterprise CA generated on puppet at 2020-09-24 17:36:11 +0000"
issuer=CN = Puppet Root CA: 8c0e4e6d86f20d
Generating RSA private key, 4096 bit long modulus (2 primes)
........................................................++++
................................................................................++++
....
X509v3 Subject Alternative Name:
DNS:puppetdb
X509v3 Basic Constraints: critical
CA:FALSE
X509v3 Extended Key Usage: critical
TLS Web Server Authentication, TLS Web Client Authentication
X509v3 Key Usage: critical
Digital Signature, Key Encipherment
(/ssl.sh) Successfully signed certificate '/opt/puppetlabs/server/data/puppetdb/certs/certs/puppetdb.pem'
```
Then I just restarted the puppetdb container with `docker-compose restart puppetdb` and the error messages were gone.
Describe the Bug
I get the following errors every time I add a node to my setup
Expected Behavior
I expected to not get the following error when I added nodes to Puppet Server
Steps to Reproduce
Steps to reproduce the behavior:

```
cd pupperware
docker-compose up -d
docker-compose logs -f
```
Environment
Additional Context
I figured out that if I make the variable `PUPPETDB_SERVER_URLS` contain a full domain (see docker-compose.yml) I don't get the errors. Example: if I change
to
and add an
aliases:
thepuppetdb
service (see docker-compose.yml). Are there others who have had this problem?