puppetlabs / puppetdb

Centralized Puppet Storage
http://docs.puppetlabs.com/puppetdb
Apache License 2.0

Meaningful SSL/TLS error messages from puppetserver #3995

Open H6pOJTyp opened 2 months ago

H6pOJTyp commented 2 months ago

Use Case

The open-source version (8.4.1) of puppetserver refuses to store reports in puppetdb (7.1.12) — after creating the config with puppetdb ssl-setup. The error message is of the form:

ERROR [qtp910896516-5525] [puppetserver] Puppet Report processor failed: Failed to execute
'/pdb/cmd/v1?checksum=a17ff53c5dfebc2153295bf8e5f346fe15d4924e&version=8&certname=client1.example.com&command=store_report&producer-timestamp=2024-09-02T12:32:43.375Z' on at least 1 of the following 'server_urls': https://127.0.0.1:8081

Describe the Solution You Would Like

I have now spent a lot of time trying to debug this. It would be helpful if the puppetserver would specify the cause of the problem, as for example:

austb commented 2 months ago

What version of the PuppetDB terminus are you using?

Commands are submitted to PuppetDB from Puppetserver using the PuppetDB terminus, and it is unsupported to submit commands to PuppetDB from a newer terminus than it was released with. Since your Puppetserver node is using Puppet Platform 8, I'm assuming it is also using a puppetdb-termini package version from the 8 series, which would be too new for PuppetDB 7. So in this case I would recommend upgrading PuppetDB to an 8 version.

In general, deployments of Puppet with components split over a major version are likely to hit problems, especially with TLS, because the major version is an opportunity to take up larger updates to openssl/bouncycastle.