Open jschuck opened 1 year ago
Hi there! Welcome to the Salt Community! Thank you for making your first contribution. We have a lengthy process for issues and PRs. Someone from the Core Team will follow up as soon as possible. In the meantime, here’s some information that may help as you continue your Salt journey. Please be sure to review our Code of Conduct. Also, check out some of our community resources including:
There are lots of ways to get involved in our community. Every month, there are around a dozen opportunities to meet with other contributors and the Salt Core team and collaborate in real time. The best way to keep track is by subscribing to the Salt Community Events Calendar. If you have additional questions, email us at saltproject@vmware.com. We’re glad you’ve joined our community and look forward to doing awesome things with you!
That sounds like #62637, which should have been fixed in 3005.1
Not quite. #62637 failed to load the certificate, now it outright refuses to connect to server with a valid cert. I don't have the insight to state how much this really is the same problem or if there is some other certificate related problem at play here.
Description Salt-Master is not connecting to a Gitlab instance with a letsencrypt certificate on a fresh onedir installation as an ext_pillar.
The same configuration is working with another salt-master, same version. The only difference being that the working one is a classic installation.
Noteworthy as well: The gitfs connection using the same Gitlab instance works.
If i uninstall the salt-master onedir version and install the classic version instead it works. No other changes are made at that point.
Setup
Please be as specific as possible and give set-up details.
The git-Server in question is a Gitlab installation with a letsencrypt certificate.
For reference the used gitfs configuration works:
But the corresponding ext_pillar configuration fails:
I did not change the providers away from pygit2!
Steps to Reproduce the behavior Produced Error :
Certificate on the gitlab instance is a valid letsencrypt wildcard certificate.
The only thing i did to get this error is installing the salt-master as a onedir installation.
Expected behavior Behaving the same way as a classic installation.
Versions Report
salt --versions-report
(Provided by running salt --versions-report. Please also mention any differences in master/minion versions.) ```yaml Salt Version: Salt: 3005.1 Dependency Versions: cffi: 1.14.6 cherrypy: 18.6.1 dateutil: 2.8.1 docker-py: Not Installed gitdb: 4.0.9 gitpython: 3.1.29 Jinja2: 3.1.0 libgit2: 1.5.0 M2Crypto: Not Installed Mako: Not Installed msgpack: 1.0.2 msgpack-pure: Not Installed mysql-python: Not Installed pycparser: 2.21 pycrypto: Not Installed pycryptodome: 3.9.8 pygit2: 1.10.1 Python: 3.9.14 (main, Oct 3 2022, 21:19:30) python-gnupg: 0.4.8 PyYAML: 5.4.1 PyZMQ: 23.2.0 smmap: 5.0.0 timelib: 0.2.4 Tornado: 4.5.3 ZMQ: 4.3.4 System Versions: dist: debian 11 bullseye locale: utf-8 machine: x86_64 release: 5.10.0-18-amd64 system: Linux version: Debian GNU/Linux 11 bullseye ``` For comparison: The working master: ```yaml Salt Version: Salt: 3005.1 Dependency Versions: cffi: Not Installed cherrypy: unknown dateutil: 2.8.1 docker-py: Not Installed gitdb: 4.0.5 gitpython: 3.1.14 Jinja2: 2.11.3 libgit2: 1.1.0 M2Crypto: Not Installed Mako: Not Installed msgpack: 1.0.0 msgpack-pure: Not Installed mysql-python: Not Installed pycparser: Not Installed pycrypto: Not Installed pycryptodome: 3.9.7 pygit2: 1.4.0 Python: 3.9.2 (default, Feb 28 2021, 17:03:44) python-gnupg: Not Installed PyYAML: 5.3.1 PyZMQ: 20.0.0 smmap: 4.0.0 timelib: Not Installed Tornado: 4.5.3 ZMQ: 4.3.4 System Versions: dist: debian 11 bullseye locale: utf-8 machine: x86_64 release: 5.10.0-18-amd64 system: Linux version: Debian GNU/Linux 11 bullseye ```Additional context
Comparing the versions on the two masters i changed the pygit2 version in the onedir installation:
After this the master startet working as expected. So it seems that something significantly changed from pygit2 1.4.0 to 1.10.1.
I'm currently using this as a workaround.