voxpupuli / container-puppetserver

Container image for Puppet Server
Apache License 2.0

certificate verify failed (unable to get issuer certificate) #48

Open muscat opened 8 months ago

muscat commented 8 months ago

hi!

I'm trying to use your image on a Raspberry Pi 4. aarch64 (ARM), 8Gb RAM, 22Gb free disk space.

I'm launching it with the recommended parameters:

docker run --name puppet --hostname puppet.vpn.rv.ua -p 8140:8140 -v ./code:/etc/puppetlabs/code -v ./ca:/etc/puppetlabs/puppetserver/ca ghcr.io/voxpupuli/container-puppetserver

The server starts up. Here are the logs.

System configuration values:
* HOSTNAME: 'puppet.vpn.rv.ua'
* hostname -f: 'puppet.vpn.rv.ua'
* PUPPETSERVER_HOSTNAME: 'puppet'
* PUPPETSERVER_PORT: '8140'
* Certname: 'puppet.pem'
* DNS_ALT_NAMES: ''
* SSLDIR: '/etc/puppetlabs/puppet/ssl'
CA Certificate:
subject=CN = "Puppet CA generated on puppet.vpn.rv.ua at 2024-01-16 14:31:17 +0000"
issuer=CN = Puppet Root CA: 1b57b4220adc31
        X509v3 extensions:
            X509v3 Basic Constraints: critical
                CA:TRUE
            X509v3 Key Usage: critical
                Certificate Sign, CRL Sign
            X509v3 Subject Key Identifier: 
                4D:A0:F5:23:FC:B6:4A:4E:7F:EF:39:6C:E0:7D:73:1A:AB:60:9F:E8
            Netscape Comment: 
                Puppet Server Internal Certificate
            X509v3 Authority Key Identifier: 
                16:6C:70:7B:5D:56:FE:35:13:4F:64:1D:34:1C:C5:74:83:8C:26:B6
Certificate puppet.pem:
subject=CN = puppet
issuer=CN = "Puppet CA generated on puppet.vpn.rv.ua at 2024-01-16 14:31:17 +0000"
        X509v3 extensions:
            X509v3 Basic Constraints: critical
                CA:FALSE
            Netscape Comment: 
                Puppet Server Internal Certificate
            X509v3 Authority Key Identifier: 
                4D:A0:F5:23:FC:B6:4A:4E:7F:EF:39:6C:E0:7D:73:1A:AB:60:9F:E8
            X509v3 Extended Key Usage: critical
                TLS Web Server Authentication, TLS Web Client Authentication
            X509v3 Key Usage: critical
                Digital Signature, Key Encipherment
            X509v3 Subject Key Identifier: 
                EE:43:BC:F1:6F:2C:A9:C5:62:26:42:BC:9D:21:B6:D1:D5:DA:9D:58
            1.3.6.1.4.1.34380.1.3.39: 
                ..true
            X509v3 Subject Alternative Name: 
                DNS:puppet, DNS:puppet

...

2024-01-16 14:33:39,574 INFO  [p.t.s.w.jetty9-core] Starting web server.
2024-01-16 14:33:39,589 INFO  [o.e.j.s.Server] jetty-9.4.53.v20231009; built: 2023-10-09T12:29:09.265Z; git: 27bde00a0b95a1d5bbee0eae7984f891d2d0f8c9; jvm 17.0.9+9-Ubuntu-122.04
2024-01-16 14:33:39,786 INFO  [o.e.j.s.h.ContextHandler] Started o.e.j.s.h.ContextHandler@7cedcbc9{/puppet-ca,null,AVAILABLE}
2024-01-16 14:33:39,790 INFO  [o.e.j.s.h.ContextHandler] Started o.e.j.s.h.ContextHandler@40ffcd92{/puppet-admin-api,null,AVAILABLE}
2024-01-16 14:33:39,855 INFO  [o.e.j.s.session] DefaultSessionIdManager workerName=node0
2024-01-16 14:33:39,856 INFO  [o.e.j.s.session] No SessionScavenger set, using defaults
2024-01-16 14:33:39,864 INFO  [o.e.j.s.session] node0 Scavenging every 600000ms
2024-01-16 14:33:39,994 INFO  [p.t.s.m.jolokia] Using policy access restrictor classpath:/jolokia-access.xml
2024-01-16 14:33:40,164 INFO  [o.e.j.s.h.ContextHandler] Started o.e.j.s.ServletContextHandler@79246c19{/metrics/v2,null,AVAILABLE}
2024-01-16 14:33:40,165 INFO  [o.e.j.s.h.ContextHandler] Started o.e.j.s.h.ContextHandler@284daed8{/puppet,null,AVAILABLE}
2024-01-16 14:33:40,259 INFO  [o.e.j.u.s.SslContextFactory] x509=X509@ef88faa(private key,h=[puppet],a=[],w=[]) for InternalSslContextFactory@470d0fef[provider=null,keyStore=null,trustStore=null]
2024-01-16 14:33:40,528 INFO  [o.e.j.s.AbstractConnector] Started ServerConnector@49c9371c{SSL, (ssl, http/1.1)}{0.0.0.0:8140}
2024-01-16 14:33:40,529 INFO  [o.e.j.s.Server] Started @91746ms
2024-01-16 14:33:40,548 INFO  [p.t.s.s.status-core] Starting background monitoring of cpu usage metrics
2024-01-16 14:33:40,564 INFO  [p.t.s.s.status-service] Registering status callback function for service 'status-service', version 1.1.2
2024-01-16 14:33:40,566 INFO  [p.t.s.s.status-service] Registering status service HTTP API at /status
2024-01-16 14:33:40,601 INFO  [o.e.j.s.h.ContextHandler] Started o.e.j.s.h.ContextHandler@2454e868{/status,null,AVAILABLE}
2024-01-16 14:33:40,662 INFO  [p.s.a.analytics-service] Puppet Server Update Service has successfully started and will run in the background
2024-01-16 14:33:40,674 INFO  [p.s.m.master-service] Puppet Server has successfully started and is now ready to handle requests
2024-01-16 14:55:03,325 INFO  [p.s.a.dropsonde] Successfully submitted module metrics via Dropsonde.

puppet agent config:

[main]
server = puppet.vpn.rv.ua
ca_server = puppet.vpn.rv.ua
environment = production
report = false
runinterval = 300
rundir = /var/run/puppet
factpath=$vardir/lib/facter
ssldir = /var/lib/puppet/ssl

[agent]
server = puppet.vpn.rv.ua

When a client tries to connect, I get an "unable to get issuer certificate" error. Logs on the client:

root@ip-172-31-1-176:~# puppet agent --verbose --onetime --no-daemonize --logdest console
Info: Creating a new SSL key for ip-172-31-1-176.us-east-2.compute.internal
Info: Caching certificate for ca
Info: csr_attributes file loading from /etc/puppet/csr_attributes.yaml
Info: Creating a new SSL certificate request for ip-172-31-1-176.us-east-2.compute.internal
Info: Certificate Request fingerprint (SHA256): 85:DF:EA:7C:CB:28:80:36:E5:59:9A:9A:82:89:38:B1:44:0B:9C:C7:16:CF:1A:9F:22:2D:CC:50:3A:AE:D3:F0
Info: Caching certificate for ip-172-31-1-176.us-east-2.compute.internal
Error: request https://puppet.vpn.rv.ua:8140//puppet-ca/v1/certificate_revocation_list/ca failed: SSL_connect returned=1 errno=0 peeraddr=91.223.227.227:8140 state=error: certificate verify failed (unable to get issuer certificate)
Error: Could not request certificate: SSL_connect returned=1 errno=0 peeraddr=91.223.227.227:8140 state=error: certificate verify failed (unable to get issuer certificate): [unable to get issuer certificate for /CN=Puppet CA generated on puppet.vpn.rv.ua at 2024-01-16 14:31:17 \+0000]
Exiting; failed to retrieve certificate and waitforcert is disabled

Logs on the server at the same moment:

3.141.192.43 - - - 16/Jan/2024:15:25:22 +0000 "GET /puppet-ca/v1/certificate/ca?environment=production&fail_on_404=true HTTP/1.1" 200 2791 3.141.192.43 3.141.192.43 8140 91
3.141.192.43 - - - 16/Jan/2024:15:25:23 +0000 "GET /puppet-ca/v1/certificate/ip-172-31-1-176.us-east-2.compute.internal?environment=production& HTTP/1.1" 404 69 3.141.192.43 3.141.192.43 8140 12
3.141.192.43 - - - 16/Jan/2024:15:25:23 +0000 "GET /puppet-ca/v1/certificate_request/ip-172-31-1-176.us-east-2.compute.internal?environment=production& HTTP/1.1" 404 77 3.141.192.43 3.141.192.43 8140 17
2024-01-16 15:25:25,475 INFO  [p.p.certificate-authority] Entity CA signed 1 certificate: ip-172-31-1-176.us-east-2.compute.internal.
3.141.192.43 - - - 16/Jan/2024:15:25:25 +0000 "PUT /puppet-ca/v1/certificate_request/ip-172-31-1-176.us-east-2.compute.internal?environment=production& HTTP/1.1" 200 0 3.141.192.43 3.141.192.43 8140 1412
3.141.192.43 - - - 16/Jan/2024:15:25:25 +0000 "GET /puppet-ca/v1/certificate/ip-172-31-1-176.us-east-2.compute.internal?environment=production& HTTP/1.1" 200 1668 3.141.192.43 3.141.192.43 8140 20

The client is a fresh EC2 instance, x86_64, Ubuntu 22 LTS. Only puppet-agent is installed, and the server configuration is specified.

Please help, how do I solve it? Thanks in advance.

rwaffen commented 8 months ago

Hmm, strange, this should work, will try to reproduce.

rwaffen commented 8 months ago

I normally run it from a compose.yaml. Maybe this helps:

services:
  puppet:
    image: ghcr.io/container-puppetserver:7.14.0-latest
    hostname: puppet
    environment:
      - PUPPETSERVER_HOSTNAME=puppet
      - PUPPETSERVER_PORT=8140
      - PUPPETDB_HOSTNAME=puppetdb
      - PUPPETDB_SSL_PORT=8081
      - USE_PUPPETDB=true
      - AUTOSIGN=true
      # For private repos, use git@github.com:user/repo.git and provide SSH keys
      # - R10K_REMOTE=https://github.com/betadots/demo-control-repo.git
    volumes:
      - puppetserver:/opt/puppetlabs/server/data/puppetserver
      - puppetserver-ssl:/etc/puppetlabs/puppet/ssl
      - puppetserver-ca:/etc/puppetlabs/puppetserver/ca
    restart: always
    ports:
      - 8140:8140

https://github.com/voxpupuli/crafty/blob/887019ac1ceff40a3659e526a4fb02e527e2ec65/puppet/oss/compose.yaml#L4-L22

muscat commented 8 months ago

Thank you for your response and advice.

I tried to reproduce...

I took a clean Ubuntu 22 on ARM architecture at AWS.

Ubuntu 22.04 LTS, arm64 jammy image build on 2023-12-07
t4g.small, 2 vCPU, 2 GiB Memory, 20Gb EBS volume.

The security group is clear: allowing any traffic to any. An external IP was added, domain 'puppet.vpn.rv.ua' was pointed to this external IP.

On this server, I performed the following tasks:

Using EXACTLY your file, I got these errors:

ERROR: Named volume "puppetserver:/opt/puppetlabs/server/data/puppetserver:rw" is used in service "puppet" but no declaration was found in the volumes section.

ERROR: Head "https://ghcr.io/v2/container-puppetserver/manifests/7.14.0-latest": name invalid

I manually got the image:

root@puppet:~# docker pull voxpupuli/container-puppetserver:7.14.0-latest
...
Status: Downloaded newer image for voxpupuli/container-puppetserver:7.14.0-latest
docker.io/voxpupuli/container-puppetserver:7.14.0-latest

I adjusted the file to this state (just added the volumes and used the already downloaded image):

services:
  puppet:
    image: voxpupuli/container-puppetserver:7.14.0-latest
    hostname: puppet
    environment:
      - PUPPETSERVER_HOSTNAME=puppet
      - PUPPETSERVER_PORT=8140
      - PUPPETDB_HOSTNAME=puppetdb
      - PUPPETDB_SSL_PORT=8081
      - USE_PUPPETDB=true
      - AUTOSIGN=true
      # For private repos, use git@github.com:user/repo.git and provide SSH keys
      # - R10K_REMOTE=https://github.com/betadots/demo-control-repo.git
    volumes:
      - puppetserver:/opt/puppetlabs/server/data/puppetserver
      - puppetserver-ssl:/etc/puppetlabs/puppet/ssl
      - puppetserver-ca:/etc/puppetlabs/puppetserver/ca
    restart: always
    ports:
      - 8140:8140

volumes:
  puppetserver:
  puppetserver-ssl:
  puppetserver-ca:

run:

root@puppet:~# docker-compose up -d --build
Creating network "root_default" with the default driver
Creating volume "root_puppetserver" with default driver
Creating volume "root_puppetserver-ssl" with default driver
Creating volume "root_puppetserver-ca" with default driver
Creating root_puppet_1 ... done

The container is running successfully:

root@puppet:~# docker ps
CONTAINER ID   IMAGE                                            COMMAND                  CREATED              STATUS                        PORTS                                       NAMES
2251fc060859   voxpupuli/container-puppetserver:7.14.0-latest   "dumb-init /docker-e…"   About a minute ago   Up About a minute (healthy)   0.0.0.0:8140->8140/tcp, :::8140->8140/tcp   root_puppet_1

logs are healthy:

...
2024-01-23 08:31:53,970 INFO  [p.s.a.analytics-service] Puppet Server Update Service has successfully started and will run in the background
2024-01-23 08:31:53,988 INFO  [p.s.m.master-service] Puppet Server has successfully started and is now ready to handle requests
2024-01-23 08:31:55,629 INFO  [p.d.version-check] Newer version 8.4.0 is available! Visit https://puppet.com/docs/puppetserver/latest/release_notes.html for details.
127.0.0.1 - - - 23/Jan/2024:08:32:04 +0000 "GET /status/v1/simple HTTP/1.1" 200 7 127.0.0.1 127.0.0.1 8140 109

Now, going to the client instance: it's almost exactly the same instance, just on x86_64.

install puppet agent:

root@ip-172-31-0-177:~# apt update
root@ip-172-31-0-177:~# apt install puppet
...
Setting up puppet (5.5.22-4ubuntu0.2) ...

create a minimal config for puppet agent:

root@ip-172-31-0-177:~# cat /etc/puppet/puppet.conf
[main]
server = puppet.vpn.rv.ua
certname = test1
runinterval = 30m

and run the agent:

root@ip-172-31-0-177:~# puppet agent -t
Info: Creating a new SSL key for test1
Info: Caching certificate for ca
Info: csr_attributes file loading from /etc/puppet/csr_attributes.yaml
Info: Creating a new SSL certificate request for test1
Info: Certificate Request fingerprint (SHA256): F4:13:68:AD:A2:91:64:12:91:A0:76:CA:10:40:C7:3A:2F:CD:87:89:49:DC:3B:15:72:54:42:5D:85:F5:F0:3F
Info: Caching certificate for test1
Error: request https://puppet.vpn.rv.ua:8140//puppet-ca/v1/certificate_revocation_list/ca failed: SSL_connect returned=1 errno=0 peeraddr=18.157.83.126:8140 state=error: certificate verify failed (unable to get issuer certificate)
Error: Could not request certificate: SSL_connect returned=1 errno=0 peeraddr=18.157.83.126:8140 state=error: certificate verify failed (unable to get issuer certificate): [unable to get issuer certificate for /CN=Puppet CA generated on puppet at 2024-01-23 08:31:14 \+0000]
Exiting; failed to retrieve certificate and waitforcert is disabled

Server logs show:

18.185.90.160 - - - 23/Jan/2024:08:39:30 +0000 "GET /puppet-ca/v1/certificate/ca?environment=production&fail_on_404=true HTTP/1.1" 200 2774 18.185.90.160 18.185.90.160 8140 34
18.185.90.160 - - - 23/Jan/2024:08:39:30 +0000 "GET /puppet-ca/v1/certificate/test1?environment=production& HTTP/1.1" 404 32 18.185.90.160 18.185.90.160 8140 4
18.185.90.160 - - - 23/Jan/2024:08:39:30 +0000 "GET /puppet-ca/v1/certificate_request/test1?environment=production& HTTP/1.1" 404 40 18.185.90.160 18.185.90.160 8140 5
2024-01-23 08:39:31,124 INFO  [p.p.certificate-authority] Signed certificate request for test1
18.185.90.160 - - - 23/Jan/2024:08:39:31 +0000 "PUT /puppet-ca/v1/certificate_request/test1?environment=production& HTTP/1.1" 200 0 18.185.90.160 18.185.90.160 8140 595
18.185.90.160 - - - 23/Jan/2024:08:39:31 +0000 "GET /puppet-ca/v1/certificate/test1?environment=production& HTTP/1.1" 200 1575 18.185.90.160 18.185.90.160 8140 6

The problem still persists :( Please help me solve the problem.

I can provide access to both the server and the client.

muscat commented 8 months ago

puppet

rwaffen commented 8 months ago

So you have two VMs? On one, docker with the puppetserver running? And the second VM is an agent? When you start the server with docker internal name puppet and VM external name puppet.vpn.rv.ua this will be a cert mismatch. Try to set DNS_ALT_NAMES.

services:
  puppet:
    image: voxpupuli/container-puppetserver:7.14.0-latest
    hostname: puppet
    environment:
      - PUPPETSERVER_HOSTNAME=puppet
      - DNS_ALT_NAMES=puppet.vpn.rv.ua
      ...
rwaffen commented 8 months ago

Therefore you might need to throw your CA away. You can do that by purging the puppetserver-ssl and puppetserver-ca volumes, or just use local bind mounts if you aren't used to volumes.

You might use full paths or relative paths:

    volumes:
      - ./puppetserver:/opt/puppetlabs/server/data/puppetserver
      - ./puppetserver-ssl:/etc/puppetlabs/puppet/ssl
      - /my/path/on/the/host/puppetserver-ca:/etc/puppetlabs/puppetserver/ca
muscat commented 8 months ago

So you have two VMs? On one, docker with the puppetserver running? And the second VM is an agent?

No. They are two separate machines (EC2). On the first, puppet-server is running as a docker container. The second one is a 'destination', which should be provisioned by the puppet server.

When you start the server with docker internal name puppet and VM external name puppet.vpn.rv.ua this will be a cert mismatch. Try to set DNS_ALT_NAMES.

  • PUPPETSERVER_HOSTNAME=puppet
  • DNS_ALT_NAMES=puppet.vpn.rv.ua

OK, will check soon.

muscat commented 8 months ago

Bad news, everyone.

I used the following docker-compose.yml file on the server (a virgin clean new EC2):

services:
  puppet:
    image: voxpupuli/container-puppetserver:7.14.0-latest
    hostname: puppet
    environment:
      - PUPPETSERVER_HOSTNAME=puppet
      - DNS_ALT_NAMES=puppet.vpn.rv.ua
      - PUPPETSERVER_PORT=8140
      - PUPPETDB_HOSTNAME=puppetdb
      - PUPPETDB_SSL_PORT=8081
      - USE_PUPPETDB=true
      - AUTOSIGN=true
      # For private repos, use git@github.com:user/repo.git and provide SSH keys
      # - R10K_REMOTE=https://github.com/betadots/demo-control-repo.git
    volumes:
      - ./data:/opt/puppetlabs/server/data/puppetserver
      - ./ssl:/etc/puppetlabs/puppet/ssl
      - ./ca:/etc/puppetlabs/puppetserver/ca
    restart: always
    ports:
      - 8140:8140

Changes are: envs - added DNS_ALT_NAMES; volumes - pointed directly to local folders.

Maintenance tasks: set hostname, install docker & docker-compose, create docker-compose.yml, ...

run:

root@ip-172-31-0-184:~# docker-compose up -d --build
Creating network "root_default" with the default driver
Pulling puppet (voxpupuli/container-puppetserver:7.14.0-latest)...
7.14.0-latest: Pulling from voxpupuli/container-puppetserver
ce9ebea987c2: Pull complete
...
a7120fa89f31: Pull complete
Digest: sha256:65a37305a1e5a54703224af59157c275c8b8e2f8c87a47361c17e7f7d00a83f1
Status: Downloaded newer image for voxpupuli/container-puppetserver:7.14.0-latest
Creating root_puppet_1 ... done

The server starts as it should:

root@ip-172-31-0-184:~# docker logs root_puppet_1 --follow
...
System configuration values:
* HOSTNAME: 'puppet'
* hostname -f: 'puppet'
* PUPPETSERVER_HOSTNAME: 'puppet'
* PUPPETSERVER_PORT: '8140'
* Certname: 'puppet.pem'
* DNS_ALT_NAMES: 'puppet.vpn.rv.ua'
* SSLDIR: '/etc/puppetlabs/puppet/ssl'
CA Certificate:
subject=CN = "Puppet CA generated on puppet at 2024-01-23 17:26:03 +0000"
issuer=CN = Puppet Root CA: 0e0f3db1b15c83
        X509v3 extensions:
            X509v3 Basic Constraints: critical
                CA:TRUE
            X509v3 Key Usage: critical
                Certificate Sign, CRL Sign
            X509v3 Subject Key Identifier:
                7B:77:5F:3F:23:DD:75:FF:86:9E:F2:6D:D5:9E:30:77:7D:F1:1B:AB
            Netscape Comment:
                Puppet Server Internal Certificate
            X509v3 Authority Key Identifier:
                6C:62:FB:CE:C0:D3:A8:3E:BC:3C:F0:26:80:01:6F:D9:EC:F1:FA:9A
Certificate puppet.pem:
subject=CN = puppet
issuer=CN = "Puppet CA generated on puppet at 2024-01-23 17:26:03 +0000"
        X509v3 extensions:
            X509v3 Basic Constraints: critical
                CA:FALSE
            Netscape Comment:
                Puppet Server Internal Certificate
            X509v3 Authority Key Identifier:
                7B:77:5F:3F:23:DD:75:FF:86:9E:F2:6D:D5:9E:30:77:7D:F1:1B:AB
            X509v3 Extended Key Usage: critical
                TLS Web Server Authentication, TLS Web Client Authentication
            X509v3 Key Usage: critical
                Digital Signature, Key Encipherment
            X509v3 Subject Key Identifier:
                EE:AA:7A:38:DE:CC:68:E1:80:42:4D:5B:D0:EC:B7:26:05:2D:61:C8
            1.3.6.1.4.1.34380.1.3.39:
                ..true
            X509v3 Subject Alternative Name:
                DNS:puppet, DNS:puppet.vpn.rv.ua

...

2024-01-23 17:26:33,734 INFO  [p.s.a.analytics-service] Puppet Server Update Service has successfully started and will run in the background
2024-01-23 17:26:33,759 INFO  [p.s.m.master-service] Puppet Server has successfully started and is now ready to handle requests
2024-01-23 17:26:33,866 WARN  [c.p.p.ShellUtils] Executed an external process which logged to STDERR: /opt/puppetlabs/puppet/bin/ruby: No such file or directory -- /opt/puppetlabs/server/data/puppetserver/dropsonde/bin/dropsonde (LoadError)
2024-01-23 17:26:33,883 WARN  [p.s.a.dropsonde] Failed to submit module metrics via Dropsonde. Error: /opt/puppetlabs/puppet/bin/ruby: No such file or directory -- /opt/puppetlabs/server/data/puppetserver/dropsonde/bin/dropsonde (LoadError)
2024-01-23 17:26:34,406 INFO  [p.d.version-check] Newer version 8.4.0 is available! Visit https://puppet.com/docs/puppetserver/latest/release_notes.html for details.

. . . . .

Go to the client's side.

Start a fresh new Ubuntu 22 @ x86_64 EC2:

Install puppet and create a config for puppet agent:

[main]
 server = puppet.vpn.rv.ua
 certname = test1
 runinterval = 30m

Try to run:

ubuntu@ip-172-31-0-187:~$ sudo puppet agent -t
Info: Creating a new SSL key for test1
Info: Caching certificate for ca
Info: csr_attributes file loading from /etc/puppet/csr_attributes.yaml
Info: Creating a new SSL certificate request for test1
Info: Certificate Request fingerprint (SHA256): 93:70:EE:57:7C:45:66:EE:71:D1:2B:AF:0B:9B:AA:D9:94:86:D1:2A:0F:96:CD:8D:FA:CF:0B:CA:15:75:EF:3F
Info: Caching certificate for test1
Error: request https://puppet.vpn.rv.ua:8140//puppet-ca/v1/certificate_revocation_list/ca failed: SSL_connect returned=1 errno=0 peeraddr=18.157.83.126:8140 state=error: certificate verify failed (unable to get issuer certificate)
Error: Could not request certificate: SSL_connect returned=1 errno=0 peeraddr=18.157.83.126:8140 state=error: certificate verify failed (unable to get issuer certificate): [unable to get issuer certificate for /CN=Puppet CA generated on puppet at 2024-01-23 17:26:03 \+0000]
Exiting; failed to retrieve certificate and waitforcert is disabled

Server says:

3.67.19.230 - - - 23/Jan/2024:18:19:16 +0000 "GET /puppet-ca/v1/certificate/ca?environment=production&fail_on_404=true HTTP/1.1" 200 2773 3.67.19.230 3.67.19.230 8140 22
3.67.19.230 - - - 23/Jan/2024:18:19:16 +0000 "GET /puppet-ca/v1/certificate/test1?environment=production& HTTP/1.1" 404 32 3.67.19.230 3.67.19.230 8140 3
3.67.19.230 - - - 23/Jan/2024:18:19:16 +0000 "GET /puppet-ca/v1/certificate_request/test1?environment=production& HTTP/1.1" 404 40 3.67.19.230 3.67.19.230 8140 4
2024-01-23 18:19:17,076 INFO  [p.p.certificate-authority] Signed certificate request for test1
3.67.19.230 - - - 23/Jan/2024:18:19:17 +0000 "PUT /puppet-ca/v1/certificate_request/test1?environment=production& HTTP/1.1" 200 0 3.67.19.230 3.67.19.230 8140 523
3.67.19.230 - - - 23/Jan/2024:18:19:17 +0000 "GET /puppet-ca/v1/certificate/test1?environment=production& HTTP/1.1" 200 1574 3.67.19.230 3.67.19.230 8140 4
127.0.0.1 - - - 23/Jan/2024:18:19:17 +0000 "GET /status/v1/simple HTTP/1.1" 200 7 127.0.0.1 127.0.0.1 8140 8
127.0.0.1 - - - 23/Jan/2024:18:19:38 +0000 "GET /status/v1/simple HTTP/1.1" 200 7 127.0.0.1 127.0.0.1 8140 8

The client successfully resolves the DNS:

ubuntu@ip-172-31-0-187:~$ host puppet.vpn.rv.ua
puppet.vpn.rv.ua has address 18.157.83.126

The server is located on the desired IP:

root@puppet:~# curl 2ip.ua
 ip             : 18.157.83.126
 hostname       : ec2-18-157-83-126.eu-central-1.compute.amazonaws.com
 provider       : Amazon.com Inc.
 location       : Germany (DE), Frankfurt Am Main

. . .

Folders 'data', 'ssl', 'ca' on the server contain fresh data.

root@puppet:~# ls -l data ssl ca
ca:
total 48
-rw-r----- 1 lxd docker 1978 Jan 23 17:26 ca_crl.pem
-rw-r----- 1 lxd docker 3899 Jan 23 17:26 ca_crt.pem
-rw-r----- 1 lxd docker 3243 Jan 23 17:26 ca_key.pem
-rw-r----- 1 lxd docker  800 Jan 23 17:26 ca_pub.pem
-rw-r----- 1 lxd docker 1978 Jan 23 17:26 infra_crl.pem
-rw-r----- 1 lxd docker    1 Jan 23 17:26 infra_inventory.txt
-rw-r----- 1 lxd docker    1 Jan 23 17:26 infra_serials
-rw-r----- 1 lxd docker  127 Jan 23 18:19 inventory.txt
drwxr-x--- 2 lxd docker 4096 Jan 23 18:19 requests
-rw-r----- 1 lxd docker 3243 Jan 23 17:26 root_key.pem
-rw-r--r-- 1 lxd docker    4 Jan 23 18:19 serial
drwxr-x--- 2 lxd docker 4096 Jan 23 18:19 signed

data:
total 44
drwxr-x---  2 lxd docker 4096 Jan 23 17:26 bucket
drwxr-x---  2 lxd docker 4096 Jan 23 17:26 facts.d
drwxr-x---  2 lxd docker 4096 Jan 23 17:26 lib
drwxr-x---  2 lxd docker 4096 Jan 23 17:26 locales
drwxr-x---  2 lxd docker 4096 Jan 23 17:26 preview
drwxr-x---  2 lxd docker 4096 Jan 23 17:26 reports
-rw-r-----  1 lxd docker    1 Jan 23 17:26 restartcounter
drwxr-x---  2 lxd docker 4096 Jan 23 17:26 server_data
drwxr-xr-t  2 lxd docker 4096 Jan 23 17:26 state
drwxr-xr-x 10 lxd docker 4096 Jan 23 17:25 vendored-jruby-gems
drwxr-x---  2 lxd docker 4096 Jan 23 17:26 yaml

ssl:
total 24
lrwxrwxrwx 1 lxd docker   31 Jan 23 17:26 ca -> /etc/puppetlabs/puppetserver/ca
drwxr-xr-x 2 lxd docker 4096 Jan 23 17:26 certificate_requests
drwxr-xr-x 2 lxd docker 4096 Jan 23 17:26 certs
-rw-r--r-- 1 lxd docker 1978 Jan 23 17:26 crl.pem
drwxr-x--- 2 lxd docker 4096 Jan 23 17:26 private
drwxr-x--- 2 lxd docker 4096 Jan 23 17:26 private_keys
drwxr-xr-x 2 lxd docker 4096 Jan 23 17:26 public_keys

I really need help.
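As an added diagnostic written for this thread (not code from the issue or from container-puppetserver), the script below parses the certificate summary the container prints at startup, embedded here as a constructed sample taken from the first log above, and reports the two things an agent would trip over: the server cert's SAN not covering the name in the agent's `server` setting (the DNS_ALT_NAMES point), and the CA being an intermediate issued by a 'Puppet Root CA', which the agent's ca.pem bundle must also contain or chain verification stops with 'unable to get issuer certificate'. Function and finding names are my own.

```python
from __future__ import annotations

import re
import sys
from dataclasses import dataclass, field

# Constructed sample: the startup block from the first log in this issue (CA cert plus
# puppet.pem, before DNS_ALT_NAMES was set), trimmed to the lines the parser needs.
SAMPLE_STARTUP_LOG = """\
CA Certificate:
subject=CN = "Puppet CA generated on puppet.vpn.rv.ua at 2024-01-16 14:31:17 +0000"
issuer=CN = Puppet Root CA: 1b57b4220adc31
        X509v3 extensions:
            X509v3 Basic Constraints: critical
                CA:TRUE
Certificate puppet.pem:
subject=CN = puppet
issuer=CN = "Puppet CA generated on puppet.vpn.rv.ua at 2024-01-16 14:31:17 +0000"
        X509v3 extensions:
            X509v3 Basic Constraints: critical
                CA:FALSE
            X509v3 Subject Alternative Name:
                DNS:puppet, DNS:puppet
"""

@dataclass
class CertSummary:
    label: str                  # "CA Certificate" or "Certificate <file>"
    subject: str = ""           # bare CN
    issuer: str = ""            # bare CN of the signer
    is_ca: bool = False         # from X509v3 Basic Constraints
    dns_sans: list = field(default_factory=list)

def _cn(value: str) -> str:
    """Reduce openssl's 'CN = "..."' / 'CN = ...' to the bare CN string."""
    value = value.strip()
    if value.startswith("CN = "):
        value = value[len("CN = "):]
    return value.strip('"')

def parse_startup_log(text: str) -> list[CertSummary]:
    """Collect subject, issuer, CA flag and DNS SANs for each certificate in the block."""
    certs: list[CertSummary] = []
    current = None
    pending = None  # extension whose value openssl prints on the following line
    for raw in text.splitlines():
        line = raw.strip()
        head = re.match(r"^(CA Certificate|Certificate \S+):$", line)
        if head:
            current = CertSummary(label=head.group(1))
            certs.append(current)
            pending = None
        elif current is None:
            continue
        elif line.startswith("subject="):
            current.subject = _cn(line[len("subject="):])
        elif line.startswith("issuer="):
            current.issuer = _cn(line[len("issuer="):])
        elif line.startswith("X509v3 Basic Constraints"):
            pending = "bc"
        elif line.startswith("X509v3 Subject Alternative Name"):
            pending = "san"
        elif pending == "bc":
            current.is_ca = line == "CA:TRUE"
            pending = None
        elif pending == "san":
            current.dns_sans = [p.strip()[len("DNS:"):] for p in line.split(",")
                                if p.strip().startswith("DNS:")]
            pending = None
    return certs

def diagnose(certs: list[CertSummary], agent_server: str) -> dict[str, str]:
    """Map finding code -> explanation of what an agent with `server = agent_server` hits."""
    findings: dict[str, str] = {}
    ca = next((c for c in certs if c.label == "CA Certificate"), None)
    srv = next((c for c in certs if c.label != "CA Certificate"), None)
    if ca is None or srv is None:
        findings["incomplete_log"] = "startup block lacks a CA or a server certificate"
        return findings
    if ca.issuer != ca.subject:
        # Chain building must end at a trusted self-signed root: an agent whose ca.pem holds
        # only this intermediate reports 'unable to get issuer certificate' for it.
        findings["intermediate_ca"] = (f"'{ca.subject}' is an intermediate issued by "
                                       f"'{ca.issuer}'; the agent's ca.pem must also hold that root")
    if srv.issuer != ca.subject:
        findings["issuer_mismatch"] = f"server cert issued by '{srv.issuer}', not '{ca.subject}'"
    if agent_server not in srv.dns_sans:
        # Hostname verification compares the name the agent dialled against the SANs.
        findings["san_mismatch"] = (f"agents connect to '{agent_server}' but the server cert only "
                                    f"covers {sorted(set(srv.dns_sans))}; set DNS_ALT_NAMES and "
                                    "regenerate the CA")
    return findings

if __name__ == "__main__":
    # Usage: python check_startup.py [docker-logs-file] [agent server name]
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_STARTUP_LOG
    name = sys.argv[2] if len(sys.argv) > 2 else "puppet.vpn.rv.ua"
    for code, msg in diagnose(parse_startup_log(text), name).items():
        print(f"{code}: {msg}")
```

Feeding it the later log (SAN 'DNS:puppet, DNS:puppet.vpn.rv.ua') clears san_mismatch but keeps intermediate_ca, which matches the thread: the error survived the DNS_ALT_NAMES change.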

muscat commented 8 months ago

Weird situation: I set up a similar puppet server (as a docker container too) on the x86_64 architecture several months ago and I didn't imagine that I could get stuck on that kind of problem.

I used this config:

docker run -t \
  --log-opt max-size=10000m --log-opt max-file=1 \
  --name puppet \
  --hostname puppet.domain.com \
  -p 8140:8140 \
  -v /root/puppet/environments:/etc/puppetlabs/code/environments \
  -d \
  puppet/puppetserver:5.3.7

and everything is working fine.

rwaffen commented 8 months ago

I will try to reproduce this again. In all my tests while building the images I didn't have such problems.

muscat commented 8 months ago

Thanks a lot. I can provide access to my EC2 for tests.

rwaffen commented 8 months ago

Hmm, maybe my comment was misleading. When you don't have/want a PuppetDB you shouldn't configure it.

I tested your setup.

One VM (at GCP) as puppetserver: puppet.priv.rw.betadots.training
One VM (at GCP) as agent: worker-0.priv.rw.betadots.training
Both Ubuntu 22.04.3 LTS. Internal network open for all traffic.

On puppet.priv.rw.betadots.training I installed docker and ran this compose.yaml:

services:
  puppet:
    image: voxpupuli/container-puppetserver:7.14.0-latest
    hostname: puppet
    environment:
      - PUPPETSERVER_HOSTNAME=puppet
      - DNS_ALT_NAMES=puppet.priv.rw.betadots.training
      - PUPPETSERVER_PORT=8140
      - USE_PUPPETDB=false
      - AUTOSIGN=true
    volumes:
      - ./data:/opt/puppetlabs/server/data/puppetserver
      - ./ssl:/etc/puppetlabs/puppet/ssl
      - ./ca:/etc/puppetlabs/puppetserver/ca
    restart: always
    ports:
      - 8140:8140

root@puppet:~# docker compose up
...
puppet-1  | 2024-01-24 16:48:52,058 INFO  [p.s.m.master-service] Puppet Server has successfully started and is now ready to handle requests

On worker-0.priv.rw.betadots.training I installed puppet agent, version 7.28.0.

root@worker-0:~# cat /etc/puppetlabs/puppet/puppet.conf
[agent]
server   = puppet.priv.rw.betadots.training
certname = test1

Agent Run

root@worker-0:~# puppet agent -t
Info: Creating a new RSA SSL key for test1
Info: csr_attributes file loading from /etc/puppetlabs/puppet/csr_attributes.yaml
Info: Creating a new SSL certificate request for test1
Info: Certificate Request fingerprint (SHA256): E2:A3:F0:0C:51:99:2A:AE:6D:6C:DE:A8:B8:F2:A6:04:2B:F1:D5:5B:F3:32:4F:D8:3E:35:16:DB:38:3B:E4:00
Info: Downloaded certificate for test1 from https://puppet.priv.rw.betadots.training:8140/puppet-ca/v1
Info: Using environment 'production'
Info: Retrieving pluginfacts
Info: Retrieving plugin
Notice: Requesting catalog from puppet.priv.rw.betadots.training:8140 (10.0.1.1)
Info: Caching catalog for test1
Info: Applying configuration version '1706115646'
Notice: Applied catalog in 0.01 seconds

PuppetServer Log

puppet-1  | 10.0.1.20 - - - 24/Jan/2024:17:00:10 +0000 "GET /puppet-ca/v1/certificate/ca HTTP/1.1" 200 2776 10.0.1.20 10.0.1.20 8140 23
puppet-1  | 10.0.1.20 - - - 24/Jan/2024:17:00:10 +0000 "GET /puppet-ca/v1/certificate_revocation_list/ca HTTP/1.1" 200 1464 10.0.1.20 10.0.1.20 8140 7
puppet-1  | 2024-01-24 17:00:14,628 INFO  [p.p.certificate-authority] Signed certificate request for test1
puppet-1  | 10.0.1.20 - - - 24/Jan/2024:17:00:14 +0000 "PUT /puppet-ca/v1/certificate_request/test1 HTTP/1.1" 200 0 10.0.1.20 10.0.1.20 8140 475
puppet-1  | 127.0.0.1 - - - 24/Jan/2024:17:00:29 +0000 "GET /status/v1/simple HTTP/1.1" 200 7 127.0.0.1 127.0.0.1 8140 10
puppet-1  | 10.0.1.20 - - - 24/Jan/2024:17:00:44 +0000 "GET /puppet-ca/v1/certificate/test1 HTTP/1.1" 200 1573 10.0.1.20 10.0.1.20 8140 6
puppet-1  | 10.0.1.20 - - - 24/Jan/2024:17:00:45 +0000 "GET /puppet/v3/file_metadatas/plugins?recurse=false&links=manage&checksum_type=sha256&source_permissions=ignore&environment=production HTTP/1.1" 200 198 10.0.1.20 10.0.1.20 8140 337
puppet-1  | 10.0.1.20 - - - 24/Jan/2024:17:00:45 +0000 "GET /puppet/v3/file_metadatas/pluginfacts?recurse=true&max_files=-1&ignore=.svn&ignore=CVS&ignore=.git&ignore=.hg&links=follow&checksum_type=sha256&source_permissions=use&environment=production HTTP/1.1" 200 197 10.0.1.20 10.0.1.20 8140 36
puppet-1  | 10.0.1.20 - - - 24/Jan/2024:17:00:45 +0000 "GET /puppet/v3/file_metadatas/plugins?recurse=true&max_files=-1&ignore=.svn&ignore=CVS&ignore=.git&ignore=.hg&links=follow&checksum_type=sha256&source_permissions=ignore&environment=production HTTP/1.1" 200 200 10.0.1.20 10.0.1.20 8140 26
puppet-1  | 2024-01-24 17:00:46,451 INFO  [puppetserver] Puppet Compiled catalog for test1 in environment production in 0.27 seconds
puppet-1  | 10.0.1.20 - - - 24/Jan/2024:17:00:46 +0000 "POST /puppet/v3/catalog/test1?environment=production HTTP/1.1" 200 307 10.0.1.20 10.0.1.20 8140 594
puppet-1  | 2024-01-24 17:00:46,636 INFO  [puppetserver] //test1/Puppet Using environment 'production'
puppet-1  | 2024-01-24 17:00:46,637 INFO  [puppetserver] //test1/Puppet Retrieving pluginfacts
puppet-1  | 2024-01-24 17:00:46,637 INFO  [puppetserver] //test1/Puppet Retrieving plugin
puppet-1  | 2024-01-24 17:00:46,638 INFO  [puppetserver] //test1/Puppet Requesting catalog from puppet.priv.rw.betadots.training:8140 (10.0.1.1)
puppet-1  | 2024-01-24 17:00:46,638 INFO  [puppetserver] //test1/Puppet Caching catalog for test1
puppet-1  | 2024-01-24 17:00:46,639 INFO  [puppetserver] //test1/Puppet Applying configuration version '1706115646'
puppet-1  | 2024-01-24 17:00:46,639 INFO  [puppetserver] //test1/Puppet Applied catalog in 0.01 seconds
puppet-1  | 10.0.1.20 - - - 24/Jan/2024:17:00:46 +0000 "PUT /puppet/v3/report/test1?environment=production HTTP/1.1" 200 7 10.0.1.20 10.0.1.20 8140 108

This is working for me. 🤔

Your EC2 instances use public IPs? There isn't any filter in between? Local firewall?

Your log line looks a bit odd:

Error: request https://puppet.vpn.rv.ua:8140//puppet-ca/v1/certificate_revocation_list/ca failed: SSL_connect returned=1 errno=0 peeraddr=18.157.83.126:8140 state=error: certificate verify failed (unable to get issuer certificate)

Why is there a double slash 🤔 puppet.vpn.rv.ua:8140//puppet-ca

But this shouldn't cause such problems. 🤔

tuxmea commented 8 months ago

Are you sure that you can run a Puppet 5 agent against a Puppet 7 server? Your old example also uses a Puppet 5 server. Please use a Puppet 7 agent (or at least a Puppet 6 agent). Puppet documentation says Puppet 7 (and 8) are compatible with Puppet agent 4 or newer, but I doubt that this is true.

muscat commented 8 months ago

Yes, I know that was Puppet Server version 5, but I don't think the way it works has changed significantly in version 7.

Today I tried your configs; as expected, it didn't work, the same error occurred :(

Meanwhile, I installed Puppet Server 7.15.0 not as a container, but just on the host for testing. I checked the agent; there's no problem with the certificate.

But there's a strange thing: the Puppet Server is not listening on IPv4, only IPv6. But everything works:

root@puppet:~# netstat -tulpan | grep LIST
tcp        0      0 127.0.0.53:53           0.0.0.0:*               LISTEN      349/systemd-resolve 
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN      619/sshd: /usr/sbin 
tcp6       0      0 :::8140                 :::*                    LISTEN      1846/java           

rwaffen commented 8 months ago

Hmmmm, very strange.... but netstat is sometimes misleading, it says tcp6 but means tcp4 and tcp6 🤔

shallot commented 5 months ago

I happened to come across the same issue, installed the server from the crafty repo docker compose setup, tried both 8.4 and 8.5, yet the 5.5.x client from an Ubuntu 22 LTS won't connect:

Error: Could not request certificate: SSL_connect returned=1 errno=0 peeraddr=x.y.z.w:8140 state=error: certificate verify failed (unable to get issuer certificate): [unable to get issuer certificate for /CN=Puppet CA generated on puppet-1.our.domain at 2024-04-11 09:17:52 +0000]

A 7.23 client from a Debian 12 does successfully connect.

A matching version 8.5 client from Windows also complains it can't verify the certificate.

muscat commented 5 months ago

I've figured it out:

Only a puppet-agent version 8 can connect to a Puppet server installed in a Docker container. Puppet agents of lower versions cannot connect due to an issue with a double slash in the certificate path.

However, if the Puppet server is installed directly on a host, any version of puppet-agent can connect to it.

rwaffen commented 5 months ago

Still do not know where the // does come from; in my demo setups I couldn't reproduce this :(