Closed byteflood closed 2 years ago
Same problem here. I found out that adding the cacert of your own PKI to /opt/puppetlabs/puppet/ssl/cert.pem solves the problem. But that might not be the cleanest solution…
@chrisongthb Thanks for the tip.
It probably wouldn't be too much work to make the verify mode configurable (https://github.com/voxpupuli/puppet-gitlab_ci_runner/blob/f829a91d1e9ef207f5ff9bc3ad45cd3a84211690/lib/puppet_x/gitlab/runner.rb#L40), or add a parameter that allowed you to override the cert store used (i.e. use the system certificate store instead of /opt/puppetlabs/puppet/ssl/cert.pem).
I might not be able to look at this for a while, but meanwhile, PRs extremely welcome.
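Added example, not part of the thread or of the module's code: one way a configurable cert store could look in Ruby, keeping peer verification on and trusting either a given CA file or the system store. The helper names, the `ca_file` parameter and the CA and host names are assumptions; the CA and server certificate are constructed in the block so it runs offline.

```ruby
require 'openssl'
require 'net/http'
require 'tempfile'

# Hypothetical helper (not the module's API): trust an explicit CA bundle if
# one is configured, otherwise fall back to the system default trust paths.
def build_cert_store(ca_file: nil)
  store = OpenSSL::X509::Store.new
  ca_file ? store.add_file(ca_file) : store.set_default_paths
  store
end

# Hypothetical helper: HTTPS client with peer verification always enabled.
def https_client(host, port = 443, ca_file: nil)
  http = Net::HTTP.new(host, port)
  http.use_ssl = true
  http.verify_mode = OpenSSL::SSL::VERIFY_PEER
  http.cert_store = build_cert_store(ca_file: ca_file)
  http
end

# Constructed test material: issue a certificate (self-signed when no issuer).
def make_cert(subject, key, issuer: nil, issuer_key: nil, ca: false)
  cert = OpenSSL::X509::Certificate.new
  cert.version = 2
  cert.serial = rand(1..2**32)
  cert.subject = OpenSSL::X509::Name.parse(subject)
  cert.issuer = (issuer || cert).subject
  cert.public_key = key.public_key
  cert.not_before = Time.now - 60
  cert.not_after = Time.now + 3600
  ef = OpenSSL::X509::ExtensionFactory.new(issuer || cert, cert)
  cert.add_extension(ef.create_extension('basicConstraints', ca ? 'CA:TRUE' : 'CA:FALSE', true))
  cert.sign(issuer_key || key, OpenSSL::Digest.new('SHA256'))
end

# Verify a server certificate from a constructed in-house CA against a store
# built from that CA's PEM file, and against a store that lacks it.
def demo
  ca_key = OpenSSL::PKey::RSA.new(2048)
  ca = make_cert('/CN=Constructed In-House CA', ca_key, ca: true)
  leaf = make_cert('/CN=gitlab.example.internal', OpenSSL::PKey::RSA.new(2048),
                   issuer: ca, issuer_key: ca_key)
  Tempfile.create(['ca', '.pem']) do |f|
    f.write(ca.to_pem)
    f.flush
    { with_ca: build_cert_store(ca_file: f.path).verify(leaf),
      without_ca: OpenSSL::X509::Store.new.verify(leaf) }
  end
end
```

The store without the in-house CA rejects the server certificate, which is the failure described in this thread; the same certificate verifies once the CA file is supplied, with `VERIFY_PEER` left in place.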
There is still an issue with the initial run. We use an in-house CA certificate. If the CA certificate is not yet on the machine, this won't execute.
The problem lies in the URL fetching being executed too soon. Puppet did not have a chance to install the required CA.
In my case, a solution is to use Puppet's CA file, but that does not seem to be a proper solution.
You can avoid the problem of the deferred function running before the certificate is available in Puppet >= 7.17 via on-demand deferred functions.
They allow you to execute catalog code before deferred functions are evaluated; they also respect normal Puppet orderings. https://www.puppet.com/docs/puppet/7/release_notes_puppet.html#enhancements_puppet_x-7-17-0-PUP-9323 https://github.com/puppetlabs/puppet/pull/8902