certificate verify failed (unable to get issuer certificate) #48
Comments
hmm strange, this should work, will try to reproduce
I normally run it from a compose.yaml. Maybe this helps:

```yaml
services:
  puppet:
    image: ghcr.io/container-puppetserver:7.14.0-latest
    hostname: puppet
    environment:
      - PUPPETSERVER_HOSTNAME=puppet
      - PUPPETSERVER_PORT=8140
      - PUPPETDB_HOSTNAME=puppetdb
      - PUPPETDB_SSL_PORT=8081
      - USE_PUPPETDB=true
      - AUTOSIGN=true
      # For private repos, use [email protected]:user/repo.git and provide SSH keys
      # - R10K_REMOTE=https://github.com/betadots/demo-control-repo.git
    volumes:
      - puppetserver:/opt/puppetlabs/server/data/puppetserver
      - puppetserver-ssl:/etc/puppetlabs/puppet/ssl
      - puppetserver-ca:/etc/puppetlabs/puppetserver/ca
    restart: always
    ports:
      - 8140:8140

# named volumes referenced above must be declared at top level, otherwise compose refuses the file
volumes:
  puppetserver:
  puppetserver-ssl:
  puppetserver-ca:
```
Thank you for your response and advice. I tried to reproduce it: I took a clean Ubuntu 22 on ARM architecture at AWS.
The security group is clear: allowing any traffic to any. On this server, I performed the following tasks:
Using EXACTLY your file, I got these errors. I manually get an image:
adjusted the file to this state (just add volumes and use the already downloaded image):
run:
container is successfully running:
logs are healthy:
now, going on to the client instance, install puppet agent:
create a minimal config for puppet agent:
and run the agent:
server logs show:
the problem still persists :( I can provide access to both the server and the client.
so you have two VMs? On one, Docker with the puppetserver running, and the second VM is an agent?
therefore you might need to throw your CA away. You can do that by purging the puppetserver-ssl and puppetserver-ca volumes, or just use local bind mounts if you aren't used to volumes. You might use full paths or relative paths.
no. They are two separate machines (EC2).
ok, will check soon
bad news, everyone. I used the following docker-compose.yml file on the server (a virgin clean new EC2):
changes are in: maintenance tasks: run:
server starts as it should:
go to the client's side, start a fresh new Ubuntu 22 @ x86_64 EC2, install puppet
try to run:
server says:
client successfully resolves the DNS:
server is located on the desired IP:
folders 'data', 'ssl', 'ca' on the server contain fresh data.
weird situation: I set up a similar puppet server (as a docker container too) on the x86_64 architecture several months ago. I used this config, and everything is working fine:
I will try to reproduce this again. In all my tests while building the images I didn't have such problems.
thanks a lot.
hmm maybe my comment was misleading. When you don't have/want a puppetdb you shouldn't configure it. I tested your setup: one VM (at GCP) as puppetserver, puppet.priv.rw.betadots.training. On puppet.priv.rw.betadots.training I installed docker and ran this compose.yaml:

```yaml
services:
  puppet:
    image: voxpupuli/container-puppetserver:7.14.0-latest
    hostname: puppet
    environment:
      - PUPPETSERVER_HOSTNAME=puppet
      - DNS_ALT_NAMES=puppet.priv.rw.betadots.training
      - PUPPETSERVER_PORT=8140
      - USE_PUPPETDB=false
      - AUTOSIGN=true
    volumes:
      - ./data:/opt/puppetlabs/server/data/puppetserver
      - ./ssl:/etc/puppetlabs/puppet/ssl
      - ./ca:/etc/puppetlabs/puppetserver/ca
    restart: always
    ports:
      - 8140:8140
```

On worker-0.priv.rw.betadots.training I installed puppet agent, version 7.28.0.
Agent Run
PuppetServer Log
This is working for me. 🤔 Do your EC2 instances use public IPs? Isn't there any filter in between? Local firewall? Your log line looks a bit odd:
why is there a double slash 🤔 but this shouldn't cause such problems. 🤔
Are you sure that you can run a Puppet 5 agent against a Puppet 7 server?
yes, I know that was Puppet Server version 5. Today I tried your configs; meanwhile, I installed Puppet Server 7.15.0, but there's a strange thing: the Puppet Server is not listening on IPv4, only IPv6
hmmmm very strange.... but netstat is sometimes misleading, it says tcp6 but means tcp4 and tcp6 🤔
I happened to come across the same issue. I installed the server from the crafty repo docker compose setup, tried both 8.4 and 8.5, yet the 5.5.x client from an Ubuntu 22 LTS won't connect: `Error: Could not request certificate: SSL_connect returned=1 errno=0 peeraddr=x.y.z.w:8140 state=error: certificate verify failed (unable to get issuer certificate): [unable to get issuer certificate for /CN=Puppet CA generated on puppet-1.our.domain at 2024-04-11 09:17:52 +0000]` A 7.23 client from a Debian 12 does successfully connect. A matching version 8.5 client from Windows also complains it can't verify the certificate.
I've figured out: Only a puppet-agent version 8 can connect to a Puppet server installed in a Docker container. Puppet agents of lower versions cannot connect due to an issue with a double slash in the certificate path. However, if the Puppet server is installed directly on a host, any version of puppet-agent can connect to it.
still do not know where the
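The failure discussed in this thread is a CA trust failure at the TLS handshake, so the fastest way to narrow it down is to check the chain with openssl outside the agent. The script below is an added example, not code from the thread or from the voxpupuli image: it rebuilds the failure on a constructed throwaway PKI (a server cert verified first against its own CA, then against an unrelated "stale" CA), and bundles a fingerprint comparison and a live `s_client` check for a real pair. It assumes only the openssl CLI; `certs/ca.pem` and `ca/ca_crt.pem` are the default file names under the agent ssl directory and the server ca directory mounted in the compose files above.

```shell
#!/bin/sh
# Added example, not code from the issue thread or the container project.
# Rebuilds the "cannot verify issuer" failure with a throwaway PKI (every
# cert below is constructed here) and packages the two checks an operator
# can run on a real agent/server pair. Assumes only the openssl CLI.
set -eu

WORK=$(mktemp -d)

# Small PKI: a CA, a server cert signed by it, and an unrelated CA that
# stands in for a stale certs/ca.pem left behind by an earlier server.
make_test_pki() {
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=Puppet CA (constructed)" \
    -keyout "$WORK/ca.key" -out "$WORK/ca.pem" 2>/dev/null
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=Stale CA (constructed)" \
    -keyout "$WORK/stale.key" -out "$WORK/stale.pem" 2>/dev/null
  openssl req -newkey rsa:2048 -nodes -subj "/CN=puppet" \
    -keyout "$WORK/server.key" -out "$WORK/server.csr" 2>/dev/null
  openssl x509 -req -in "$WORK/server.csr" -CA "$WORK/ca.pem" -CAkey "$WORK/ca.key" \
    -CAcreateserial -days 1 -out "$WORK/server.pem" 2>/dev/null
}

# verify_chain CAFILE CERT: prints "ok" when CERT chains to CAFILE, otherwise
# "FAIL: <openssl reason>", e.g. "unable to get local issuer certificate".
verify_chain() {
  out=$(openssl verify -CAfile "$1" "$2" 2>&1 || true)
  case "$out" in
    *": OK") echo ok ;;
    *) echo "FAIL: $(printf '%s\n' "$out" | sed -n 's/^error [0-9]* at [0-9]* depth lookup: *//p' | head -n 1)" ;;
  esac
}

# SHA-256 fingerprint of a cert. Comparing the agent's certs/ca.pem with
# the server's ca/ca_crt.pem is the quickest way to spot a CA mismatch.
cert_fingerprint() {
  openssl x509 -noout -fingerprint -sha256 -in "$1" | cut -d= -f2
}

# Live handshake check against a running server on 8140 (needs network, so
# not exercised here): prints the "Verify return code" line, e.g. "0 (ok)".
live_check() {
  openssl s_client -connect "$1:8140" -servername "$1" -CAfile "$2" </dev/null 2>/dev/null \
    | sed -n 's/^ *Verify return code: //p'
}

make_test_pki
echo "matching CA: $(verify_chain "$WORK/ca.pem" "$WORK/server.pem")"
echo "stale CA:    $(verify_chain "$WORK/stale.pem" "$WORK/server.pem")"
```

Against a real deployment, run `cert_fingerprint` on the agent's `certs/ca.pem` and on the server's `ca/ca_crt.pem`; if they differ, the agent's ssl directory was bootstrapped against an earlier CA and needs to be cleared, which is the same remedy suggested earlier in the thread for the server side.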
hi!
I'm trying to use your image on a Raspberry Pi 4:
aarch64 (ARM), 8Gb RAM, 22Gb free disk space.
I'm launching it with the recommended parameters:

```shell
docker run --name puppet --hostname puppet.vpn.rv.ua -p 8140:8140 -v ./code:/etc/puppetlabs/code -v ./ca:/etc/puppetlabs/puppetserver/ca ghcr.io/voxpupuli/container-puppetserver
```

The server starts up. Here are the logs:
puppet agent config:
When a client tries to connect, I get an "unable to get issuer certificate" error.
logs on the client:
logs on the server at the same moment:
The client is a fresh EC2 instance, x86_64, Ubuntu 22 LTS.
Only puppet-agent is installed, and the server configuration is specified.
Please help, how do I solve it?
thanks in advance