Out of curiosity, were your certs somewhere totally custom? Was Puppet finding them successfully, or were there other issues besides the `generate` call?
The CLI is supposed to respect settings in `puppet.conf`, which is also what puppetserver reads to find the files. So I would be a little surprised if the rest of the system is working but `generate` is not. Trying to make sure there's not a larger bug here...

On Thu, Jul 8, 2021 at 12:58 PM Dave Beedle <[email protected]> wrote:

> This is our problem! Our certs are elsewhere. Copying or linking to them
> allows the cert generation to succeed.
>
> Thanks for the help!
>
> On Thursday, July 8, 2021 at 11:14:55 AM UTC-5 Maggie Dreyer wrote:
>
>> You can use `puppet config print [cakey|cacrl|cacert]` to find out where
>> it expects them to be.
>>
>> `cacert` and `cacrl` should both be either
>> * a single self-signed CA certificate and its CRL
>> * a chain of certs from your signing CA cert to a root cert and the CRLs
>>   for each cert in the chain.
>>
>> You can use openssl to inspect the contents (though it will only parse
>> the first thing in each file, so if you have chains, you may need to split
>> them up to verify them this way).
>>
>> `cakey` should be the private key corresponding to your CA signing cert.
>>
>> Hope this helps, let us know if everything looks right and we can help
>> you dig in more.
>> Maggie
>>
>> On Thu, Jul 8, 2021 at 9:03 AM Dave Beedle <[email protected]> wrote:
>>
>>> Thanks for the quick response! This may apply, we may well manipulate
>>> the certs...some of our processes predate me so, I'll poke around to see
>>> if I can figure out where they are supposed to be and where we put them!
>>>
>>> On Thursday, July 8, 2021 at 10:14:14 AM UTC-5 Maggie Dreyer wrote:
>>>
>>>> Might you be hitting https://tickets.puppetlabs.com/browse/SERVER-3036?
>>>> Can you check if all of your CA files are present
>>>> <https://github.com/puppetlabs/puppetserver-ca-cli/blob/main/lib/puppetserver/ca/local_certificate_authority.rb#L60-L62>
>>>> and correct?
>>>>
>>>> On Thu, Jul 8, 2021 at 8:02 AM Dave Beedle <[email protected]> wrote:
>>>>
>>>>> We have, in the past, generated cert on our puppet server using:
>>>>> /opt/puppetlabs/bin/puppetserver ca generate --ca-client --certname test.out.domain --subject-alt-names <bunch of alt names>
>>>>>
>>>>> But this began failing as we updated to Puppetserver v6.15.3. Seems
>>>>> to be unhappy with some gems (log below). I have reinstalled the
>>>>> puppetserver-ca gem (same version) and updated puppetserver to 6.16.0,
>>>>> same result. Would anyone have any suggestions?
>>>>>
>>>>> Traceback (most recent call last):
>>>>> 6: from /opt/puppetlabs/server/apps/puppetserver/cli/apps/ca:5:in `<main>'
>>>>> 5: from /opt/puppetlabs/puppet/lib/ruby/vendor_gems/gems/puppetserver-ca-1.9.4/lib/puppetserver/ca/cli.rb:96:in `run'
>>>>> 4: from /opt/puppetlabs/puppet/lib/ruby/vendor_gems/gems/puppetserver-ca-1.9.4/lib/puppetserver/ca/action/generate.rb:144:in `run'
>>>>> 3: from /opt/puppetlabs/puppet/lib/ruby/vendor_gems/gems/puppetserver-ca-1.9.4/lib/puppetserver/ca/action/generate.rb:163:in `generate_authorized_certs'
>>>>> 2: from /opt/puppetlabs/puppet/lib/ruby/vendor_gems/gems/puppetserver-ca-1.9.4/lib/puppetserver/ca/action/generate.rb:163:in `map'
>>>>> 1: from /opt/puppetlabs/puppet/lib/ruby/vendor_gems/gems/puppetserver-ca-1.9.4/lib/puppetserver/ca/action/generate.rb:174:in `block in generate_authorized_certs'
>>>>> /opt/puppetlabs/puppet/lib/ruby/vendor_gems/gems/puppetserver-ca-1.9.4/lib/puppetserver/ca/local_certificate_authority.rb:158:in `sign_authorized_cert': undefined method `subject' for nil:NilClass (NoMethodError)

--
You received this message because you are subscribed to the Google Groups "Puppet Users" group.
To unsubscribe from this group and stop receiving emails from it, send an email to [email protected].
To view this discussion on the web visit https://groups.google.com/d/msgid/puppet-users/CAMstjg11kuc6ksezDHA02qjUxg062Ka-_B08QRxgkrcsJrECdg%40mail.gmail.com.
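The checks described in the thread (CA files present where `puppet config print` says they are, every entry of a chain parsed rather than only the first, `cakey` matching the signing cert) can be scripted. The following Ruby sketch is an added example, not code from the thread or from puppetserver-ca; `pem_blocks`, `check_ca_files` and `write_sample_ca` are hypothetical helper names, and the sample CA is constructed on the fly.

```ruby
require 'openssl'
require 'tmpdir'

CERT_RE = /-----BEGIN CERTIFICATE-----.+?-----END CERTIFICATE-----/m
CRL_RE  = /-----BEGIN X509 CRL-----.+?-----END X509 CRL-----/m

# Parse every PEM block in a file, not just the first, so chains are covered.
def pem_blocks(path, pattern, klass)
  File.file?(path) ? File.read(path).scan(pattern).map { |pem| klass.new(pem) } : []
end

# paths: { cacert:, cakey:, cacrl: } as `puppet config print` reports them; returns problems.
def check_ca_files(paths)
  certs = pem_blocks(paths[:cacert], CERT_RE, OpenSSL::X509::Certificate)
  crls  = pem_blocks(paths[:cacrl], CRL_RE, OpenSSL::X509::CRL)
  problems = []
  problems << "cacert: no certificate found at #{paths[:cacert]}" if certs.empty?
  problems << "cacrl: no CRL found at #{paths[:cacrl]}" if crls.empty?
  if !File.file?(paths[:cakey])
    problems << "cakey: no file at #{paths[:cakey]}"
  elsif certs.any?
    key = OpenSSL::PKey.read(File.read(paths[:cakey]))
    problems << 'cakey: does not match the signing cert (first in cacert)' unless certs.first.check_private_key(key)
  end
  certs.each do |cert| # the chain needs one CRL per certificate
    next if crls.empty? || crls.any? { |crl| crl.issuer.to_s == cert.subject.to_s }
    problems << "cacrl: no CRL issued by #{cert.subject}"
  end
  problems
end

# Constructed sample: a throwaway self-signed CA, its key and an empty CRL.
def write_sample_ca(dir)
  key = OpenSSL::PKey::RSA.new(2048)
  name = OpenSSL::X509::Name.parse('/CN=Constructed Test CA')
  cert = OpenSSL::X509::Certificate.new
  cert.version, cert.serial, cert.public_key = 2, 1, key.public_key
  cert.subject = cert.issuer = name
  cert.not_before, cert.not_after = Time.now - 60, Time.now + 3600
  cert.sign(key, OpenSSL::Digest.new('SHA256'))
  crl = OpenSSL::X509::CRL.new
  crl.version, crl.issuer = 1, name
  crl.last_update, crl.next_update = Time.now, Time.now + 3600
  crl.sign(key, OpenSSL::Digest.new('SHA256'))
  files = { cacert: cert.to_pem, cakey: key.to_pem, cacrl: crl.to_pem }
  files.to_h { |k, pem| [k, File.join(dir, "#{k}.pem").tap { |p| File.write(p, pem) }] }
end

Dir.mktmpdir { |dir| p check_ca_files(write_sample_ca(dir)) }
```

An empty list means the three files are present and consistent; a `cacert` entry in the list corresponds to the situation in the thread, where the certs were not at the configured location.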
