Thanks so much for answering! I certainly restarted puppet and puppetdb services (using systemctl). Restarted the node, as well. The issue is that something is still missing/conflicting on the master. Running puppet agent on the master itself fails. Indeed, today, as this was linked with Foreman 1.19, I re-traced using this reference: https://alexshepherd.me/posts/changing-foremans-ssl-certificate/

* "server_ssl_cert" (/etc/foreman-installer/scenarios.d/foreman-answers.yaml) does already match SSLCertificateFile (/etc/httpd/conf.d/05-foreman-ssl.conf)
* "server_ssl_chain" from above is one of the files generated from the recent puppet action (puppetserver ca generate --config). It does match "SSLCertificateChainFile" on the latter SSL conf.
* "server_ssl_key" (/etc/foreman-installer/scenarios.d/foreman-answers.yaml) already matches SSLCertificateKeyFile (/etc/httpd/conf.d/05-foreman-ssl.conf)
* "puppet_ssl_ca" /etc/puppetlabs/puppet/ssl/certs/ca.pem; that matches "server_ssl_chain" /etc/puppetlabs/puppet/ssl/certs/ca.pem. But it does NOT match "server_ssl_chain_filepath" (/etc/puppetlabs/puppet/ssl/ca/ca_crt.pem). I don't know if that matters; it is present in the foreman-answers.yaml.

There are newly generated items in all those places, but I can't figure out what remains broken...

On Wednesday, September 28, 2022 at 8:03:52 PM UTC-4 [email protected] wrote:
> On 28.09.22 23:52, JB SysAdmin wrote:
> > I followed a combination of what I saw:
> >
> > On puppet master:
> >
> > rm -rf /etc/puppetlabs/puppetdb/ssl
> > puppetserver ca generate --config /etc/puppetlabs/puppet/puppet.conf
> > puppet master --no-daemonize --verbose
> > puppet resource service puppetserver ensure=running
> > puppet resource service puppet ensure=running
>
> From your descriptions it doesn't look like you actually restarted
> Puppetserver after regenerating the CA, so maybe try that first:
> "systemctl restart puppetserver" (as root).
>
> > /opt/puppetlabs/server/apps/puppetdb/bin/puppetdb ssl-setup -f
> > puppet resource service puppetdb ensure=running
>
> Similarly restart PuppetDB, "systemctl restart puppetdb".
>
> The "puppet resource ... ensure=running" commands don't restart any
> service. They would just start a service if it wasn't running.
>
> > But on the master itself, and certainly a separate client/agent, there
> > are any number of errors.
>
> Not sure if you did that already, but when regenerating the CA, as you
> have done, you'll need to issue new certificates to all Puppet agent nodes.
>
> On a Puppet agent node:
>
> rm -rf /etc/puppetlabs/puppet/ssl
> puppet agent -t --waitforcert 30
>
> On the Puppetmaster (= Puppet CA server):
>
> puppetserver ca list
> puppetserver ca sign --certname <NODE_CERTNAME>
>
> Do that for all Puppet agent nodes.
>
> HTH,
>
> Andreas

--
You received this message because you are subscribed to the Google Groups "Puppet Users" group. To view this discussion on the web visit https://groups.google.com/d/msgid/puppet-users/e00f30b4-bb97-42df-ada6-f852361e303dn%40googlegroups.com.
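The poster compares certificate paths by eye between foreman-answers.yaml and the Apache vhost, but a path match says nothing about whether the files behind those paths still belong together after `puppetserver ca generate` replaced the CA. The script below is an added example written for this thread (it is not from the poster, from Andreas, or from the Foreman or Puppet projects): it extracts the `server_ssl_*` answers and the `SSLCertificate*` directives, reports path mismatches, and then uses openssl to confirm that the private key matches the certificate and that the certificate actually verifies against the file Apache presents as the chain. The default paths are the ones quoted in the thread; the answers-file layout it assumes is the flat `key: value` style the installer writes.

```shell
#!/usr/bin/env bash
# Added example (not from the thread): cross-check the certificate paths that
# foreman-answers.yaml and the Apache SSL vhost point at, then verify with
# openssl that key, cert and CA chain actually belong together.
# Default paths are the ones quoted in the thread; override via environment.

ANSWERS="${ANSWERS:-/etc/foreman-installer/scenarios.d/foreman-answers.yaml}"
VHOST="${VHOST:-/etc/httpd/conf.d/05-foreman-ssl.conf}"

# Pull a scalar out of the installer answers file, e.g. server_ssl_cert.
# Assumes the flat "  key: value" layout (quotes optional) the installer writes.
answer_path() {
  sed -n -E "s/^[[:space:]]*$2:[[:space:]]*[\"']?([^\"'[:space:]]+)[\"']?.*/\1/p" "$1" | head -n 1
}

# Pull the argument of an Apache directive such as SSLCertificateFile.
apache_path() {
  sed -n -E "s/^[[:space:]]*$2[[:space:]]+[\"']?([^\"'[:space:]]+)[\"']?.*/\1/p" "$1" | head -n 1
}

# Two paths "match" only when both are non-empty and identical.
paths_match() {
  [ -n "$1" ] && [ "$1" = "$2" ]
}

# Verify that the private key belongs to the certificate and that the
# certificate chains to the CA file. Requires openssl on the host.
verify_bundle() {
  key="$1"; cert="$2"; ca="$3"
  for f in "$key" "$cert" "$ca"; do
    [ -r "$f" ] || { echo "MISSING: $f"; return 1; }
  done
  # Public key embedded in the cert must equal the one derived from the key.
  if [ "$(openssl x509 -noout -pubkey -in "$cert")" = "$(openssl pkey -pubout -in "$key")" ]; then
    echo "OK: private key matches $cert"
  else
    echo "FAIL: $key does not belong to $cert"; return 1
  fi
  # The server cert must verify against the CA Apache presents as its chain;
  # a stale cert left over from the old CA fails exactly here.
  if openssl verify -CAfile "$ca" "$cert" >/dev/null 2>&1; then
    echo "OK: $cert chains to $ca"
  else
    echo "FAIL: $cert is not signed by $ca (issued by the old CA?)"; return 1
  fi
}

# Compare each answers key with its Apache directive, then verify the bundle.
check_foreman_ssl() {
  answers="$1"; vhost="$2"; status=0
  for pair in server_ssl_cert:SSLCertificateFile \
              server_ssl_key:SSLCertificateKeyFile \
              server_ssl_chain:SSLCertificateChainFile; do
    akey="${pair%%:*}"; directive="${pair#*:}"
    a=$(answer_path "$answers" "$akey"); h=$(apache_path "$vhost" "$directive")
    if paths_match "$a" "$h"; then
      echo "OK: $akey == $directive ($a)"
    else
      echo "MISMATCH: $akey='$a' vs $directive='$h'"; status=1
    fi
  done
  verify_bundle "$(answer_path "$answers" server_ssl_key)" \
                "$(answer_path "$answers" server_ssl_cert)" \
                "$(answer_path "$answers" server_ssl_chain)" || status=1
  return "$status"
}

# Run only when invoked with --check, so the file can also be sourced.
if [ "${1:-}" = "--check" ]; then
  check_foreman_ssl "$ANSWERS" "$VHOST"
fi
```

Run it as root with `./check_foreman_ssl.sh --check` on the Foreman host; a `FAIL ... not signed by` line points at a server certificate that was issued by the CA that existed before `puppetserver ca generate`, which is the state the rest of the thread's advice (restart puppetserver, then re-issue every node's certificate) is meant to clear.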
