Also, the "puppetserver ca list" returns errors. Excerpt:

/opt/puppetlabs/puppet/lib/ruby/2.4.0/net/protocol.rb:44:in
`connect_nonblock': SSL_connect returned=1 errno=0 state=error: certificate
verify failed (OpenSSL::SSL::SSLError)
        from /opt/puppetlabs/puppet/lib/ruby/2.4.0/net/protocol.rb:44:in
`ssl_socket_connect'
        from /opt/puppetlabs/puppet/lib/ruby/2.4.0/net/http.rb:948:in
`connect'
        from /opt/puppetlabs/puppet/lib/ruby/2.4.0/net/http.rb:887:in
`do_start'
        from /opt/puppetlabs/puppet/lib/ruby/2.4.0/net/http.rb:876:in
`start'
        from /opt/puppetlabs/puppet/lib/ruby/2.4.0/net/http.rb:608:in
`start'


On Thu, Sep 29, 2022 at 7:05 PM JB SysAdmin <[email protected]> wrote:

> Thanks so much for answering! I certainly restarted puppet and puppetdb
> services (using systemctl). Restarted the node, as well. The issue is that
> something is still missing/conflicting on the master. Running puppet agent
> on the master itself fails. Indeed, today, as this was linked with Foreman
> 1.19, I re-traced using this reference:
> https://alexshepherd.me/posts/changing-foremans-ssl-certificate/
>
> * "server_ssl_cert"
> (/etc/foreman-installer/scenarios.d/foreman-answers.yaml) does already
> match SSLCertificateFile (/etc/httpd/conf.d/05-foreman-ssl.conf)
> * "server_ssl_chain" from above is one of the files generated from the
> recent puppet action (puppetserver ca generate --config). It does match
> "SSLCertificateChainFile" on the latter SSL conf.
> * "server_ssl_key"
> (/etc/foreman-installer/scenarios.d/foreman-answers.yaml) already matches
> SSLCertificateKeyFile (/etc/httpd/conf.d/05-foreman-ssl.conf)
> * "puppet_ssl_ca" /etc/puppetlabs/puppet/ssl/certs/ca.pem; that matches
> "server_ssl_chain" /etc/puppetlabs/puppet/ssl/certs/ca.pem
> But it does NOT match "server_ssl_chain_filepath"
> (/etc/puppetlabs/puppet/ssl/ca/ca_crt.pem). I don't know if that matters; it
> is present in the foreman-answers.yaml.
>
> There are newly generated items in all those places, but I can't figure
> out what remains broken...
>
> On Wednesday, September 28, 2022 at 8:03:52 PM UTC-4 [email protected]
> wrote:
>
>> On 28.09.22 23:52, JB SysAdmin wrote:
>> > I followed a combination of what I saw:
>> >
>> > On puppet master:
>> >
>> > rm -rf /etc/puppetlabs/puppetdb/ssl
>> > puppetserver ca generate --config /etc/puppetlabs/puppet/puppet.conf
>> > puppet master --no-daemonize --verbose
>> > puppet resource service puppetserver ensure=running
>> > puppet resource service puppet ensure=running
>>
>> From your descriptions it doesn't look like you actually restarted
>> Puppetserver after regenerating the CA, so maybe try that first:
>> "systemctl restart puppetserver" (as root).
>>
>> > /opt/puppetlabs/server/apps/puppetdb/bin/puppetdb ssl-setup -f
>> > puppet resource service puppetdb ensure=running
>>
>> Similarly restart PuppetDB, "systemctl restart puppetdb".
>>
>> The "puppet resource ... ensure=running" commands don't restart any
>> service. They would just start a service if it wasn't running.
>>
>> > But on the master itself, and certainly a separate client/agent, there
>> > are any number of errors.
>>
>> Not sure if you did that already, but when regenerating the CA, as you
>> have done, you'll need to issue new certificates to all Puppet agent
>> nodes.
>>
>> On a Puppet agent node:
>>
>> rm -rf /etc/puppetlabs/puppet/ssl
>> puppet agent -t --waitforcert 30
>>
>> On the Puppetmaster (= Puppet CA server):
>>
>> puppetserver ca list
>> puppetserver ca sign --certname <NODE_CERTNAME>
>>
>> Do that for all Puppet agent nodes.
>>
>> HTH,
>>
>> Andreas
>>
