Out of curiosity, were your certs somewhere totally custom? Was Puppet
finding them successfully, or were there other issues besides the
`generate` call?

The CLI is supposed to respect settings in `puppet.conf`, which is also
what puppetserver reads to find the files. So I would be a little surprised
if the rest of the system is working but `generate` is not. Trying to make
sure there's not a larger bug here...

On Thu, Jul 8, 2021 at 12:58 PM Dave Beedle <hmov...@gmail.com> wrote:

> This is our problem! Our certs are elsewhere.  Copying or linking to them
> allows the cert generation to succeed.
>
> Thanks for the help!
>
> On Thursday, July 8, 2021 at 11:14:55 AM UTC-5 Maggie Dreyer wrote:
>
>> You can use `puppet config print [cakey|cacrl|cacert]` to find out where
>> it expects them to be.
>>
>> `cacert` and `cacrl` should both be either
>> * a single self-signed CA certificate and its CRL
>> * a chain of certs from your signing CA cert to a root cert and the CRLs
>> for each cert in the chain.
>>
>> You can use openssl to inspect the contents (though it will only parse
>> the first thing in each file, so if you have chains, you may need to split
>> them up to verify them this way).
>>
>> `cakey` should be the private key corresponding to your CA signing cert.
>>
>> Hope this helps, let us know if everything looks right and we can help
>> you dig in more.
>> Maggie
>>
>> On Thu, Jul 8, 2021 at 9:03 AM Dave Beedle <hmo...@gmail.com> wrote:
>>
>>> Thanks for the quick response!  This may apply, we may well manipulate
>>> the certs...some of our processes predate me, so I'll poke around to see
>>> if I can figure out where they are supposed to be and where we put them!
>>>
>>> On Thursday, July 8, 2021 at 10:14:14 AM UTC-5 Maggie Dreyer wrote:
>>>
>>>> Might you be hitting https://tickets.puppetlabs.com/browse/SERVER-3036?
>>>> Can you check if all of your CA files are present
>>>> <https://github.com/puppetlabs/puppetserver-ca-cli/blob/main/lib/puppetserver/ca/local_certificate_authority.rb#L60-L62>
>>>> and correct?
>>>>
>>>> On Thu, Jul 8, 2021 at 8:02 AM Dave Beedle <hmo...@gmail.com> wrote:
>>>>
>>>>> We have, in the past, generated cert on our puppet server using:
>>>>> /opt/puppetlabs/bin/puppetserver ca generate --ca-client --certname
>>>>> test.out.domain --subject-alt-names <bunch of alt names>
>>>>>
>>>>> But this began failing as we updated to Puppetserver v6.15.3.  Seems
>>>>> to be unhappy with some gems (log below).  I have reinstalled the
>>>>> puppetserver-ca gem (same version) and updated puppetserver to 6.16.0,
>>>>> same result.  Would anyone have any suggestions?
>>>>>
>>>>>
>>>>> Traceback (most recent call last):
>>>>>
>>>>>         6: from
>>>>> /opt/puppetlabs/server/apps/puppetserver/cli/apps/ca:5:in `<main>'
>>>>>
>>>>>         5: from
>>>>> /opt/puppetlabs/puppet/lib/ruby/vendor_gems/gems/puppetserver-ca-1.9.4/lib/puppetserver/ca/cli.rb:96:in
>>>>> `run'
>>>>>
>>>>>         4: from
>>>>> /opt/puppetlabs/puppet/lib/ruby/vendor_gems/gems/puppetserver-ca-1.9.4/lib/puppetserver/ca/action/generate.rb:144:in
>>>>> `run'
>>>>>
>>>>>         3: from
>>>>> /opt/puppetlabs/puppet/lib/ruby/vendor_gems/gems/puppetserver-ca-1.9.4/lib/puppetserver/ca/action/generate.rb:163:in
>>>>> `generate_authorized_certs'
>>>>>
>>>>>         2: from
>>>>> /opt/puppetlabs/puppet/lib/ruby/vendor_gems/gems/puppetserver-ca-1.9.4/lib/puppetserver/ca/action/generate.rb:163:in
>>>>> `map'
>>>>>
>>>>>         1: from
>>>>> /opt/puppetlabs/puppet/lib/ruby/vendor_gems/gems/puppetserver-ca-1.9.4/lib/puppetserver/ca/action/generate.rb:174:in
>>>>> `block in generate_authorized_certs'
>>>>> /opt/puppetlabs/puppet/lib/ruby/vendor_gems/gems/puppetserver-ca-1.9.4/lib/puppetserver/ca/local_certificate_authority.rb:158:in
>>>>> `sign_authorized_cert': undefined method `subject' for nil:NilClass
>>>>> (NoMethodError)
>>>>>
>>>>> --
>>>>> You received this message because you are subscribed to the Google
>>>>> Groups "Puppet Users" group.
>>>>> To unsubscribe from this group and stop receiving emails from it, send
>>>>> an email to puppet-users...@googlegroups.com.
>>>>> To view this discussion on the web visit
>>>>> https://groups.google.com/d/msgid/puppet-users/51cce0ff-3615-4ba1-b434-330c808e1f77n%40googlegroups.com
>>>>> <https://groups.google.com/d/msgid/puppet-users/51cce0ff-3615-4ba1-b434-330c808e1f77n%40googlegroups.com?utm_medium=email&utm_source=footer>
>>>>> .
>>>>>

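The checks described in the thread (every cert in the `cacert` bundle is present, the chain runs from the signing cert to a self-signed root, and `cakey` matches the signing cert) can be scripted so that a bundle is inspected in full rather than only its first entry. This is an added example, not part of the original thread and not code from puppetserver-ca; the function names are hypothetical and the CA is constructed in memory, where in practice you would pass the contents of the files reported by `puppet config print cacert` and `puppet config print cakey`.

```ruby
require 'openssl'

PEM_CERT = /-----BEGIN CERTIFICATE-----.*?-----END CERTIFICATE-----/m

# Split a PEM bundle into every certificate it holds, not only the first.
def load_bundle(pem)
  pem.scan(PEM_CERT).map { |block| OpenSSL::X509::Certificate.new(block) }
end

# Return a list of problems with a cacert bundle and cakey; empty means OK.
# Checks signatures and key match only; it is not full path validation.
def check_ca_files(cacert_pem, cakey_pem)
  certs = load_bundle(cacert_pem)
  return ['cacert contains no certificates'] if certs.empty?
  problems = []
  key = OpenSSL::PKey.read(cakey_pem)
  problems << 'cakey does not match the first (signing) cert in cacert' unless certs.first.check_private_key(key)
  certs.each_cons(2) do |child, parent|
    problems << "#{child.subject} is not signed by #{parent.subject}" unless child.verify(parent.public_key)
  end
  root = certs.last
  problems << "#{root.subject} is not self-signed" unless root.verify(root.public_key)
  problems
end

# Constructed sample data: a throwaway root and signing CA built in memory.
def make_cert(cn, key, issuer_cert, issuer_key, serial)
  cert = OpenSSL::X509::Certificate.new
  cert.version = 2
  cert.serial = serial
  cert.subject = OpenSSL::X509::Name.parse("/CN=#{cn}")
  cert.issuer = issuer_cert ? issuer_cert.subject : cert.subject
  cert.public_key = key.public_key
  cert.not_before = Time.now - 60
  cert.not_after = Time.now + 3600
  cert.sign(issuer_key, OpenSSL::Digest.new('SHA256'))
  cert
end

def constructed_sample
  root_key = OpenSSL::PKey::RSA.new(2048)
  signing_key = OpenSSL::PKey::RSA.new(2048)
  root = make_cert('Constructed Root CA', root_key, nil, root_key, 1)
  signing = make_cert('Constructed Signing CA', signing_key, root, root_key, 2)
  { bundle: signing.to_pem + root.to_pem, signing_key: signing_key.to_pem, root_key: root_key.to_pem }
end

sample = constructed_sample
puts check_ca_files(sample[:bundle], sample[:signing_key]).inspect
```

An empty result means the bundle and key are consistent; an empty or missing bundle is reported explicitly instead of surfacing later as a `nil` certificate.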