Bug 1020028

Summary: Node certificates aren't configured in ENC and Puppet report processor
Product: Red Hat Satellite
Component: Installation
Version: 6.0.2
Status: CLOSED CURRENTRELEASE
Severity: high
Priority: unspecified
Reporter: Dominic Cleal <dcleal>
Assignee: Dominic Cleal <dcleal>
QA Contact: Og Maciel <omaciel>
CC: cwelton, jmontleo, omaciel
Keywords: Triaged
Target Milestone: Unspecified
Target Release: Unused
Hardware: Unspecified
OS: Unspecified
URL: https://github.com/theforeman/puppet-puppet/pull/104
Doc Type: Bug Fix
Type: Bug
Last Closed: 2014-04-24 17:07:49 UTC

Description Dominic Cleal 2013-10-16 20:10:02 UTC
Description of problem:
The ENC script (/etc/puppet/node.rb) and Puppet report processor (foreman.rb) don't have the correct certificates configured:

/usr/lib/ruby/site_ruby/1.8/puppet/reports/foreman.rb:
$foreman_ssl_ca = "/var/lib/puppet/ssl/certs/ca.pem"
$foreman_ssl_cert = "/var/lib/puppet/ssl/certs/host.rdu.redhat.com.pem"
$foreman_ssl_key = "/var/lib/puppet/ssl/private_keys/host.rdu.redhat.com.pem"

/etc/puppet/node.rb:
  :ssl_ca       => "/var/lib/puppet/ssl/certs/ca.pem",
  :ssl_cert     => "/var/lib/puppet/ssl/certs/host.rdu.redhat.com.pem",
  :ssl_key      => "/var/lib/puppet/ssl/private_keys/host.rdu.redhat.com.pem"

They should point to /etc/puppet/client_*.pem as provided by the node installer cert generator.

Testing the ENC script manually fails with an SSL verification error and this causes a generic ENC failure when running the Puppet agent on a client.

Version-Release number of selected component (if applicable):
node-installer-0.0.15-3.el6sat.noarch

How reproducible:
Always

Steps to Reproduce:
1. Install puppetmaster node
2. Provision VM with Puppet CA and puppetmaster set
3. Run "puppet agent -t" on the VM
4. Run "/etc/puppet/node.rb vmhostname.example.com" on the puppetmaster

Actual results:
From the Puppet run:
info: Retrieving plugin
err: Could not retrieve catalog from remote server: Error 400 on SERVER: Failed when searching for node dcleal.rdu.redhat.com: Failed to find dcleal.rdu.redhat.com via exec: Execution of '/etc/puppet/node.rb dcleal.rdu.redhat.com' returned 1: 
warning: Not using cache on failed catalog
err: Could not retrieve catalog; skipping run

From node.rb:
Could not send facts to Foreman: SSL_connect returned=1 errno=0 state=SSLv3 read server certificate B: certificate verify failed

Expected results:
No errors from Puppet.

YAML output from node.rb.
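
Added example (not part of the original report or of node.rb): a Ruby check that reproduces the "certificate verify failed" condition by testing which CA can build a chain to the server certificate, and whether a key matches its certificate. It assumes the Foreman server certificate is issued by a different CA than the Puppet CA; all certificates, names and the helper functions below are constructed for illustration.

```ruby
require "openssl"

# Build a constructed test certificate: self-signed CA when no issuer is given,
# otherwise a leaf signed by the issuer's key.
def make_cert(cn, issuer_cert = nil, issuer_key = nil)
  key  = OpenSSL::PKey::RSA.new(2048)
  cert = OpenSSL::X509::Certificate.new
  cert.version    = 2
  cert.serial     = rand(1..2**32)
  cert.subject    = OpenSSL::X509::Name.parse("/CN=#{cn}")
  cert.issuer     = issuer_cert ? issuer_cert.subject : cert.subject
  cert.public_key = key.public_key
  cert.not_before = Time.now - 60
  cert.not_after  = Time.now + 3600
  ca_flag = issuer_cert ? "CA:FALSE" : "CA:TRUE"
  ext = OpenSSL::X509::ExtensionFactory.new
  cert.add_extension(ext.create_extension("basicConstraints", ca_flag, true))
  cert.sign(issuer_key || key, OpenSSL::Digest.new("SHA256"))
  [cert, key]
end

# What the TLS client does with :ssl_ca: can this CA build a chain to the server cert?
def verify_against(ca_cert, server_cert)
  store = OpenSSL::X509::Store.new
  store.add_cert(ca_cert)
  ok = store.verify(server_cert)
  [ok, store.error_string]
end

# Does the file configured as :ssl_key hold the private key for :ssl_cert?
def key_matches?(cert, key)
  cert.check_private_key(key)
end

# Constructed stand-ins (assumption: two separate CAs exist on the host).
PUPPET_CA, PUPPET_CA_KEY       = make_cert("Puppet CA (constructed)")
INSTALLER_CA, INSTALLER_CA_KEY = make_cert("Installer CA (constructed)")
SERVER, SERVER_KEY = make_cert("foreman.example.com", INSTALLER_CA, INSTALLER_CA_KEY)

if __FILE__ == $0
  { "puppet CA" => PUPPET_CA, "installer CA" => INSTALLER_CA }.each do |name, ca|
    ok, err = verify_against(ca, SERVER)
    puts "#{name}: verify=#{ok} (#{err})"
  end
  puts "key matches cert: #{key_matches?(SERVER, SERVER_KEY)}"
end
```

On a real host the same two checks can be run on the configured files by loading them with OpenSSL::X509::Certificate.new(File.read(path)) and OpenSSL::PKey.read(File.read(path)).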

Comment 2 Dominic Cleal 2013-10-16 20:35:59 UTC
https://github.com/theforeman/puppet-puppet/pull/104

Workaround: change the two files above to reference /etc/puppet/client_{ca,cert,key}.pem instead.

Comment 3 Dominic Cleal 2013-10-18 15:23:26 UTC
https://github.com/Katello/node-installer/pull/6

Comment 6 Og Maciel 2013-10-25 16:47:38 UTC
# /etc/puppet/node.rb og-rhel-64-32bit-6.example.com
---
classes: {}

parameters:
  kt_cv: PublishedAgent6CVD64
  foreman_env: KT_Katello_Infrastructure_Library_PublishedRHEL6Composite32_19
  organization: KT-[Katello_Infrastructure]
  kt_org: Katello_Infrastructure
  root_pw: $1$ED9JYgTk$23MG0YLvgCSd1JYPOv3dv.
  hostgroup: RHEL6-i386
  kt_env: DEV
  puppet_ca: <SERVER>
  domainname: ""
  kt_activation_keys: ak-rhel-6-32
  puppetmaster: <SERVER>
environment: KT_Katello_Infrastructure_Library_PublishedRHEL6Composite32_19

# puppet agent -t
Info: Retrieving plugin
Info: Caching catalog for og-rhel-64-32bit-6.example.com
Info: Applying configuration version '1382719524'
Notice: Finished catalog run in 0.04 seconds

Comment 7 Og Maciel 2013-10-25 16:49:06 UTC
Verified:

* apr-util-ldap-1.3.9-3.el6_0.1.x86_64
* candlepin-0.8.25-1.el6sam.noarch
* candlepin-scl-1-5.el6_4.noarch
* candlepin-scl-quartz-2.1.5-5.el6_4.noarch
* candlepin-scl-rhino-1.7R3-1.el6_4.noarch
* candlepin-scl-runtime-1-5.el6_4.noarch
* candlepin-selinux-0.8.25-1.el6sam.noarch
* candlepin-tomcat6-0.8.25-1.el6sam.noarch
* elasticsearch-0.19.9-8.el6sat.noarch
* foreman-1.3.0-20.el6sat.noarch
* foreman-compute-1.3.0-20.el6sat.noarch
* foreman-libvirt-1.3.0-20.el6sat.noarch
* foreman-postgresql-1.3.0-20.el6sat.noarch
* foreman-proxy-1.3.0-3.el6sat.noarch
* katello-1.4.6-47.el6sat.noarch
* katello-all-1.4.6-47.el6sat.noarch
* katello-candlepin-cert-key-pair-1.0-1.noarch
* katello-certs-tools-1.4.4-1.el6sat.noarch
* katello-cli-1.4.3-27.el6sat.noarch
* katello-cli-common-1.4.3-27.el6sat.noarch
* katello-common-1.4.6-47.el6sat.noarch
* katello-configure-1.4.7-7.el6sat.noarch
* katello-configure-foreman-1.4.7-7.el6sat.noarch
* katello-foreman-all-1.4.6-47.el6sat.noarch
* katello-glue-candlepin-1.4.6-47.el6sat.noarch
* katello-glue-elasticsearch-1.4.6-47.el6sat.noarch
* katello-glue-pulp-1.4.6-47.el6sat.noarch
* katello-qpid-broker-key-pair-1.0-1.noarch
* katello-qpid-client-key-pair-1.0-1.noarch
* katello-selinux-1.4.4-4.el6sat.noarch
* openldap-2.4.23-31.el6.x86_64
* pulp-katello-plugins-0.2-1.el6sat.noarch
* pulp-nodes-common-2.3.0-0.22.beta.el6sat.noarch
* pulp-nodes-parent-2.3.0-0.22.beta.el6sat.noarch
* pulp-puppet-plugins-2.3.0-0.22.beta.el6sat.noarch
* pulp-rpm-plugins-2.3.0-0.22.beta.el6sat.noarch
* pulp-selinux-2.3.0-0.22.beta.el6sat.noarch
* pulp-server-2.3.0-0.22.beta.el6sat.noarch
* python-ldap-2.3.10-1.el6.x86_64
* ruby193-rubygem-ldap_fluff-0.2.2-2.el6sat.noarch
* ruby193-rubygem-net-ldap-0.3.1-3.el6sat.noarch
* ruby193-rubygem-runcible-1.0.7-1.el6sat.noarch
* signo-0.0.23-2.el6sat.noarch
* signo-katello-0.0.23-2.el6sat.noarch

Comment 8 Bryan Kearney 2014-04-24 17:07:49 UTC
This was verified and delivered with MDP2. Closing it out.