During %post in the provisioning of a RHEL5 based system the puppet agent will fail to start and register correctly; you are left with:

# /usr/bin/puppet agent -v --config /etc/puppet/puppet.conf -o --tags no_such_tag --server qeblade35.rhq.lab.eng.bos.redhat.com --no-daemonize
Exiting; no certificate found and waitforcert is disabled

On the Puppetmaster if you try and sign it manually you get:

# puppet cert sign --digest SHA1 qe-rhel-5-x64-capsule-02.idmqe.lab.eng.bos.redhat.com
Error: unknown message digest algorithm

This appears to be a result of the rhel5 puppet agent using an incompatible digest when signing the request.
Since this issue was entered in Red Hat Bugzilla, the release flag has been set to ? to ensure that it is properly evaluated for this release.
Puppet 2.7 signs certificate requests using MD5:
https://github.com/puppetlabs/puppet/blob/2.7.26/lib/puppet/ssl/certificate_request.rb#L71

This is hard coded, and there doesn't seem to be any way to change this on the client (although puppet agent --digest option would lead you to believe otherwise). Puppetmaster on at least el7 won't sign MD5 signed CSRs. We probably need to test el6. We could patch the el5sat to use SHA256 which actually works just fine:

Line 71: csr.sign(key, OpenSSL::Digest::SHA256.new)

[root@qeblade35 requests]# puppet cert --list
"qe-rhel-5-x64-capsule-02.idmqe.lab.eng.bos.redhat.com" (SHA256) 40:48:17:37:9C:16:E1:0B:24:4C:BF:01:3B:40:5D:CD:01:7C:4A:24:83:86:9B:C5:4C:3D:AA:9B:20:06:86:44
[root@qeblade35 requests]# puppet cert --sign qe-rhel-5-x64-capsule-02.idmqe.lab.eng.bos.redhat.com
Notice: Signed certificate request for qe-rhel-5-x64-capsule-02.idmqe.lab.eng.bos.redhat.com
Notice: Removing file Puppet::SSL::CertificateRequest qe-rhel-5-x64-capsule-02.idmqe.lab.eng.bos.redhat.com at '/var/lib/puppet/ssl/ca/requests/qe-rhel-5-x64-capsule-02.idmqe.lab.eng.bos.redhat.com.pem'
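An added example, not part of the original comments or of Puppet's code: a Ruby check that reports which digest a CSR was signed with and whether its self-signature verifies, so MD5-signed requests like those produced by the 2.7 agent can be identified on the master before signing. The helper names, the host name agent.example.test and the weak-algorithm list are assumptions made for illustration.

```ruby
require 'openssl'

# Signature algorithms a CA should refuse on a CSR. Assumption for this example:
# only MD5, the digest discussed in this bug.
WEAK_SIGNATURE_ALGORITHMS = %w[md5WithRSAEncryption].freeze

# Build a CSR with a selectable digest, mirroring the csr.sign(key, digest) call
# quoted above (hypothetical helper, used only to construct sample input).
def build_csr(common_name, key, digest_name)
  csr = OpenSSL::X509::Request.new
  csr.version = 0
  csr.subject = OpenSSL::X509::Name.new([['CN', common_name]])
  csr.public_key = key.public_key
  csr.sign(key, OpenSSL::Digest.new(digest_name))
  csr
end

# Parse a PEM-encoded CSR and report what matters before signing it:
# who it claims to be, how it was signed, and whether the signature checks out.
def audit_csr(pem)
  csr = OpenSSL::X509::Request.new(pem)
  algorithm = csr.signature_algorithm
  {
    subject: csr.subject.to_s,
    signature_algorithm: algorithm,
    self_signature_valid: csr.verify(csr.public_key),
    weak_digest: WEAK_SIGNATURE_ALGORITHMS.include?(algorithm)
  }
end

if __FILE__ == $PROGRAM_NAME
  key = OpenSSL::PKey::RSA.new(2048) # constructed throwaway key
  %w[SHA256 MD5].each do |digest|
    begin
      puts "#{digest}: #{audit_csr(build_csr('agent.example.test', key, digest).to_pem)}"
    rescue StandardError => e
      # Some OpenSSL builds (for example FIPS mode) refuse MD5 outright.
      puts "#{digest}: local OpenSSL refused to sign (#{e.message})"
    end
  end
end
```

On a master, the same audit_csr call can be pointed at the PEM files under the CA requests directory shown in the output above.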
(Or just upgrade to Puppet 3.6 on RHEL 5, like we have on RHEL 6 & 7)
This doesn't occur if the Capsule (Puppetmaster) is running on RHEL6.
My understanding is puppet > 2.7 requires ruby 1.8.7 or better. As RHEL 5 ships with 1.8.5, puppet provides a RHEL 5 ruby 1.8.7 build for newer versions of their client to run, but I don't think we can or should do this as part of Satellite. See http://yum.puppetlabs.com/el/5Server/dependencies/x86_64/
I don't know if PL will take it, but I submitted a PR upstream: https://github.com/puppetlabs/puppet/pull/3046
Would prefer not to change the system ruby, I think we all agree on that? Fixing 2.7 is probably our best bet. Talked to Dominic today and he said it was also probably OK to change.
moving to MODIFIED to put into the errata.
VERIFIED
Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory, and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report. http://rhn.redhat.com/errata/RHBA-2014-1280.html
> http://rhn.redhat.com/errata/RHBA-2014-1280.html
Correct URL: https://access.redhat.com/errata/RHBA-2014:1280