Note: This bug is displayed in read-only format because
the product is no longer active in Red Hat Bugzilla.
Red Hat Satellite engineering is moving the tracking of its product development work on Satellite to Red Hat Jira (issues.redhat.com). If you're a Red Hat customer, please continue to file support cases via the Red Hat customer portal. If you're not, please head to the "Satellite project" in Red Hat Jira and file new tickets here. Individual Bugzilla bugs will be migrated starting at the end of May. If you cannot log in to RH Jira, please consult article #7032570. That failing, please send an e-mail to the RH Jira admins at rh-issues@redhat.com to troubleshoot your issue as a user management inquiry. The email creates a ServiceNow ticket with Red Hat. Individual Bugzilla bugs that are migrated will be moved to status "CLOSED", resolution "MIGRATED", and set with "MigratedToJIRA" in "Keywords". The link to the successor Jira issue will be found under "Links", have a little "two-footprint" icon next to it, and direct you to the "Satellite project" in Red Hat Jira (issue links are of type "https://issues.redhat.com/browse/SAT-XXXX", where "X" is a digit). This same link will be available in a blue banner at the top of the page informing you that that bug has been migrated.
During %post in the provisioning of a RHEL5 based system the puppet agent will fail to start and register correctly, you are left with:
# /usr/bin/puppet agent -v --config /etc/puppet/puppet.conf -o --tags no_such_tag --server qeblade35.rhq.lab.eng.bos.redhat.com --no-daemonize
Exiting; no certificate found and waitforcert is disabled
On the Puppetmaster if you try and sign it manually you get:
# puppet cert sign --digest SHA1 qe-rhel-5-x64-capsule-02.idmqe.lab.eng.bos.redhat.com
Error: unknown message digest algorithm
This appears to be a result of the rhel5 puppet agent using an incompatible digest when signing the request.
Comment 1RHEL Program Management
2014-09-02 20:02:57 UTC
Since this issue was entered in Red Hat Bugzilla, the release flag has been
set to ? to ensure that it is properly evaluated for this release.
Puppet 2.7 signs certificates requests using MD5:
https://github.com/puppetlabs/puppet/blob/2.7.26/lib/puppet/ssl/certificate_request.rb#L71
This is hard coded, and there doesn't seem to be any way to change this on the client (although puppet agent --digest option would lead you to believe otherwise).
Puppetmaster on at least el7 won't sign MD5 signed CSR's. We probably need to test el6.
We could patch the el5sat to use SHA256 which actually works just fine:
Line 71: csr.sign(key, OpenSSL::Digest::SHA256.new)
[root@qeblade35 requests]# puppet cert --list
"qe-rhel-5-x64-capsule-02.idmqe.lab.eng.bos.redhat.com" (SHA256) 40:48:17:37:9C:16:E1:0B:24:4C:BF:01:3B:40:5D:CD:01:7C:4A:24:83:86:9B:C5:4C:3D:AA:9B:20:06:86:44
[root@qeblade35 requests]# puppet cert --sign qe-rhel-5-x64-capsule-02.idmqe.lab.eng.bos.redhat.com
Notice: Signed certificate request for qe-rhel-5-x64-capsule-02.idmqe.lab.eng.bos.redhat.com
Notice: Removing file Puppet::SSL::CertificateRequest qe-rhel-5-x64-capsule-02.idmqe.lab.eng.bos.redhat.com at '/var/lib/puppet/ssl/ca/requests/qe-rhel-5-x64-capsule-02.idmqe.lab.eng.bos.redhat.com.pem'
My understanding is puppet > 2.7 requires ruby 1.8.7 or better. As RHEL 5 ships with 1.8.5 puppet provides a RHEL 5 ruby 1.8.7 build for newer versions of their client to run, but I don't think we can or should do this as part of Satellite.
See http://yum.puppetlabs.com/el/5Server/dependencies/x86_64/
Comment 11Stephen Benjamin
2014-09-03 10:28:27 UTC
I don't know if PL will take it, but I submitted an PR upstream:
https://github.com/puppetlabs/puppet/pull/3046
Would prefer not to change the system ruby, I think we all agree on that?
Fixing 2.7 is probably our best bet. Talked to Dominic today and he said it was also probably OK to change.
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.
For information on the advisory, and where to find the updated
files, follow the link below.
If the solution does not work for you, open a new bug report.
http://rhn.redhat.com/errata/RHBA-2014-1280.html