Bug 1388136 - --upgrade-puppet does not update puppet SSL ca and cert locations by default
Status: CLOSED ERRATA
Alias: None
Product: Red Hat Satellite
Classification: Red Hat
Component: Installation
Version: 6.3.0
Hardware: Unspecified
OS: Unspecified
Priority: high
Severity: high
Target Milestone: Unspecified
Assignee: Stephen Benjamin
QA Contact: Lukas Pramuk
Reported: 2016-10-24 14:47 UTC by Chris Duryee
Modified: 2019-09-26 14:48 UTC (History)

Fixed In Version: rubygem-katello-3.4.5
Last Closed: 2018-02-21 16:51:07 UTC
Links
System | ID | Private | Priority | Status | Summary | Last Updated
Foreman Issue Tracker | 17074 | 0 | Normal | Closed | --upgrade-puppet does not change puppet cert locations | 2021-02-18 07:35:10 UTC

Description Chris Duryee 2016-10-24 14:47:28 UTC
Description of problem:


When using the --upgrade-puppet option, the locations of the puppet SSL CA/cert are not updated to the new puppet4 locations in /etc/

Capsule - tab 'Puppet CA':
Failure: ERF50-5345 [Foreman::WrappedException]: Unable to connect ([ProxyAPI::ProxyException]: ERF12-5356 [ProxyAPI::ProxyException]: Unable to get PuppetCA certificates ([RestClient...)

Capsule - tab 'Logs'
ERROR    Disabling all modules in the group ['puppet_proxy_puppet_api', 'puppet'] due to a failure in one of them: File at '/var/lib/puppet/ssl/certs/ca.pem' defined in 'puppet_ssl_ca' cannot be found.

Workaround is to run the installer once again to adjust the cert locations:
# satellite-installer \
 --foreman-proxy-puppet-ssl-ca /etc/puppetlabs/puppet/ssl/certs/ca.pem \
 --foreman-proxy-puppet-ssl-cert /etc/puppetlabs/puppet/ssl/certs/`hostname`.pem

We need the installer to do it all at once just by --upgrade-puppet

Comment 3 Lukas Pramuk 2016-11-01 12:11:45 UTC
Workaround in comment#0 is inaccurate, to adjust certs location you have to run:

# satellite-installer \
--foreman-puppet-ssldir /etc/puppetlabs/puppet/ssl \
--foreman-proxy-ssldir /etc/puppetlabs/puppet/ssl \
--foreman-proxy-puppet-ssl-ca /etc/puppetlabs/puppet/ssl/certs/ca.pem \
--foreman-proxy-puppet-ssl-cert /etc/puppetlabs/puppet/ssl/certs/`hostname`.pem \
--foreman-proxy-puppet-ssl-key /etc/puppetlabs/puppet/ssl/private_keys/`hostname`.pem

With this the modules [ puppet_proxy_puppet_api, puppet ] get enabled again.

Despite this certs adjustment, the Capsule 'Puppet CA' tab still complains about unavailable PuppetCA certificates:

Failure: ERF50-5345 [Foreman::WrappedException]: Unable to connect ([ProxyAPI::ProxyException]: ERF12-5356 [ProxyAPI::ProxyException]: Unable to get PuppetCA certificates ([RestClient...)

Is the puppet ssldir hardcoded in the puppetca module?

Comment 4 Lukas Pramuk 2016-11-02 08:21:48 UTC
By comparing brand new and upgraded installation I see that more locations still need to be adjusted:

# satellite-installer \
--foreman-puppet-ssldir /etc/puppetlabs/puppet/ssl \
--foreman-proxy-ssldir /etc/puppetlabs/puppet/ssl \
--foreman-proxy-puppet-ssl-ca /etc/puppetlabs/puppet/ssl/certs/ca.pem \
--foreman-proxy-puppet-ssl-cert /etc/puppetlabs/puppet/ssl/certs/`hostname`.pem \
--foreman-proxy-puppet-ssl-key /etc/puppetlabs/puppet/ssl/private_keys/`hostname`.pem \
--foreman-proxy-puppetca-cmd '/opt/puppetlabs/bin/puppet cert' \
--foreman-proxy-puppetdir /etc/puppetlabs/puppet \
--foreman-proxy-puppetrun-cmd '/opt/puppetlabs/bin/puppet kick'

By this command even the puppetca error is mitigated.

Comment 5 Stephen Benjamin 2016-11-02 13:15:47 UTC
I think you're still missing a bunch, you can see in 31-upgrade-puppet.rb hook what we're resetting.  Like --foreman-puppet-home, and --foreman-puppet-ssldir.
We don't really need a workaround, if you wait for us to merge the upstream PR you can test the actual fix... There was just a bug in how it was resetting them.  

BTW, you can use --reset-XXX instead of giving a value, like --reset-foreman-puppet-ssldir.  It will see puppet 4 is on the box, and use the default value for it instead of 3.

Comment 6 Bryan Kearney 2016-11-07 21:09:22 UTC
Moving this bug to POST for triage into Satellite 6 since the upstream issue http://projects.theforeman.org/issues/17074 has been resolved.

Comment 7 Lukas Pramuk 2017-08-09 14:08:16 UTC
FailedQA.

@satellite-6.3.0-16.0.beta.el7sat.noarch
puppet-agent-1.8.2-2.el7sat.x86_64
puppetserver-2.7.2-2.el7sat.noarch
katello-installer-base-3.4.4-1.el7sat.noarch


After upgrade the puppet options are reset now to the new locations.
However, options in the satellite answer files remain the same.

@upgraded p4 install:
# satellite-installer -h | grep -e foreman-proxy-puppet-ssl -e{vardir,ssldir}
    --foreman-proxy-puppet-ssl-ca  SSL CA used to verify connections when accessing the Puppet master API (current: "/var/lib/puppet/ssl/certs/ca.pem")
    --foreman-proxy-puppet-ssl-cert  SSL certificate used when accessing the Puppet master API (current: "/var/lib/puppet/ssl/certs/sat3.example.com.pem")
    --foreman-proxy-puppet-ssl-key  SSL private key used when accessing the Puppet master API (current: "/var/lib/puppet/ssl/private_keys/sat3.example.com.pem")
    --foreman-proxy-ssldir        Puppet CA SSL directory (current: "/var/lib/puppet/ssl")
    --puppet-ssldir               Override where SSL certificates are kept. (current: "/var/lib/puppet/ssl")
    --puppet-vardir               Override the puppet var directory. (current: "/var/lib/puppet")
 
>>> the defaults (in answer files) remain the very same as before upgrade /var/lib/puppet/* 


While with clean p4 install the defaults are the new ones:

@clean p4 install:
# satellite-installer -h | grep -e foreman-proxy-puppet-ssl -e{vardir,ssldir}
    --foreman-proxy-puppet-ssl-ca  SSL CA used to verify connections when accessing the Puppet master API (current: "/etc/puppetlabs/puppet/ssl/certs/ca.pem")
    --foreman-proxy-puppet-ssl-cert  SSL certificate used when accessing the Puppet master API (current: "/etc/puppetlabs/puppet/ssl/certs/sat4.example.com.pem")
    --foreman-proxy-puppet-ssl-key  SSL private key used when accessing the Puppet master API (current: "/etc/puppetlabs/puppet/ssl/private_keys/sat4.example.com.pem")
    --foreman-proxy-ssldir        Puppet CA SSL directory (current: "/etc/puppetlabs/puppet/ssl")
    --puppet-ssldir               Override where SSL certificates are kept. (current: "/etc/puppetlabs/puppet/ssl")
    --puppet-vardir               Override the puppet var directory. (current: "/opt/puppetlabs/puppet/cache")

>>> what's worse is that we are losing idempotency here, i.e. fresh p4 install differs from upgraded p4 install

Failing this BZ can be related to failing BZ 1466912

Comment 8 Lukas Pramuk 2017-09-04 12:35:17 UTC
VERIFIED.

@satellite-6.3.0-17.0.beta.el7sat.noarch
katello-installer-base-3.4.5-1.el7sat.noarch
puppet-agent-1.8.2-2.el7sat.x86_64
puppetserver-2.7.2-2.el7sat.noarch

using manual reproducer:

1. Enable puppet4 repo (currently internal only repo)

2. Upgrade puppet version

# satellite-installer --upgrade-puppet
Upgrading puppet...
...
Upgrade Step: upgrade_puppet_package...
...
Upgrade Step: stop_services...
...
Upgrade Step: copy_data...
...
Upgrade Step: remove_puppet_port_httpd...
...
Upgrade Step: start_httpd...
...
Puppet 3 to 4 upgrade initialization complete, continuing with installation
Resetting puppet params...
Puppet 3 to 4 upgrade param reset, continuing with installation
Installing             Done                                               [100%] [.....................................]
  Success!
  * Katello is running at https://<SATFQDN>
  * To install an additional Foreman proxy on separate machine continue by running:

      foreman-proxy-certs-generate --foreman-proxy-fqdn "$FOREMAN_PROXY" --certs-tar "/root/$FOREMAN_PROXY-certs.tar"

  The full log is at /var/log/foreman-installer/satellite.log
Upgrade Step: restart_services...
...

3. Check ssl certs locations

# satellite-installer -h | grep -e foreman-proxy-puppet-ssl -e{vardir,ssldir}
    --foreman-proxy-puppet-ssl-ca  SSL CA used to verify connections when accessing the Puppet master API (current: "/etc/puppetlabs/puppet/ssl/certs/ca.pem")
    --foreman-proxy-puppet-ssl-cert  SSL certificate used when accessing the Puppet master API (current: "/etc/puppetlabs/puppet/ssl/certs/<SATFQDN>.pem")
    --foreman-proxy-puppet-ssl-key  SSL private key used when accessing the Puppet master API (current: "/etc/puppetlabs/puppet/ssl/private_keys/<SATFQDN>.pem")
    --foreman-proxy-ssldir        Puppet CA SSL directory (current: "/etc/puppetlabs/puppet/ssl")
    --puppet-ssldir               Override where SSL certificates are kept. (current: "/etc/puppetlabs/puppet/ssl")
    --puppet-vardir               Override the puppet var directory. (current: "/opt/puppetlabs/puppet/cache")

>>> all certs/keys locations are correctly updated (upgraded install now matches fresh p4 install)
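
Added example, not part of the bug report or of the Satellite installer: a shell check that automates the comparison done by hand in Comments 7 and 8, flagging any option whose `current:` value still points into the Puppet 3 tree or at a path that does not exist. The function names and the sample text are assumptions made for illustration.

```shell
#!/bin/sh
# Added example, not from the bug report: audit the (current: "...") values
# that `satellite-installer -h` prints for the Puppet SSL options.

# Constructed sample modelled on the upgraded-install output in Comment 7
# (descriptions shortened; sat.example.com is a placeholder hostname).
SAMPLE_HELP='    --foreman-proxy-puppet-ssl-ca  SSL CA (current: "/var/lib/puppet/ssl/certs/ca.pem")
    --foreman-proxy-puppet-ssl-key  SSL key (current: "/var/lib/puppet/ssl/private_keys/sat.example.com.pem")
    --puppet-ssldir               Override where SSL certificates are kept. (current: "/etc/puppetlabs/puppet/ssl")
    --example-flag                An option that reports no current value'

# list_current: read help text on stdin, print "option path" for every
# option line that ends in (current: "<path>").
list_current() {
    sed -n 's/^ *\(--[a-z0-9-]*\) .*(current: "\([^"]*\)") *$/\1 \2/p'
}

# audit_paths: read "option path" pairs on stdin and label each one
#   STALE   - still under the Puppet 3 tree /var/lib/puppet
#   MISSING - not a Puppet 3 path, but nothing exists there on this host
#   OK      - path exists
# Returns 1 if any finding is STALE or MISSING, else 0.
audit_paths() {
    rc=0
    while read -r opt path; do
        case "$path" in
            /var/lib/puppet|/var/lib/puppet/*)
                printf 'STALE %s %s\n' "$opt" "$path"; rc=1 ;;
            *)
                if [ -e "$path" ]; then
                    printf 'OK %s %s\n' "$opt" "$path"
                else
                    printf 'MISSING %s %s\n' "$opt" "$path"; rc=1
                fi ;;
        esac
    done
    return "$rc"
}

# count_stale: number of options in the help text (stdin) still on Puppet 3 paths.
count_stale() {
    list_current | audit_paths | grep -c '^STALE ' || true
}

# Demo on the sample. On a Satellite host, run instead:
#   satellite-installer -h | list_current | audit_paths
printf '%s\n' "$SAMPLE_HELP" | list_current | audit_paths || true
```

A non-zero exit from `audit_paths` after `--upgrade-puppet` corresponds to the FailedQA state in Comment 7; a clean run corresponds to the VERIFIED state in Comment 8.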

Comment 9 Satellite Program 2018-02-21 16:51:07 UTC
Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA.

For information on the advisory, and where to find the updated files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHSA-2018:0336

