Description of problem:
When using the --upgrade-puppet option, the locations of the puppet ssl ca/cert are not updated to the new puppet4 locations in /etc/

Capsule - tab 'Puppet CA':
Failure: ERF50-5345 [Foreman::WrappedException]: Unable to connect ([ProxyAPI::ProxyException]: ERF12-5356 [ProxyAPI::ProxyException]: Unable to get PuppetCA certificates ([RestClient...)

Capsule - tab 'Logs':
ERROR Disabling all modules in the group ['puppet_proxy_puppet_api', 'puppet'] due to a failure in one of them: File at '/var/lib/puppet/ssl/certs/ca.pem' defined in 'puppet_ssl_ca' cannot be found.

Workaround is to run the installer once again to adjust the certs locations:

# satellite-installer \
    --foreman-proxy-puppet-ssl-ca /etc/puppetlabs/puppet/ssl/certs/ca.pem \
    --foreman-proxy-puppet-ssl-cert /etc/puppetlabs/puppet/ssl/certs/`hostname`.pem

We need the installer to do it all at once, just with --upgrade-puppet.
Workaround in comment#0 is inaccurate; to adjust the certs locations you have to run:

# satellite-installer \
    --foreman-puppet-ssldir /etc/puppetlabs/puppet/ssl \
    --foreman-proxy-ssldir /etc/puppetlabs/puppet/ssl \
    --foreman-proxy-puppet-ssl-ca /etc/puppetlabs/puppet/ssl/certs/ca.pem \
    --foreman-proxy-puppet-ssl-cert /etc/puppetlabs/puppet/ssl/certs/`hostname`.pem \
    --foreman-proxy-puppet-ssl-key /etc/puppetlabs/puppet/ssl/private_keys/`hostname`.pem

With this the modules [ puppet_proxy_puppet_api, puppet ] get enabled again.

Despite this certs adjustment, the Capsule 'Puppet CA' tab still complains about unavailable PuppetCA certificates:

Failure: ERF50-5345 [Foreman::WrappedException]: Unable to connect ([ProxyAPI::ProxyException]: ERF12-5356 [ProxyAPI::ProxyException]: Unable to get PuppetCA certificates ([RestClient...)

Is puppet ssldir hardcoded in puppetca module?
By comparing brand new and upgraded installation I see that more locations still need to be adjusted:

# satellite-installer \
    --foreman-puppet-ssldir /etc/puppetlabs/puppet/ssl \
    --foreman-proxy-ssldir /etc/puppetlabs/puppet/ssl \
    --foreman-proxy-puppet-ssl-ca /etc/puppetlabs/puppet/ssl/certs/ca.pem \
    --foreman-proxy-puppet-ssl-cert /etc/puppetlabs/puppet/ssl/certs/`hostname`.pem \
    --foreman-proxy-puppet-ssl-key /etc/puppetlabs/puppet/ssl/private_keys/`hostname`.pem \
    --foreman-proxy-puppetca-cmd '/opt/puppetlabs/bin/puppet cert' \
    --foreman-proxy-puppetdir /etc/puppetlabs/puppet \
    --foreman-proxy-puppetrun-cmd '/opt/puppetlabs/bin/puppet kick'

By this command even the puppetca error is mitigated.
I think you're still missing a bunch, you can see in 31-upgrade-puppet.rb hook what we're resetting. Like --foreman-puppet-home, and --foreman-puppet-ssldir. We don't really need a workaround, if you wait for us to merge the upstream PR you can test the actual fix... There was just a bug in how it was resetting them. BTW, you can use --reset-XXX instead of giving a value, like --reset-foreman-puppet-ssldir. It will see puppet 4 is on the box, and use the default value for it instead of 3.
Moving this bug to POST for triage into Satellite 6 since the upstream issue http://projects.theforeman.org/issues/17074 has been resolved.
FailedQA.

@satellite-6.3.0-16.0.beta.el7sat.noarch
puppet-agent-1.8.2-2.el7sat.x86_64
puppetserver-2.7.2-2.el7sat.noarch
katello-installer-base-3.4.4-1.el7sat.noarch

After upgrade the puppet options are reset now to the new locations. However, options in the satellite answer files remain the same.

@upgraded p4 install:

# satellite-installer -h | grep -e foreman-proxy-puppet-ssl -e{vardir,ssldir}
    --foreman-proxy-puppet-ssl-ca    SSL CA used to verify connections when accessing the Puppet master API (current: "/var/lib/puppet/ssl/certs/ca.pem")
    --foreman-proxy-puppet-ssl-cert  SSL certificate used when accessing the Puppet master API (current: "/var/lib/puppet/ssl/certs/sat3.example.com.pem")
    --foreman-proxy-puppet-ssl-key   SSL private key used when accessing the Puppet master API (current: "/var/lib/puppet/ssl/private_keys/sat3.example.com.pem")
    --foreman-proxy-ssldir           Puppet CA SSL directory (current: "/var/lib/puppet/ssl")
    --puppet-ssldir                  Override where SSL certificates are kept. (current: "/var/lib/puppet/ssl")
    --puppet-vardir                  Override the puppet var directory. (current: "/var/lib/puppet")

>>> the defaults (in answer files) remain the very same as before upgrade /var/lib/puppet/*

While with clean p4 install the defaults are the new ones:

@clean p4 install:

# satellite-installer -h | grep -e foreman-proxy-puppet-ssl -e{vardir,ssldir}
    --foreman-proxy-puppet-ssl-ca    SSL CA used to verify connections when accessing the Puppet master API (current: "/etc/puppetlabs/puppet/ssl/certs/ca.pem")
    --foreman-proxy-puppet-ssl-cert  SSL certificate used when accessing the Puppet master API (current: "/etc/puppetlabs/puppet/ssl/certs/sat4.example.com.pem")
    --foreman-proxy-puppet-ssl-key   SSL private key used when accessing the Puppet master API (current: "/etc/puppetlabs/puppet/ssl/private_keys/sat4.example.com.pem")
    --foreman-proxy-ssldir           Puppet CA SSL directory (current: "/etc/puppetlabs/puppet/ssl")
    --puppet-ssldir                  Override where SSL certificates are kept. (current: "/etc/puppetlabs/puppet/ssl")
    --puppet-vardir                  Override the puppet var directory. (current: "/opt/puppetlabs/puppet/cache")

>>> what's worse is that we are losing idempotency here, i.e. fresh p4 install differs from upgraded p4 install

Failing this BZ can be related to failing BZ 1466912
VERIFIED.

@satellite-6.3.0-17.0.beta.el7sat.noarch
katello-installer-base-3.4.5-1.el7sat.noarch
puppet-agent-1.8.2-2.el7sat.x86_64
puppetserver-2.7.2-2.el7sat.noarch

using manual reproducer:

1. Enable puppet4 repo (currently internal only repo)

2. Upgrade puppet version

# satellite-installer --upgrade-puppet
Upgrading puppet...
...
Upgrade Step: upgrade_puppet_package...
...
Upgrade Step: stop_services...
...
Upgrade Step: copy_data...
...
Upgrade Step: remove_puppet_port_httpd...
...
Upgrade Step: start_httpd...
...
Puppet 3 to 4 upgrade initialization complete, continuing with installation
Resetting puppet params...
Puppet 3 to 4 upgrade param reset, continuing with installation
Installing Done [100%] [.....................................]
Success!
  * Katello is running at https://<SATFQDN>
  * To install an additional Foreman proxy on separate machine continue by running:
      foreman-proxy-certs-generate --foreman-proxy-fqdn "$FOREMAN_PROXY" --certs-tar "/root/$FOREMAN_PROXY-certs.tar"
The full log is at /var/log/foreman-installer/satellite.log
Upgrade Step: restart_services...
...

3. Check ssl certs locations

# satellite-installer -h | grep -e foreman-proxy-puppet-ssl -e{vardir,ssldir}
    --foreman-proxy-puppet-ssl-ca    SSL CA used to verify connections when accessing the Puppet master API (current: "/etc/puppetlabs/puppet/ssl/certs/ca.pem")
    --foreman-proxy-puppet-ssl-cert  SSL certificate used when accessing the Puppet master API (current: "/etc/puppetlabs/puppet/ssl/certs/<SATFQDN>.pem")
    --foreman-proxy-puppet-ssl-key   SSL private key used when accessing the Puppet master API (current: "/etc/puppetlabs/puppet/ssl/private_keys/<SATFQDN>.pem")
    --foreman-proxy-ssldir           Puppet CA SSL directory (current: "/etc/puppetlabs/puppet/ssl")
    --puppet-ssldir                  Override where SSL certificates are kept. (current: "/etc/puppetlabs/puppet/ssl")
    --puppet-vardir                  Override the puppet var directory. (current: "/opt/puppetlabs/puppet/cache")

>>> all certs/keys locations are correctly updated (upgraded install now matches fresh p4 install)
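
The check in step 3 above can be scripted so that any option still pointing at a Puppet 3 path is flagged after an upgrade. This is an added example, not part of the original comments or the installer's own code; the function names and the sample input are constructed, and the `--reset-` prefix follows the `--reset-XXX` form mentioned earlier in this thread.

```shell
#!/bin/sh
# Constructed sample, modelled on the `satellite-installer -h` output quoted in
# this report (one value is wrapped onto its own line, as the help text can be).
sample_help() {
cat <<'EOF'
    --foreman-proxy-puppet-ssl-ca   SSL CA used to verify connections when accessing the Puppet master API (current: "/var/lib/puppet/ssl/certs/ca.pem")
    --foreman-proxy-ssldir          Puppet CA SSL directory (current: "/etc/puppetlabs/puppet/ssl")
    --puppet-ssldir                 Override where SSL certificates are kept.
                                    (current: "/var/lib/puppet/ssl")
    --puppet-vardir                 Override the puppet var directory. (current: "/opt/puppetlabs/puppet/cache")
EOF
}

# Read installer help text on stdin and print "option<TAB>path" for every
# option whose current value still lives under the Puppet 3 tree /var/lib/puppet.
stale_puppet3_options() {
  awk '
    # Remember the most recent option name; its value may sit on the next line.
    match($0, /--[a-z0-9-]+/) { opt = substr($0, RSTART, RLENGTH) }
    match($0, /\(current: "[^"]*"\)/) {
      # Strip the leading (current: " (11 chars) and the trailing ") (2 chars).
      val = substr($0, RSTART + 11, RLENGTH - 13)
      if (val ~ /^\/var\/lib\/puppet(\/|$)/) printf "%s\t%s\n", opt, val
    }
  '
}

# Turn the stale options into --reset-<name> flags on a single line.
reset_flags() {
  stale_puppet3_options | cut -f1 | sed 's/^--/--reset-/' | tr '\n' ' ' | sed 's/ $//'
}

# On a real system: satellite-installer -h | stale_puppet3_options
sample_help | stale_puppet3_options
```

An empty result means no option in the inspected help output points at the old CA, certificate or key locations.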
Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA.

For information on the advisory, and where to find the updated files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHSA-2018:0336