Errors when adding CA cert to inventory.txt

asked 2016-09-23 12:49:58 -0600

We use Puppet extensively at Logicworks, and we've run into an issue in the automated build process for our Puppet masters, and I've isolated it to an issue with OpenSSL serials failing to be converted to integers.

We use the official Puppet modules to install our Puppetmasters using puppet apply via the AWS EC2 UserData script. We've deployed hundreds of PMs this way, but have recently started having an issue when boostrapping the PM.

Because puppet apply is also responsible for setting the hostname, and because the $hostname fact doesn't get updated until the next Puppet run, we generate our master cert first before installing the necessary configuration files via the "puppet-puppet" module.

   exec { "puppetmaster-cert":
  command => "/usr/bin/puppet cert --generate --dns_alt_names ${dns_alt_names} ${aws::bootstrap::instance_fqdn}",
  creates => "/var/lib/puppet/ssl/certs/${aws::bootstrap::instance_fqdn}.pem"

class { '::puppet':
  server => true,
  puppetmaster => $aws::bootstrap::puppetmaster_hostname,
  agent_template => "aws/bootstrap/puppet.erb.conf",
  server_certname => $aws::bootstrap::instance_fqdn,
  server_foreman_url => "https://${aws::bootstrap::instance_fqdn}",
  server_foreman_ssl_cert => "/var/lib/puppet/ssl/certs/${aws::bootstrap::instance_fqdn}.pem",
  server_foreman_ssl_key => "/var/lib/puppet/ssl/private_keys/${aws::bootstrap::instance_fqdn}.pem",
  require => Exec['puppetmaster-cert']

However, for some reason Exec["puppetmaster-cert"] is failing with an exit code 23 (and no error at all). After much research, we found that the error is being raised here in puppet/ssl/inventory.rb, line 12:

  # Add a certificate to our inventory.
 def add(cert)
  cert = cert.content if cert.is_a?(Puppet::SSL::Certificate)
  Puppet.settings.setting(:cert_inventory).open("a") do |f|
    f.print format(cert)  # <=========================  Line 12

# Format our certificate for output.
def format(cert)
  iso = '%Y-%m-%dT%H:%M:%S%Z'
  # Exception is raised here ---v
  "0x%04x %s %s %s\n" % [cert.serial,  cert.not_before.strftime(iso), cert.not_after.strftime(iso), cert.subject]

When the ca cert gets added to inventory.txt, cert.serial is interpolated in the string as integer, and we get this error/traceback:

/usr/lib/ruby/vendor_ruby/puppet/ssl/inventory.rb:25:in `to_i'
/usr/lib/ruby/vendor_ruby/puppet/ssl/inventory.rb:25:in `%'
/usr/lib/ruby/vendor_ruby/puppet/ssl/inventory.rb:25:in `format'
/usr/lib/ruby/vendor_ruby/puppet/ssl/inventory.rb:13:in `block in add'
/usr/lib/ruby/vendor_ruby/puppet/file_system/file_impl.rb:26:in `open'
/usr/lib/ruby/vendor_ruby/puppet/file_system/file_impl.rb:26:in `open'
/usr/lib/ruby/vendor_ruby/puppet/file_system.rb:40:in `open'
/usr/lib/ruby/vendor_ruby/puppet/settings/file_setting.rb:197:in `block in open'
/usr/lib/ruby/vendor_ruby/puppet/settings/file_setting.rb:231:in `block (2 levels) in controlled_access'
/usr/lib/ruby/vendor_ruby/puppet/util.rb:57:in `withumask'
/usr/lib/ruby/vendor_ruby/puppet/settings/file_setting.rb:221:in `block in controlled_access'
/usr/lib/ruby/vendor_ruby/puppet/util/suidmanager.rb:72:in `asuser'
/usr/lib/ruby/vendor_ruby/puppet/settings/file_setting.rb:219:in `controlled_access'
/usr/lib/ruby/vendor_ruby/puppet/settings/file_setting.rb:196:in `open'
/usr/lib/ruby/vendor_ruby/puppet/ssl/inventory.rb:12:in `add'
/usr/lib/ruby/vendor_ruby/puppet/ssl/certificate_authority ...
edit retag flag offensive close merge delete


I've also ran into this problem; I'm relieved that I'm not the only one. We're also using 'Puppet Community Edition 3.8.7'. I'm going to try to test earlier version of puppet to see where the problem occurs.

wayn3w gravatar imagewayn3w ( 2016-09-26 21:00:30 -0600 )edit