[Pkg-puppet-devel] autopkgtest issues in Ubuntu

Nish Aravamudan nish.aravamudan at canonical.com
Fri Feb 24 19:54:11 UTC 2017


On 24.02.2017 [11:48:45 +0200], Apollon Oikonomopoulos wrote:
> Hi Nish,
> 
> On 13:48 Thu 23 Feb     , Nish Aravamudan wrote:
> > Ok, so adding ca-certificates did not seem to make any difference (and
> > in fact, it seems like it is already installed in the Ubuntu autopkgtest
> > environment so that was a red herring anyways). Any ideas why, e.g.:
> 
> Puppet has its own CA system and does not rely on ca-certificates in any
> way, so having ca-certificates installed or not should not make a
> difference.

Got it.

> > https://objectstorage.prodstack4-5.canonical.com/v1/AUTH_77e2ada1e7a84929a74ba3b87153c0ac/autopkgtest-zesty-nacc-lp1570472/zesty/amd64/p/puppet/20170223_203421_4dd8e@/log.gz
> > 
> > there is no certificate for the hostname by default on Ubuntu but there
> > is on Debian? I don't see anything in the tests that ensures it exists
> > and only puppet-master-passenger generates it in a postinst (hence those
> > tests now pass, but I think it's technically incidental and dependent on
> > the .postinst's behavior, which might be fine).
> 
> The certificate should have been generated by the master process itself 
> if it does not exist, using Puppet's CA. Could you get the list of files 
> under /var/lib/puppet/ssl and /var/cache/puppet/ssl at the end of the 
> test?

So I just did a quick test in a LXD of 17.04 after installing
puppet-master and ruby-serverspec.

# ps aux | grep puppet
puppet    4421  0.0  0.2 216624 45424 ?        Ssl  19:52   0:00 /usr/bin/ruby /usr/bin/puppet master

# find /var/lib/puppet/ssl/
/var/lib/puppet/ssl/
/var/lib/puppet/ssl/certificate_requests
/var/lib/puppet/ssl/public_keys
/var/lib/puppet/ssl/public_keys/oriented-squirrel.lxd.pem
/var/lib/puppet/ssl/certs
/var/lib/puppet/ssl/certs/ca.pem
/var/lib/puppet/ssl/certs/oriented-squirrel.lxd.pem
/var/lib/puppet/ssl/private_keys
/var/lib/puppet/ssl/private_keys/oriented-squirrel.lxd.pem
/var/lib/puppet/ssl/ca
/var/lib/puppet/ssl/ca/ca_key.pem
/var/lib/puppet/ssl/ca/requests
/var/lib/puppet/ssl/ca/ca_crt.pem
/var/lib/puppet/ssl/ca/ca_pub.pem
/var/lib/puppet/ssl/ca/ca_crl.pem
/var/lib/puppet/ssl/ca/signed
/var/lib/puppet/ssl/ca/signed/oriented-squirrel.lxd.pem
/var/lib/puppet/ssl/ca/inventory.txt
/var/lib/puppet/ssl/ca/serial
/var/lib/puppet/ssl/ca/private
/var/lib/puppet/ssl/ca/private/ca.pass
/var/lib/puppet/ssl/crl.pem
/var/lib/puppet/ssl/private

# find /var/cache/puppet/ssl/
find: ‘/var/cache/puppet/ssl/’: No such file or directory

# puppet cert print $(hostname --fqdn)
Error: Could not find certificate for oriented-squirrel

So is the puppet certificate generation supposed to be from the puppet
upstream (master process) or from the debian package installation? As I
mentioned earlier, puppet-master-passenger's postinst seems to ensure
the hostcert exists, but I don't see anything corresponding for
puppet-master.

Thanks,
Nish

-- 
Nishanth Aravamudan
Ubuntu Server
Canonical Ltd
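
Added example, not part of the original message or of the Debian packaging: a shell check that looks for a host certificate by name under a given ssldir and, when that name has no certificate, lists the host certificates that are present. The helper names and the sample tree are constructed here to mirror the listing above, where the lookup names `oriented-squirrel` while the files are named `oriented-squirrel.lxd.pem`.

```shell
#!/bin/sh
# find_hostcert SSLDIR NAME
#   prints "match NAME" (exit 0) when SSLDIR/certs/NAME.pem exists,
#   prints "mismatch <names>" (exit 1) when other host certs exist instead,
#   prints "none" (exit 2) when only the CA cert (or nothing) is present.
find_hostcert() {
    ssldir=$1
    name=$2
    if [ -f "$ssldir/certs/$name.pem" ]; then
        printf 'match %s\n' "$name"
        return 0
    fi
    found=""
    for f in "$ssldir"/certs/*.pem; do
        [ -f "$f" ] || continue            # glob matched nothing
        base=$(basename "$f" .pem)
        [ "$base" = "ca" ] && continue     # ca.pem is the CA, not a host cert
        found="${found:+$found }$base"
    done
    if [ -n "$found" ]; then
        printf 'mismatch %s\n' "$found"
        return 1
    fi
    printf 'none\n'
    return 2
}

# Constructed sample tree (empty files) shaped like the listing in the message.
make_sample_ssldir() {
    d=$(mktemp -d) || return 1
    mkdir -p "$d/certs" "$d/private_keys"
    : > "$d/certs/ca.pem"
    : > "$d/certs/oriented-squirrel.lxd.pem"
    : > "$d/private_keys/oriented-squirrel.lxd.pem"
    printf '%s\n' "$d"
}

sample=$(make_sample_ssldir)
find_hostcert "$sample" "oriented-squirrel" || true   # name from the error message
find_hostcert "$sample" "oriented-squirrel.lxd"       # name of the files on disk
rm -rf "$sample"

# On a real master (run as root), compare the name the test looks up with
# what is on disk, for example:
#   find_hostcert /var/lib/puppet/ssl "$(hostname --fqdn)"
```

Exit status 1 separates "a certificate was generated under a different name" from status 2, "no host certificate was generated at all", which are the two cases the thread is trying to tell apart.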


