We use Puppet extensively at Logicworks, and we've run into an issue in the automated build process for our Puppet masters, and I've isolated it to an issue with OpenSSL serials failing to be converted to integers.
We use the official Puppet modules to install our Puppetmasters using `puppet apply` via the AWS EC2 UserData script. We've deployed hundreds of PMs this way, but have recently started having an issue when bootstrapping the PM.
Because puppet apply is also responsible for setting the hostname, and because the $hostname fact doesn't get updated until the next Puppet run, we generate our master cert first before installing the necessary configuration files via the "puppet-puppet" module.
```puppet
exec { "puppetmaster-cert":
  command => "/usr/bin/puppet cert --generate --dns_alt_names ${dns_alt_names} ${aws::bootstrap::instance_fqdn}",
  creates => "/var/lib/puppet/ssl/certs/${aws::bootstrap::instance_fqdn}.pem"
}

class { '::puppet':
  server                  => true,
  puppetmaster            => $aws::bootstrap::puppetmaster_hostname,
  agent_template          => "aws/bootstrap/puppet.erb.conf",
  server_certname         => $aws::bootstrap::instance_fqdn,
  server_foreman_url      => "https://${aws::bootstrap::instance_fqdn}",
  server_foreman_ssl_cert => "/var/lib/puppet/ssl/certs/${aws::bootstrap::instance_fqdn}.pem",
  server_foreman_ssl_key  => "/var/lib/puppet/ssl/private_keys/${aws::bootstrap::instance_fqdn}.pem",
  require                 => Exec['puppetmaster-cert']
}
```
However, for some reason Exec["puppetmaster-cert"] is failing with an exit code 23 (and no error at all). After much research, we found that the error is being raised here in **puppet/ssl/inventory.rb**, line 12:
```ruby
# Add a certificate to our inventory.
def add(cert)
  cert = cert.content if cert.is_a?(Puppet::SSL::Certificate)
  Puppet.settings.setting(:cert_inventory).open("a") do |f|
    f.print format(cert) # <========================= Line 12
  end
end

# Format our certificate for output.
def format(cert)
  iso = '%Y-%m-%dT%H:%M:%S%Z'
  # Exception is raised here ---v
  "0x%04x %s %s %s\n" % [cert.serial, cert.not_before.strftime(iso), cert.not_after.strftime(iso), cert.subject]
end
```
When the CA cert gets added to inventory.txt, `cert.serial` is interpolated into the string as an integer, and we get this error/traceback:
```
/usr/lib/ruby/vendor_ruby/puppet/ssl/inventory.rb:25:in `to_i'
/usr/lib/ruby/vendor_ruby/puppet/ssl/inventory.rb:25:in `%'
/usr/lib/ruby/vendor_ruby/puppet/ssl/inventory.rb:25:in `format'
/usr/lib/ruby/vendor_ruby/puppet/ssl/inventory.rb:13:in `block in add'
/usr/lib/ruby/vendor_ruby/puppet/file_system/file_impl.rb:26:in `open'
/usr/lib/ruby/vendor_ruby/puppet/file_system/file_impl.rb:26:in `open'
/usr/lib/ruby/vendor_ruby/puppet/file_system.rb:40:in `open'
/usr/lib/ruby/vendor_ruby/puppet/settings/file_setting.rb:197:in `block in open'
/usr/lib/ruby/vendor_ruby/puppet/settings/file_setting.rb:231:in `block (2 levels) in controlled_access'
/usr/lib/ruby/vendor_ruby/puppet/util.rb:57:in `withumask'
/usr/lib/ruby/vendor_ruby/puppet/settings/file_setting.rb:221:in `block in controlled_access'
/usr/lib/ruby/vendor_ruby/puppet/util/suidmanager.rb:72:in `asuser'
/usr/lib/ruby/vendor_ruby/puppet/settings/file_setting.rb:219:in `controlled_access'
/usr/lib/ruby/vendor_ruby/puppet/settings/file_setting.rb:196:in `open'
/usr/lib/ruby/vendor_ruby/puppet/ssl/inventory.rb:12:in `add'
/usr/lib/ruby/vendor_ruby/puppet/ssl/certificate_authority.rb:311:in `sign'
/usr/lib/ruby/vendor_ruby/puppet/ssl/certificate_authority.rb:148:in `generate_ca_certificate'
/usr/lib/ruby/vendor_ruby/puppet/ssl/certificate_authority.rb:270:in `setup'
/usr/lib/ruby/vendor_ruby/puppet/ssl/certificate_authority.rb:161:in `initialize'
/usr/lib/ruby/vendor_ruby/puppet/application/cert.rb:248:in `new'
/usr/lib/ruby/vendor_ruby/puppet/application/cert.rb:248:in `setup'
/usr/lib/ruby/vendor_ruby/puppet/application.rb:378:in `block (2 levels) in run'
/usr/lib/ruby/vendor_ruby/puppet/application.rb:507:in `plugin_hook'
/usr/lib/ruby/vendor_ruby/puppet/application.rb:378:in `block in run'
/usr/lib/ruby/vendor_ruby/puppet/util.rb:496:in `exit_on_fail'
/usr/lib/ruby/vendor_ruby/puppet/application.rb:378:in `run'
/usr/lib/ruby/vendor_ruby/puppet/util/command_line.rb:146:in `run'
/usr/lib/ruby/vendor_ruby/puppet/util/command_line.rb:92:in `execute'
/usr/bin/puppet:8:in `'
```
If I go in with Pry, I can see the following details:
```
[4] pry(#)> cert.serial.to_i
OpenSSL::BNError:
from (pry):2:in `to_i'
```
I'm really at a loss as to what to do next. Nothing has changed in our process in weeks, and we verified all the relevant version info.
* Puppet Community Edition 3.8.7
* Foreman 1.8
* Ruby 1.9.3p484 (2013-11-22 revision 43786) [x86_64-linux]
* OpenSSL 1.0.1f 6 Jan 2014
* Ubuntu 14.04
Has anyone ever encountered anything like this?
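Added example (not part of the original post): a standalone Ruby repro of the inventory `format` call, run against a constructed self-signed CA cert instead of Puppet's, so the `BN` to `Integer` conversion that the `%04x` directive triggers can be tested in isolation from the Puppet master build. The helper names and the subject CN are invented for the example.

```ruby
require 'openssl'

# The formatting routine quoted from puppet/ssl/inventory.rb. The "%04x"
# directive calls to_i on the OpenSSL::BN serial, which is the frame where
# the OpenSSL::BNError in the traceback above is raised.
def inventory_line(cert)
  iso = '%Y-%m-%dT%H:%M:%S%Z'
  "0x%04x %s %s %s\n" % [cert.serial, cert.not_before.strftime(iso),
                          cert.not_after.strftime(iso), cert.subject]
end

# Build a throwaway self-signed CA cert (constructed test input, standing in
# for the CA cert that "puppet cert --generate" writes on a fresh master).
def build_test_ca(serial, cn = 'Puppet CA: test.example.internal')
  key  = OpenSSL::PKey::RSA.new(2048)
  cert = OpenSSL::X509::Certificate.new
  cert.version    = 2
  cert.serial     = OpenSSL::BN.new(serial.to_s)   # decimal string -> BN
  cert.subject    = OpenSSL::X509::Name.parse("/CN=#{cn}")
  cert.issuer     = cert.subject
  cert.public_key = key.public_key
  cert.not_before = Time.utc(2016, 1, 1)
  cert.not_after  = Time.utc(2021, 1, 1)
  cert.sign(key, OpenSSL::Digest::SHA256.new)
  cert
end

# Separate the steps the format line performs on the serial: the hex
# rendering (BN_bn2hex) and the Integer conversion (BN_bn2dec + to_i).
# If only :to_i fails, the problem is in the BN -> Integer path of the
# Ruby OpenSSL binding, not in the certificate itself.
def serial_diagnostics(cert)
  bn  = cert.serial
  out = { klass: bn.class.name, hex: bn.to_s(16), bytes: bn.num_bytes }
  begin
    out[:to_i] = bn.to_i
  rescue OpenSSL::BNError => e
    out[:to_i]  = nil
    out[:error] = e.message
  end
  out
end
```

Running `serial_diagnostics` on the real CA cert (`OpenSSL::X509::Certificate.new(File.read(path))`) on an affected host shows whether `to_s(16)` succeeds while `to_i` raises, which narrows the fault to the binding rather than to the generated certificate.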