Bug
Resolution: Unresolved
Major
None
6.16.5
Description of problem:
After updating our custom SSL certificates across Satellite and Capsules, Puppet agents can apply catalogs successfully, but report uploads fail with certificate verification errors.
Exception
2025-05-13T13:00:25.294-05:00 ERROR [xxxxxxxxxxxxxx-109] [puppetserver] Puppet Report processor failed: Could not send the report to Foreman at https://satellite.example.com/api/config_reports: certificate verify failed
How reproducible:
In the customer's environment.
Is this issue a regression from an earlier version:
Yes.
Steps to Reproduce:
1. Update custom certs on the satellite
2. The Puppet agent running on the client can apply the catalog but fails to upload the reports to the Puppet master.

# openssl storeutl -noout -text -certs puppet_client_ca.crt | grep -i subject
Subject: DC=com, DC=xxxok, CN=xxEOK ICxx <------------ our Intermediate cert
Subject Public Key Info:
X509v3 Subject Key Identifier:
Subject: CN=xxEOK Rxx <---------- our ROOT cert
Subject Public Key Info:
X509v3 Subject Key Identifier:
[root@xxxxxxxxx puppet]#

And the cert that Puppet reports it is unable to verify seems fine.

# openssl s_client -connect satellite.example.com:443 -showcerts </dev/null 2>/dev/null | openssl x509 -outform PEM > satellite.pem
# openssl verify -CAfile puppet_client_ca.crt satellite.pem
satellite.pem: OK
# openssl verify -CAfile ../certs/katello-server-ca.crt satellite.pem
satellite.pem: OK
Actual behavior:
The Puppet agent running on the client is able to apply the configuration without any issues. The only problem is with the upload of the report.
Expected behavior:
After applying the catalog, the client should be able to apply the report.
Business Impact / Additional info:
The customer was not happy about the behavior and tried the following, referencing an old Foreman post - https://community.theforeman.org/t/foreman-cant-connect-to-puppetdb/17979/2
Commented out the ssl_ca param and restarted the puppetserver service.

[root@satellite puppet]# cat foreman.yaml
---
:url: "https://satellite.example.com"
#:ssl_ca: "/etc/pki/katello/puppet/puppet_client_ca.crt" <<<<<<< Customer commented this out and everything is back to normal.
:ssl_cert: "/etc/pki/katello/puppet/puppet_client.crt"
:ssl_key: "/etc/pki/katello/puppet/puppet_client.key"
:puppetdir: "/opt/puppetlabs/server/data/puppetserver"
:puppetuser: "puppet"
:facts: true
:fact_extension: "json"
:timeout: 60
:report_timeout: 60
:report_retry_limit: 1
:threads: null
[root@satelite puppet]#

Unbelievably, on the Satellite it was able to send Puppet reports back to Satellite again.
=====================
Note: This is a temporary workaround, as running satellite-installer will revert the setting back to the default. The customer is requesting a permanent solution.
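
The openssl checks in the steps above verify only the leaf certificate saved to satellite.pem against a CA file. The script below is an added example, not part of the original report and not Satellite or Foreman code: it reads the active TLS settings from foreman.yaml and performs a handshake with the same CA bundle and client certificate, including a hostname check, so the failing chain depth and error are visible. The function names are hypothetical, and port 443 is taken from the s_client command in the report.

```shell
#!/bin/sh
# Added diagnostic example; function names are hypothetical.

# Print the value of one active ":key:" entry in foreman.yaml.
# A commented-out entry such as '#:ssl_ca: "..."' yields an empty string.
foreman_setting() {   # usage: foreman_setting <file> <key>
  sed -n "s/^:$2:[[:space:]]*\"\{0,1\}\([^\"]*\)\"\{0,1\}[[:space:]]*\$/\1/p" "$1" |
    head -n 1
}

# Reduce a URL such as https://host:port/path to its host name.
url_host() {          # usage: url_host <url>
  printf '%s\n' "$1" | sed -e 's#^[a-z]*://##' -e 's#[/:].*$##'
}

# Handshake using the CA bundle, client certificate and key configured in
# foreman.yaml, and print the chain verification lines from s_client.
# Exits with status 2 when no :ssl_ca: entry is active in the file.
check_report_tls() (  # usage: check_report_tls <path to foreman.yaml>
  cfg=$1
  host=$(url_host "$(foreman_setting "$cfg" url)")
  ca=$(foreman_setting "$cfg" ssl_ca)
  cert=$(foreman_setting "$cfg" ssl_cert)
  key=$(foreman_setting "$cfg" ssl_key)

  if [ -z "$ca" ]; then
    echo "ssl_ca is not set in $cfg; no CA bundle to test against" >&2
    exit 2
  fi

  # -verify_return_error stops at the first chain error;
  # -verify_hostname also checks the certificate names against the host.
  openssl s_client -connect "$host:443" -servername "$host" \
    -CAfile "$ca" -cert "$cert" -key "$key" \
    -verify_hostname "$host" -verify_return_error </dev/null 2>&1 |
    grep -Ei 'depth=|verif'
)

# Run the check when a config path is given on the command line.
if [ "$#" -gt 0 ]; then
  check_report_tls "$1"
fi
```

Lines beginning with "verify error:num=" in the output name the error and the chain depth at which it occurred, which the leaf-only `openssl verify` run does not show.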