After upgrading my puppetmaster to version 6 and regenerating the CA, things fell apart on my agents: they could no longer send their facts to PuppetDB:
puppet agent -t
Warning: Unable to fetch my node definition, but the agent run will continue:
Warning: Error 500 on SERVER: Server Error: Could not retrieve facts for master.int.morot.fr: Failed to find facts from PuppetDB at puppet:8140: Failed to execute '/pdb/query/v4/nodes/master.int.morot.fr/facts'
The error shows up on the puppetmaster in /var/log/puppetlabs/puppetserver/puppetserver.log:
/opt/puppetlabs/puppet/lib/ruby/vendor_ruby/puppet/network/http/handler.rb:85:in `process'
uri:classloader:/puppetserver-lib/puppet/server/master.rb:47:in `handleRequest'
2019-07-26T17:10:16.788+02:00 ERROR [qtp764528938-37] [c.p.h.c.i.PersistentSyncHttpClient] Error executing http request
javax.net.ssl.SSLHandshakeException: General SSLEngine problem
    at sun.security.ssl.Handshaker.checkThrown(Handshaker.java:1521)
    at sun.security.ssl.SSLEngineImpl.checkTaskThrown(SSLEngineImpl.java:528)
    at sun.security.ssl.SSLEngineImpl.writeAppRecord(SSLEngineImpl.java:1197)
    at sun.security.ssl.SSLEngineImpl.wrap(SSLEngineImpl.java:1165)
    at javax.net.ssl.SSLEngine.wrap(SSLEngine.java:469)
    at org.apache.http.nio.reactor.ssl.SSLIOSession.doWrap(SSLIOSession.java:265)
    at org.apache.http.nio.reactor.ssl.SSLIOSession.doHandshake(SSLIOSession.java:305)
    at org.apache.http.nio.reactor.ssl.SSLIOSession.isAppInputReady(SSLIOSession.java:509)
    at org.apache.http.impl.nio.reactor.AbstractIODispatch.inputReady(AbstractIODispatch.java:120)
    at org.apache.http.impl.nio.reactor.BaseIOReactor.readable(BaseIOReactor.java:162)
    at org.apache.http.impl.nio.reactor.AbstractIOReactor.processEvent(AbstractIOReactor.java:337)
    at org.apache.http.impl.nio.reactor.AbstractIOReactor.processEvents(AbstractIOReactor.java:315)
    at org.apache.http.impl.nio.reactor.AbstractIOReactor.execute(AbstractIOReactor.java:276)
    at org.apache.http.impl.nio.reactor.BaseIOReactor.execute(BaseIOReactor.java:104)
    at org.apache.http.impl.nio.reactor.AbstractMultiworkerIOReactor$Worker.run(AbstractMultiworkerIOReactor.java:588)
    at java.lang.Thread.run(Thread.java:748)
The fix is simple: PuppetDB has to be hooked back up to the Puppetmaster's CA. First a dry run:
puppetdb ssl-setup
PEM files in /etc/puppetlabs/puppetdb/ssl already exists, checking integrity.
Warning: /etc/puppetlabs/puppetdb/ssl/ca.pem does not match the file used by Puppet (/etc/puppetlabs/puppet/ssl/certs/ca.pem)
Warning: /etc/puppetlabs/puppetdb/ssl/public.pem does not match the file used by Puppet (/etc/puppetlabs/puppet/ssl/certs/master.int.morot.fr.pem)
Setting ssl-host in /etc/puppetlabs/puppetdb/conf.d/jetty.ini already correct.
Setting ssl-port in /etc/puppetlabs/puppetdb/conf.d/jetty.ini already correct.
Setting ssl-key in /etc/puppetlabs/puppetdb/conf.d/jetty.ini already correct.
Setting ssl-cert in /etc/puppetlabs/puppetdb/conf.d/jetty.ini already correct.
Setting ssl-ca-cert in /etc/puppetlabs/puppetdb/conf.d/jetty.ini already correct.
Then apply it for real:
puppetdb ssl-setup -f
PEM files in /etc/puppetlabs/puppetdb/ssl already exists, checking integrity.
Warning: /etc/puppetlabs/puppetdb/ssl/ca.pem does not match the file used by Puppet (/etc/puppetlabs/puppet/ssl/certs/ca.pem)
Warning: /etc/puppetlabs/puppetdb/ssl/public.pem does not match the file used by Puppet (/etc/puppetlabs/puppet/ssl/certs/master.int.morot.fr.pem)
Overwriting existing PEM files due to -f flag
Copying files: /etc/puppetlabs/puppet/ssl/certs/ca.pem, /etc/puppetlabs/puppet/ssl/private_keys/master.int.morot.fr.pem and /etc/puppetlabs/puppet/ssl/certs/master.int.morot.fr.pem to /etc/puppetlabs/puppetdb/s
Setting ssl-host in /etc/puppetlabs/puppetdb/conf.d/jetty.ini already correct.
Setting ssl-port in /etc/puppetlabs/puppetdb/conf.d/jetty.ini already correct.
Setting ssl-key in /etc/puppetlabs/puppetdb/conf.d/jetty.ini already correct.
Setting ssl-cert in /etc/puppetlabs/puppetdb/conf.d/jetty.ini already correct.
Setting ssl-ca-cert in /etc/puppetlabs/puppetdb/conf.d/jetty.ini already correct.
All that is left is to restart the services and everything is back in order:
systemctl restart puppetserver.service
systemctl restart puppetdb.service
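As an added example (not from the original post), a small POSIX shell check for the condition ssl-setup warned about: it compares PuppetDB's ca.pem, public.pem and private.pem byte-for-byte with the Puppet server's files, and verifies that PuppetDB's public.pem chains to the CA that puppetserver trusts, which is what fails with the SSLHandshakeException above. The directory layout and the certname master.int.morot.fr come from the post; the function name and the extra key-pairing check are assumptions of this example.

```shell
#!/bin/sh
# Added example, not the post's own code. Reports whether PuppetDB's SSL files
# are still the ones Puppet uses and whether they chain to the current CA.
# Usage: check_puppetdb_ssl PUPPET_SSL_DIR PUPPETDB_SSL_DIR CERTNAME
# Returns 0 when everything is consistent, 1 on any problem (each one printed).
check_puppetdb_ssl() {
  puppet_dir=$1; db_dir=$2; certname=$3; status=0

  # 1. Byte-for-byte comparison of the three files `puppetdb ssl-setup -f` copies.
  for pair in "certs/ca.pem:ca.pem" \
              "certs/$certname.pem:public.pem" \
              "private_keys/$certname.pem:private.pem"; do
    src="$puppet_dir/${pair%%:*}"; dst="$db_dir/${pair##*:}"
    if ! cmp -s "$src" "$dst" 2>/dev/null; then
      echo "MISMATCH: $dst differs from $src"; status=1
    fi
  done

  # 2. Chain check against the CA puppetserver trusts (not PuppetDB's own copy):
  #    after a CA rebuild this is what breaks, even when PuppetDB's own files
  #    are internally consistent with each other.
  if ! openssl verify -CAfile "$puppet_dir/certs/ca.pem" "$db_dir/public.pem" 2>/dev/null \
       | grep -q ': OK$'; then
    echo "CHAIN: $db_dir/public.pem is not signed by $puppet_dir/certs/ca.pem"; status=1
  fi

  # 3. Key/cert pairing: private.pem must be the key behind public.pem.
  cert_pub=$(openssl x509 -in "$db_dir/public.pem" -noout -pubkey 2>/dev/null)
  key_pub=$(openssl pkey -in "$db_dir/private.pem" -pubout 2>/dev/null)
  if [ -z "$cert_pub" ] || [ "$cert_pub" != "$key_pub" ]; then
    echo "KEYPAIR: $db_dir/private.pem does not match $db_dir/public.pem"; status=1
  fi
  return $status
}

# Stand-alone use, e.g. on the puppetmaster from the post:
#   sh check-puppetdb-ssl.sh /etc/puppetlabs/puppet/ssl /etc/puppetlabs/puppetdb/ssl master.int.morot.fr
if [ "$#" -eq 3 ]; then check_puppetdb_ssl "$@"; fi
```

Run it before and after `puppetdb ssl-setup -f`: a stale PuppetDB reports MISMATCH and CHAIN lines and exits 1, a fixed one exits 0.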