PuppetDB : General SSLEngine problem

Après avoir mis à jour mon puppetmaster en version 6 et re-créé la CA, c’est devenu le drame sur mes agents, plus moyen d’envoyer leurs facts sur PuppetDB :

puppet agent -t
Warning: Unable to fetch my node definition, but the agent run will continue:
Warning: Error 500 on SERVER: Server Error: Could not retrieve facts for master.int.morot.fr: Failed to find facts from PuppetDB at puppet:8140: Failed to execute '/pdb/query/v4/nodes/master.int.morot.fr/facts'$

L’erreur se trouve sur le puppetmaster dans /var/log/puppetlabs/puppetserver/puppetserver.log :

/opt/puppetlabs/puppet/lib/ruby/vendor_ruby/puppet/network/http/handler.rb:85:in `process'
uri:classloader:/puppetserver-lib/puppet/server/master.rb:47:in `handleRequest'
2019-07-26T17:10:16.788+02:00 ERROR [qtp764528938-37] [c.p.h.c.i.PersistentSyncHttpClient] Error executing http request
javax.net.ssl.SSLHandshakeException: General SSLEngine problem
        at sun.security.ssl.Handshaker.checkThrown(Handshaker.java:1521)
        at sun.security.ssl.SSLEngineImpl.checkTaskThrown(SSLEngineImpl.java:528)
        at sun.security.ssl.SSLEngineImpl.writeAppRecord(SSLEngineImpl.java:1197)
        at sun.security.ssl.SSLEngineImpl.wrap(SSLEngineImpl.java:1165)
        at javax.net.ssl.SSLEngine.wrap(SSLEngine.java:469)
        at org.apache.http.nio.reactor.ssl.SSLIOSession.doWrap(SSLIOSession.java:265)
        at org.apache.http.nio.reactor.ssl.SSLIOSession.doHandshake(SSLIOSession.java:305)
        at org.apache.http.nio.reactor.ssl.SSLIOSession.isAppInputReady(SSLIOSession.java:509)
        at org.apache.http.impl.nio.reactor.AbstractIODispatch.inputReady(AbstractIODispatch.java:120)
        at org.apache.http.impl.nio.reactor.BaseIOReactor.readable(BaseIOReactor.java:162)
        at org.apache.http.impl.nio.reactor.AbstractIOReactor.processEvent(AbstractIOReactor.java:337)
        at org.apache.http.impl.nio.reactor.AbstractIOReactor.processEvents(AbstractIOReactor.java:315)
        at org.apache.http.impl.nio.reactor.AbstractIOReactor.execute(AbstractIOReactor.java:276)
        at org.apache.http.impl.nio.reactor.BaseIOReactor.execute(BaseIOReactor.java:104)
        at org.apache.http.impl.nio.reactor.AbstractMultiworkerIOReactor$Worker.run(AbstractMultiworkerIOReactor.java:588)
        at java.lang.Thread.run(Thread.java:748)

La solution est simple, il faut raccorcher PuppetDB à la CA du Puppetmaster, on teste :

puppetdb ssl-setup
PEM files in /etc/puppetlabs/puppetdb/ssl already exists, checking integrity.
Warning: /etc/puppetlabs/puppetdb/ssl/ca.pem does not match the file used by Puppet (/etc/puppetlabs/puppet/ssl/certs/ca.pem)
Warning: /etc/puppetlabs/puppetdb/ssl/public.pem does not match the file used by Puppet (/etc/puppetlabs/puppet/ssl/certs/master.int.morot.fr.pem)
Setting ssl-host in /etc/puppetlabs/puppetdb/conf.d/jetty.ini already correct.
Setting ssl-port in /etc/puppetlabs/puppetdb/conf.d/jetty.ini already correct.
Setting ssl-key in /etc/puppetlabs/puppetdb/conf.d/jetty.ini already correct.
Setting ssl-cert in /etc/puppetlabs/puppetdb/conf.d/jetty.ini already correct.
Setting ssl-ca-cert in /etc/puppetlabs/puppetdb/conf.d/jetty.ini already correct.

Et on applique :

puppetdb ssl-setup -f
PEM files in /etc/puppetlabs/puppetdb/ssl already exists, checking integrity.
Warning: /etc/puppetlabs/puppetdb/ssl/ca.pem does not match the file used by Puppet (/etc/puppetlabs/puppet/ssl/certs/ca.pem)
Warning: /etc/puppetlabs/puppetdb/ssl/public.pem does not match the file used by Puppet (/etc/puppetlabs/puppet/ssl/certs/master.int.morot.fr.pem)
Overwriting existing PEM files due to -f flag
Copying files: /etc/puppetlabs/puppet/ssl/certs/ca.pem, /etc/puppetlabs/puppet/ssl/private_keys/master.int.morot.fr.pem and /etc/puppetlabs/puppet/ssl/certs/master.int.morot.fr.pem to /etc/puppetlabs/puppetdb/s$
Setting ssl-host in /etc/puppetlabs/puppetdb/conf.d/jetty.ini already correct.
Setting ssl-port in /etc/puppetlabs/puppetdb/conf.d/jetty.ini already correct.
Setting ssl-key in /etc/puppetlabs/puppetdb/conf.d/jetty.ini already correct.
Setting ssl-cert in /etc/puppetlabs/puppetdb/conf.d/jetty.ini already correct.
Setting ssl-ca-cert in /etc/puppetlabs/puppetdb/conf.d/jetty.ini already correct.

Il n’y a plus qu’à redémarrer les services pour que tout rentre dans l’ordre :

systemctl restart puppetserver.service
systemctl restart puppetdb.service

Laisser un commentaire

Votre adresse de messagerie ne sera pas publiée. Les champs obligatoires sont indiqués avec *

Ce site utilise Akismet pour réduire les indésirables. En savoir plus sur comment les données de vos commentaires sont utilisées.