puppet server not able to provision itself - certificate verify failed - certificate

I installed a new Puppet Server (version 6.11) on CentOS 8 to get rid of our old 3.8 installation on CentOS 6.
After migrating all of our modules and testing them on a CentOS 7 and a CentOS 8 server, I now wanted to add the Puppet Server itself as a node.
While the CentOS 7 and 8 test servers are running fine, I am not able to get the Puppet Server itself running as a puppet client as well.
I added it as a node with just one module and tried to run puppet agent:
[root@puppetmaster /]# puppet agent --test --server puppetmaster.th
Info: csr_attributes file loading from /etc/puppetlabs/puppet/csr_attributes.yaml
Info: Creating a new SSL certificate request for puppetmaster.th
Info: Certificate Request fingerprint (SHA256): E8:F3:69:50:53:43:32:4F:D8:D1:EF:18:17:98:70:15:3C:3B:B6:A1:6B:CA:0F:F0:A4:C3:EF:FE:3B:C5:3C:01
Error: certificate verify failed [unable to get certificate CRL for CN=puppetmaster.th]
Error: Could not run: certificate verify failed [unable to get certificate CRL for CN=puppetmaster.th]
I tried deleting the certs in /opt/puppetlabs/puppet/ssl/ as well as in /etc/puppetlabs/puppet/ssl and /etc/puppetlabs/puppet/sslmaster/.
I always get the same result. Looking at puppetserver ca list --all, I get 3 existing servers:
Signed Certificates:
centos7.th (SHA256) A8:EF:33:B6:92:F2:B7:42:DA:F8:B3:B5:67:DD:5A:68:6E:C1:40:97:23:B7:35:7C:A4:36:52:EB:3A:0D:C9:7F
centos8.th (SHA256) 35:CE:E7:7D:44:5B:93:C0:80:44:DB:75:BE:9C:CF:04:81:02:00:D7:49:D7:51:52:47:38:CA:E6:77:1D:01:19
puppetmaster.th (SHA256) 7E:F5:A4:24:47:F6:90:2D:54:BB:D0:A9:5E:EF:B8:61:C9:E9:D4:7F:AE:68:82:7A:6A:C3:13:F9:21:72:3F:3F alt names: ["DNS:puppetmaster.th", "DNS:puppetmaster", "DNS:puppetmaster.th"] authorization extensions: [pp_cli_auth: true]
The 2 test servers are still running fine (although, of course, I had to add them again after deleting all certs).
Now I am a little confused about how to add the puppet server itself as a working agent (which does work fine in the old setup).
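The message in the question is OpenSSL's own reason string: the agent was asked to check revocation status, but it had no CRL from the issuing CA to check against. The script below is an added example, not code from the question or from Puppet; it reproduces that state with a throwaway CA and shows the same verification passing once the issuer's CRL is supplied. The openssl CLI and all names in it are assumptions.

```shell
#!/bin/sh
# Added example, not from the question or from Puppet: reproduce "unable to get
# certificate CRL" with a throwaway OpenSSL PKI, then show the same verification
# passing once the issuer's CRL is available. Assumes the openssl CLI; names are constructed.
set -eu

# Build a scratch CA, one leaf certificate and an empty CRL in directory $1.
make_pki() {
  d="$1"; mkdir -p "$d"
  openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 30 -subj "/CN=Scratch Puppet CA" \
    -keyout "$d/ca.key" -out "$d/ca.pem" >/dev/null 2>&1
  openssl req -newkey rsa:2048 -nodes -sha256 -subj "/CN=puppetmaster.example" \
    -keyout "$d/leaf.key" -out "$d/leaf.csr" >/dev/null 2>&1
  openssl x509 -req -sha256 -days 30 -in "$d/leaf.csr" -CA "$d/ca.pem" -CAkey "$d/ca.key" \
    -CAcreateserial -out "$d/leaf.pem" >/dev/null 2>&1
  # Minimal "openssl ca" configuration: just enough to issue a CRL for the scratch CA.
  printf '%s\n' '[ ca ]' 'default_ca = scratch' '[ scratch ]' "dir = $d" \
    'database = $dir/index.txt' 'crlnumber = $dir/crlnumber' 'private_key = $dir/ca.key' \
    'certificate = $dir/ca.pem' 'default_md = sha256' 'default_crl_days = 30' > "$d/ca.cnf"
  : > "$d/index.txt"; echo 01 > "$d/crlnumber"
  openssl ca -config "$d/ca.cnf" -gencrl -md sha256 -crldays 30 -out "$d/crl.pem" >/dev/null 2>&1
}

# Chain-only verification of leaf $2 against CA $1: the check that still passes here.
verify_chain_only() {
  openssl verify -CAfile "$1" "$2" >/dev/null 2>&1 && echo OK
}

# Verification with revocation checking on (what the agent does): CA $1, leaf $2 and an
# optional CRL file $3. Prints OK, or prints OpenSSL's reason string and returns 1.
verify_crl_checked() {
  crl=""; [ $# -ge 3 ] && crl="-CRLfile $3"
  if out=$(openssl verify -crl_check -CAfile "$1" $crl "$2" 2>&1); then
    echo OK; return 0
  fi
  echo "$out" | sed -n 's/.*depth lookup: *//p' | head -n 1
  return 1
}

main() {
  w=$(mktemp -d); make_pki "$w"
  echo "chain only:          $(verify_chain_only "$w/ca.pem" "$w/leaf.pem")"
  echo "crl_check, no CRL:   $(verify_crl_checked "$w/ca.pem" "$w/leaf.pem" || true)"
  echo "crl_check with CRL:  $(verify_crl_checked "$w/ca.pem" "$w/leaf.pem" "$w/crl.pem")"
  rm -rf "$w"
}
case "${1:-}" in --run) main ;; esac
```

On a Puppet 6 agent the files to inspect the same way are the ones named by the localcacert and hostcrl settings (puppet config print localcacert hostcrl); run the script with --run for the walk-through.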

Related

Can not install semanage tool on RedHat virtual machine

I'm trying to change the MongoDB default port on my AWS virtual machine, but semanage is not found on the server:
semanage port -a -t mongod_port_t -p tcp 27042
-bash: semanage: command not found
Trying to find the package that provides semanage fails:
dnf whatprovides semanage
Errors during downloading metadata for repository 'rhui-client-config-server-8':
Curl error (58): Problem with the local SSL certificate for https://rhui3.eu-west-3.aws.ce.redhat.com/pulp/mirror/protected/rhui-client-config/rhel/server/8/x86_64/os [could not load PEM client certificate, OpenSSL error error:0200100D:system library:fopen:Permission denied, (no key found, wrong pass phrase, or wrong file format?)]
Error: Failed to download metadata for repo 'rhui-client-config-server-8': Cannot prepare internal mirrorlist: Curl error (58): Problem with the local SSL certificate for https://rhui3.eu-west-3.aws.ce.redhat.com/pulp/mirror/protected/rhui-client-config/rhel/server/8/x86_64/os [could not load PEM client certificate, OpenSSL error error:0200100D:system library:fopen:Permission denied, (no key found, wrong pass phrase, or wrong file format?)]
dnf update works and the system is up to date:
Last metadata expiration check: 0:42:00 ago on Tue 21 Jul 2020 10:11:35 AM UTC.
Dependencies resolved.
Nothing to do.
Complete!
Additional information:
cat /etc/redhat-release
Red Hat Enterprise Linux release 8.2 (Ootpa)
dnf repolist
repo id / repo name
mongodb-org-4.2 / MongoDB Repository
rhel-8-appstream-rhui-rpms / Red Hat Enterprise Linux 8 for x86_64 - AppStream from RHUI (RPMs)
rhel-8-baseos-rhui-rpms / Red Hat Enterprise Linux 8 for x86_64 - BaseOS from RHUI (RPMs)
rhui-client-config-server-8 / Red Hat Update Infrastructure 3 Client Configuration Server 8
Could you help me to install semanage, please? Thanks.
1. dnf install policycoreutils-python-utils
2. dnf provides semanage (this displays the same result as above - the path)
3. yum provides /usr/sbin/semanage
4. yum install policycoreutils-python
I fixed my issue using this.
You can also refer to this link:
https://www.ostechnix.com/linux-troubleshooting-semanage-command-not-found-in-centos-7rhel-7/

Error 422 after installing gitlab on centos 7

I got into trouble after installing GitLab on CentOS 7. The first time, I was redirected to the admin password creation page, and after setting the password for the admin user the server sent an error:
422
The change you requested was rejected.
I had set the URL value based on the site guide.
Set the external_url in /etc/gitlab/gitlab.rb:
external_url "https://example.com/gitlab"
I checked the links below for similar situations but didn't find the right answer. My server was on the local network and had no internet access.
Error 422 after installing gitlab on Ubuntu 18.04
After Update Error: "422 The change you requested was rejected."
Error 422 after installing Gitlab on Ubuntu 16.04
I made a mistake when installing GitLab. In the /etc/gitlab/gitlab.rb file I put the local GitLab address with https, but due to the local server setup there was no "Let's Encrypt" service and I did not intend to access the site via SSL. I modified the address in the file and turned "https" into "http". After that modification, running the following commands fixed the problem:
sudo gitlab-ctl reconfigure
sudo gitlab-ctl restart

dotnet core app api do not keep running on kubernetes

I'm setting up a dotnet core app in a Kubernetes cluster and I'm getting the error "Unable to start kestrel".
The Dockerfile works fine on my local machine.
at Microsoft.AspNetCore.Hosting.ListenOptionsHttpsExtensions.UseHttps(ListenOptions listenOptions)
at Microsoft.AspNetCore.Hosting.ListenOptionsHttpsExtensions.UseHttps(ListenOptions listenOptions, Action`1 configureOptions)
For more information on configuring HTTPS see https://go.microsoft.com/fwlink/?linkid=848054.
To generate a developer certificate run 'dotnet dev-certs https'. To trust the certificate (Windows and macOS only) run 'dotnet dev-certs https --trust'.
Unhandled Exception: System.InvalidOperationException: Unable to configure HTTPS endpoint. No server certificate was specified, and the default developer certificate could not be found.
at Microsoft.AspNetCore.Server.Kestrel.Core.KestrelServer.StartAsync[TContext](IHttpApplication`1 application, CancellationToken cancellationToken)
at Microsoft.AspNetCore.Server.Kestrel.Core.Internal.AddressBinder.BindAsync(IServerAddressesFeature addresses, KestrelServerOptions serverOptions, ILogger logger, Func`2 createBinding)
at Microsoft.AspNetCore.Server.Kestrel.Core.Internal.AddressBinder.AddressesStrategy.BindAsync(AddressBindContext context)
at Microsoft.AspNetCore.Hosting.ListenOptionsHttpsExtensions.UseHttps(ListenOptions listenOptions)
at Microsoft.AspNetCore.Hosting.ListenOptionsHttpsExtensions.UseHttps(ListenOptions listenOptions, Action`1 configureOptions)
For more information on configuring HTTPS see https://go.microsoft.com/fwlink/?linkid=848054.
To generate a developer certificate run 'dotnet dev-certs https'. To trust the certificate (Windows and macOS only) run 'dotnet dev-certs https --trust'.
System.InvalidOperationException: Unable to configure HTTPS endpoint. No server certificate was specified, and the default developer certificate could not be found.
Unable to start Kestrel.
My Dockerfile:
[...build step]
FROM microsoft/dotnet:2.1-aspnetcore-runtime
COPY --from=build-env /app/out ./app
ENV PORT=5000
ENV ASPNETCORE_URLS=http://+:${PORT}
WORKDIR /app
EXPOSE $PORT
ENTRYPOINT [ "dotnet", "Gateway.dll" ]
I expected the application to start successfully, but I'm getting this error: "unable to start kestrel".
[UPDATE]
I've removed the https port from the app and tried again without https, but now the application just starts and stops without any error or warning. Container log below:
Running locally using dotnet run, or building the image and running it from a container, everything works. The application just shuts down in Kubernetes.
I am using dotnet core 2.2.
[UPDATE]
I've generated a cert, added it to the project, set it up in Kestrel, and got the same result. On localhost using the docker image it works, but in Kubernetes (Google Cloud) it just shuts down immediately after it starts.
localhost:
$ docker run --rm -it -p 5000:5000/tcp -p 5001:5001/tcp juooo:latest
warn: Microsoft.AspNetCore.DataProtection.KeyManagement.XmlKeyManager[35]
No XML encryptor configured. Key {f7808ac5-0a0d-47d0-86cb-c605c2db84a3} may be persisted to storage in unencrypted form.
warn: Microsoft.AspNetCore.Server.Kestrel[0]
Overriding address(es) 'https://+:5001, http://+:5000'. Binding to endpoints defined in UseKestrel() instead.
Hosting environment: Production
Content root path: /app
Now listening on: https://0.0.0.0:5001
Application started. Press Ctrl+C to shut down.
I found an event log with a Kubernetes error saying that Kubernetes was unable to hit (:5000/). So I tried creating a controller targeting the application root (because it's an API, it doesn't have a root like a web app) and it worked.
The problem seems to be with the SSL certificate not being correctly configured while creating the docker image. On the dev machine it will be using the developer certificate; however, on other machines it should be stored somewhere. Check this
I am pretty sure you need to open up a firewall rule to run on any port other than 80, something like:
gcloud compute firewall-rules create test-node-port --allow tcp:5000
Taken from kubernetes how-to located here: https://cloud.google.com/kubernetes-engine/docs/how-to/exposing-apps

SSSD on docker container (Ubuntu)

I am trying to integrate an Ubuntu docker container with FreeIPA and am getting the error below while installing the FreeIPA client (FreeIPA-client --install):
Created /etc/ipa/default.conf
New SSSD config will be created
Configured sudoers in /etc/nsswitch.conf
Configured /etc/sssd/sssd.conf
Configured /etc/krb5.conf for IPA realm BLABS.COM
trying https://vilma.com/ipa/json
Forwarding 'ping' to json server 'https://vilma.com/ipa/json'
Forwarding 'ca_is_enabled' to json server 'https://vilma.com/ipa/json'
Systemwide CA database updated.
Adding SSH public key from /etc/ssh/ssh_host_dsa_key.pub
Adding SSH public key from /etc/ssh/ssh_host_ed25519_key.pub
Adding SSH public key from /etc/ssh/ssh_host_ecdsa_key.pub
Adding SSH public key from /etc/ssh/ssh_host_rsa_key.pub
Forwarding 'host_mod' to json server 'https://vilma/ipa/json'
SSSD enabled
SSSD service restart was unsuccessful.
Configured /etc/openldap/ldap.conf
Unable to find 'admin' user with 'getent passwd admin@vilma.com'!
Unable to reliably detect configuration. Check NSS setup manually.
NTP enabled
I tried to start sssd manually by typing sssd and got the message below:
ldb: unable to open modules directory '/usr/lib/x86_64-linux-gnu/ldb/modules/ldb' - Permission denied
(Sun Oct 14 20:55:17:078716 2018) [sssd] [load_configuration] (0x0010): The confdb initialization failed
(Sun Oct 14 20:55:17:078750 2018) [sssd] [main] (0x0020): SSSD couldn't load the configuration database.
I appreciate your help.
In case anyone else runs into this: the problem is that the overlayfs that docker uses causes problems with the ldb database that sssd is using.
So you need to:
1. move /usr/lib/x86_64-linux-gnu/ldb/modules/ldb to another path (e.g. /usr/lib/x86_64-linux-gnu/ldb/modules/ldb-orig) in your Dockerfile;
2. then, before starting sssd in your container, create an empty volume and mount it at /usr/lib/x86_64-linux-gnu/ldb/modules/ldb;
3. then copy the original contents of /usr/lib/x86_64-linux-gnu/ldb/modules/ldb from /usr/lib/x86_64-linux-gnu/ldb/modules/ldb-orig into the new volume;
4. then start sssd.
This seems to be fixed with Linux 5.8. I think it was this fix, but I'm not sure.
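The steps in the answer above, written out as a container entrypoint. This is an added example, not the answer's own code: it assumes the Dockerfile has already moved the module directory to the ldb-orig path the answer names, that the empty volume is mounted at the original path, and that GNU stat and sssd's -i (foreground) flag are available.

```shell
#!/bin/sh
# Added example, not from the answer above: an entrypoint that applies the ldb-module
# workaround the answer describes before starting sssd. Paths are the ones the answer
# names; the empty volume is assumed to be mounted at $LDB_DIR by the container runtime.
# Dockerfile side (assumed): RUN mv /usr/lib/x86_64-linux-gnu/ldb/modules/ldb \
#                                   /usr/lib/x86_64-linux-gnu/ldb/modules/ldb-orig
set -eu
LDB_DIR="${LDB_DIR:-/usr/lib/x86_64-linux-gnu/ldb/modules/ldb}"
LDB_ORIG="${LDB_ORIG:-/usr/lib/x86_64-linux-gnu/ldb/modules/ldb-orig}"

# Filesystem type backing directory $1 (GNU stat assumed). If this still says
# overlayfs, the volume mount did not take effect and sssd will fail the same way.
fs_type_of() {
  stat -f -c %T "$1" 2>/dev/null || echo unknown
}

# Populate the mounted volume $2 from the saved copy $1.
# Returns 0 when $2 ends up populated, 1 if the saved copy is missing,
# 2 if $2 already holds files (a re-used volume, left untouched).
restore_ldb_modules() {
  src="$1"; dst="$2"
  [ -d "$src" ] || return 1
  mkdir -p "$dst"
  [ -z "$(ls -A "$dst")" ] || return 2
  cp -a "$src"/. "$dst"/
  [ -n "$(ls -A "$dst")" ]
}

# Number of module files present under $1, for a sanity check after the copy.
count_modules() {
  find "$1" -type f | wc -l | tr -d ' '
}

main() {
  case "$(fs_type_of "$LDB_DIR")" in
    overlay|overlayfs) echo "warning: $LDB_DIR is still on overlayfs; mount a volume there" >&2 ;;
  esac
  rc=0; restore_ldb_modules "$LDB_ORIG" "$LDB_DIR" || rc=$?
  case "$rc" in
    0) echo "restored $(count_modules "$LDB_DIR") ldb modules into $LDB_DIR" ;;
    2) echo "$LDB_DIR already populated, leaving it alone" ;;
    *) echo "error: saved modules not found at $LDB_ORIG" >&2; exit 1 ;;
  esac
  # Foreground sssd so the container follows its lifetime; -i is sssd's interactive flag.
  exec sssd -i "$@"
}
case "${1:-}" in --start) shift; main "$@" ;; esac
```

Invoke it as the container's ENTRYPOINT with --start; extra arguments are passed through to sssd.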
I was able to manage a workaround by not using sssd (--no-sssd option).

puppet master not signing certificate

I am using puppet with cobbler and I am having a problem with certificate signing. I have configured it so that cobbler will revoke the puppet client certificate when a puppet-managed machine is reinstalled. The revoking part runs just fine and puppetmaster listed the new client certificate, but puppetmaster failed to sign it, so the puppet client failed to run.
This is the output when I listed all the certificates on puppet master:
# puppet cert list -a
+ "spacewalk" (SHA256) E3:63:F1:9A:10:1E:AD:20:72:DA:17:0E:0F:EB:F5:2B:9E:7E:26:80:8D:58:2E:28:A2:2D:68:01:F7:BD:A8:B3 (alt names: "DNS:puppet", "DNS:puppet.playground.local", "DNS:spacewalk")
- "p1.playground.local" (SHA256) CD:AD:3E:04:04:C0:84:88:A0:67:F7:56:57:F1:67:82:43:31:CE:37:71:10:01:AD:15:DE:5A:0E:2E:7C:63:DE (unable to get local issuer certificate)
This is the error when I ran puppet agent -t on the puppet client:
err: Could not retrieve catalog from remote server: SSL_connect returned=1 errno=0 state=SSLv3 read server certificate B: certificate verify failed
warning: Not using cache on failed catalog
err: Could not retrieve catalog; skipping run
This is the error when I try to get the master to sign the certificate:
# puppet cert sign p1.playground.local
Error: Could not find certificate request for p1.playground.local
This is the error after running puppet agent -t upon revoking the certificate:
# puppet agent -t
info: Creating a new SSL key for p1.playground.local
warning: peer certificate won't be verified in this SSL session
info: Caching certificate for ca
warning: peer certificate won't be verified in this SSL session
warning: peer certificate won't be verified in this SSL session
info: Creating a new SSL certificate request for p1.playground.local
info: Certificate Request fingerprint (md5): 65:F0:6D:8D:66:89:57:13:11:A6:DD:02:DF:DC:C1:7B
warning: peer certificate won't be verified in this SSL session
err: Could not request certificate: Could not intern from s: nested asn1 error
Exiting; failed to retrieve certificate and waitforcert is disabled
I removed the /var/lib/puppet/ssl directory on the client, reran puppet agent -t, and got the same error as above.
Finally I tried removing the /var/lib/puppet/ssl directory on both master and client and regenerating the certificates, and all is good. Even though I can just remove the ssl directory every time before I start the auto installation, it would be great if I didn't have to do it manually.
Any help is appreciated.
Thanks.