If you host your own code repository and its certificate is self-signed, you must change some settings before Code Manager will let you deploy code from it.
Error messages and logs
In /var/log/puppetlabs/puppetserver/puppetserver.log, messages such as:
2017-04-06 11:33:17,569 INFO [deploy-pool-1] [p.c.core] Attempting to deploy environment 'test_env'...
2017-04-06 11:33:24,393 ERROR [deploy-pool-1] [p.c.core] Errors while deploying environment 'test_env' (exit code: 1):
ERROR -> The SSL certificate is invalid
Version and installation information
PE version: 2016.1 to 2016.4, 2017.1, 2017.3, 2018.1.7
Installation type: Monolithic or split
Solution:
There are two options that will allow Code Manager to deploy code from your repository. You can:
- Use a Git source instead of an HTTPS source to refer to your repository in your Puppetfile. This option requires adding SSH keys to your Puppet master and your repository.
- Add a certificate authority (CA) cert for the repository to the list of trusted CAs in /opt/puppetlabs/puppet/ssl/cert.pem.
Changing the reference to your Git repository in your Puppetfile and using SSH keys is secure, but might require some work and time to set up. Adding a CA cert for the repository to the list of trusted CAs in /opt/puppetlabs/puppet/ssl/cert.pem is less work, but it is less secure than using SSH keys, and you must remember to do it again each time you upgrade PE.
Option one: Use a Git source instead of an HTTPS source
To deploy code from your repository using a Git source, configure a private SSH key on your Puppet master and a public SSH key on your repository:
- In your Puppetfile, change references to your Git repository from an HTTPS source to a Git source. For example, change:
    mod 'site_data', :git => 'https://example.com/user/site_data.git'
  to:
    mod 'site_data', :git => 'git@example.com:user/site_data.git'
- Configure your SSH keys. Configure the private key using our documentation on how to Declare module or data content with SSH private key authentication for PE 2018.1.
  Note: Use the version selector to choose the right version of our documentation for your deployment.
  The details of configuring your public key depend on how your Git repository is configured. Talk to your Git repository administrator.
Option two: Add a trusted CA cert
If you are unable to specify a Git source, add your repository to the list of CAs trusted by Code Manager by adding a CA cert to the file /opt/puppetlabs/puppet/ssl/cert.pem.
- Transfer the cert (ca.pem) file to your CA node.
- On the CA node, add the cert to the list of CAs trusted by Code Manager:
    cat ca.pem >> /opt/puppetlabs/puppet/ssl/cert.pem
Agent runs won't revert changes made to cert.pem because the file isn't managed by PE, but upgrades to PE will overwrite the file. After you upgrade PE, you must add the CA cert to cert.pem again.
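Because the append has to be repeated after every PE upgrade, an idempotent form of the `cat` step is useful. The script below is an added example, not Puppet's own tooling: the script name `trust_ca.sh`, the function names and the `ENSURE_RESULT` variable are made up for illustration, and it compares certificates by their base64 body instead of calling openssl.

```shell
#!/bin/sh
# Added example: idempotently trust a repository CA cert (not Puppet tooling).

# Print the base64 body of every certificate in PEM file $1, one per line.
pem_bodies() {
    awk '
        /-----BEGIN CERTIFICATE-----/ { in_cert = 1; body = ""; next }
        /-----END CERTIFICATE-----/   { if (in_cert) print body; in_cert = 0; next }
        in_cert { gsub(/[ \t\r]/, ""); body = body $0 }
    ' "$1"
}

# ensure_ca_trusted CA_FILE BUNDLE
# Appends CA_FILE to BUNDLE unless an identical cert is already there.
# Sets ENSURE_RESULT (hypothetical name) to "present" or "added".
ensure_ca_trusted() {
    ca_file=$1
    bundle=$2
    if [ ! -r "$ca_file" ] || [ ! -w "$bundle" ]; then
        echo "error: need a readable cert and a writable bundle" >&2
        return 1
    fi
    # Accept exactly one certificate; reject key material and chain files.
    n=$(grep -c -e '-----BEGIN CERTIFICATE-----' "$ca_file" || true)
    if [ "$n" -ne 1 ] || grep -q 'PRIVATE KEY' "$ca_file"; then
        echo "error: $ca_file must hold one certificate and no key" >&2
        return 1
    fi
    want=$(pem_bodies "$ca_file")
    if [ -z "$want" ]; then
        echo "error: certificate in $ca_file is empty or unterminated" >&2
        return 1
    fi
    if pem_bodies "$bundle" | grep -Fxq -e "$want"; then
        ENSURE_RESULT=present
        return 0
    fi
    cp -p "$bundle" "$bundle.bak"            # keep a copy to roll back to
    # Avoid gluing the new BEGIN line onto an unterminated last line.
    [ -z "$(tail -c 1 "$bundle")" ] || printf '\n' >> "$bundle"
    cat "$ca_file" >> "$bundle"
    ENSURE_RESULT=added
}

# Usage: sh trust_ca.sh ca.pem /opt/puppetlabs/puppet/ssl/cert.pem
[ "$#" -eq 0 ] || ensure_ca_trusted "$@"
```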
3 comments
Thanks Erik. Is there any way the installer can be updated that "if /opt/puppetlabs/puppet/ssl/cert.pem is symlink" to re-add symlink after installer completes?
Hi, Erik's out for a few days, I'm going to ask one of the other engineers to help you out.
The answer that I got: it's not possible to do that with the installer. If you have other questions on the article, I'll be happy to pass them along. (I am the writer in the group, I want to make sure I get you the right info, but also can't always answer directly.)