You’re using a proxy, and code deployments in Continuous Delivery for Puppet Enterprise fail with “forgeapi.puppetlabs.com” errors.
Error messages and logs
Code deployment fails with the following error:
Unable to connect to https://forgeapi.puppetlabs.com (for request /v3/modules/puppet-archive): SSL peer certificate or SSH remote key was not OK.
During deployments, Code Manager makes requests to forgeapi.puppet.com to determine whether Forge modules listed in the Puppetfile need to be updated. The SSL error indicates that a proxy is likely intercepting the connection and presenting a certificate that Code Manager doesn’t recognize.
Version and installation information
Product: Continuous Delivery for Puppet Enterprise
If you are using modules from the Forge, your network needs to be able to connect to forgeapi.puppetlabs.com. The external web URLs used by PE for configuration and management tasks are listed in our documentation. Make sure they’re reachable from your network.
Forge servers are hosted in AWS, so connections to forgeapi.puppetlabs.com should return a certificate signed by C=US; O=Amazon; OU=Server CA 1B; CN=Amazon.
If you are using a proxy that intercepts the connection to the Forge, you need to make sure that your configuration allows the proxy to connect to the Forge. If the proxy is using a certificate that isn’t issued by the Puppet certificate authority (CA), you can configure the Code Manager service to trust intercepting proxies by adding CA certs to the puppet-agent SSL bundle.
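To confirm whether a proxy is intercepting the connection, this added example (not part of the original article and not Puppet's code) compares the issuer presented for forgeapi.puppetlabs.com with the one stated above. The function names and the `--live` switch are assumptions for illustration, and the issuer strings shown in the comments are constructed samples of OpenSSL output.

```shell
#!/bin/sh
# Added example, not Puppet's code. Function names and the --live flag are hypothetical.
# Expected issuer as stated in the article; update it if the Forge's issuing CA changes.
FORGE_HOST="forgeapi.puppetlabs.com"
EXPECTED_ISSUER="C=US;O=Amazon;OU=Server CA 1B;CN=Amazon"

# Print the issuer of the certificate actually presented on port 443.
# Needs network access and the openssl CLI. Behind an explicit HTTP proxy,
# add "-proxy host:port" to s_client (OpenSSL 1.1.0 or later).
fetch_issuer() {
  openssl s_client -connect "${1:-$FORGE_HOST}:443" -servername "${1:-$FORGE_HOST}" \
    </dev/null 2>/dev/null | openssl x509 -noout -issuer 2>/dev/null
}

# Reduce both OpenSSL output styles to "C=US;O=Amazon;...":
#   issuer=C = US, O = Amazon, ...      (newer releases)
#   issuer= /C=US/O=Amazon/...          (older releases)
# Values that contain "," or "/" are split too, which is fine for an equality check.
normalize_issuer() {
  printf '%s\n' "$1" | sed -e 's/^issuer *= *//' -e 's/ *= */=/g' \
    -e 's|^/||' -e 's| *[,/] *|;|g'
}

# Exit 0 when the issuer is the one the article expects, 1 otherwise.
classify_issuer() {
  norm="$(normalize_issuer "$1")"
  if [ -z "$norm" ]; then
    echo "no-certificate: TLS handshake did not return a certificate"
    return 1
  elif [ "$norm" = "$EXPECTED_ISSUER" ]; then
    echo "forge-expected: $norm"
    return 0
  fi
  echo "unexpected-issuer: $norm (likely an intercepting proxy)"
  return 1
}

# Live check only when asked for, so the functions can be sourced and tested offline.
if [ "${1:-}" = "--live" ]; then
  classify_issuer "$(fetch_issuer)"
fi
```

Run it with `--live` from the host that performs the deployment; an `unexpected-issuer` result names the CA whose certificate would need to be added to the trusted bundle.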