During installation of some older versions of Puppet Enterprise on Debian, Ubuntu, and SLES 15 nodes, a failure might occur when PE packages are being added to the system. The GPG key bundled with PE versions prior to 2019.8.4 expired on 17 August 2021. The expired key causes PE installation to fail on Debian, Ubuntu, and SLES 15 nodes.
Note: While PE 2019.8 is still supported, we recommend updating to the latest patch release to resolve this issue. Versions older than PE 2019.8 are end of life and are no longer eligible for security updates and bug fixes. If you are using an end-of-life version, we encourage you to plan an upgrade to a mainstream supported version.
Error messages and logs
When installing, the error and warning messages are logged to one of two locations:
Node type | Method of installation | Logged to |
---|---|---|
Primary server | puppet-enterprise-installer script | /var/log/puppetlabs/installer |
Agent | install.bash script or apt-get | stdout |
Debian and Ubuntu error message:
W: GPG error: ./ Release: The following signatures were invalid: KEYEXPIRED 1629234366
...
WARNING: The following packages cannot be authenticated!
<LIST OF PACKAGES>
E: There are problems and -y was used without --force-yes
SLES 15 error message:
Warning: The gpg key signing file 'repomd.xml' has expired.
Repository: puppet-enterprise
Key Name: Puppet, Inc. Release Key (Puppet, Inc. Release Key) <release@puppet.com>
Key Fingerprint: 6F6B1550 9CF8E59E 6E469F32 7F438280 EF8D349F
Key Created: Thu 18 Aug 2016 10:06:06 PM BST
Key Expires: Tue 17 Aug 2021 10:06:06 PM BST (EXPIRED)
Rpm Name: gpg-pubkey-ef8d349f-57b6233e
Signature verification failed for file 'repomd.xml' from repository 'puppet-enterprise'.
Version and installation information
PE version: 2016.4.0 to 2019.8.4
OS: Debian, Ubuntu, SLES 15
Solution
To resolve the error, update the key. After completing these steps, if you upgrade to any version of PE prior to 2019.8.4, you must complete the steps in this article again to resolve the issue.
When installing Ubuntu infrastructure nodes
Import the updated GPG key and then run the puppet-enterprise-installer.
- Download the GPG-KEY-puppet file attached at the bottom of this article.
- On PE infrastructure nodes, import it to your apt keyring.
  apt-key add GPG-KEY-puppet
- Continue with PE installation by running puppet-enterprise-installer.
When installing Debian, Ubuntu, or SLES 15 agent nodes
If you’re using the pe_repo module to install agents, you can use these steps to update the GPG key used by the install.bash script.
- Download the GPG-KEY-puppet file attached at the bottom of this article. Copy it to the primary server.
- Copy the key to the pe_repo module.
  cp GPG-KEY-puppet \
    /opt/puppetlabs/puppet/modules/pe_repo/files/GPG-KEY-puppet
  cp GPG-KEY-puppet \
    /opt/puppetlabs/server/data/environments/enterprise/modules/pe_repo/files/GPG-KEY-puppet
- On each PE infrastructure node, update the install.bash script by running puppet agent -t.
If you have a replica, complete these steps on the replica to ensure that install.bash is not reverted during replica failover or promotion.
Note: If you’re using a package manager or your own script to install agents, you must distribute the key to each agent via other means.
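Both procedures above place a downloaded GPG-KEY-puppet file into a package trust store (the apt keyring, or the pe_repo module that serves it to agents). The sketch below is an added example, not code from Puppet or from this article: it checks the file's fingerprint and expiry before import, assuming a GnuPG build that supports --show-keys. The function names and the sample records are constructed here, and the expected fingerprint is supplied by the caller, because the page lists only the expired key's fingerprint.

```shell
#!/bin/sh
# Added example: inspect a key file before "apt-key add" or copying it into pe_repo.

# check_key_colons EXPECTED_FPR [NOW_EPOCH]
#   stdin : output of `gpg --show-keys --with-colons FILE`
#   stdout: one status line
#   return: 0 ok, 1 fingerprint mismatch, 2 expired, 3 no key found
check_key_colons() {
    # Normalise the expected fingerprint: drop spaces, upper-case hex digits.
    want=$(printf '%s' "$1" | tr -d ' ' | tr 'a-f' 'A-F')
    now=${2:-$(date +%s)}
    awk -F: -v want="$want" -v now="$now" '
        # First pub record: field 7 is the expiry time (epoch seconds, empty = never).
        $1 == "pub" && !seen_pub { expires = $7; seen_pub = 1; next }
        # First fpr record after it: field 10 is the primary key fingerprint.
        $1 == "fpr" && seen_pub && fpr == "" { fpr = $10 }
        END {
            if (fpr == "")   { print "no-key"; exit 3 }
            if (fpr != want) { print "fingerprint-mismatch " fpr; exit 1 }
            if (expires != "" && expires + 0 <= now + 0) {
                print "expired " expires; exit 2
            }
            print "ok " (expires == "" ? "never" : expires)
        }'
}

# check_key_file FILE EXPECTED_FPR (hypothetical wrapper; does not import anything)
check_key_file() {
    gpg --show-keys --with-colons "$1" | check_key_colons "$2"
}

# Constructed sample: colon records shaped like gpg output for the EXPIRED key
# described in the SLES 15 message above (fingerprint, creation time from the
# rpm name, expiry 1629234366). Key length and algorithm fields are made up.
SAMPLE_EXPIRED='pub:e:4096:1:7F438280EF8D349F:1471554366:1629234366::-:::sc:
fpr:::::::::6F6B15509CF8E59E6E469F327F438280EF8D349F:'
```

A typical call is `check_key_file GPG-KEY-puppet "<FINGERPRINT FROM A TRUSTED SOURCE>" && apt-key add GPG-KEY-puppet`, so the import runs only when the status is ok.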
3 comments
Hello,
The article above says only about new installations. How do I update the expired keys for existing nodes?
Thanks in advance!
Hi, it's possible that this might help you: https://support.puppet.com/hc/en-us/articles/236358027 . If it does let me know and I'll go ahead and add the link at the top to help people find it.
I've asked the person who wrote the article to come take a look as well, so we can get you some help on this.
Hi Abhinav,
Access to an unexpired GPG key is only required when installing or upgrading the puppet-agent package on a Debian or Ubuntu node. For the case of an upgrade, I would recommend upgrading to at least the latest LTS release (2016.4.3 as of this posting) which is unaffected by the expired GPG key.
If the question is about an expired _agent certificate_ and not the package GPG key, then the article Suzie linked should provide a good starting point for getting a new agent certificate set up.
Hope this helps!