Installing or upgrading Puppet Enterprise 2019.8.10 agent packages on a Solaris 11 node fails with a certificate not present in the trust-anchor-directory error.
Error messages and logs
When installing the Puppet agent package:
pkg install puppet-agent@6.26.0
Creating Plan (Finding local manifests): /
pkg install: The signing certificate chain is rooted in a certificate not present in the trust-anchor-directory.
See the image properties section of pkg(1).
Certificate Subject:C=US,O=thawte\, Inc.,OU=Certification Services Division,OU=(c) 2006 thawte\, Inc. - For authorized use only,CN=thawte Primary Root CA
The package involved is pkg://puppetlabs.com/puppet-agent@6.26.0,5.11-1:20220119T003732Z
On the command line or In the agent log (by default /var/log/messages on Linux, /var/log/system.log on macOS, and /var/adm/messages on Solaris) you see errors similar to:
2022-03-06T08:35:03.000000+11:00 hostx001 puppet-agent[24173]: [ID 702911Version and installation information
PE version: 2019.8.10
This issue was resolved in PE 2019.8.11.
OS: Solaris
Solution
In the SRU 39 update to Solaris 11 (October 2021), the primary root certificate for the thawte Primary Root CA was removed from the trusted set.
A workaround is available from Oracle in the README for SRU 39, you need Oracle Support credentials to access it.
After you complete the bugfix, you should be able to install or upgrade Puppet Enterprise 2019.8.10.
How can we improve this article?
0 comments
Please sign in to leave a comment.
Related articles