You get an error message when running a job such as a pipeline deployment in Continuous Delivery for Puppet Enterprise.
Your job’s logs show this error message in Continuous Delivery for PE. This means you have an expired CA certificate in your application settings.
2022-02-22 22:22:22 UTC: Downloading job scripts and control repo from CD4PE.
2022-02-22 22:22:22 UTC: cd4pe_client: requesting get https://cd4pe.example.com/cd4pe/Automation/getJobScriptAndControlRepo?jobInstanceId=1234 with read timeout: 1740 seconds
2022-02-22 22:22:22 UTC: Failed to get https://cd4pe.example.com/cd4pe/Automation/getJobScriptAndControlRepo?jobInstanceId=1234. SSL_connect returned=1 errno=0 state=error: certificate verify failed (certificate has expired).
2022-02-22 22:22:22 UTC: Total request time: 0.012345678 seconds
Version and installation information
CD4PE version: 4.x
Replace your expired CA certificate with a new one and redeploy the application in Continuous Delivery for PE.
To check if you have an expired CA certificate, follow these steps:
Log in to the Puppet Application Manager UI at port 8800.
Select the Config tab.
Under Optional configuration, select View options for certificates.
If Provide my own certs is selected, you have an expired CA certificate in your organization’s certification chain, and it needs to be replaced.
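To see from the command line which certificate in a chain has expired, matching the "certificate has expired" error in the job log, the following is an added example and not part of the original article. It assumes openssl is installed and that the CA chain has been saved to a PEM file; the function name check_pem_bundle and the file name in the usage comment are hypothetical.

```shell
#!/bin/sh
# Added example. check_pem_bundle is a hypothetical helper, not a CD4PE tool.
# Usage: sh check_chain.sh ca-chain.pem [SECONDS]
# Prints one line per certificate in a PEM bundle. Returns 0 if every
# certificate is still valid SECONDS from now (default 0 = right now),
# 1 if any certificate has expired or expires within SECONDS, and
# 2 if the file contains no certificates.
check_pem_bundle() {
    bundle=$1
    window=${2:-0}
    tmpdir=$(mktemp -d) || return 2
    # Split the bundle into one file per certificate. Leading whitespace is
    # stripped so PEM text copied out of an indented YAML block also parses.
    awk -v dir="$tmpdir" '
        { sub(/^[ \t]+/, "") }
        /-----BEGIN CERTIFICATE-----/ { n++; out = sprintf("%s/cert%03d.pem", dir, n) }
        out != "" { print > out }
        /-----END CERTIFICATE-----/ { close(out); out = "" }
    ' "$bundle"
    status=0
    found=0
    for cert in "$tmpdir"/cert*.pem; do
        [ -f "$cert" ] || continue
        found=1
        subject=$(openssl x509 -in "$cert" -noout -subject)
        enddate=$(openssl x509 -in "$cert" -noout -enddate)
        # -checkend N exits non-zero if the certificate expires within N seconds.
        if openssl x509 -in "$cert" -noout -checkend "$window" >/dev/null; then
            echo "OK    $enddate  $subject"
        else
            echo "FAIL  $enddate  $subject"
            status=1
        fi
    done
    rm -rf "$tmpdir"
    if [ "$found" -ne 1 ]; then
        echo "no certificates found in $bundle" >&2
        return 2
    fi
    return "$status"
}

# Run the check only when a file name is given on the command line.
if [ "$#" -gt 0 ]; then
    check_pem_bundle "$@"
    exit $?
fi
```

Passing a window such as 2592000 (30 days) as the second argument also flags certificates that are about to expire.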
To replace an expired CA certificate, follow these steps:
Under Optional configuration, if Use generated certs is selected:
SSH into the Continuous Delivery for PE/Puppet Application Manager server.
Download the specification files:
/usr/local/bin/kubectl-kots --kubeconfig /etc/kubernetes/admin.conf download -n default --slug cd4pe
issuer_certs parameter value from ./cd4pe/upstream/userdata/config.yaml. It should look like this:
    -----END CERTIFICATE-----
issuer_certs:
  value:
issuer_key:
  default: |
    -----BEGIN RSA PRIVATE KEY-----
Upload the new application:
/usr/local/bin/kubectl-kots --kubeconfig /etc/kubernetes/admin.conf upload -n default --slug cd4pe ./cd4pe --deploy
In the Puppet Application Manager UI, go to the Version history tab. Check to make sure the new version is deployed.
If you continue to have issues, please open a Support ticket.
How can we improve this article?
I had this issue and followed the instructions, which are fine as such but doing this also upgrades the CD4PE to the latest version (from 4.19.0 to 4.20.0 in my case). I feel that should not be done this way, i.e. a forced update, when fixing the SSL issue.
Looks like you're working with the team already, they'll let me know if we need to make any fixes here based on your experience. Thanks for the feedback, and sorry for the frustration.