Skip to main content

Resolve a “certificate verify failed (certificate has expired)” error in Continuous Delivery for Puppet Enterprise

Miranda Streeter
  • Updated

You get an error message when running a job such as a pipeline deployment in Continuous Delivery for Puppet Enterprise.

Error messages

Your job’s logs show this error message in Continuous Delivery for PE. This means you have an expired CA certificate in your application settings.

2022-02-22 22:22:22 UTC: Downloading job scripts and control repo from CD4PE.
2022-02-22 22:22:22 UTC: cd4pe_client: requesting get https://cd4pe.example.com/cd4pe/Automation/getJobScriptAndControlRepo?jobInstanceId=1234 with read timeout: 1740 seconds
2022-02-22 22:22:22 UTC: Failed to get https://cd4pe.example.com/cd4pe/Automation/getJobScriptAndControlRepo?jobInstanceId=1234. SSL_connect returned=1 errno=0 state=error: certificate verify failed (certificate has expired).
2022-02-22 22:22:22 UTC: Total request time: 0.012345678 seconds

Version and installation information

CD4PE version: 4.x

Solution

Replace your expired CA certificate with a new one and redeploy the application in Continuous Delivery for PE.

To check if you have an expired CA certificate, follow these steps:

Log in to the Puppet Application Manager UI at port 8800. Select the Config tab. Under Optional configuration, select View options for certificates. If the Provide my own certs is selected, you have an expired CA certificate in your organization’s certification chain, and it needs to get replaced.

To replace an expired CA certificate, follow these steps:

  1. Under Optional configuration, if Use generated certs is selected:

    1. SSH into the Continuous Delivery for PE/Puppet Application Manager server.

    2. Download the specification files:

    /usr/local/bin/kubectl-kots --kubeconfig /etc/kubernetes/admin.conf download -n default --slug cd4pe

  2. Remove the issuer_certs parameter value from ./cd4pe/upstream/userdata/config.yaml. It should look like this:

            -----END CERTIFICATE-----
    issuer_certs:
      value: 
    issuer_key:
      default: |
        -----BEGIN RSA PRIVATE KEY-----

  3. Upload the new application config:

    /usr/local/bin/kubectl-kots --kubeconfig /etc/kubernetes/admin.conf upload -n default --slug cd4pe ./cd4pe --deploy

  4. In the Puppet Application Manager UI, go to the Version history tab. Check to make sure the new version is deployed.

If you continue to have issues, please open a Support ticket.

Did this solve your problem?
0 out of 0 found this helpful

How can we improve this article?

2 comments

Date Votes
  • Florus Both
    • Edited

    I had this issue and followed the instructions, which are fine as such but doing this also upgrades the CD4PE to the latest version (from 4.19.0 to 4.20.0 in my case). I feel that should not be done this way, i.e. a forced update, when fixing the SSL issue.

    0
  • Suzie Baunsgard

    Hi Florus,

    Looks like you're working with the team already, they'll let me know if we need to make any fixes here based on your experience. Thanks for the feedback, and sorry for the frustration. 

    0

Please sign in to leave a comment.

Related articles