Support #10143

closed

newly generated certificate will be deleted by provisioning process

Added by Christian Meißner about 9 years ago. Updated almost 8 years ago.

Status: Resolved
Priority: Normal
Assignee: -
Category: PuppetCA
Target version: -
Triaged:
Fixed in Releases:
Found in Releases:

Description

I try to add a vmware compute instance. OS provisioning will be image based. All works well except puppet certificate generation.

  1. Remove puppet certificate for foo
  2. Adding autosign entry for foo
  3. Revoked old certificates and enabled autosign

But then the following steps run:

  1. Found foo
  2. Remove puppet certificate for foo
  3. Adding autosign entry for foo
  4. Delete the autosign entry for foo

After that I get a host but no puppet association is given. In puppetca there exists a revoked certificate for the host.

My Environment is:

Distributor ID: Ubuntu
Description: Ubuntu 14.04.2 LTS
Release: 14.04
Codename: trusty

foreman 1.7.3-1
foreman-compute 1.7.3-1
foreman-proxy 1.7.3-1
foreman-sqlite3 1.7.3-1
foreman-vmware 1.7.3-1
foremancli 1.0-2

puppet 3.7.5-1puppetlabs1
puppet-common 3.7.5-1puppetlabs1
puppetlabs-release 1.0-11
puppetmaster-common 3.7.5-1puppetlabs1
puppetmaster-passenger 3.7.5-1puppetlabs1

Cheers

Christian


Files

first_try_creation_finalisation_w_certs.log (24.2 KB), Christian Meißner, 04/15/2015 03:45 AM
finish Template.txt (2.14 KB), Christian Meißner, 04/16/2015 01:32 AM
Actions #1

Updated by Anonymous about 9 years ago

Unfortunately the logs do not tell much here and I have never used image-based provisioning, but anyway... The autosign entry will also get removed when the host is set to "built", regardless of the certificate state, so I suspect there's something not working when the puppet agent is triggered to do the certificate request in the finish script (or it's not triggered). Maybe the whole output of the finish script can be redirected to some file on the new node so you can fetch that after it got provisioned?

Actions #2

Updated by Christian Meißner about 9 years ago

Hi Michael,

Attached you can find the review of the finish template. I added line 53 because puppet never ran after provisioning. What is strange is that puppet will update the config without a murmur, and that with a revoked certificate. I have no idea why this works this way and this is not good to see.

Actions #3

Updated by Anonymous about 9 years ago

The finish template itself is no help without seeing what's the actual output to get a clue what's happening and where it's going wrong. BTW, I didn't see any call to /unattended/built in production.log. As I get from the original issue there's also no certificate sign request submitted to the puppet master?

Actions #4

Updated by Christian Meißner about 9 years ago

Ok, what should I do to provide you the necessary input?
Which reasons are possible for:

  1. no call to /unattended/build
  2. no signing request

Maybe it is a configuration problem. I'm completely new to Foreman in combination with Puppet.

Actions #5

Updated by Lionel Beard over 8 years ago

For information, I get the same issue with VMware template provisioning, and it was solved by modifying the last line in the finish template:

/usr/bin/wget --no-proxy --quiet --output-document=/dev/null --no-check-certificate <%= foreman_url %>
to
/usr/bin/wget --no-proxy --quiet --output-document=/dev/null --no-check-certificate <%= foreman_url('built') %>

Actions #6

Updated by Anonymous almost 8 years ago

  • Status changed from New to Resolved

The change referenced was made to all the Foreman templates where needed in the meanwhile, AFAICT.
