SSL Certificate mismatch when installing with the installer
|Assigned To:||Dominic Cleal|
|Found in release:||1.12.0||Pull request:||https://github.com/theforeman/puppet-puppet/pull/444|
|Velocity based estimate||-|
I consistently get the following error in the foreman-ssl_error_ssl.log
[Thu Jun 30 11:41:00.650431 2016] [ssl:emerg] [pid 6384] AH02238: Unable to configure RSA server private key
[Thu Jun 30 11:41:00.650484 2016] [ssl:emerg] [pid 6384] SSL Library Error: error:0B080074:x509 certificate routines:X509_check_private_key:key values mismatch
A modulus check of the certificates shows them to be good, and deleting and recreating the certs using the puppet tools give the same results.
Im attempting the install on a vanilla Centos7 box. Specifically the above error was generated on a vagrant box using the puppet labs nocm centos7 box, but i get it on Backspace and AWS VM's also.
To recreate spin up a box and follow the installation quick start guide. No additional options were setup for the installer.
Dominic Cleal wrote:
The file should be generated by the Puppet CA generation, along with /etc/puppetlabs/puppet/ssl/ca/. If the CA isn't generated at all then the agent probably already has a certificate of its own (from another CA?) and so the installation step may be skipped.
I am also hitting this problem on a fresh CentOS 7 install. HTTPD fails to start after having run foreman-installer:
"AH02238: Unable to configure RSA server private key
SSL Library Error: error:0B080074:x509 certificate routines:X509_check_private_key:key values mismatch"
It's not clear what's the workaround here. Please advise.
#4 Updated by Daniel Augustin 8 months ago
I can also confirm the above behavior with a fresh centos 7 installation on VirtualBox.
Here is the history, should be reproducible:
yum -y update yum -y localinstall https://yum.puppetlabs.com/puppetlabs-release-pc1-el-7.noarch.rpm yum -y localinstall https://yum.theforeman.org/releases/1.12/el7/x86_64/foreman-release.rpm yum -y install epel-release virt-who yum -y install foreman-installer foreman-installer \ --enable-foreman-plugin-ansible \ --enable-foreman-plugin-bootdisk \ --enable-foreman-plugin-dhcp-browser \ --enable-foreman-plugin-docker \ --enable-foreman-plugin-puppetdb \ --enable-foreman-compute-libvirt \ --enable-foreman-compute-openstack \ --enable-foreman-compute-ovirt \ --enable-foreman-proxy-plugin-pulp \ --enable-foreman-proxy-plugin-remote-execution-ssh
# tail -2 /var/log/httpd/foreman-ssl_error_ssl.log [Wed Jul 27 20:05:36.959424 2016] [ssl:emerg] [pid 16115] AH02238: Unable to configure RSA server private key [Wed Jul 27 20:05:36.959441 2016] [ssl:emerg] [pid 16115] SSL Library Error: error:0B080074:x509 certificate routines:X509_check_private_key:key values mismatch
#5 Updated by Daniel Lobato Garcia 8 months ago
I tried to debug this a bit with rfkrocktk on IRC - https://gist.github.com/dLobatog/a573481138ced85cefd96ff0508e98c9 seemed to workaround the issue (the 2nd time foreman-installer finished successfully)
#7 Updated by bryan cochrane 7 months ago
I ran through the gist and foreman-installer still gives some errors.
/opt/puppetlabs/bin/puppet cert --generate ee-puppet returned 24 instead of one of 
/Stage[main]/Puppet::Server::Config/Exec[puppet_server_config-generate_ca_cert]/returns: change from notrun to 0 failed: /opt/puppetlabs/bin/puppet cert --generate ee-puppet returned 24 instead of one of 
Something went wrong! Check the log for ERROR-level output
#10 Updated by Dominic Cleal 5 months ago
- Status changed from New to Ready For Testing
- Assigned To set to Dominic Cleal
- Pull request https://github.com/theforeman/puppet-puppet/pull/444 added
I think this can occur due to a race generating the private key between the Puppet agent starting, and the "puppet cert generate $fqdn" command run by the installer.
The agent will create a private key, but nothing else as it's not got a master or CA, while the generate command will create a private key for the host and then sign it with a new CA cert. If the agent process is still generating the key while the generate command has already written its key, the key will then be overwritten with the agent's key, which differs from the key used for the generated cert.
This can be seen if you slow down the key generation in the agent by editing ssl/key.rb in the Puppet installation, adding
sleep 5 if ARGV == ['agent'] into the
#generate method, deleting the SSL dir, then running
service puppet start and
puppet cert generate $fqdn in parallel. The key/cert will not match as the key is overwritten by the slower agent.