Bug #1883
Bare metal install fails to pull kickstart file
Status: closed
Description
Anaconda is unable to load kickstart files when kicking new host. WEBrick gives following error:
Started GET "/unattended/provision" for 10.21.96.90 at Wed Oct 03 14:21:08 -0700 2012
Processing by UnattendedController#provision as HTML
Found lxtest2.local.com
Remove puppet certificate for lxtest2.local.com
Failed to remove lxtest2.local.com's puppet certificate: 406 Not Acceptable
Rendered text template (0.0ms)
Completed 500 Internal Server Error in 970ms (Views: 0.9ms | ActiveRecord: 2.6ms)
So it's failing to remove its old puppet certificate, which there shouldn't be one of, since it's a bare-metal/brand-new box. Following on this, here's the log from /var/log/foreman-proxy/proxy.log:
D, [2012-10-03T14:21:08.107492 #1616] DEBUG -- : Found puppetca at /usr/sbin/puppetca
D, [2012-10-03T14:21:08.107688 #1616] DEBUG -- : Found sudo at /usr/bin/sudo
D, [2012-10-03T14:21:08.107756 #1616] DEBUG -- : Executing /usr/bin/sudo -S /usr/sbin/puppetca --clean lxtest2.local.com
W, [2012-10-03T14:21:09.051218 #1616] WARN -- : Failed to run puppetca: ^[[1;35merr: Could not call revoke: Could not find a serial number for lxtest2.local.com^[[0m
Could not find a serial number for lxtest2.local.com
E, [2012-10-03T14:21:09.051639 #1616] ERROR -- : Failed to remove certificate(s) for lxtest2.local.com: Execution of puppetca failed, check log files
Obviously, running it from the command line gives the same result as smart-proxy had.
[root@lxforeman1 ~]# /usr/sbin/puppetca --clean lxtest1.local.com
err: Could not call revoke: Could not find a serial number for lxtest1.local.com
Could not find a serial number for lxtest1.local.com
It looks like the error in WEBrick comes from foreman/app/models/orchestration/puppetca.rb where it tries to delete the cert. As a workaround I'm creating the certs by hand with 'puppetca generate lxtest2.local.com'. I found this in http://theforeman.org/issues/1529
Either creating a new host in the web interface needs to create the initial puppet cert, or calling the kickstart file shouldn't fail if the cert doesn't exist. Not sure which is the best solution.
Updated by Benjamin Papillon over 12 years ago
I think a better approach is to test the cert existence before trying to delete it.
puppetca has a "--list" option that we can use for this purpose.
Updated by Ohad Levy over 12 years ago
are you sure this is not related to puppet 2.7.19 and recent fixes in the proxy?
Updated by Robert Birnie over 12 years ago
It is possible that Puppet 2.7 handles the --clean command differently, causing the bug.
[root@lxforeman1 ~]# puppetca list --all
+ "lxforeman1.local.com" (3C:44:27:65:E0:F3:93:79:53:0A:0F:8E:EE:65:13:22) (alt names: "DNS:localhost", "DNS:localhost.local.com", "DNS:lxforeman1", "DNS:lxforeman1.local.com")
+ "lxkstest1.local.com" (F8:46:50:3D:2E:C7:AA:4D:D3:5C:53:CB:AE:2A:1B:0E)
[root@lxforeman1 ~]# puppetca --clean testserver1.local.com
err: Could not call revoke: Could not find a serial number for testserver1.local.com
Could not find a serial number for testserver1.local.com
[root@lxforeman1 ~]# echo $?
24
[root@lxforeman1 ~]# puppet --version
2.7.19
I'll downgrade to 2.6 and see if the exit code is different.
Updated by Robert Birnie over 12 years ago
Possibly someone else with a 2.6 server can verify. But this looks to be the problem.
[root@lxforeman1m0 ~]# puppetca --clean testserver1m0.etrade.com
notice: Revoked certificate with serial
# Inventory of signed certificates
# SERIAL NOT_BEFORE NOT_AFTER SUBJECT
0x0001 2012-10-03T16:22:06GMT 2017-10-03T16:22:06GMT /CN=Puppet CA: lxforeman1m0.etrade.com
0x0002 2012-10-03T16:22:06GMT 2017-10-03T16:22:06GMT /CN=lxforeman1m0.etrade.com
err: Could not call revoke: Cannot convert into OpenSSL::BN
[root@lxforeman1m0 ~]# echo $?
0
Updated by Greg Sutcliffe over 12 years ago
2.7.19 changed its exit status (you now get exit 24, as you've seen). You'll probably find that an earlier 2.7.x release works fine.
As Ohad mentions, this is fixed in the latest proxy code. If it's suitable for your environment, can you try with the nightly proxy build?
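Benjamin's suggestion earlier in the thread (check `puppetca --list` for the host before trying `--clean`) and Greg's note about the 2.7.19 exit status together describe a safe removal flow. The Ruby below is an added illustration of that flow, not smart-proxy's or Foreman's own code: it parses the `puppetca --list --all` output format shown above, skips the clean when the host has no certificate, and treats a "Could not find a serial number" failure as "nothing to remove" rather than as a hard error. The sample listing, the `run_puppetca` wrapper (which mirrors the `sudo -S /usr/sbin/puppetca` call in the proxy log) and the injectable `runner` parameter are assumptions made for the example.

```ruby
require 'open3'

# Constructed sample of `puppetca --list --all` output in the Puppet 2.7
# format seen in this thread: signed certs are prefixed with "+", revoked
# ones with "-", and pending requests have no prefix. Hostnames and
# fingerprints here are made up for the example.
SAMPLE_LIST_OUTPUT = <<~OUT
  + "lxforeman1.local.com" (3C:44:27:65:E0:F3:93:79:53:0A:0F:8E:EE:65:13:22) (alt names: "DNS:localhost", "DNS:lxforeman1.local.com")
  + "lxkstest1.local.com" (F8:46:50:3D:2E:C7:AA:4D:D3:5C:53:CB:AE:2A:1B:0E)
  "pending1.local.com" (00:11:22:33:44:55:66:77:88:99:AA:BB:CC:DD:EE:FF)
OUT

# One listing line: optional "+"/"-" marker, quoted hostname, fingerprint.
LIST_LINE = /\A([+-])?\s*"([^"]+)"\s+\(([0-9A-Fa-f:]+)\)/

# Parse the listing into { hostname => { state:, fingerprint: } }.
def parse_puppetca_list(output)
  certs = {}
  output.each_line do |line|
    m = LIST_LINE.match(line.strip)
    next unless m
    state = case m[1]
            when '+' then :signed
            when '-' then :revoked
            else :pending
            end
    certs[m[2]] = { state: state, fingerprint: m[3] }
  end
  certs
end

# True when the CA knows the host at all (signed, revoked or pending).
def cert_known?(list_output, hostname)
  parse_puppetca_list(list_output).key?(hostname)
end

# Interpret the result of `puppetca --clean`. Puppet 2.7.19 exits 24 and
# prints "Could not find a serial number" when there is no cert to revoke;
# for a brand-new host that is not a failure worth aborting provisioning for.
def classify_clean_result(exit_status, stderr)
  return :removed if exit_status.zero?
  return :absent if stderr.include?('Could not find a serial number')
  :error
end

# Real invocation, shaped like the proxy log above (assumed paths).
# Returns [stdout, stderr, exit_status].
def run_puppetca(*args)
  out, err, status = Open3.capture3('/usr/bin/sudo', '-S', '/usr/sbin/puppetca', *args)
  [out, err, status.exitstatus]
end

# The full flow: list first, clean only if the host is known, then classify.
# `runner` is injectable so the flow can be exercised without a Puppet CA.
def remove_certificate(hostname, runner = method(:run_puppetca))
  list_out, _err, _status = runner.call('--list', '--all')
  return :skip unless cert_known?(list_out, hostname)
  _out, err, status = runner.call('--clean', hostname)
  classify_clean_result(status, err)
end

if __FILE__ == $PROGRAM_NAME
  # Offline demo using a fake runner that answers from the constructed sample.
  fake = lambda { |*args| args.first == '--list' ? [SAMPLE_LIST_OUTPUT, '', 0] : ['', '', 0] }
  puts "lxkstest1.local.com => #{remove_certificate('lxkstest1.local.com', fake)}"
  puts "lxtest2.local.com   => #{remove_certificate('lxtest2.local.com', fake)}"
end
```

The `:absent` classification is the defensive half of the fix: even on a proxy that still calls `--clean` unconditionally, matching the "Could not find a serial number" message (or exit 24 on 2.7.19) lets the kickstart render continue instead of failing with a 406/500 for a host that never had a certificate.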
Updated by Robert Birnie over 12 years ago
Yeah, the nightly build fixed the problem. I see the commit where it got fixed too.