Issue #21869 has been updated by Charlie Sharpsteen.
Status changed from Investigating to Accepted
Priority changed from Normal to High
Target version set to 3.2.4
Affected Puppet version changed from 3.2.3 to 3.0.0
Ok. What is happening here is that the puppet agent is getting stuck in a
recursive loop while trying to validate the keys it was provided with.
First off, the agent loads up the generated keys:
/usr/lib/ruby/site_ruby/1.8/puppet/ssl/host.rb:194:in `certificate'
However, it needs to validate those keys, so it requests the CA certificate:
/usr/lib/ruby/site_ruby/1.8/puppet/indirector/indirection.rb:197:in `find'
While communicating with the master, it checks for certificates that are near
expiration:
/usr/lib/ruby/site_ruby/1.8/puppet/network/authentication.rb:17:in `warn_if_near_expiration'
Which [includes checking the agent
cert](https://github.com/puppetlabs/puppet/blob/3.2.3/lib/puppet/network/authentication.rb#L17).
This last step triggers another attempt to validate the agent cert, which hits
the master for the CA certificate and starts the loop all over again. For now,
a workaround is to copy the CA public key to the agent certs folder along with
the generated keys.
This recursion was introduced by commit
[12d81c7](https://github.com/puppetlabs/puppet/commit/12d81c7ef97167f1831143ff0037ae9a3970960d).
Thanks for reporting this!
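
The call cycle described in the update above, as a toy Ruby model added here for illustration (not Puppet's code and not part of the issue). All class, method and option names are hypothetical; `ca_cached` stands for the workaround of placing the CA certificate in the agent's certs folder, and `guard` is a generic re-entrancy check, not the fix Puppet shipped.

```ruby
# Toy model of the cycle: certificate -> CA lookup -> HTTP request ->
# near-expiration check -> certificate -> ...  (hypothetical names throughout)
class ToyAgent
  attr_reader :ca_fetches

  def initialize(ca_cached: false, guard: false)
    @ca_cert = ca_cached ? :ca_cert : nil  # CA cert already on disk?
    @guard = guard                         # enable the re-entrancy guard?
    @checking_expiry = false
    @ca_fetches = 0
  end

  # Step 1: loading the agent cert requires the CA cert to validate it.
  def certificate
    ca_certificate
    :agent_cert
  end

  # Step 2: use the local CA cert if present, otherwise ask the master.
  def ca_certificate
    @ca_cert ||= http_find_ca
  end

  # Step 3: every request to the master runs the near-expiration check.
  def http_find_ca
    @ca_fetches += 1
    warn_if_near_expiration
    :ca_cert
  end

  # Step 4: the check reads the agent cert, which re-enters step 1.
  def warn_if_near_expiration
    return if @guard && @checking_expiry   # already inside the check: skip
    begin
      @checking_expiry = true
      certificate
    ensure
      @checking_expiry = false
    end
  end
end

# Runs one agent start-up and reports how it ended.
def outcome(**opts)
  agent = ToyAgent.new(**opts)
  agent.certificate
  [:ok, agent.ca_fetches]
rescue SystemStackError
  [:stack_level_too_deep, nil]
end
```

With no options the model ends in `SystemStackError`, Ruby's "stack level too deep"; with `ca_cached: true` the master is never contacted for the CA certificate, so the cycle cannot start.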
----------------------------------------
Bug #21869: another "Error: Could not request certificate: stack level too deep"
https://projects.puppetlabs.com/issues/21869#change-95294
* Author: Ilkka Tengvall
* Status: Accepted
* Priority: High
* Assignee: Charlie Sharpsteen
* Category:
* Target version: 3.2.4
* Affected Puppet version: 3.0.0
* Keywords:
* Branch:
----------------------------------------
There seem to be others like this bug, but they are closed already and this still
happens for me. In short:
<pre>puppet agent -v -t -d|tee /home/ec2-user/perror.log
<bunch of debug log attached separately>
Error: Could not request certificate: stack level too deep
Exiting; failed to retrieve certificate and waitforcert is disabled
</pre>
puppet is from puppetlabs repos yesterday:
<pre>[root@puppet-client puppet]# rpm -q puppet
puppet-3.2.3-1.el6.noarch
[root@puppetmaster puppet-etc]# rpm -q puppet-server
puppet-server-3.2.3-1.el6.noarch
</pre>
I am trying to create a generic machine cert for virtual machines built by a
Jenkins job. I want the machines with the given cert to be able to register to
puppet-master automatically, and assign a profile for themselves. I was
following this guide: https://gist.github.com/ahpook/1182243.
The OS underneath both the puppet agent and master is RHEL 6.4. I attach the
long debug log coming from the command above. I have both the master and the
client in the cloud.
! 1. I set up the master with certname with public ip name separate to its
cloud private hostname.
<pre>[master]
node_name = facter
certname = ospp-float2.hard.ware.fi
</pre>
! 2. and create the keys for the client
<pre>
puppet cert --generate hattara.taivaalla.pilvi
</pre>
! 3. copy them into place
<pre>
# private
master:$ssldir/private_keys/hattara.taivaalla.pilvi.pem ->
client:$ssldir/private_keys/hattara.taivaalla.pilvi.pem
# public
master:$ssldir/ca/signed/hattara.taivaalla.pilvi.pem ->
client:$ssldir/certs/hattara.taivaalla.pilvi.pem
</pre>
! 4. set the generic cert name for the client
<pre>
[agent]
# let's assign the node name from facter
# and let the fact be fqdn atm, later PaaS profile
# from /etc/cybercom-release.yaml
certname = hattara.taivaalla.pilvi
node_name = facter
node_name_fact = fqdn
server = ospp-float2.hard.ware.fi
</pre>
! 5. start puppet master
<pre>service puppetmaster restart</pre>
! 6. try the first command. The debug output is attached.
<pre>puppet agent -v -t -d|tee /home/ec2-user/perror.log
<bunch of debug log attached separately>
Error: Could not request certificate: stack level too deep
Exiting; failed to retrieve certificate and waitforcert is disabled
</pre>
And I see from master http log that the client tries to retrieve the cert.
If I retry the command, it behaves differently, some locking problem
<pre>
Error: Could not request certificate: Thread(#<Thread:0x7f91023bc370 run>) not locked.
Exiting; failed to retrieve certificate and waitforcert is disabled
</pre>
I can retrieve the cert manually by using curl just fine.
<pre>
curl --insecure -H 'Accept: s' https://ospp-float2.hard.ware.fi:8140/production/certificate/ca
</pre>
That's about it. Tried all different things for hours today. I suppose it's a
bug.