Satellite 6 Capsule installation fails when already registered to the puppet master with the error: "Failed to call refresh: /usr/bin/puppet cert --generate capsule.example.com returned 23 instead of one of [0]"

Solution In Progress - Updated -

Environment

  • Red Hat Satellite
    • 6.0
    • 6.1
    • 6.2
    • 6.3

Issue

  • When installing a capsule already registered to the Puppet master, it produces the error:

    /usr/bin/puppet cert --generate capsulexx.example.com returned 23 instead of one of [0]
    /Stage[main]/Puppet::Server::Config/Exec[puppet_server_config-generate_ca_cert]/returns: change from notrun to 0 failed: /usr/bin/puppet cert --generate capsulexx.example.com returned 23 instead of one of [0]
    /Stage[main]/Puppet::Server::Config/Exec[puppet_server_config-generate_ca_cert]: Failed to call refresh: /usr/bin/puppet cert --generate capsulexx.example.com returned 23 instead of one of [0]
    /Stage[main]/Puppet::Server::Config/Exec[puppet_server_config-generate_ca_cert]: /usr/bin/puppet cert --generate capsulexx.example.com returned 23 instead of one of [0]
    Installing
    Done   [100%] [.................................................................................................]
      Something went wrong! Check the log for ERROR-level output
      The full log is at /var/log/katello-installer/capsule-installer.log

Resolution

  • To work around this issue, execute the steps below:

On the Satellite server

    # puppet cert clean capsulexx.example.com

On Capsule 6.0, 6.1, 6.2, 6.3 (not on Capsule 6.4)

    # find /var/lib/puppet/ssl/ -type f -exec rm -f {} \;
    # find /etc/puppet/ -iname "*pem"  -type f -exec rm -f {} \;
  • Then re-run the capsule-installer:

DO NOT USE this text directly: it is only an example, and the OAuth values are random for each run.

    [root@capsulexx ~]# capsule-installer --parent-fqdn "dhcp12345.example.com" \
        --register-in-foreman  "true" \
        --foreman-oauth-key    "2WfTrt2eC6VPsHKraRwapKr3Z2nNSfbj" \
        --foreman-oauth-secret "PqQ9W5WwhCgDg4cRfw5V2mmFJ382LJFJ" \
        --pulp-oauth-secret    "QnRMy4ejFCUAjuLHxZp6sM9bQgPHsfeU" \
        --certs-tar            "/root/capsulexx.example.com.tar" \
        --puppet               "true" \
        --puppetca             "true" \
        --pulp                 "true"

    [...SNIP...]

    system identity: 54367bd8-61b7-4d90-9d80-653c3d83b8ae
    Installing             Done
     [100%] [.................................................................................................]
      Success!
      * Capsule is running at https://capsulexx.example.com:9090
      The full log is at /var/log/katello-installer/capsule-installer.log

On Capsule 6.4

# To Be Determined
    # find /etc/puppetlabs/ -iname "*pem"  -type f -exec rm -f {} \;
  • Then re-run the capsule-installer:

DO NOT USE this text directly: it is only an example, and the OAuth values are random for each run.

    [root@capsulexx ~]# capsule-installer --parent-fqdn "dhcp12345.example.com" \
        --register-in-foreman  "true" \
        --foreman-oauth-key    "2WfTrt2eC6VPsHKraRwapKr3Z2nNSfbj" \
        --foreman-oauth-secret "PqQ9W5WwhCgDg4cRfw5V2mmFJ382LJFJ" \
        --pulp-oauth-secret    "QnRMy4ejFCUAjuLHxZp6sM9bQgPHsfeU" \
        --certs-tar            "/root/capsulexx.example.com.tar" \
        --puppet               "true" \
        --puppetca             "true" \
        --pulp                 "true"

    [...SNIP...]

    system identity: 54367bd8-61b7-4d90-9d80-653c3d83b8ae
    Installing             Done
     [100%] [.................................................................................................]
      Success!
      * Capsule is running at https://capsulexx.example.com:9090
      The full log is at /var/log/katello-installer/capsule-installer.log

Note: you may want to add the following options to disable Puppet and rerun the installer:

    --foreman-proxy-puppet=false --no-enable-puppet --verbose
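
The cleanup commands in this resolution delete the Capsule's Puppet private keys and certificates with no way back. As an added example (not part of the original article), the shell function below lists the same files the two find commands select and saves them to an owner-only archive before anything is removed; the function name, archive path and return codes are assumptions.

```shell
#!/bin/sh
# Added example, not from the original article. The function name, archive
# path and return codes are assumptions for illustration.
#
# backup_puppet_ssl ARCHIVE SSL_DIR CONF_DIR
#   Selects the same files as the article's two find commands (every regular
#   file under SSL_DIR, every *pem file under CONF_DIR), prints them for
#   review and stores them in an owner-only tar archive. Deletes nothing.
backup_puppet_ssl() {
    archive=$1 ssl_dir=$2 conf_dir=$3

    # Never truncate an earlier backup (it would also keep that file's old mode).
    if [ -e "$archive" ]; then
        echo "$archive already exists, refusing to overwrite" >&2
        return 3
    fi

    list=$(mktemp) || return 1
    if [ -d "$ssl_dir" ]; then
        find "$ssl_dir" -type f -print >> "$list"
    fi
    if [ -d "$conf_dir" ]; then
        find "$conf_dir" -iname '*pem' -type f -print >> "$list"
    fi

    count=$(wc -l < "$list" | tr -d ' ')
    if [ "$count" -eq 0 ]; then
        rm -f "$list"
        echo "no SSL material found, nothing to back up" >&2
        return 2
    fi

    # The set includes private keys: create the archive readable by owner only.
    if ! ( umask 077 && tar -cf "$archive" -T "$list" ); then
        rm -f "$list"
        echo "backup to $archive failed" >&2
        return 1
    fi

    cat "$list"    # stdout: the files the cleanup would remove
    echo "$count file(s) saved to $archive" >&2
    rm -f "$list"
}

# Usage on a Capsule 6.0-6.3 host, before running the find ... -exec rm commands:
#   backup_puppet_ssl /root/puppet-ssl-backup.tar /var/lib/puppet/ssl /etc/puppet
```

Review the printed list before running the cleanup: every path on it is removed by the find ... -exec rm commands.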

Root Cause

  • This happens because the directory /var/lib/puppet/ssl (or, with Puppet version 5+, /etc/puppetlabs/) already contains a previously created SSL certificate.

This solution is part of Red Hat’s fast-track publication program, providing a huge library of solutions that Red Hat engineers have created while supporting our customers. To give you the knowledge you need the instant it becomes available, these articles may be presented in a raw and unedited form.
