Authorization token on puppet "SSL peer certificate or SSH remote key was not OK" - puppet

I am creating an authorization token in Puppet to set up the Code Manager config on the Puppet master. On executing the command and entering the login user and password
"puppet-access login --service-url https://10.20.1.4:4433/rbac-api --lifetime 365"
I got the error below:
"Unable to reach the RBAC server at https://10.20.1.4:4433/rbac-api/v1/auth/token due to the following error: SSL peer certificate or SSH remote key was not OK."
Could anyone please help with it?
Thanks

I was connecting to Puppet with the wrong URL. The certificate was for the hostname, rather than for the IP. I changed the URL to https://MYHOSTNAME:4433/rbac-api and it worked.
Thanks

Related

gitlab-ci register runner x509

I'm trying to register my runner but I cannot understand exactly how to do it. I have already read all the posts about this issue but I cannot find my answer.
On the GitLab master
gitlab.rb
letsencrypt['enable'] = true
I have uncommented the line in gitlab.rb to use the Let's Encrypt cert generated by GitLab when I do gitlab-ctl reconfigure.
EDIT:
Using reconfigure I get this error, but HTTPS is working fine.
There was an error running gitlab-ctl reconfigure:
letsencrypt_certificate[gitlab-ci] (letsencrypt::http_authorization line 5) had an error: Acme::Client::Error::RejectedIdentifier: acme_certificate[staging] (/opt/gitlab/embedded/cookbooks/cache/cookbooks/letsencrypt/resources/certificate.rb line 25) had an error: Acme::Client::Error::RejectedIdentifier: Error creating new order :: Cannot issue for "gitlab-ci": Domain name needs at least one dot
In /etc/gitlab/ssl/ I have 3 new files.
192.168.1.60.crt
192.168.1.60.key
192.168.1.60.key-staging
To register the runner, must I copy the content of the .crt into a file and specify the path with the tls-ca-file argument?
On the runner
gitlab-runner register --tls-ca-file /etc/gitlab-runner/ssl/192.168.1.60.crt
ERROR: Registering runner... failed runner=cMCbAs1i status=couldn't execute POST against https://192.168.1.60/api/v4/runners: Post https://192.168.1.60/api/v4/runners: x509: cannot validate certificate for 192.168.1.60 because it doesn't contain any IP SANs
PANIC: Failed to register the runner. You may be having network problems.
Can someone please help?
Thx
I have found the solution.
Important: for the certificate created with Let's Encrypt by gitlab reconfigure, the issuer is GitLab, so it's not recognized as a CA authority.
The solution works with certs created by GitLab or your own certs.
I used a certificate from my company.
Copy the certificate on the master to the runner.
I created the folder certs in /etc/gitlab-runner/ and copied it in as
mymastergit.mycompagny.com or mycompagny.com
When doing the register, the certificate must have the exact name of the master FQDN.
ex:
gitlab-runner register --tls-ca-file=/etc/ssl/certs/mymastergit.mycompagny.com.crt

How to add GitLab Runner

I uploaded GitLab to my server. Now I want to add GitLab Runner, but when I try to add it there is an error
ERROR: Registering runner... failed runner=zcy-FDTo status=couldn't execute POST against https://gitlab.mysite.com/api/v4/runners: Post https://gitlab.mysite.com/api/v4/runners: x509: certificate signed by unknown authority
PANIC: Failed to register the runner. You may be having network problems.
What is the problem? I tried
sudo gitlab-runner register --url https://gitlab.mysite.com/ --registration-token -AMfssacrqy_UeFM4i9pb--
I just started learning about GitLab Runner and stumbled upon your question.
I would suggest checking your host's network connectivity and certificate setup, as your error (x509: certificate signed by unknown authority) indicates, according to the GitLab Runner troubleshooting guide.

Gitlab : Peer's certificate issuer has been marked as not trusted by the user

I have an on-prem GitLab where I am trying to run some builds/pipelines but am getting the below error:
fatal: unable to access 'https://gitlab-ci-token:[MASKED]#gitlab.systems/testing/test-project-poc.git/': Peer's certificate issuer has been marked as not trusted by the user.
I have already looked into this - Gitlab:Peer's Certificate issuer is not recognized and followed the steps of obtaining the .pem file by merging the server certificate, intermediate certificate and root certificate but I am still getting the below error and really struggling to find the root cause.
/etc/gitlab/gitlab.rb config
##! enable/disable 2-way SSL client authentication
#nginx['ssl_verify_client'] = "off"
##! if ssl_verify_client on, verification depth in the client certificates chain
#nginx['ssl_verify_depth'] = "1"
nginx['ssl_certificate'] = "/etc/gitlab/ssl/gitlab.systems.pem"
nginx['ssl_certificate_key'] = "/etc/gitlab/ssl/gitlab.systems.key"
Is there any other configuration which I need to update/modify? Any guidance is really appreciated.
I am guessing you are using a self-signed certificate. If that is the case you have two options to rectify this issue:
Recommended option: Here again I assume that you have already solved the issue between the gitlab-runner and GitLab itself, hence you registered the runner successfully. So you already have the certificate file in /etc/gitlab-runner/certs. So on the server hosting the gitlab-runner, run the below command:
git config --system http.sslCAInfo /etc/gitlab-runner/certs/CERTIFICATE_NAME.crt
This is unsafe: Here you just disable the git https certificate verification:
git config --system http.sslverify false

Gitlab:Peer's Certificate issuer is not recognized

I get this error on a fresh install of GitLab. The message looks like:
fatal: unable to access 'https://gitlab-ci-token:xxxxxxxxxxxxxxxxxxxx#gitlab.example.com/something.git/': Peer's Certificate issuer is not recognized.
ERROR: Job failed: exit status 1
Any suggestions on how to fix it?
I had faced the same problem; after enabling verbose mode with the following command,
export GIT_CURL_VERBOSE=1, I found the following issue:
NSS error -8179 (SEC_ERROR_UNKNOWN_ISSUER)
I found the following site helpful, but it is only good when you have full control over the proxy server as well, to enter the certificates.
http://dropbit.com/?p=168
I instead ran the following command to bypass SSL verification by the proxy server and it worked
git config --global http.sslVerify "false"
You need to configure /etc/gitlab/gitlab.rb.
Change this line
nginx['ssl_certificate'] = "/etc/gitlab/<your-local-path>/cert.pem"
to
nginx['ssl_certificate'] = "/etc/gitlab/<your-local-path>/fullchain.pem"
(Assuming, you already have nginx enabled and you have correctly issued certificates, e.g. from LetsEncrypt.)
then restart gitlab and you're done:
$ gitlab-ctl reconfigure
Why: cert.pem does not contain the full certificate chain, so the CA chain cannot be verified. Replacing it with fullchain.pem solves it.
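Both runner errors quoted in the threads above (x509: cannot validate certificate for 192.168.1.60 because it doesn't contain any IP SANs, and x509: certificate signed by unknown authority) and the cert.pem versus fullchain.pem point in this answer are decisions made by the client's X.509 verifier. The Go program below is an added example, not code from the posts or from GitLab: it builds a throwaway root, intermediate and leaf with Go's standard crypto/x509 (the library gitlab-runner's error text comes from) and replays each case. The host name mymastergit.mycompagny.com and the address 192.168.1.60 are taken from the threads; all certificates and CA names are constructed, and Go 1.15 or newer is assumed.

```go
package main
import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"net"
	"time"
)
// issue creates a certificate for cn with the given SANs, signed by parent/pkey (self-signed root when parent is nil).
func issue(cn string, ca bool, dns []string, ips []net.IP, parent *x509.Certificate, pkey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey) {
	key, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	t := &x509.Certificate{SerialNumber: big.NewInt(time.Now().UnixNano()), Subject: pkix.Name{CommonName: cn},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour), IsCA: ca, BasicConstraintsValid: true,
		DNSNames: dns, IPAddresses: ips, KeyUsage: x509.KeyUsageDigitalSignature | x509.KeyUsageCertSign}
	if parent == nil { // self-signed: the template is its own issuer
		parent, pkey = t, key
	}
	der, err := x509.CreateCertificate(rand.Reader, t, parent, &key.PublicKey, pkey)
	c, perr := x509.ParseCertificate(der)
	if err != nil || perr != nil {
		panic(fmt.Sprint(err, perr))
	}
	return c, key
}
// verify validates leaf for host (DNS name or IP literal) against the given trust anchors and intermediates.
func verify(leaf *x509.Certificate, host string, roots, inters *x509.CertPool) error {
	_, err := leaf.Verify(x509.VerifyOptions{DNSName: host, Roots: roots, Intermediates: inters}) // err text is what gitlab-runner prints
	return err
}
// Scenarios builds a constructed root -> intermediate -> leaf PKI and maps each case to its verification error (nil = OK).
func Scenarios() map[string]error {
	root, rk := issue("Constructed Root CA", true, nil, nil, nil, nil)
	inter, ik := issue("Constructed Intermediate CA", true, nil, nil, root, rk)
	fqdn, addr := "mymastergit.mycompagny.com", "192.168.1.60" // names taken from the threads above
	byName, _ := issue(fqdn, false, []string{fqdn}, nil, inter, ik)
	byIP, _ := issue(addr, false, nil, []net.IP{net.ParseIP(addr)}, inter, ik)
	roots, inters := x509.NewCertPool(), x509.NewCertPool() // roots = the CA file given to the runner; inters = rest of fullchain.pem
	roots.AddCert(root)
	inters.AddCert(inter)
	return map[string]error{
		"fqdn, full chain":      verify(byName, fqdn, roots, inters), // OK
		"ip, no IP SAN":         verify(byName, addr, roots, inters), // "cannot validate certificate for 192.168.1.60 because it doesn't contain any IP SANs"
		"fqdn, no intermediate": verify(byName, fqdn, roots, nil),    // "certificate signed by unknown authority" (cert.pem served instead of fullchain.pem)
		"ip, IP SAN present":    verify(byIP, addr, roots, inters),   // OK
	}
}
func main() { fmt.Println(Scenarios()) }
```

Running it prints each case with its error; the two nil entries are the working combinations, where the contacted name matches a DNS or IP SAN and the intermediate is available to complete the chain.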

Unable to sign certificate.

I am trying to get my hands on Puppet. I booted up 2 VMs, both running Linux Mint 17. I intended one as the puppetmaster and one as the puppetclient. I am following this guide https://help.ubuntu.com/12.04/serverguide/puppet.html
in /etc/hostname
in /etc/hosts
master:
127.0.0.1 localhost /// no chance
127.0.1.1 puppetmaster //
192.168.75.141 puppetclient //this client's ip address after nm-tool search.
client:
127.0.0.1 localhost
127.0.1.1 puppetclient
192.168.75.142 puppetmaster // this is the master's ip address
In both client and master I created a file in /etc/puppet/manifests/site.pp
package {
'apache2':
ensure => installed
}
service {
'apache2':
ensure => true,
enable => true,
require => Package['apache2']
}
In master I created a file in /etc/puppet/manifests/nodes.pp
node 'meercat02.example.com' {
include apache2
}
On the client I created a file /etc/default/puppet and put START=yes in it.
Here's where I think there's a problem. In the guide, the file should already exist but in my case I had to create it.
So then I followed everything in the guide to sign the client certificate. I typed sudo puppetca --sign puppetclient in the puppetmaster's terminal. That didn't work and I found the solution in another post: https://serverfault.com/questions/457349/installed-puppetmaster-but-why-do-i-get-puppetca-command-not-found. So after reading the post I typed sudo puppet cert list --sign 'puppetclient'. Then it gave me this
Notice: Signed certificate request for ca
Error: Could not find certificates request for list
After the first five pages of Google search I ended up here asking for help. =) Can anyone help me resolve this issue? Thanks.
You cannot sign a certificate before there is a certificate request.
You have to establish the agent/master communication first.
Find out the certificate name of your master
puppet master --configprint certname
On the agent node, make sure that name resolves to the master's IP address (you currently used puppetmaster for this, which might suffice).
Send the initial request to the master
Do this on the agent node.
puppet agent --test --master=<name you just registered>
The agent generates a CSR, and prints a message that it could not receive a certificate.
Sign the certificate
On the master:
puppet cert list
Locate the CSR of your agent, then
puppet cert sign <agent>
The next puppet agent --test call will receive the certificate.
Try this
puppet agent --test --master="name you just registered"
It works for me.
