
Certificate allow list error #95

ksenia-vazhdaeva opened this issue Jan 20, 2025 · 4 comments · Fixed by #96 or #98


@ksenia-vazhdaeva

PUPPETDB_CERTIFICATE_ALLOWLIST is an empty string

Docker image

[
    {
        "Id": "sha256:70d3dc8fde2f00d51461ce15df7d7c7022d0bd9877d2ef30cda970d48f53ebaa",
        "RepoTags": [
            "voxpupuli/puppetdb:8.8.1-latest"
        ],
        "RepoDigests": [
            "voxpupuli/puppetdb@sha256:ae9e33e3ae5d1482417a3806e79739f557aeda0d7d50448fe0074867c46496b7"
        ],
        "Parent": "",
        "Comment": "buildkit.dockerfile.v0",
        "Created": "2025-01-16T16:01:09.195980427Z",
        "DockerVersion": "",
        "Author": "",
        "Config": {
            "Hostname": "",
            "Domainname": "",
            "User": "",
            "AttachStdin": false,
            "AttachStdout": false,
            "AttachStderr": false,
            "ExposedPorts": {
                "8080/tcp": {},
                "8081/tcp": {}
            },
            "Tty": false,
            "OpenStdin": false,
            "StdinOnce": false,
            "Env": [
                "PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin",
                "LOGDIR=/opt/puppetlabs/server/data/puppetdb/logs",
                "PUPPET_RELEASE=8",
                "PUPPETDB_VERSION=8.8.1",
                "SSLDIR=/opt/puppetlabs/server/data/puppetdb/certs",
                "PUPPETDB_POSTGRES_HOSTNAME=postgres",
                "PUPPETDB_POSTGRES_PORT=5432",
                "PUPPETDB_POSTGRES_DATABASE=puppetdb",
                "CERTNAME=puppetdb",
                "DNS_ALT_NAMES=",
                "WAITFORCERT=",
                "PUPPETDB_USER=puppetdb",
                "PUPPETDB_PASSWORD=puppetdb",
                "PUPPETDB_NODE_TTL=7d",
                "PUPPETDB_NODE_PURGE_TTL=14d",
                "PUPPETDB_REPORT_TTL=14d",
                "PUPPETDB_CERTIFICATE_ALLOWLIST=",
                "USE_PUPPETSERVER=true",
                "PUPPETDB_JAVA_ARGS=-Djava.net.preferIPv4Stack=true -Xms256m -Xmx256m -XX:+UseParallelGC -Xlog:gc*:file=/opt/puppetlabs/server/data/puppetdb/logs/puppetdb_gc.log -Djdk.tls.ephemeralDHKeySize=2048",
                "PUPPET_DEB=puppet8-release-jammy.deb",
                "DEBIAN_FRONTEND=noninteractive"
            ],
            "Cmd": [
                "foreground"
            ],
            "Healthcheck": {
                "Test": [
                    "CMD",
                    "/healthcheck.sh"
                ],
                "Interval": 10000000000,
                "Timeout": 10000000000,
                "StartPeriod": 300000000000,
                "Retries": 6
            },
            "ArgsEscaped": true,
            "Image": "",
            "Volumes": {
                "/opt/puppetlabs/server/data/puppetdb": {}
            },
            "WorkingDir": "",
            "Entrypoint": [
                "dumb-init",
                "/docker-entrypoint.sh"
            ],
            "OnBuild": null,
            "Labels": {
                "org.label-schema.build-date": "",
                "org.label-schema.dockerfile": "/Dockerfile",
                "org.label-schema.license": "Apache-2.0",
                "org.label-schema.maintainer": "Voxpupuli Release Team <voxpupuli@groups.io>",
                "org.label-schema.name": "PuppetDB ()",
                "org.label-schema.schema-version": "1.0",
                "org.label-schema.url": "https://github.com/voxpupuli/container-puppetdb",
                "org.label-schema.vcs-ref": "",
                "org.label-schema.vcs-url": "https://github.com/voxpupuli/container-puppetdb",
                "org.label-schema.vendor": "Vox Pupuli",
                "org.opencontainers.image.ref.name": "ubuntu",
                "org.opencontainers.image.version": "22.04"
            }
        },
        "Architecture": "amd64",
        "Os": "linux",
        "Size": 529943765,
        "GraphDriver": {
            "Data": {
                "LowerDir": "/var/lib/docker/overlay2/1837d7973452781714a061ec3ffb79e010cdcb1f48574f87d4b589f6e3669fa2/diff:/var/lib/docker/overlay2/8b7ef5025e5a096c4985d33db42bdb1ffb65c7a4054c029f3cac0ef453f2b7d7/diff:/var/lib/docker/overlay2/28d7fdb82f4421b254f61a9dc3cf77d6335e347347b118d4080af634f4a8dd87/diff:/var/lib/docker/overlay2/5610331d0d4bbe1fd69f60032aece18eac2d83dd7737edccce3f18f29169dfdc/diff:/var/lib/docker/overlay2/924b7643a4ff8dd4d65012da7d447f48eca27d35b115522603921f52047115a2/diff:/var/lib/docker/overlay2/f658f349707c90494df429fa60ca3cfaa1a5951188f29909a13425522f260601/diff:/var/lib/docker/overlay2/685922dde29b043852072bbe3bb800da42e28d081e6f11adc414a4c7d1c43841/diff:/var/lib/docker/overlay2/8712c2186df13c8b9a8baa726b43d909e825f058e0970215bcd7135cd1b5792f/diff",
                "MergedDir": "/var/lib/docker/overlay2/413905ad375d257fa7d47592313e0fb5f5d0f85260ea706734d4ce41b695df9c/merged",
                "UpperDir": "/var/lib/docker/overlay2/413905ad375d257fa7d47592313e0fb5f5d0f85260ea706734d4ce41b695df9c/diff",
                "WorkDir": "/var/lib/docker/overlay2/413905ad375d257fa7d47592313e0fb5f5d0f85260ea706734d4ce41b695df9c/work"
            },
            "Name": "overlay2"
        },
        "RootFS": {
            "Type": "layers",
            "Layers": [
                "sha256:2573e0d8158209ed54ab25c87bcdcb00bd3d2539246960a3d592a1c599d70465",
                "sha256:e47233fa498227cfd57f770e8f25cf65317a37b284c749129e9ea76d8b15cd3b",
                "sha256:67eb5af260e2625ecaee936d19d392f16707e26f2d570b6ca80ed2e9959fbd1b",
                "sha256:efa5e0dade1c11a5c0c284365bd9ee259fc177edea564f0442624df2c48d74eb",
                "sha256:624fbc3d9451b8b8c8604380740bd9a5e3daa5397c16bc04944027be0d2e7d68",
                "sha256:78b867698998dbf7f3ac19da79da1895299d47e47a030061b6bbaf413eca3ffd",
                "sha256:ef4f87f326c7dfa65c83b87e063f61aaf9a3f28de5ec167757eb9f5e7405106b",
                "sha256:5b8beb406419cbb26cae81f8d8d682957776a377702d2b9ca1a0f1f1daa70a62",
                "sha256:20d4c21c7f3fe147cb095d63e615a8a9cf2fcd61ad0d50c7995563f4b02d558d"
            ]
        },
        "Metadata": {
            "LastTagTime": "0001-01-01T00:00:00Z"
        }
    }
]

Error

2025-01-20 08:35:14,952 INFO  [p.p.pdb-routing] Starting PuppetDB, entering maintenance mode
2025-01-20 08:35:15,021 ERROR [p.t.internal] Error during service init!!!
java.io.FileNotFoundException: /opt/puppetlabs/server/apps/puppetdb/'/etc/puppetlabs/puppetdb/conf.d/certificate-allowlist' (No such file or directory)
	at java.base/java.io.FileInputStream.open0(Native Method)
	at java.base/java.io.FileInputStream.open(FileInputStream.java:216)
	at java.base/java.io.FileInputStream.<init>(FileInputStream.java:157)
	at clojure.java.io$fn__11617.invokeStatic(io.clj:229)
	at clojure.java.io$fn__11617.invoke(io.clj:229)
	at clojure.java.io$fn__11569$G__11523__11576.invoke(io.clj:69)
	at clojure.java.io$fn__11591.invokeStatic(io.clj:165)
	at clojure.java.io$fn__11591.invoke(io.clj:165)
	at clojure.java.io$fn__11530$G__11519__11537.invoke(io.clj:69)
	at clojure.java.io$reader.invokeStatic(io.clj:102)
	at clojure.java.io$reader.doInvoke(io.clj:86)
	at clojure.lang.RestFn.invoke(RestFn.java:410)
	at puppetlabs.kitchensink.core$lines.invokeStatic(core.clj:161)
	at puppetlabs.kitchensink.core$lines.invoke(core.clj:158)
	at puppetlabs.kitchensink.core$cn_whitelist__GT_authorizer.invokeStatic(core.clj:972)
	at puppetlabs.kitchensink.core$cn_whitelist__GT_authorizer.invoke(core.clj:959)
	at puppetlabs.puppetdb.middleware$build_allowlist_authorizer.invokeStatic(middleware.clj:52)
	at puppetlabs.puppetdb.middleware$build_allowlist_authorizer.invoke(middleware.clj:44)
	at puppetlabs.puppetdb.middleware$wrap_cert_authn.invokeStatic(middleware.clj:62)
	at puppetlabs.puppetdb.middleware$wrap_cert_authn.invoke(middleware.clj:60)
	at puppetlabs.puppetdb.pdb_routing$init_pdb_routing.invokeStatic(pdb_routing.clj:120)
	at puppetlabs.puppetdb.pdb_routing$init_pdb_routing.invoke(pdb_routing.clj:98)
	at puppetlabs.puppetdb.pdb_routing$reify__51180$service_fnk__20465__auto___positional$reify__51199$fn__51200.invoke(pdb_routing.clj:151)
	at puppetlabs.puppetdb.utils$call_unless_shutting_down.invokeStatic(utils.clj:378)
	at puppetlabs.puppetdb.utils$call_unless_shutting_down.invoke(utils.clj:375)
	at puppetlabs.puppetdb.pdb_routing$reify__51180$service_fnk__20465__auto___positional$reify__51199.init(pdb_routing.clj:149)
	at puppetlabs.trapperkeeper.services$fn__20289$G__20281__20292.invoke(services.clj:7)
	at puppetlabs.trapperkeeper.services$fn__20289$G__20280__20296.invoke(services.clj:7)
	at puppetlabs.trapperkeeper.internal$fn__20803$run_lifecycle_fn_BANG___20810$fn__20811.invoke(internal.clj:196)
	at puppetlabs.trapperkeeper.internal$fn__20803$run_lifecycle_fn_BANG___20810.invoke(internal.clj:179)
	at puppetlabs.trapperkeeper.internal$fn__20832$run_lifecycle_fns__20837$fn__20838.invoke(internal.clj:229)
	at puppetlabs.trapperkeeper.internal$fn__20832$run_lifecycle_fns__20837.invoke(internal.clj:206)
	at puppetlabs.trapperkeeper.internal$fn__21462$build_app_STAR___21471$fn$reify__21483.init(internal.clj:614)
	at puppetlabs.trapperkeeper.internal$fn__21512$boot_services_for_app_STAR__STAR___21519$fn__21520$fn__21522.invoke(internal.clj:648)
	at puppetlabs.trapperkeeper.internal$fn__21512$boot_services_for_app_STAR__STAR___21519$fn__21520.invoke(internal.clj:647)
	at puppetlabs.trapperkeeper.internal$fn__21512$boot_services_for_app_STAR__STAR___21519.invoke(internal.clj:641)
	at clojure.core$partial$fn__5910.invoke(core.clj:2647)
	at puppetlabs.trapperkeeper.internal$fn__20877$initialize_lifecycle_worker__20888$fn__20889$fn__21052$state_machine__12285__auto____21077$fn__21080.invoke(internal.clj:249)
	at puppetlabs.trapperkeeper.internal$fn__20877$initialize_lifecycle_worker__20888$fn__20889$fn__21052$state_machine__12285__auto____21077.invoke(internal.clj:249)
	at clojure.core.async.impl.ioc_macros$run_state_machine.invokeStatic(ioc_macros.clj:978)
	at clojure.core.async.impl.ioc_macros$run_state_machine.invoke(ioc_macros.clj:977)
	at clojure.core.async.impl.ioc_macros$run_state_machine_wrapped.invokeStatic(ioc_macros.clj:982)
	at clojure.core.async.impl.ioc_macros$run_state_machine_wrapped.invoke(ioc_macros.clj:980)
	at clojure.core.async$ioc_alts_BANG_$fn__12514.invoke(async.clj:421)
	at clojure.core.async$do_alts$fn__12453$fn__12456.invoke(async.clj:288)
	at clojure.core.async.impl.channels.ManyToManyChannel$fn__7126$fn__7127.invoke(channels.clj:99)
	at clojure.lang.AFn.run(AFn.java:22)
	at java.base/java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1136)
	at java.base/java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:635)
	at clojure.core.async.impl.concurrent$counted_thread_factory$reify__7029$fn__7030.invoke(concurrent.clj:29)
	at clojure.lang.AFn.run(AFn.java:22)
	at java.base/java.lang.Thread.run(Thread.java:840)
2025-01-20 08:35:15,411 INFO  [p.t.internal] Beginning shutdown sequence
2025-01-20 08:35:15,425 INFO  [p.p.command] Periodic activities halted
2025-01-20 08:35:15,433 INFO  [p.p.c.services] Shutdown request received; puppetdb exiting.
2025-01-20 08:35:15,444 INFO  [p.t.s.w.jetty10-service] Shutting down web server(s).
2025-01-20 08:35:15,457 INFO  [p.t.s.s.scheduler-service] Shutting down Scheduler Service
2025-01-20 08:35:15,462 INFO  [o.q.c.QuartzScheduler] Scheduler 78af5eb4-f4ac-4538-a684-b13b204504e1_$_NON_CLUSTERED shutting down.
2025-01-20 08:35:15,464 INFO  [o.q.c.QuartzScheduler] Scheduler 78af5eb4-f4ac-4538-a684-b13b204504e1_$_NON_CLUSTERED paused.
2025-01-20 08:35:15,741 INFO  [o.q.c.QuartzScheduler] Scheduler 78af5eb4-f4ac-4538-a684-b13b204504e1_$_NON_CLUSTERED shutdown complete.
2025-01-20 08:35:15,742 INFO  [p.t.s.s.scheduler-service] Scheduler Service shutdown complete.
2025-01-20 08:35:15,751 INFO  [p.t.internal] Finished shutdown sequence
Execution error (FileNotFoundException) at java.io.FileInputStream/open0 (FileInputStream.java:-2).
/opt/puppetlabs/server/apps/puppetdb/'/etc/puppetlabs/puppetdb/conf.d/certificate-allowlist' (No such file or directory)

Looks like #94 has errors

@ksenia-vazhdaeva

Relates to #88


l4rsV commented Jan 22, 2025

Fix available in Container Version 7.20.0-latest / 7.20.0-main?


l4rsV commented Jan 22, 2025

Still got Error:

entrypoint: /bin/bash -c "cat /docker-entrypoint.d/30-certificate-allowlist.sh"

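#!/bin/bash
# Populate PuppetDB's certificate allowlist file from the
# PUPPETDB_CERTIFICATE_ALLOWLIST environment variable (comma-separated
# certnames, one per line in the file). The file is always (re)created, so an
# empty variable yields an empty allowlist file rather than a missing one.
#
# NOTE(review): the startup error on this issue shows PuppetDB opening
# /opt/puppetlabs/server/apps/puppetdb/'/etc/.../certificate-allowlist', i.e.
# a value that still carries literal single quotes and is resolved relative to
# the app directory. That comes from wherever the certificate-allowlist
# setting is rendered into conf.d, not from this script — confirm that setting
# is written without quotes.

set -eu

allowlist_file=/etc/puppetlabs/puppetdb/conf.d/certificate-allowlist

# Truncate instead of appending so a restarted container does not accumulate
# duplicate or stale entries; this file decides which client certificates may
# reach the API, so its content should reflect only the current environment.
: > "$allowlist_file"

if [ -n "${PUPPETDB_CERTIFICATE_ALLOWLIST:-}" ]; then
  # Split on commas only, keeping the IFS change scoped to this read rather
  # than leaking it into the rest of the script.
  IFS=',' read -r -a certnames <<< "$PUPPETDB_CERTIFICATE_ALLOWLIST"
  for certname in "${certnames[@]}"; do
    # Trim surrounding whitespace ("a, b" must not produce " b") and skip
    # empty fields produced by "a,,b" or a trailing comma.
    certname="${certname#"${certname%%[![:space:]]*}"}"
    certname="${certname%"${certname##*[![:space:]]}"}"
    [ -n "$certname" ] || continue
    # printf with a quoted argument instead of an unquoted echo: no globbing,
    # no word splitting, and no option-like interpretation of the value.
    printf '%s\n' "$certname" >> "$allowlist_file"
  done
fi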
Setting ownership for /opt/puppetlabs/server/data/puppetdb/certs to puppetdb:puppetdb
Running /docker-entrypoint.d/30-certificate-allowlist.sh
2025-01-22 19:50:09,609 INFO  [o.e.j.u.log] Logging initialized @7520ms to org.eclipse.jetty.util.log.Slf4jLog
2025-01-22 19:50:09,692 INFO  [p.t.s.w.jetty9-core] Removing buggy security provider SunPKCS11 version 17
WARNING: abs already refers to: #'clojure.core/abs in namespace: medley.core, being replaced by: #'medley.core/abs
2025-01-22 19:50:11,197 INFO  [p.t.s.s.scheduler-service] Initializing Scheduler Service
2025-01-22 19:50:11,235 INFO  [o.q.i.StdSchedulerFactory] Using default implementation for ThreadExecutor
2025-01-22 19:50:11,256 INFO  [o.q.c.SchedulerSignalerImpl] Initialized Scheduler Signaller of type: class org.quartz.core.SchedulerSignalerImpl
2025-01-22 19:50:11,257 INFO  [o.q.c.QuartzScheduler] Quartz Scheduler v.2.3.2 created.
2025-01-22 19:50:11,257 INFO  [o.q.s.RAMJobStore] RAMJobStore initialized.
2025-01-22 19:50:11,258 INFO  [o.q.c.QuartzScheduler] Scheduler meta-data: Quartz Scheduler (v2.3.2) '85b531f2-242f-4f5f-a90e-5bb95f27058b' with instanceId 'NON_CLUSTERED'
  Scheduler class: 'org.quartz.core.QuartzScheduler' - running locally.
  NOT STARTED.
  Currently in standby mode.
  Number of jobs executed: 0
  Using thread pool 'org.quartz.simpl.SimpleThreadPool' - with 10 threads.
  Using job-store 'org.quartz.simpl.RAMJobStore' - which does not support persistence. and is not clustered.

2025-01-22 19:50:11,258 INFO  [o.q.i.StdSchedulerFactory] Quartz scheduler '85b531f2-242f-4f5f-a90e-5bb95f27058b' initialized from an externally provided properties instance.
2025-01-22 19:50:11,258 INFO  [o.q.i.StdSchedulerFactory] Quartz scheduler version: 2.3.2
2025-01-22 19:50:11,258 INFO  [o.q.c.QuartzScheduler] Scheduler 85b531f2-242f-4f5f-a90e-5bb95f27058b_$_NON_CLUSTERED started.
2025-01-22 19:50:11,259 INFO  [p.t.s.w.jetty9-service] Initializing web server(s).
2025-01-22 19:50:11,332 INFO  [p.p.pdb-routing] Starting PuppetDB, entering maintenance mode
2025-01-22 19:50:11,364 ERROR [p.t.internal] Error during service init!!!
java.io.FileNotFoundException: /opt/puppetlabs/server/apps/puppetdb/'/etc/puppetlabs/puppetdb/conf.d/certificate-allowlist' (No such file or directory)
	at java.base/java.io.FileInputStream.open0(Native Method)
	at java.base/java.io.FileInputStream.open(FileInputStream.java:216)


tuxmea commented Jan 23, 2025

Still an issue.
