
Ensure proxy register runs before puppetserver service #852

Merged
merged 1 commit into from
Dec 12, 2024

Conversation

bastelfreak
Member

In case puppetserver runs on the same node and foreman is used as an ENC, the registration needs to happen before the smart proxy is configured; otherwise the ENC script cannot authenticate itself to foreman.

In case puppetserver runs on the same node *and* foreman is used as an ENC, the registration needs to happen before the smart proxy is configured; otherwise the ENC script cannot authenticate itself to foreman.
@ekohl ekohl enabled auto-merge (rebase) December 12, 2024 16:40
@ekohl
Member

ekohl commented Dec 12, 2024

CI fails on AL 8 and Ubuntu 20.04 since we dropped those from nightly. I saw the same thing in puppet-foreman and we'll need to drop them. In the meantime I'll merge this manually.

@ekohl ekohl disabled auto-merge December 12, 2024 17:09
@ekohl ekohl merged commit c77cc72 into theforeman:master Dec 12, 2024
14 of 19 checks passed
@bastelfreak bastelfreak deleted the puppetserver branch December 12, 2024 17:16
@evgeni
Member

evgeni commented Dec 13, 2024

Yeah, no :)

This breaks when you try to regenerate all certs, as it tries to register the proxy before puppetserver has created a CA:

2024-12-12T23:21:17  [E] Disabling all modules in the group ['puppetca_http_api', 'puppetca_hostname_whitelisting', 'puppetca'] due to a failure in one of them: File at '/etc/puppetlabs/puppet/ssl/certs/ca.pem' defined in 'puppet_ssl_ca' parameter doesn't exist or is unreadable
2024-12-12T23:21:17  [W] Error details for Disabling all modules in the group ['puppetca_http_api', 'puppetca_hostname_whitelisting', 'puppetca'] due to a failure in one of them: File at '/etc/puppetlabs/puppet/ssl/certs/ca.pem' defined in 'puppet_ssl_ca' parameter doesn't exist or is unreadable: <Proxy::Error::ConfigurationError>: File at '/etc/puppetlabs/puppet/ssl/certs/ca.pem' defined in 'puppet_ssl_ca' parameter doesn't exist or is unreadable

@bastelfreak
Member Author

Where are you seeing this problem? Do you have a bit more context? Maybe we can add a conditional to the resource collector.

@evgeni
Member

evgeni commented Dec 13, 2024

The problem is when we run katello-change-hostname, which wipes all existing certificates and relies on the fact that they will be regenerated on start of the service (the tl;dr is: it wipes certs and then calls the installer/puppet).

I guess calling puppetserver ca setup as part of k-c-h would help here
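As an added example (not code from puppet-foreman_proxy, nor from anyone in this thread), here is a POSIX shell readiness check for the files the smart proxy's puppetca module loads: the error above is raised on `puppet_ssl_ca` (`certs/ca.pem`), and the host certificate and private key paths below follow puppet's default ssldir layout, which is an assumption. A guard like this is what a conditional in front of the registration could wait on when the certificates have just been wiped and puppetserver is expected to recreate them on its first start; the `PUPPET_SSLDIR` override and the FQDN argument exist only so the check can be exercised against a scratch directory.

```shell
#!/bin/sh
# Added example: readiness check for the Puppet SSL material the smart proxy's
# puppetca module reads. The paths mirror puppet's default ssldir layout
# (assumption); the override variable is there to allow offline testing.

PUPPET_SSLDIR="${PUPPET_SSLDIR:-/etc/puppetlabs/puppet/ssl}"

# check_puppet_ssl SSLDIR FQDN
# Prints every required file that is missing or unreadable, one per line,
# and returns 0 only when all three are present and readable.
check_puppet_ssl() {
  ssldir="${1:-$PUPPET_SSLDIR}"
  fqdn="$2"
  missing=0
  for f in "$ssldir/certs/ca.pem" \
           "$ssldir/certs/$fqdn.pem" \
           "$ssldir/private_keys/$fqdn.pem"; do
    if [ ! -r "$f" ]; then
      echo "missing or unreadable: $f"
      missing=$((missing + 1))
    fi
  done
  [ "$missing" -eq 0 ]
}

# wait_for_puppet_ssl SSLDIR FQDN [TIMEOUT_SECONDS]
# Polls once per second until check_puppet_ssl passes, so a registration step
# run right after (re)starting puppetserver does not race the CA/host cert
# generation. Fails instead of hanging forever if the files never appear.
wait_for_puppet_ssl() {
  ssldir="${1:-$PUPPET_SSLDIR}"
  fqdn="$2"
  timeout="${3:-60}"
  waited=0
  while ! check_puppet_ssl "$ssldir" "$fqdn" >/dev/null; do
    waited=$((waited + 1))
    if [ "$waited" -ge "$timeout" ]; then
      echo "puppet SSL material not ready after ${timeout}s:" >&2
      check_puppet_ssl "$ssldir" "$fqdn" >&2
      return 1
    fi
    sleep 1
  done
}
```

Typical use on a real host would be `wait_for_puppet_ssl /etc/puppetlabs/puppet/ssl "$(hostname -f)" 120` after the puppetserver service has been started and before the smart proxy is registered; the printed list of missing files tells you whether it is the CA copy or the host credentials that have not been generated yet.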

@evgeni
Member

evgeni commented Dec 16, 2024

No, that's not it. As the CA is still fine:

# puppetserver ca setup
Error:
Existing file at '/etc/puppetlabs/puppetserver/ca/ca_crt.pem'
Existing file at '/etc/puppetlabs/puppetserver/ca/ca_crl.pem'
Existing file at '/etc/puppetlabs/puppetserver/ca/infra_crl.pem'
Existing file at '/etc/puppetlabs/puppetserver/ca/ca_pub.pem'
Existing file at '/etc/puppetlabs/puppetserver/ca/inventory.txt'
Existing file at '/etc/puppetlabs/puppetserver/ca/infra_inventory.txt'
Existing file at '/etc/puppetlabs/puppetserver/ca/infra_serials'
Existing file at '/etc/puppetlabs/puppetserver/ca/serial'
Existing file at '/etc/puppetlabs/puppetserver/ca/root_key.pem'
Existing file at '/etc/puppetlabs/puppetserver/ca/ca_key.pem'
If you would really like to replace your CA, please delete the existing files first.
Note that any certificates that were issued by this CA will become invalid if you
replace it!

But what puts the copy into /etc/puppetlabs/puppet/ssl/certs/ and generates the client stuff? 🤔

@evgeni
Member

evgeni commented Dec 16, 2024


3 participants