Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Bug with v6.0.0 and nginx 1.18.x #1605

Open
rwaffen opened this issue Jun 27, 2024 · 2 comments
Open

Bug with v6.0.0 and nginx 1.18.x #1605

rwaffen opened this issue Jun 27, 2024 · 2 comments

Comments

@rwaffen
Copy link
Member

rwaffen commented Jun 27, 2024

Affected Puppet, Ruby, OS and module versions/distributions

  • Puppet: 7.30.0
  • Ruby:
  • Distribution: Ubuntu 22.04.4 LTS
  • Module version: v6.0.0

How to reproduce (e.g Puppet code you use)

  • deploy nginx with < v6.0.0
  • update Puppefile
  • run puppt on nginx host with v6.0.0

What are you seeing

puppet facts nginx_version
{
  "nginx_version": "1.18.0"
}
# MANAGED BY PUPPET
server {
  listen       *:443 ssl;
  http2        on;
  ... and others ...
}

What behaviour did you expect instead

# MANAGED BY PUPPET
server {
  listen       *:443 ssl http2;
  ... and others ...
}

Output log

Jun 20 16:03:46 nginx.example.com nginx[378584]: nginx: [emerg] unknown directive "http2" in /etc/nginx/sites-enabled/nginx.example.com.conf:8
@TheMeier TheMeier self-assigned this Jun 27, 2024
@TheMeier
Copy link
Contributor

TheMeier commented Aug 1, 2024

I am trying to understand what is going on exactly as I think this is not new in version 6.0.0.

Plain 1st ever run of this test

class { 'nginx':
  http2 => 'on',
}

nginx::resource::server { 'www.puppetlabs.com':
  www_root => '/var/www/www.puppetlabs.com',
  http2 => 'on',
  ssl   => true,
  ssl_cert => false,
  ssl_key => false,
}

Results in:

root@8b66d320db32:/# /opt/puppetlabs/puppet/bin/puppet apply test.pp
Notice: Compiled catalog for 8b66d320db32.united.domain in environment production in 0.57 seconds
Notice: /Stage[main]/Apt/File[preferences]/ensure: created
Notice: /Stage[main]/Apt/Package[gnupg]/ensure: created
Notice: /Stage[main]/Apt/Apt::Setting[conf-update-stamp]/File[/etc/apt/apt.conf.d/15update-stamp]/ensure: defined content as '{sha256}2e6eb1f5f20262bfc6b7dfb26a302f00b4ab5fee803abd9e07ad8378cce067d5'
Notice: /Stage[main]/Nginx::Package::Debian/Apt::Source[nginx]/Apt::Key[Add key: 573BFD6B3D8FBC641079A6ABABF5BD827BD9BF62 from Apt::Source nginx]/Apt_key[Add key: 573BFD6B3D8FBC641079A6ABABF5BD827BD9BF62 from Apt::Source nginx]/ensure: created
Notice: /Stage[main]/Nginx::Package::Debian/Apt::Source[nginx]/Apt::Setting[list-nginx]/File[/etc/apt/sources.list.d/nginx.list]/ensure: defined content as '{sha256}aa1f70545aed9acd5a853d1aa88b12c697325d251eda46f827cc91ba0c092dea'
Notice: /Stage[main]/Apt::Update/Exec[apt_update]: Triggered 'refresh' from 1 event
Notice: /Stage[main]/Nginx::Package::Debian/Package[nginx]/ensure: created
Notice: /Stage[main]/Nginx::Config/File[/etc/nginx/conf.stream.d]/ensure: created
Notice: /Stage[main]/Nginx::Config/File[/etc/nginx/conf.mail.d]/ensure: created
Notice: /Stage[main]/Nginx::Config/File[/etc/nginx/snippets]/ensure: created
Notice: /Stage[main]/Nginx::Config/File[/var/log/nginx]/group: group changed 'root' to 'adm'
Notice: /Stage[main]/Nginx::Config/File[/etc/nginx/sites-available]/ensure: created
Notice: /Stage[main]/Nginx::Config/File[/etc/nginx/sites-enabled]/ensure: created
Notice: /Stage[main]/Nginx::Config/File[/etc/nginx/streams-enabled]/ensure: created
Notice: /Stage[main]/Nginx::Config/File[/etc/nginx/streams-available]/ensure: created
Notice: /Stage[main]/Nginx::Config/File[/etc/nginx/nginx.conf]/content: content changed '{sha256}078266b9ee3e3c9c8ff30a342e089d7015c3e148bb9d1d41493d38615ae8adec' to '{sha256}964d3f5624ec777e375729a51bd31470f699c266e4f2b6e4c618f8204c091d0f'
Notice: /Stage[main]/Nginx::Config/File[/etc/nginx/mime.types]/content: content changed '{sha256}6f95d1d7d75e3c072907d845622a69d23110d1266c16ff122b3109b8b21f3ae9' to '{sha256}e8197a00fba8b28be9e21be01e576c5a1205ca6f078099a6aebf9cccfb082256'
Notice: /Stage[main]/Main/Nginx::Resource::Server[www.puppetlabs.com]/Concat[/etc/nginx/sites-available/www.puppetlabs.com.conf]/File[/etc/nginx/sites-available/www.puppetlabs.com.conf]/ensure: defined content as '{sha256}770c3991fabf89780db2fca2ae375ac93fe95c07efe3f0d210feb3e0ebc58f90'
Notice: /Stage[main]/Main/Nginx::Resource::Server[www.puppetlabs.com]/File[www.puppetlabs.com.conf symlink]/ensure: created
Error: Could not start Service[nginx]: Execution of '/etc/init.d/nginx start' returned 1: nginx: [warn] the "listen ... http2" directive is deprecated, use the "http2" directive instead in /etc/nginx/sites-enabled/www.puppetlabs.com.conf:20
nginx: [emerg] unknown directive "ssl" in /etc/nginx/sites-enabled/www.puppetlabs.com.conf:25
Error: /Stage[main]/Nginx::Service/Service[nginx]/ensure: change from 'stopped' to 'running' failed: Could not start Service[nginx]: Execution of '/etc/init.d/nginx start' returned 1: nginx: [warn] the "listen ... http2" directive is deprecated, use the "http2" directive instead in /etc/nginx/sites-enabled/www.puppetlabs.com.conf:20
nginx: [emerg] unknown directive "ssl" in /etc/nginx/sites-enabled/www.puppetlabs.com.conf:25
Notice: /Stage[main]/Nginx::Service/Service[nginx]: Triggered 'refresh' from 1 event
Notice: Applied catalog in 22.22 seconds

And this config:

# MANAGED BY PUPPET
server {
  listen *:80;


  server_name           www.puppetlabs.com;

  
  index  index.html index.htm index.php;
  access_log            /var/log/nginx/www.puppetlabs.com.access.log;
  error_log             /var/log/nginx/www.puppetlabs.com.error.log;

  location / {
    root      /var/www/www.puppetlabs.com;
    index     index.html index.htm index.php;
  }
}
# MANAGED BY PUPPET
server {
  listen       *:443 ssl http2;


  server_name  www.puppetlabs.com;

  ssl on;

  index  index.html index.htm index.php;
  access_log            /var/log/nginx/ssl-www.puppetlabs.com.access.log;
  error_log             /var/log/nginx/ssl-www.puppetlabs.com.error.log;
  

  location / {
    root      /var/www/www.puppetlabs.com;
    index     index.html index.htm index.php;
  }
}

The second run results in:


Notice: Compiled catalog for 8b66d320db32.united.domain in environment production in 0.56 seconds
Notice: /Stage[main]/Main/Nginx::Resource::Server[www.puppetlabs.com]/Concat[/etc/nginx/sites-available/www.puppetlabs.com.conf]/File[/etc/nginx/sites-available/www.puppetlabs.com.conf]/content: content changed '{sha256}770c3991fabf89780db2fca2ae375ac93fe95c07efe3f0d210feb3e0ebc58f90' to '{sha256}87685a2b154a18f5fc2a900272985a26ff858199c2732d7e357fb68080463ebd'
Error: Could not start Service[nginx]: Execution of '/etc/init.d/nginx start' returned 1: nginx: [warn] the "listen ... http2" directive is deprecated, use the "http2" directive instead in /etc/nginx/sites-enabled/www.puppetlabs.com.conf:20
nginx: [emerg] no "ssl_certificate" is defined for the "listen ... ssl" directive in /etc/nginx/sites-enabled/www.puppetlabs.com.conf:19
Error: /Stage[main]/Nginx::Service/Service[nginx]/ensure: change from 'stopped' to 'running' failed: Could not start Service[nginx]: Execution of '/etc/init.d/nginx start' returned 1: nginx: [warn] the "listen ... http2" directive is deprecated, use the "http2" directive instead in /etc/nginx/sites-enabled/www.puppetlabs.com.conf:20
nginx: [emerg] no "ssl_certificate" is defined for the "listen ... ssl" directive in /etc/nginx/sites-enabled/www.puppetlabs.com.conf:19
Notice: /Stage[main]/Nginx::Service/Service[nginx]: Triggered 'refresh' from 1 event
Notice: Applied catalog in 2.16 seconds

and this config:

# MANAGED BY PUPPET
server {
  listen *:80;


  server_name           www.puppetlabs.com;

  
  index  index.html index.htm index.php;
  access_log            /var/log/nginx/www.puppetlabs.com.access.log;
  error_log             /var/log/nginx/www.puppetlabs.com.error.log;

  location / {
    root      /var/www/www.puppetlabs.com;
    index     index.html index.htm index.php;
  }
}
# MANAGED BY PUPPET
server {
  listen       *:443 ssl http2;


  server_name  www.puppetlabs.com;


  index  index.html index.htm index.php;
  access_log            /var/log/nginx/ssl-www.puppetlabs.com.access.log;
  error_log             /var/log/nginx/ssl-www.puppetlabs.com.error.log;
  

  location / {
    root      /var/www/www.puppetlabs.com;
    index     index.html index.htm index.php;
  }
}

Diff being the line ssl on; is removed.
This again is an indicator that this default: https://github.com/voxpupuli/puppet-nginx/blob/master/manifests/init.pp#L243 is very probematic.

This is with version 5 of the module.

IMHO the actual code that is important is https://github.com/voxpupuli/puppet-nginx/blob/master/templates/server/server_ssl_header.erb#L5-L10 and wasn't changed.

I will add a second comment with the same test for version 6

@TheMeier
Copy link
Contributor

TheMeier commented Aug 1, 2024

1st run:

Notice: Preparing to upgrade 'puppet-nginx' ...
Notice: Found 'puppet-nginx' (v5.0.0) in /etc/puppetlabs/code/environments/production/modules ...
Notice: Downloading from https://forgeapi.puppet.com ...
Notice: Upgrading -- do not interrupt ...
/etc/puppetlabs/code/environments/production/modules
└── puppet-nginx (v5.0.0 -> v6.0.0)
root@8b66d320db32:/# /opt/puppetlabs/puppet/bin/puppet apply test.pp
Notice: Compiled catalog for 8b66d320db32.united.domain in environment production in 0.56 seconds
Notice: /Stage[main]/Nginx::Package::Debian/Package[nginx]/ensure: created
Notice: /Stage[main]/Nginx::Config/File[/etc/nginx/conf.stream.d]/ensure: created
Notice: /Stage[main]/Nginx::Config/File[/etc/nginx/conf.mail.d]/ensure: created
Notice: /Stage[main]/Nginx::Config/File[/etc/nginx/snippets]/ensure: created
Notice: /Stage[main]/Nginx::Config/File[/var/log/nginx]/group: group changed 'root' to 'adm'
Notice: /Stage[main]/Nginx::Config/File[/etc/nginx/sites-available]/ensure: created
Notice: /Stage[main]/Nginx::Config/File[/etc/nginx/sites-enabled]/ensure: created
Notice: /Stage[main]/Nginx::Config/File[/etc/nginx/streams-enabled]/ensure: created
Notice: /Stage[main]/Nginx::Config/File[/etc/nginx/streams-available]/ensure: created
Notice: /Stage[main]/Nginx::Config/File[/etc/nginx/nginx.conf]/content: content changed '{sha256}078266b9ee3e3c9c8ff30a342e089d7015c3e148bb9d1d41493d38615ae8adec' to '{sha256}964d3f5624ec777e375729a51bd31470f699c266e4f2b6e4c618f8204c091d0f'
Notice: /Stage[main]/Nginx::Config/File[/etc/nginx/mime.types]/content: content changed '{sha256}6f95d1d7d75e3c072907d845622a69d23110d1266c16ff122b3109b8b21f3ae9' to '{sha256}e8197a00fba8b28be9e21be01e576c5a1205ca6f078099a6aebf9cccfb082256'
Notice: /Stage[main]/Main/Nginx::Resource::Server[www.puppetlabs.com]/Concat[/etc/nginx/sites-available/www.puppetlabs.com.conf]/File[/etc/nginx/sites-available/www.puppetlabs.com.conf]/ensure: defined content as '{sha256}87685a2b154a18f5fc2a900272985a26ff858199c2732d7e357fb68080463ebd'
Notice: /Stage[main]/Main/Nginx::Resource::Server[www.puppetlabs.com]/File[www.puppetlabs.com.conf symlink]/ensure: created
Error: Could not start Service[nginx]: Execution of '/etc/init.d/nginx start' returned 1: nginx: [warn] the "listen ... http2" directive is deprecated, use the "http2" directive instead in /etc/nginx/sites-enabled/www.puppetlabs.com.conf:20
nginx: [emerg] no "ssl_certificate" is defined for the "listen ... ssl" directive in /etc/nginx/sites-enabled/www.puppetlabs.com.conf:19
Error: /Stage[main]/Nginx::Service/Service[nginx]/ensure: change from 'stopped' to 'running' failed: Could not start Service[nginx]: Execution of '/etc/init.d/nginx start' returned 1: nginx: [warn] the "listen ... http2" directive is deprecated, use the "http2" directive instead in /etc/nginx/sites-enabled/www.puppetlabs.com.conf:20
nginx: [emerg] no "ssl_certificate" is defined for the "listen ... ssl" directive in /etc/nginx/sites-enabled/www.puppetlabs.com.conf:19
Notice: /Stage[main]/Nginx::Service/Service[nginx]: Triggered 'refresh' from 1 event
Notice: Applied catalog in 5.55 seconds

config:

# MANAGED BY PUPPET
server {
  listen *:80;


  server_name           www.puppetlabs.com;

  
  index  index.html index.htm index.php;
  access_log            /var/log/nginx/www.puppetlabs.com.access.log;
  error_log             /var/log/nginx/www.puppetlabs.com.error.log;

  location / {
    root      /var/www/www.puppetlabs.com;
    index     index.html index.htm index.php;
  }
}
# MANAGED BY PUPPET
server {
  listen       *:443 ssl http2;


  server_name  www.puppetlabs.com;


  index  index.html index.htm index.php;
  access_log            /var/log/nginx/ssl-www.puppetlabs.com.access.log;
  error_log             /var/log/nginx/ssl-www.puppetlabs.com.error.log;
  

  location / {
    root      /var/www/www.puppetlabs.com;
    index     index.html index.htm index.php;
  }
}

2nd run:

Notice: Compiled catalog for 8b66d320db32.united.domain in environment production in 0.58 seconds
Notice: /Stage[main]/Main/Nginx::Resource::Server[www.puppetlabs.com]/Concat[/etc/nginx/sites-available/www.puppetlabs.com.conf]/File[/etc/nginx/sites-available/www.puppetlabs.com.conf]/content: content changed '{sha256}87685a2b154a18f5fc2a900272985a26ff858199c2732d7e357fb68080463ebd' to '{sha256}9ba748a3ca51ea8b8ed8bdf07f6e5db04865ce42ebd4219acc9bde5dd25837fe'
Error: Could not start Service[nginx]: Execution of '/etc/init.d/nginx start' returned 1: nginx: [emerg] no "ssl_certificate" is defined for the "listen ... ssl" directive in /etc/nginx/sites-enabled/www.puppetlabs.com.conf:19
Error: /Stage[main]/Nginx::Service/Service[nginx]/ensure: change from 'stopped' to 'running' failed: Could not start Service[nginx]: Execution of '/etc/init.d/nginx start' returned 1: nginx: [emerg] no "ssl_certificate" is defined for the "listen ... ssl" directive in /etc/nginx/sites-enabled/www.puppetlabs.com.conf:19
Notice: /Stage[main]/Nginx::Service/Service[nginx]: Triggered 'refresh' from 1 event
Notice: Applied catalog in 2.03 seconds

config:

# MANAGED BY PUPPET
server {
  listen *:80;


  server_name           www.puppetlabs.com;

  
  index  index.html index.htm index.php;
  access_log            /var/log/nginx/www.puppetlabs.com.access.log;
  error_log             /var/log/nginx/www.puppetlabs.com.error.log;

  location / {
    root      /var/www/www.puppetlabs.com;
    index     index.html index.htm index.php;
  }
}
# MANAGED BY PUPPET
server {
  listen       *:443 ssl;


  server_name  www.puppetlabs.com;

  http2 on;

  index  index.html index.htm index.php;
  access_log            /var/log/nginx/ssl-www.puppetlabs.com.access.log;
  error_log             /var/log/nginx/ssl-www.puppetlabs.com.error.log;
  

  location / {
    root      /var/www/www.puppetlabs.com;
    index     index.html index.htm index.php;
  }
}

diff:

@@ -17,11 +17,12 @@
 }
 # MANAGED BY PUPPET
 server {
-  listen       *:443 ssl http2;
+  listen       *:443 ssl;
 
 
   server_name  www.puppetlabs.com;
 
+  http2 on;
 
   index  index.html index.htm index.php;
   access_log            /var/log/nginx/ssl-www.puppetlabs.com.access.log;

@TheMeier TheMeier removed their assignment Aug 1, 2024
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
None yet
Projects
None yet
Development

No branches or pull requests

2 participants