Puppet Enterprise outdated version install "apt gpg expired"

Puppet Enterprise reports unauthenticated packages during installation

2025-04-21T09:06:35.553+00:00 - [Error]: Could not update: Execution of '/usr/bin/apt-get -q -y -o DPkg::Options::=--force-confold install pe-java11' returned 100: Reading package lists...
Building dependency tree...
Reading state information...
The following additional packages will be installed:
pe-puppet-enterprise-release
The following NEW packages will be installed:
pe-java11 pe-puppet-enterprise-release
0 upgraded, 2 newly installed, 0 to remove and 0 not upgraded.
Need to get 0 B/56.9 MB of archives.
After this operation, 169 MB of additional disk space will be used.
WARNING: The following packages cannot be authenticated!
pe-puppet-enterprise-release pe-java11
E: There were unauthenticated packages and -y was used without --allow-unauthenticated
2025-04-21T09:06:35.554+00:00 - [Error]: /Stage[main]/Puppet_enterprise::Packages/Package[pe-java11]/ensure: change from 'purged' to 'latest' failed: Could not update: Execution of '/usr/bin/apt-get -q -y -o DPkg::Options::=--force-confold install pe-java11' returned 100: Reading package lists...

This happens because the certificate has expired. I was installing Puppet Enterprise 7.8.0, and because that version has long been unsupported, its GPG key is expired:

root@kirisamekano:/opt/puppetlabs/puppet/lib/ruby/vendor_ruby/puppet/provider/package# apt-key list
/etc/apt/trusted.gpg
--------------------
pub rsa4096 2016-08-18 [SC] [expired: 2021-08-17]
6F6B 1550 9CF8 E59E 6E46 9F32 7F43 8280 EF8D 349F
uid [ expired] Puppet, Inc. Release Key (Puppet, Inc. Release Key) <release@puppet.com>

pub rsa4096 2019-04-08 [SC] [expired: 2025-04-06]
D681 1ED3 ADEE B844 1AF5 AA8F 4528 B6CD 9E61 EF26
uid [ expired] Puppet, Inc. Release Key (Puppet, Inc. Release Key) <release@puppet.com>

/etc/apt/trusted.gpg.d/ubuntu-keyring-2012-archive.gpg
------------------------------------------------------
pub rsa4096 2012-05-11 [SC]
790B C727 7767 219C 42C8 6F93 3B4F E6AC C0B2 1F32
uid [ unknown] Ubuntu Archive Automatic Signing Key (2012) <ftpmaster@ubuntu.com>

/etc/apt/trusted.gpg.d/ubuntu-keyring-2012-cdimage.gpg
------------------------------------------------------
pub rsa4096 2012-05-11 [SC]
8439 38DF 228D 22F7 B374 2BC0 D94A A3F0 EFE2 1092
uid [ unknown] Ubuntu CD Image Automatic Signing Key (2012) <cdimage@ubuntu.com>

/etc/apt/trusted.gpg.d/ubuntu-keyring-2018-archive.gpg
------------------------------------------------------
pub rsa4096 2018-09-17 [SC]
F6EC B376 2474 EDA9 D21B 7022 8719 20D1 991B C93C
uid [ unknown] Ubuntu Archive Automatic Signing Key (2018) <ftpmaster@ubuntu.com>
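
To confirm which trusted keys are expired before changing anything, the `apt-key list` output above can be parsed. This is an added example, not part of the original post; the function names are hypothetical and the sample is the first three keys of that output.

```python
import re
from datetime import date

# Sample copied from the apt-key list output shown above (first three keys).
SAMPLE = """\
/etc/apt/trusted.gpg
--------------------
pub rsa4096 2016-08-18 [SC] [expired: 2021-08-17]
6F6B 1550 9CF8 E59E 6E46 9F32 7F43 8280 EF8D 349F
uid [ expired] Puppet, Inc. Release Key (Puppet, Inc. Release Key) <release@puppet.com>

pub rsa4096 2019-04-08 [SC] [expired: 2025-04-06]
D681 1ED3 ADEE B844 1AF5 AA8F 4528 B6CD 9E61 EF26
uid [ expired] Puppet, Inc. Release Key (Puppet, Inc. Release Key) <release@puppet.com>

/etc/apt/trusted.gpg.d/ubuntu-keyring-2012-archive.gpg
------------------------------------------------------
pub rsa4096 2012-05-11 [SC]
790B C727 7767 219C 42C8 6F93 3B4F E6AC C0B2 1F32
uid [ unknown] Ubuntu Archive Automatic Signing Key (2012) <ftpmaster@ubuntu.com>
"""

PUB = re.compile(r"^pub\s+(\S+)\s+(\d{4}-\d\d-\d\d)\s+\[\w+\](?:\s+\[(?:expired|expires):\s*(\d{4}-\d\d-\d\d)\])?")
FPR = re.compile(r"^\s*((?:[0-9A-F]{4}\s+){9}[0-9A-F]{4})\s*$")
UID = re.compile(r"^uid\s+\[[^\]]*\]\s+(.*)$")

def parse_apt_key_list(text):
    """Return one dict per 'pub' entry: keyring, algo, created, expires, fingerprint, uid."""
    keys, keyring = [], None
    for line in text.splitlines():
        if line.startswith("/"):  # a keyring path opens each section
            keyring = line.strip()
        elif m := PUB.match(line):
            expires = date.fromisoformat(m.group(3)) if m.group(3) else None
            keys.append({"keyring": keyring, "algo": m.group(1), "created": date.fromisoformat(m.group(2)),
                         "expires": expires, "fingerprint": None, "uid": None})
        elif keys and (m := FPR.match(line)) and keys[-1]["fingerprint"] is None:
            keys[-1]["fingerprint"] = "".join(m.group(1).split())
        elif keys and (m := UID.match(line)) and keys[-1]["uid"] is None:
            keys[-1]["uid"] = m.group(1)
    return keys

def expired_keys(text, today):
    """Keys whose expiry date is before `today`; keys without an expiry never match."""
    return [k for k in parse_apt_key_list(text) if k["expires"] and k["expires"] < today]

if __name__ == "__main__":
    for k in expired_keys(SAMPLE, date(2025, 4, 21)):
        print(f'{k["expires"]}  {k["fingerprint"]}  {k["keyring"]}  {k["uid"]}')
```

Checked against the install date in the log (2025-04-21), both Puppet release keys are reported; the second one expired on 2025-04-06, fifteen days before the failed run.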

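That is exactly why the error says "--allow-unauthenticated" has to be added. To get the install through, note that the error shows the failure occurs when apt-get is called, and that this apt-get call is triggered by: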

/opt/puppetlabs/puppet/bin/puppet infrastructure configure  --detailed-exitcodes --environmentpath /opt/puppetlabs/server/data/environments --environment enterprise --no-noop --libdir /dev/null --factpath /dev/null --install=2021.7.8 --disable_warnings deprecations --install-method='repair'  

this command, so we go to the following path to see how its module is written and whether the flag can be forced in:

/opt/puppetlabs/server/data/environments

After searching around, I found no module related to this command, so the next thing to consider is a lower-level call, namely the Ruby method:

root@kirisamekano:/opt/puppetlabs/puppet/lib/ruby/vendor_ruby/puppet/provider/package# grep -r '/usr/bin/apt-get' .
./apt.rb: commands :aptget => "/usr/bin/apt-get"

First, "/usr/bin/apt-get" turns out to be aliased as "aptget". The file name looks very much like a method file, and opening it shows this is the place:

Before:
checkforcdrom
cmd = %w{-q -y}

After:
checkforcdrom
cmd = %w{-q -y --allow-unauthenticated}

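Run the install script again and the installation completes. Alternatively, you can copy the packages out of the error output one by one and install them manually.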


https://www.kirisamekano.com/2025/04/23/pe-install/
Author: Karol
Published: April 23, 2025