I'm having difficulty getting my head around some CA issues

My client has:

[puppetd]
ca_server=puppetca.mydomain.com

and puppet resolves to a different machine.
When puppet connects, it requests a signature from puppetca.mydomain.com but then on the next pass fails with the following:

err: Could not retrieve catalog: Certificates were not trusted: SSL_connect returned=1 errno=0 state=SSLv3 read finished A: tlsv1 alert unknown ca

Is there something I have to do on the puppetmaster to tell it about the other CA?

--e

--~--~---------~--~----~------------~-------~--~----~
You received this message because you are subscribed to the Google Groups "Puppet Users" group.
To post to this group, send email to puppet-users@googlegroups.com
To unsubscribe from this group, send email to puppet-users+unsubscribe@googlegroups.com
For more options, visit this group at http://groups.google.com/group/puppet-users?hl=en
-~----------~----~----~----~------~----~------~--~---
On 10 November 2008 14:04, Eugene Ventimiglia <eventi@gmail.com> wrote:
> I'm having difficulty getting my head around some CA issues
> My client has:
> [puppetd]
> ca_server=puppetca.mydomain.com
>
> and puppet resolves to a different machine.
> When puppet connects, it requests a signature from puppetca.mydomain.com but then on the next pass fails with the following:
>
> err: Could not retrieve catalog: Certificates were not trusted: SSL_connect returned=1 errno=0 state=SSLv3 read finished A: tlsv1 alert unknown ca
>
> Is there something I have to do on the puppetmaster to tell it about the other CA?
> --e

Hrm, not sure I have enough information to help you out here. I'm going to make the following assumptions, please correct me if I'm wrong.

puppetca: creates puppet client certs
puppetmaster: another puppet master cert
puppet client: created from the puppetca

When the puppet client gets the cert from the puppetca, then tries to talk to the puppetmaster, it fails because the puppetmaster doesn't trust the client, and the client doesn't trust the puppetmaster. What you need to do is make sure the puppetmaster cert is signed by the puppetca (that will get the client trusting the master) and make sure the public cert of the puppetca is in the CA file on the puppetmaster (so it will trust the client).

.r'
Thanks - Your assumptions are correct.

I have the following setup:

Server A is the Puppetmaster for Server B
Server B is the Puppetmaster for Server C

Server C has ca_server pointing to Server A

I believe that Server B's cert is signed by Server A, since Server B is able to get its configs from Server A...

How do I get Server A's public cert into the CA file of Server B?

On Mon, Nov 10, 2008 at 5:27 PM, RijilV <rijilv@riji.lv> wrote:
> Hrm, not sure I have enough information to help you out here. I'm going to make the following assumptions, please correct me if I'm wrong.
>
> puppetca: creates puppet client certs
> puppetmaster: another puppet master cert
> puppet client: created from the puppetca
>
> When the puppet client gets the cert from the puppetca, then tries to talk to the puppetmaster, it fails because the puppetmaster doesn't trust the client, and the client doesn't trust the puppetmaster. What you need to do is make sure the puppetmaster cert is signed by the puppetca (that will get the client trusting the master) and make sure the public cert of the puppetca is in the CA file on the puppetmaster (so it will trust the client).
>
> .r'
I'm not sure you need that, if your certificates are not chained...
Server B should point to the same ca_server as server C.

Hope it helps,
Ohad

On Tue, Nov 11, 2008 at 8:00 AM, Eugene Ventimiglia <eventi@gmail.com> wrote:
> Thanks - Your assumptions are correct.
>
> I have the following setup:
>
> Server A is the Puppetmaster for Server B
> Server B is the Puppetmaster for Server C
>
> Server C has ca_server pointing to Server A
>
> I believe that Server B's cert is signed by Server A, since Server B is able to get its configs from Server A...
>
> How do I get Server A's public cert into the CA file of Server B?
Well I know I have to do something besides setting ca_server on Server 3 because it's not working

On Mon, Nov 10, 2008 at 9:54 PM, Ohad Levy <ohadlevy@gmail.com> wrote:
> I'm not sure you need that, if your certificates are not chained...
> Server B should point to the same ca_server as server C.
>
> Hope it helps,
> Ohad
2008/11/10 Eugene Ventimiglia <eventi@gmail.com>
> Well I know I have to do something besides setting ca_server on Server 3 because it's not working
>
> On Mon, Nov 10, 2008 at 9:54 PM, Ohad Levy <ohadlevy@gmail.com> wrote:
>> I'm not sure you need that, if your certificates are not chained...
>> Server B should point to the same ca_server as server C.
>>
>> Hope it helps,
>> Ohad

If server B has a cert generated from the common puppet_ca, server C should be able to talk to server B, though I haven't tested that out. You might make sure that the cert that the puppet master is using is in fact generated from your puppet_ca.

If that doesn't work for you, there are some pages on the wiki regarding setting up chained certs, though none of them are complete - rewriting them has been sitting on my todo list for awhile now. Ohad and I have also had some good conversations on this list about it, might try looking through the archives.

.r'
On Tue, Nov 11, 2008 at 11:50 AM, RijilV <rijilv@riji.lv> wrote:
> 2008/11/10 Eugene Ventimiglia <eventi@gmail.com>
>
> If that doesn't work for you, there are some pages on the wiki regarding setting up chained certs, though none of them are complete - rewriting them has been sitting on my todo list for awhile now. Ohad and I have also had some good conversations on this list about it, might try looking through the archives.

What do you miss in the documentation? I did a copy-paste from the scripts that generate the whole thing, so I was hoping I didn't miss anything...

Cheers,
Ohad
Here's the current state of affairs:

Server A is the Puppetmaster for Server B

I bring up Server B, run puppetd --test and sign Server B's cert on Server A
I bring up Server C, set ca_server=servera, run puppetd --test and sign Server C's cert on Server A

When I run puppetd --test on Server C (which has a cert signed by Server A), it connects to Server B and I get the following:

warning: peer certificate won't be verified in this SSL session
notice: Got signed certificate
info: Retrieving plugins
err: /File[/var/lib/puppet/lib]: Failed to generate additional resources during transaction: Certificates were not trusted: SSL_connect returned=1 errno=0 state=SSLv3 read finished A: tlsv1 alert unknown ca
err: /File[/var/lib/puppet/lib]/source: Could not describe /plugins: Certificates were not trusted: SSL_connect returned=1 errno=0 state=SSLv3 read finished A: tlsv1 alert unknown ca
warning: /File[/var/lib/puppet/lib]/ensure: No specified sources exist
warning: /File[/var/lib/puppet/lib]/ensure: No specified sources exist
warning: /File[/var/lib/puppet/lib]/source: No specified sources exist
err: Could not retrieve catalog: Certificates were not trusted: SSL_connect returned=1 errno=0 state=SSLv3 read finished A: tlsv1 alert unknown ca
warning: Not using cache on failed catalog
root@domU-12-31-38-00-79-27:~#

It still seems like Server B does not trust the cert signed by Server A

On Nov 10, 10:50 pm, RijilV <rij...@riji.lv> wrote:
> If server B has a cert generated from the common puppet_ca, server C should be able to talk to server B, though I haven't tested that out. You might make sure that the cert that the puppet master is using is in fact generated from your puppet_ca.
>
> If that doesn't work for you, there are some pages on the wiki regarding setting up chained certs, though none of them are complete - rewriting them has been sitting on my todo list for awhile now. Ohad and I have also had some good conversations on this list about it, might try looking through the archives.
>
> .r'
What documentation are you referring to? I couldn't find any

On Nov 11, 12:11 am, "Ohad Levy" <ohadl...@gmail.com> wrote:
> On Tue, Nov 11, 2008 at 11:50 AM, RijilV <rij...@riji.lv> wrote:
>> If that doesn't work for you, there are some pages on the wiki regarding setting up chained certs, though none of them are complete - rewriting them has been sitting on my todo list for awhile now. Ohad and I have also had some good conversations on this list about it, might try looking through the archives.
>
> What do you miss in the documentation? I did a copy-paste from the scripts that generate the whole thing, so I was hoping I didn't miss anything...
>
> Cheers,
> Ohad
I don't understand that last bit: "make sure the public cert of the puppetca is in the CA file on the puppetmaster (so it will trust the client)."

How do I put the public cert of the puppetca into the puppetmaster?

On Mon, Nov 10, 2008 at 5:27 PM, RijilV <rijilv@riji.lv> wrote:
> Hrm, not sure I have enough information to help you out here. I'm going to make the following assumptions, please correct me if I'm wrong.
>
> puppetca: creates puppet client certs
> puppetmaster: another puppet master cert
> puppet client: created from the puppetca
>
> When the puppet client gets the cert from the puppetca, then tries to talk to the puppetmaster, it fails because the puppetmaster doesn't trust the client, and the client doesn't trust the puppetmaster. What you need to do is make sure the puppetmaster cert is signed by the puppetca (that will get the client trusting the master) and make sure the public cert of the puppetca is in the CA file on the puppetmaster (so it will trust the client).
>
> .r'
On 11 November 2008 12:43, Eugene Ventimiglia <eventi@gmail.com> wrote:
> I don't understand that last bit: "make sure the public cert of the puppetca is in the CA file on the puppetmaster (so it will trust the client)."
> How do I put the public cert of the puppetca into the puppetmaster?

ah, try shoving the puppetca's 'CA file' ( $PUPPETLIB/ssl/certs/ca.pem ) to the puppetmaster...

though, if the puppetmaster can already grab a manifest and such for the puppetca, those files should already be the same.

Can the puppetmaster talk to itself?

.r'
> On 11 November 2008 12:43, Eugene Ventimiglia <eventi@gmail.com> wrote:
>> I don't understand that last bit: "make sure the public cert of the puppetca is in the CA file on the puppetmaster (so it will trust the client)."
>> How do I put the public cert of the puppetca into the puppetmaster?
>
> ah, try shoving the puppetca's 'CA file' ( $PUPPETLIB/ssl/certs/ca.pem ) to the puppetmaster...
>
> though, if the puppetmaster can already grab a manifest and such for the puppetca, those files should already be the same.

They were not the same, but putting the puppetca's ca.pem in place of the puppetmaster's did not

> Can the puppetmaster talk to itself?

It can't, but it's not supposed to. It's supposed to be getting its configs from Server A (the puppetca)

> .r'
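The two trust conditions RijilV lists earlier in the thread (the master's cert must be signed by the puppetca, and the puppetca's public cert must be in the master's CA file) and the ca.pem swap tried in the message above can be reproduced offline with throwaway CAs, which makes it clear why copying ca.pem alone repairs only one direction. This is an added example, not code from the thread or from Puppet: it assumes only the openssl command-line tool, and the host names servera/serverb/serverc, the directories under a mktemp path and the check_trust helper are constructed for the demonstration (it never touches the real $PUPPETLIB/ssl/certs/ca.pem).

```shell
#!/bin/sh
# Added example, not from the thread: reproduce the "unknown ca" rejection with
# throwaway CAs and show which trust direction each fix repairs.
# Assumes only the openssl CLI; every name and path below is constructed here.
set -eu

WORK="$(mktemp -d)"
trap 'rm -rf "$WORK"' EXIT

# Create a throwaway self-signed CA (ca_key.pem + ca.pem) in directory $1 with CN $2.
make_ca() {
    mkdir -p "$1"
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=$2" \
        -keyout "$1/ca_key.pem" -out "$1/ca.pem" >/dev/null 2>&1
}

# Issue a host certificate for CN $3 into directory $2, signed by the CA in $1.
issue_cert() {
    mkdir -p "$2"
    openssl req -new -newkey rsa:2048 -nodes -subj "/CN=$3" \
        -keyout "$2/$3.key" -out "$2/$3.csr" >/dev/null 2>&1
    openssl x509 -req -in "$2/$3.csr" -days 1 -CA "$1/ca.pem" \
        -CAkey "$1/ca_key.pem" -CAcreateserial -out "$2/$3.pem" >/dev/null 2>&1
}

# The question each side asks during the TLS handshake: does cert $2 chain to
# the CA file $1?  Prints "trusted" or "unknown ca" (the alert seen in the thread).
check_trust() {
    if openssl verify -CAfile "$1" "$2" >/dev/null 2>&1; then
        echo trusted
    else
        echo "unknown ca"
    fi
}

# Topology from the thread (constructed): Server A is the CA that signed the
# agent cert of Server C; Server B is the puppetmaster C talks to, and B was
# brought up with its own separate CA.
make_ca "$WORK/servera" "Puppet CA: servera"
make_ca "$WORK/serverb" "Puppet CA: serverb"
issue_cert "$WORK/servera" "$WORK/serverc" serverc   # C's agent cert, signed by A
issue_cert "$WORK/serverb" "$WORK/serverb" serverb   # B's master cert, signed by B

# Direction 1: B verifying C.  Fails while B's ca.pem is B's own CA ...
RESULT_B_OWN_CA="$(check_trust "$WORK/serverb/ca.pem" "$WORK/serverc/serverc.pem")"
# ... and succeeds once A's ca.pem is copied into place (the fix tried above).
cp "$WORK/servera/ca.pem" "$WORK/serverb/ca.pem"
RESULT_B_WITH_A_CA="$(check_trust "$WORK/serverb/ca.pem" "$WORK/serverc/serverc.pem")"

# Direction 2: C verifying B's master cert.  C trusts only A, and B's cert is
# still signed by B's old CA, so the copy alone leaves this direction broken.
RESULT_C_SEES_OLD_B="$(check_trust "$WORK/servera/ca.pem" "$WORK/serverb/serverb.pem")"
# Re-issuing B's master cert from A is what completes the second condition.
issue_cert "$WORK/servera" "$WORK/serverb" serverb
RESULT_C_SEES_NEW_B="$(check_trust "$WORK/servera/ca.pem" "$WORK/serverb/serverb.pem")"

printf 'B checks C, B own ca.pem:      %s\n' "$RESULT_B_OWN_CA"
printf 'B checks C, A ca.pem copied:   %s\n' "$RESULT_B_WITH_A_CA"
printf 'C checks B, B cert from old CA: %s\n' "$RESULT_C_SEES_OLD_B"
printf 'C checks B, B cert from A:      %s\n' "$RESULT_C_SEES_NEW_B"
```

Run it as-is; the four printed lines read unknown ca, trusted, unknown ca, trusted. The third line is the state the thread is stuck in after the ca.pem copy: the master accepts the agent, but the agent still rejects a master certificate that was not issued by the CA it trusts, which is why the puppetmaster's own cert has to come from the same CA as well.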
http://reductivelabs.com/trac/puppet/wiki/PuppetScalability

see the second part about Centralized Puppet Infrastructure

Ohad

On Tue, Nov 11, 2008 at 9:35 PM, eventi <eventi@gmail.com> wrote:
> What documentation are you referring to? I couldn't find any
>
> On Nov 11, 12:11 am, "Ohad Levy" <ohadl...@gmail.com> wrote:
>> What do you miss in the documentation? I did a copy-paste from the scripts that generate the whole thing, so I was hoping I didn't miss anything...
>>
>> Cheers,
>> Ohad