Hello,

I'm trying to have puppet working without handling any part of a PKI. On one side I've got a puppet installation working, on the other side a PKI (dogtag).

I try to tell puppetmasterd to use my CA.crt and an already functioning cert, but at launch time it still generates its own certificate request. So I tried to sign its request, but it still ignores the certificate.

Here's an excerpt from the puppet.conf:

    [puppetmasterd]
    ca = false
    hostcert = /tmp/cert/server/puppet.crt
    cacert = /tmp/cert/server/ca.crt
    hostpubkey = /tmp/cert/server/puppet.pub.key
    hostprivkey = /tmp/cert/server/puppet.key

Here's the log when I launch:

    # puppetmasterd --no-daemonize
    Could not run: Could not retrieve certificate for ipa2.gamma.agorabox.org and not running on a valid certificate authority

Just to be sure, I've verified "hostcert" against the CA:

    # openssl verify -CAfile ca.crt puppet.crt
    puppet.crt: OK

Here is the information contained in the "hostcert":

    Subject: DC=org, DC=agorabox, OU=gamma, CN=ipa2.gamma.agorabox.org
    ....
    X509v3 extensions:
    ....
        X509v3 Key Usage: critical
            Digital Signature, Non Repudiation, Key Encipherment, Data Encipherment
        X509v3 Extended Key Usage:
            TLS Web Server Authentication
    ....

Thanks
Piir

--
You received this message because you are subscribed to the Google Groups "Puppet Users" group.
To post to this group, send email to puppet-users@googlegroups.com.
To unsubscribe from this group, send email to puppet-users+unsubscribe@googlegroups.com.
For more options, visit this group at http://groups.google.com/group/puppet-users?hl=en.
2010/5/6 piir D.K <piir.dk@gmail.com>
> Hello,
>
> I'm trying to have puppet working without handling any part of a PKI.
> On one side I've got a puppet installation working, on the other side
> a PKI (dogtag).
>
> I try to tell puppetmasterd to use my CA.crt and an already
> functioning cert, but at launch time it still generates its own
> certificate request. So I tried to sign its request, but it still
> ignores the certificate.

Hello,

I'm answering my own post: I did manage to launch both the client and the server with my own certificate. The problem was that puppet didn't seem to care about the values in puppet.conf.

In $ssldir I replaced those files with mine: certs/ca.pem, certs/<fqdn>.pem, private_keys/<fqdn>.pem, public_keys/<fqdn>.pem.

But I'm getting this error on the client (puppetd --no-daemonize -v -d):

    err: Could not retrieve catalog from remote server: certificate verify failed

On the server in masterhttp.log I can read this:

    [2010-06-03 15:40:18] DEBUG accept: XXX.XXX.0.3:49420
    [2010-06-03 15:40:18] ERROR OpenSSL::SSL::SSLError: tlsv1 alert unknown ca
    /usr/lib/ruby/site_ruby/1.8/puppet/network/http/webrick.rb:45:in `accept'
    /usr/lib/ruby/site_ruby/1.8/puppet/network/http/webrick.rb:45:in `listen'
    /usr/lib/ruby/1.8/webrick/server.rb:173:in `call'
    /usr/lib/ruby/1.8/webrick/server.rb:173:in `start_thread'
    /usr/lib/ruby/1.8/webrick/server.rb:162:in `start'
    /usr/lib/ruby/1.8/webrick/server.rb:162:in `start_thread'
    /usr/lib/ruby/1.8/webrick/server.rb:95:in `start'
    /usr/lib/ruby/1.8/webrick/server.rb:92:in `each'
    /usr/lib/ruby/1.8/webrick/server.rb:92:in `start'
    /usr/lib/ruby/1.8/webrick/server.rb:23:in `start'
    /usr/lib/ruby/1.8/webrick/server.rb:82:in `start'
    /usr/lib/ruby/site_ruby/1.8/puppet/network/http/webrick.rb:43:in `listen'
    /usr/lib/ruby/site_ruby/1.8/puppet/network/http/webrick.rb:42:in `initialize'
    /usr/lib/ruby/site_ruby/1.8/puppet/network/http/webrick.rb:42:in `new'
    /usr/lib/ruby/site_ruby/1.8/puppet/network/http/webrick.rb:42:in `listen'
    /usr/lib/ruby/site_ruby/1.8/puppet/network/http/webrick.rb:39:in `synchronize'
    /usr/lib/ruby/site_ruby/1.8/puppet/network/http/webrick.rb:39:in `listen'
    /usr/lib/ruby/site_ruby/1.8/puppet/network/server.rb:131:in `listen'
    /usr/lib/ruby/site_ruby/1.8/puppet/network/server.rb:146:in `start'
    /usr/lib/ruby/site_ruby/1.8/puppet/daemon.rb:128:in `start'
    /usr/lib/ruby/site_ruby/1.8/puppet/application/puppetmasterd.rb:122:in `main'
    /usr/lib/ruby/site_ruby/1.8/puppet/application.rb:226:in `send'
    /usr/lib/ruby/site_ruby/1.8/puppet/application.rb:226:in `run_command'
    /usr/lib/ruby/site_ruby/1.8/puppet/application.rb:217:in `run'
    /usr/lib/ruby/site_ruby/1.8/puppet/application.rb:306:in `exit_on_fail'
    /usr/lib/ruby/site_ruby/1.8/puppet/application.rb:217:in `run'
    /usr/sbin/puppetmasterd:66
    [2010-06-03 15:40:18] DEBUG close: XXX.XXX.0.3:49420
    [2010-06-03 15:49:06] DEBUG close TCPSocket(0.0.0.0, 8140)

I have tested all the certificates with openssl (s_server|s_client) -CAfile certs/ca.pem -cert certs/<fqdn>.pem -key private_keys/<fqdn>.pem, trying to connect from the client to the server. It works fine, and I got no errors.

Any help/tracks would be greatly appreciated.

piir
Which version of puppet are you using? There were issues with CRL in 0.25.x (partly fixed in 0.25.5). It's probably best if you can join the IRC channel; it would be easier to debug the problem :)

Ohad

On Thu, Jun 3, 2010 at 9:58 PM, piir <piir.dk@gmail.com> wrote:
> 2010/5/6 piir D.K <piir.dk@gmail.com>
>> Hello,
>>
>> I'm trying to have puppet working without handling any part of a PKI.
>> On one side I've got a puppet installation working, on the other side
>> a PKI (dogtag).
>>
>> I try to tell puppetmasterd to use my CA.crt and an already
>> functioning cert, but at launch time it still generates its own
>> certificate request. So I tried to sign its request, but it still
>> ignores the certificate.
>
> Hello,
>
> I'm answering my own post: I did manage to launch both the client and the
> server with my own certificate. The problem was that puppet didn't seem to
> care about the values in puppet.conf.
>
> In $ssldir I replaced those files with mine: certs/ca.pem, certs/<fqdn>.pem,
> private_keys/<fqdn>.pem, public_keys/<fqdn>.pem.
>
> But I'm getting this error on the client (puppetd --no-daemonize -v -d):
> err: Could not retrieve catalog from remote server: certificate verify
> failed
>
> On the server in masterhttp.log I can read this:
>
> [2010-06-03 15:40:18] DEBUG accept: XXX.XXX.0.3:49420
> [2010-06-03 15:40:18] ERROR OpenSSL::SSL::SSLError: tlsv1 alert unknown ca
> [...]
> /usr/sbin/puppetmasterd:66
> [2010-06-03 15:40:18] DEBUG close: XXX.XXX.0.3:49420
> [2010-06-03 15:49:06] DEBUG close TCPSocket(0.0.0.0, 8140)
>
> I have tested all the certificates with openssl (s_server|s_client) -CAfile
> certs/ca.pem -cert certs/<fqdn>.pem -key private_keys/<fqdn>.pem, trying to
> connect from the client to the server. It works fine, and I got no errors.
>
> Any help/tracks would be greatly appreciated.
>
> piir
On Thu, Jun 3, 2010 at 6:58 AM, piir <piir.dk@gmail.com> wrote:
> 2010/5/6 piir D.K <piir.dk@gmail.com>
>> Hello,
>>
>> I'm trying to have puppet working without handling any part of a PKI.
>> On one side I've got a puppet installation working, on the other side
>> a PKI (dogtag).
>>
>> I try to tell puppetmasterd to use my CA.crt and an already
>> functioning cert, but at launch time it still generates its own
>> certificate request. So I tried to sign its request, but it still
>> ignores the certificate.
>
> Hello,
>
> I'm answering my own post: I did manage to launch both the client and the
> server with my own certificate. The problem was that puppet didn't seem to
> care about the values in puppet.conf.
>
> In $ssldir I replaced those files with mine: certs/ca.pem, certs/<fqdn>.pem,
> private_keys/<fqdn>.pem, public_keys/<fqdn>.pem.
>
> But I'm getting this error on the client (puppetd --no-daemonize -v -d):
> err: Could not retrieve catalog from remote server: certificate verify
> failed
>
> On the server in masterhttp.log I can read this:
>
> [2010-06-03 15:40:18] DEBUG accept: XXX.XXX.0.3:49420
> [2010-06-03 15:40:18] ERROR OpenSSL::SSL::SSLError: tlsv1 alert unknown ca
> [...]
> /usr/sbin/puppetmasterd:66
> [2010-06-03 15:40:18] DEBUG close: XXX.XXX.0.3:49420
> [2010-06-03 15:49:06] DEBUG close TCPSocket(0.0.0.0, 8140)
>
> I have tested all the certificates with openssl (s_server|s_client) -CAfile
> certs/ca.pem -cert certs/<fqdn>.pem -key private_keys/<fqdn>.pem, trying to
> connect from the client to the server. It works fine, and I got no errors.
>
> Any help/tracks would be greatly appreciated.

From looking at my similar setup, I have these two file locations with the same contents:

    $ssldir/certs/ca.pem
    $ssldir/ca/ca_crt.pem

Are you perhaps missing the latter one?

> piir

--
nigel
2010/6/3 Nigel Kersten <nigelk@google.com>
> On Thu, Jun 3, 2010 at 6:58 AM, piir <piir.dk@gmail.com> wrote:
>> 2010/5/6 piir D.K <piir.dk@gmail.com>
>>> Hello,
>>>
>>> I'm trying to have puppet working without handling any part of a PKI.
>>> [...]
>>
>> Hello,
>>
>> I'm answering my own post: I did manage to launch both the client and
>> the server with my own certificate. The problem was that puppet didn't seem
>> to care about the values in puppet.conf.
>>
>> In $ssldir I replaced those files with mine: certs/ca.pem, certs/<fqdn>.pem,
>> private_keys/<fqdn>.pem, public_keys/<fqdn>.pem.
>>
>> But I'm getting this error on the client (puppetd --no-daemonize -v -d):
>> err: Could not retrieve catalog from remote server: certificate verify
>> failed
>>
>> On the server in masterhttp.log I can read this:
>>
>> [2010-06-03 15:40:18] DEBUG accept: XXX.XXX.0.3:49420
>> [2010-06-03 15:40:18] ERROR OpenSSL::SSL::SSLError: tlsv1 alert unknown ca
>> [...]
>>
>> I have tested all the certificates with openssl (s_server|s_client) -CAfile
>> certs/ca.pem -cert certs/<fqdn>.pem -key private_keys/<fqdn>.pem, trying to
>> connect from the client to the server. It works fine, and I got no errors.
>>
>> Any help/tracks would be greatly appreciated.
>
> From looking at my similar setup, I have these two file locations with the
> same contents:
>
> $ssldir/certs/ca.pem
> $ssldir/ca/ca_crt.pem
>
> Are you perhaps missing the latter one?
>
>> piir
>
> --
> nigel

Nigel,

The file wasn't missing. I talked with Ohad on IRC, and the error was that I had an invalid CRL. Now on version 0.25.5 we can disable the CRL check by adding to the conf:

    certificate_revocation = false

Two questions remain:

1. Does puppet handle the v3 extensions correctly? Does it forbid a client connecting with a cert that does not have TLS Web Client Authentication?

2. Will/does Puppet handle CRL through OCSP? If not, how heavy can the work be, and where to start?

Thanks for all
Piir