Hugo Cisneiros (Eitch)
2011-Mar-29 20:11 UTC
[Puppet Users] Puppet + Nginx + Passenger: Certificate Request Problem
Hi,

I did a Puppetmaster installation using Nginx + Puppet and almost everything is working. Almost :(

When a new client is going to connect to the puppet server, it generates its certificate and does a request on the web server (PUT). But it appears that the certificate is being stored in the wrong directory.

In WEBrick, the certificate requests are stored on /var/lib/puppet/ssl/ca/requests, which "puppetca -l" lists nicely and I can sign it. But with Passenger, the certificate is being stored on /var/lib/puppet/ssl/certificate_requests, which I know is used to store the local host certificate request, not the remote ones.

I did manage to get around this specifying the option requestdir=/var/lib/puppet/ssl/ca/requests (defaults to /var/lib/puppet/ssl/certificate_requests) on config.ru or /etc/puppet/puppet.conf but I think this is a strange behavior. Also, with this problem, auto-sign doesn't work (not critical for me).

Some information on my environment:

CentOS 5.5
puppet-0.25.5
facter-1.5.8
ruby-enterprise-1.8.7
ruby-enterprise-rubygem-passenger-3.0.0
ruby-enterprise-rubygem-rack-1.2.1

I traced both requests in WEBrick and Passenger and the client always requests the same paths:

---8<---
"GET /production/certificate/qamericana1.ir7.com.br HTTP/1.1" 404 49 "-" "-" "-"
"GET /production/certificate_request/qamericana1.ir7.com.br HTTP/1.1" 404 57 "-" "-" "-"
"PUT /production/certificate_request/qamericana1.ir7.com.br HTTP/1.1" 200 4 "-" "-" "-"
"GET /production/certificate/qamericana1.ir7.com.br HTTP/1.1" 404 49 "-" "-" "-"
---8<---

And config.ru:

---8<---
# a config.ru, for use with every rack-compatible webserver.
# SSL needs to be handled outside this, though.

# if puppet is not in your RUBYLIB:
$:.unshift('/usr/lib/ruby/site_ruby/1.8/')

$0 = "master"

# if you want debugging:
#ARGV << "--debug"

ARGV << "--confdir=/etc/puppet"
ARGV << "--requestdir=/var/lib/puppet/ssl/ca/requests"
ARGV << "--rack"

require 'puppet/application/puppetmasterd'

# we're usually running inside a Rack::Builder.new {} block,
# therefore we need to call run *here*.
run Puppet::Application[:puppetmasterd].run
---8<---

Thanks,

--
[]'s
Hugo
www.devin.com.br

--
You received this message because you are subscribed to the Google Groups "Puppet Users" group.
To post to this group, send email to puppet-users@googlegroups.com.
To unsubscribe from this group, send email to puppet-users+unsubscribe@googlegroups.com.
For more options, visit this group at http://groups.google.com/group/puppet-users?hl=en.
Hugo Cisneiros (Eitch)
2011-Mar-30 22:46 UTC
[Puppet Users] Re: Puppet + Nginx + Passenger: Certificate Request Problem
On Tue, Mar 29, 2011 at 5:11 PM, Hugo Cisneiros (Eitch) <hugo.cisneiros@gmail.com> wrote:

> Hi,
>
> I did a Puppetmaster installation using Nginx + Puppet and almost
> everything is working. Almost :(
>
> When a new client is going to connect to the puppet server, it generates
> its certificate and do a request on the web server (PUT). But it appears
> that the certificate is being stored on the wrong directory.
>
> In WEBrick, the certificate requests are stored on
> /var/lib/puppet/ssl/ca/requests, which "puppetca -l" lists nicely and I can
> sign it. But with Passenger, the certificate is being stored on
> /var/lib/puppet/ssl/certificate_requests, which I know is used to store the
> local host certificate request, not the remote ones.
>
> I did manage to get around this specifying the option
> requestdir=/var/lib/puppet/ssl/ca/requests (defaults
> to /var/lib/puppet/ssl/certificate_requests) on config.ru or
> /etc/puppet/puppet.conf but I think this is a strange behavior. Also, with
> this problem, auto-sign don't work (not critical for me).

Actually I was wrong... This "workaround" didn't work as expected. Even signing with puppetca -s, the signed certificate goes to the right place but the client doesn't know that it is signed and never begins its operation... Nginx log shows three 404's on /production/certificate/machine on each client run.

Any ideas?

--
[]'s
Hugo
www.devin.com.br
Eric Searcy
2011-Mar-31 06:06 UTC
Re: [Puppet Users] Re: Puppet + Nginx + Passenger: Certificate Request Problem
My working setup:

puppet.conf [master] section has the following:

> # Passenger SSL envvars
> ssl_client_header = SSL_CLIENT_S_DN
> ssl_client_verify_header = SSL_CLIENT_VERIFY

applicable parts of nginx.conf:

> env PATH
> [...]
> http {
> [...]
>
>     passenger_root /usr/lib/ruby/gems/1.8/gems/passenger-3.0.2;
>     passenger_ruby /usr/bin/ruby;
>
>     server {
>         listen 8140;
>         server_name _;
>
>         access_log /var/log/nginx/puppetmaster.log;
>         error_log /var/log/nginx/puppetmaster_error.log;
>
>         ssl on;
>         ssl_certificate /var/lib/puppet/ssl/certs/[PUPPETMASTERFQDN].pem;
>         ssl_certificate_key /var/lib/puppet/ssl/private_keys/[PUPPETMASTERFQDN].pem;
>         ssl_client_certificate /var/lib/puppet/ssl/ca/ca_crt.pem;
>         ssl_crl /var/lib/puppet/ssl/ca/ca_crl.pem;
>         ssl_protocols SSLv3 TLSv1;
>         ssl_ciphers ALL:!ADH:RC4+RSA:+HIGH:+MEDIUM:-LOW:-SSLv2:-EXP;
>         ssl_verify_client optional;
>
>         root /etc/puppet/rack/public;
>         passenger_enabled on;
>         passenger_min_instances 2;
>
>         passenger_set_cgi_param SSL_CLIENT_S_DN $ssl_client_s_dn;
>         passenger_set_cgi_param SSL_CLIENT_VERIFY $ssl_client_verify;
>     }

No custom config.ru stuff here, just ARGV << "--rack".

Eric
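The two CGI variables in Eric's nginx.conf are the only thing that tells the Rack-hosted puppetmaster who a client is: nginx fills SSL_CLIENT_VERIFY and SSL_CLIENT_S_DN from its own TLS handshake (ssl_verify_client optional), and puppet.conf's ssl_client_header / ssl_client_verify_header name those variables. The Ruby below is an added illustration of that contract, not Puppet's or nginx's own code: it derives the authenticated node name from the two variables and applies a constructed access policy shaped like Puppet's default auth.conf (bootstrap endpoints open, everything else certificate-only, a node may fetch only its own catalog). The DN format, the endpoint list and the sample requests are assumptions made for the example, modelled on the paths in the original post's access log.

```ruby
# Added example (not Puppet's or nginx's own code): deciding who a request is
# from, given the CGI variables that nginx sets with passenger_set_cgi_param
# and that puppet.conf names via ssl_client_header / ssl_client_verify_header.

SSL_CLIENT_HEADER        = 'SSL_CLIENT_S_DN'    # filled from $ssl_client_s_dn
SSL_CLIENT_VERIFY_HEADER = 'SSL_CLIENT_VERIFY'  # filled from $ssl_client_verify

# Returns the certificate CN of a verified client, or nil. The verify variable
# carries nginx's own handshake verdict, so the DN is only trusted when that
# verdict is SUCCESS; a DN arriving with NONE, FAILED or no verdict is ignored.
def authenticated_node(env)
  return nil unless env[SSL_CLIENT_VERIFY_HEADER] == 'SUCCESS'
  dn = env[SSL_CLIENT_HEADER].to_s
  # Assumption: nginx formats $ssl_client_s_dn as "/C=XX/O=Puppet/CN=host"
  # (slash-separated RDNs); the comma-separated form is accepted as well.
  m = dn.match(%r{(?:\A|[/,])\s*CN\s*=\s*([^/,]+)})
  m && m[1].strip
end

# Constructed access policy for the example, shaped like Puppet's default
# auth.conf but not copied from it. The certificate bootstrap endpoints seen in
# the original post's access log (GET certificate, GET/PUT certificate_request,
# plus the CRL) must stay open to clients that have no certificate yet,
# otherwise enrolment could never start.
BOOTSTRAP_PATHS = [
  ['GET', %r{\A/[^/]+/certificate/}],
  ['GET', %r{\A/[^/]+/certificate_request/}],
  ['PUT', %r{\A/[^/]+/certificate_request/}],
  ['GET', %r{\A/[^/]+/certificate_revocation_list/}],
]

# Returns {:status => 200 or 403, :node => cn or nil} for a Rack env hash.
def decide(env)
  method = env['REQUEST_METHOD']
  path   = env['PATH_INFO'].to_s
  node   = authenticated_node(env)

  if BOOTSTRAP_PATHS.any? { |m, re| m == method && path =~ re }
    return { :status => 200, :node => node }
  end
  return { :status => 403, :node => nil } if node.nil?

  # Verified client, but a catalog may only be fetched for the node's own name.
  if (m = path.match(%r{\A/[^/]+/catalog/([^/?]+)})) && m[1] != node
    return { :status => 403, :node => node }
  end
  { :status => 200, :node => node }
end

# Constructed sample requests, modelled on the paths in the original post's log.
if __FILE__ == $0
  [
    { 'REQUEST_METHOD' => 'PUT',
      'PATH_INFO' => '/production/certificate_request/qamericana1.ir7.com.br',
      'SSL_CLIENT_VERIFY' => 'NONE' },
    { 'REQUEST_METHOD' => 'GET',
      'PATH_INFO' => '/production/catalog/qamericana1.ir7.com.br',
      'SSL_CLIENT_VERIFY' => 'SUCCESS',
      'SSL_CLIENT_S_DN' => '/CN=qamericana1.ir7.com.br' },
    { 'REQUEST_METHOD' => 'GET',
      'PATH_INFO' => '/production/catalog/qamericana1.ir7.com.br',
      'SSL_CLIENT_S_DN' => '/CN=qamericana1.ir7.com.br' },  # DN, no verdict
  ].each do |env|
    puts "#{env['REQUEST_METHOD']} #{env['PATH_INFO']} -> #{decide(env).inspect}"
  end
end
```

The point a practitioner should take from it: because passenger_set_cgi_param overwrites these variables on every request, the application never sees a client-supplied value for them, and the first request in the thread's log (an unauthenticated PUT of a certificate request) is allowed precisely because the policy, not the TLS layer, opens that path.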
Hugo Cisneiros (Eitch)
2011-Mar-31 18:23 UTC
Re: [Puppet Users] Re: Puppet + Nginx + Passenger: Certificate Request Problem
On Thu, Mar 31, 2011 at 3:06 AM, Eric Searcy <emsearcy@gmail.com> wrote:

> My working setup:
> [...]

Thanks for sharing, I'm using the same configuration as you, including the ssl env vars. Without them, I would always get a Forbidden Request for everything.

Sadly, puppetmaster is still storing the request on /var/lib/puppet/ssl/certificate_requests instead of the right way - /var/lib/puppet/ssl/ca/requests. Everything past the certificate request/sign problem is working perfectly.

On config.ru, I had to use --confdir on ARGV to force not reading the $HOME/.puppet when not using root. So it reads the /etc/puppet/* files instead. (It is a known bug in 0.25.x, as I saw on the bug tracker.)

I'm running out of ideas. For now, I'm using a puppetmasterd standalone daemon on port 8141 and running first-time puppet with --master-port=8141. It accepts the certificate, signs and after that it begins using only the nginx+passenger setup.

Any more ideas? When I have some more time, I'll begin to test with other versions of puppet and passenger, or maybe an apache setup...

--
[]'s
Hugo
www.devin.com.br
Eric Searcy
2011-Mar-31 18:44 UTC
Re: [Puppet Users] Re: Puppet + Nginx + Passenger: Certificate Request Problem
On Mar 31, 2011, at 11:23 AM, Hugo Cisneiros (Eitch) wrote:

> Any more ideas? When I have some more time, I'll begin to test with other versions of puppet and passenger, or maybe an apache setup...

Other stabs:

I guess since you're on 0.25.x you have the puppet.conf SSL settings in [puppetd], as opposed to [master] as I had (unless they added forward compatibility for 0.25.x for that)?

Is config.ru owned by the puppet user (I'm assuming so since you say "when not using root")?

I'd suggest "other versions of puppet" over Apache, not because there's anything wrong with Apache but since it seems the issue you're having is at puppet daemon level.

By the way, I'm on Puppet 2.6.4 with Ruby 1.8.5 (old EL5...) and Passenger 3.0.2.

Eric