Can someone, anyone, help me understand what it takes -- if indeed it's even possible -- to use a custom CA with puppetmasterd, such that, for every client it signs, the cert for that client actually says something meaningful about my organization and was ultimately signed by our own root CA.

I made a valid sub-CA for my puppet server, signed by my organization's root CA. I placed those files carefully into /var/lib/puppet/ssl/ca and put the necessary path declarations into puppet.conf. Nevertheless, puppetmasterd stubbornly refuses to accept this certificate.

[root@nagios puppet]# /usr/sbin/puppetmasterd --debug --verbose --no-daemonize
debug: Failed to load library 'rubygems' for feature 'rubygems'
debug: Puppet::Type::User::ProviderDirectoryservice: file /usr/bin/dscl does not exist
debug: Puppet::Type::User::ProviderUser_role_add: file rolemod does not exist
debug: Puppet::Type::User::ProviderPw: file pw does not exist
debug: Failed to load library 'ldap' for feature 'ldap'
debug: Puppet::Type::User::ProviderLdap: feature ldap is missing
debug: Puppet::Type::File::ProviderMicrosoft_windows: feature microsoft_windows is missing
debug: /File[/var/lib/puppet/server_data]: Autorequiring File[/var/lib/puppet]
debug: /File[/var/lib/puppet/ssl/public_keys]: Autorequiring File[/var/lib/puppet/ssl]
debug: /File[/var/lib/puppet/ssl/certificate_requests]: Autorequiring File[/var/lib/puppet/ssl]
debug: /File[/var/run/puppet/master.pid]: Autorequiring File[/var/run/puppet]
debug: /File[/var/lib/puppet/ssl/private]: Autorequiring File[/var/lib/puppet/ssl]
debug: /File[/var/lib/puppet/lib]: Autorequiring File[/var/lib/puppet]
debug: /File[/etc/puppet/manifests]: Autorequiring File[/etc/puppet]
debug: /File[/var/lib/puppet/state]: Autorequiring File[/var/lib/puppet]
debug: /File[/etc/puppet/puppet.conf]: Autorequiring File[/etc/puppet]
debug: /File[/var/lib/puppet/ssl/private_keys]: Autorequiring File[/var/lib/puppet/ssl]
debug: /File[/var/lib/puppet/ssl/public_keys/puppet.renci.org.pem]: Autorequiring File[/var/lib/puppet/ssl/public_keys]
debug: /File[/var/lib/puppet/yaml]: Autorequiring File[/var/lib/puppet]
debug: /File[/etc/puppet/fileserver.conf]: Autorequiring File[/etc/puppet]
debug: /File[/var/lib/puppet/ssl/certs]: Autorequiring File[/var/lib/puppet/ssl]
debug: /File[/etc/puppet/auth.conf]: Autorequiring File[/etc/puppet]
debug: /File[/var/lib/puppet/reports]: Autorequiring File[/var/lib/puppet]
debug: /File[/var/lib/puppet/bucket]: Autorequiring File[/var/lib/puppet]
debug: /File[/var/lib/puppet/ssl/private_keys/puppet.renci.org.pem]: Autorequiring File[/var/lib/puppet/ssl/private_keys]
debug: /File[/var/lib/puppet/ssl]: Autorequiring File[/var/lib/puppet]
debug: /File[/var/log/puppet/masterhttp.log]: Autorequiring File[/var/log/puppet]
debug: /File[/var/lib/puppet/ssl/private_keys/puppet.renci.org.pem]/mode: mode changed '640' to '600'
debug: /File[/var/lib/puppet/ssl/public_keys/puppet.renci.org.pem]/mode: mode changed '640' to '644'
debug: Finishing transaction 23846103120600
notice: Starting Puppet master version 2.6.6
Could not run: Could not retrieve certificate for puppet.renci.org and not running on a valid certificate authority

-- 
You received this message because you are subscribed to the Google Groups "Puppet Users" group.
To post to this group, send email to puppet-users@googlegroups.com.
To unsubscribe from this group, send email to puppet-users+unsubscribe@googlegroups.com.
For more options, visit this group at http://groups.google.com/group/puppet-users?hl=en.
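Before blaming the master, it is worth proving that the chain itself is sound and that the files sit where the master will look for them. The script below is an added example, not code from this thread or from Puppet Labs: it builds a root CA, a sub-CA and a master certificate with openssl, copies them into the default ssldir layout (certs/<certname>.pem for hostcert, private_keys/<certname>.pem for hostprivkey, certs/ca.pem for localcacert, ca/ca_crt.pem and ca/ca_key.pem for cacert and cakey; these locations are assumed from the Puppet 2.6 defaults, confirm yours with `puppetmasterd --configprint all`), and then checks that the master cert verifies up to the root through the sub-CA, that the private key matches the cert, and that the subject CN equals the certname. The organization and host names are constructed placeholders.

```shell
#!/bin/sh
# Added example (not from the thread or from Puppet): build and verify a
# root CA -> sub-CA -> puppet master certificate chain, laid out in the
# default ssldir structure. Assumption: Puppet 2.6 default paths.

# build_chain DIR FQDN: create the three certificates under DIR/scratch and
# copy them into DIR/ssl using the default file names the master reads.
build_chain() {
    dir="$1"; fqdn="$2"
    s="$dir/scratch"
    mkdir -p "$dir/ssl/certs" "$dir/ssl/private_keys" "$dir/ssl/ca" "$s"

    # Root CA: self-signed (constructed names, not a real organization)
    openssl req -x509 -newkey rsa:2048 -nodes -days 365 \
        -subj "/O=Example Org/CN=Example Root CA" \
        -keyout "$s/root.key" -out "$s/root.pem" 2>/dev/null || return 1

    # Sub-CA for the puppet server, signed by the root; an intermediate must
    # carry basicConstraints CA:TRUE or openssl verify rejects the chain.
    printf 'basicConstraints=critical,CA:TRUE,pathlen:0\nkeyUsage=critical,keyCertSign,cRLSign\n' \
        > "$s/subca.ext"
    openssl req -new -newkey rsa:2048 -nodes \
        -subj "/O=Example Org/CN=Example Puppet Sub-CA" \
        -keyout "$s/subca.key" -out "$s/subca.csr" 2>/dev/null || return 1
    openssl x509 -req -in "$s/subca.csr" -CA "$s/root.pem" -CAkey "$s/root.key" \
        -CAcreateserial -days 365 -extfile "$s/subca.ext" \
        -out "$s/subca.pem" 2>/dev/null || return 1

    # Master host certificate, signed by the sub-CA; CN must be the certname.
    printf 'basicConstraints=CA:FALSE\nkeyUsage=digitalSignature,keyEncipherment\nextendedKeyUsage=serverAuth,clientAuth\nsubjectAltName=DNS:%s\n' \
        "$fqdn" > "$s/host.ext"
    openssl req -new -newkey rsa:2048 -nodes \
        -subj "/O=Example Org/CN=$fqdn" \
        -keyout "$s/host.key" -out "$s/host.csr" 2>/dev/null || return 1
    openssl x509 -req -in "$s/host.csr" -CA "$s/subca.pem" -CAkey "$s/subca.key" \
        -CAcreateserial -days 365 -extfile "$s/host.ext" \
        -out "$s/host.pem" 2>/dev/null || return 1

    # Default ssldir layout (assumed from Puppet 2.6 defaults)
    cp "$s/host.pem"  "$dir/ssl/certs/$fqdn.pem"          # hostcert
    cp "$s/host.key"  "$dir/ssl/private_keys/$fqdn.pem"   # hostprivkey
    cp "$s/subca.pem" "$dir/ssl/certs/ca.pem"             # localcacert
    cp "$s/subca.pem" "$dir/ssl/ca/ca_crt.pem"            # cacert
    cp "$s/subca.key" "$dir/ssl/ca/ca_key.pem"            # cakey
    cp "$s/root.pem"  "$dir/ssl/certs/root.pem"           # trust anchor for verify
    chmod 600 "$dir/ssl/private_keys/$fqdn.pem" "$dir/ssl/ca/ca_key.pem"
}

# verify_chain DIR FQDN: returns 0 only if the master cert chains to the
# root via the sub-CA, the private key matches it, and CN is the certname.
verify_chain() {
    dir="$1"; fqdn="$2"
    cert="$dir/ssl/certs/$fqdn.pem"
    key="$dir/ssl/private_keys/$fqdn.pem"

    # 1. Chain: root is the trust anchor, sub-CA is supplied as untrusted
    openssl verify -CAfile "$dir/ssl/certs/root.pem" \
        -untrusted "$dir/ssl/certs/ca.pem" "$cert" >/dev/null 2>&1 || return 1

    # 2. Key/cert match: compare the SubjectPublicKeyInfo of both
    certpub=$(openssl x509 -in "$cert" -pubkey -noout | openssl sha256)
    keypub=$(openssl pkey -in "$key" -pubout 2>/dev/null | openssl sha256)
    [ "$certpub" = "$keypub" ] || return 1

    # 3. The subject CN must be the name the master runs as
    openssl x509 -in "$cert" -noout -subject | grep -q "CN *= *$fqdn" || return 1
}

# Usage: build_chain /tmp/puppet-ca-test puppet.example.test &&
#        verify_chain /tmp/puppet-ca-test puppet.example.test && echo chain OK
```

The three checks map onto the three ways this setup usually fails: the sub-CA missing CA:TRUE (check 1), a key copied from the wrong host or regenerated after signing (check 2), and a certificate whose CN does not match the certname the master uses to look up its own files (check 3). A failing check points at the certificate material; a passing one leaves the master's own CA handling as the remaining suspect.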
On Thu, Mar 31, 2011 at 08:57:06AM -0700, jonmills wrote:
> Can someone, anyone, help me understand what it takes -- if indeed
> it's even possible -- to use a custom CA with puppetmasterd.

It is possible, and (albeit sparsely) documented at
https://projects.puppetlabs.com/projects/1/wiki/Certificates_And_Security#Manual-CA-Configuration-optional

Does that help at all?

-- 
Ben Hughes || http://www.puppetlabs.com/
What it tells me is that it won't work. That wiki page basically says you can let puppet sign things (using its self-generated cert), or you can use your own cert and manually sign things yourself. It does not say you can use puppetmasterd/puppetca with your own custom CA cert.

So in a way, yes, it does help. It's not the answer I want to hear, but at least I can stop worrying about it and just move on.

On Fri, 2011-04-01 at 11:24 +1100, Ben Hughes wrote:
> On Thu, Mar 31, 2011 at 08:57:06AM -0700, jonmills wrote:
> 
> > Can someone, anyone, help me understand what it takes -- if indeed
> > it's even possible -- to use a custom CA with puppetmasterd.
> 
> It is possible, and (albeit sparsely) documented at
> https://projects.puppetlabs.com/projects/1/wiki/Certificates_And_Security#Manual-CA-Configuration-optional
> 
> Does that help at all?
> 
> -- 
> Ben Hughes || http://www.puppetlabs.com/
>