Stuart Sears
2012-May-22 09:15 UTC
[Puppet Users] Puppet Enterprise replacing puppet node private keys?
Hi all,

I am seeing some very curious behaviour with puppet enterprise (on a trial license to evaluate, before I get redirected there :) )

I have client systems (RHEL) being kickstarted and installing pe-puppet and a couple of other basic packages, before using

puppet agent -t --environment bootstrap --server PUPPETSERVER

To ensure the rest of the bootstrapping takes place properly. Only puppet configuration takes place in the 'bootstrap' environment.

This part works fine - I have autosigning configured on my puppetmaster for these hosts.

I really do not want to have to muck about NFS mounting/copying the entire PE installation directory on all the boxes here, should we decide to deploy it. That's really not scalable at all.

It looks like the preliminary puppet run is receiving a cert and then using that to connect to the puppet master, which works just fine, but then once the node has rebooted, a completely new key pair appears to have been generated on the client system, which no longer matches that on the master.

For more information (and info to back up my point): http://fpaste.org/WGuW/

I can't quite figure out when this new cert is being created, unless this is buried somewhere in the PE initial run, which appears to configure mcollective among many other things, although thus far I cannot find where this configuration is assigned to nodes, so I'm not 100% clear which classes are applied.

With full debugging enabled, I see the first cert being signed in the puppetmaster logs, as I'd expect.

Anyone have any ideas or pointers as to where I should start? I'm at a bit of a loss here.

Stuart

-- 
Stuart Sears RHCA etc.
"It's today!" said Piglet. "My favourite day," said Pooh.

-- 
You received this message because you are subscribed to the Google Groups "Puppet Users" group.
To post to this group, send email to puppet-users@googlegroups.com.
To unsubscribe from this group, send email to puppet-users+unsubscribe@googlegroups.com.
For more options, visit this group at http://groups.google.com/group/puppet-users?hl=en.
Jo Rhett
2012-May-22 10:09 UTC
Re: [Puppet Users] Puppet Enterprise replacing puppet node private keys?
On May 22, 2012, at 2:15 AM, Stuart Sears wrote:

> It looks like the preliminary puppet run is receiving a cert and then using that to connect to the puppet master, which works just fine, but then once the node has rebooted, a completely new key pair appears to have been generated on the client system, which no longer matches that on the master.

Seems likely that your host name is changing, thus it is generating a new certificate for the new hostname. I'll bet that if you can make the hostname/domain match between the two boots it will work fine.

I have also heard of people using a single common cert for bootstrapping which is pre-signed in advance, and then the host gets their real cert after rebooting. YMMV.

-- 
Jo Rhett
Net Consonance : net philanthropy to improve open source and internet projects.
Stuart Sears
2012-May-22 10:13 UTC
Re: [Puppet Users] [SOLVED] Puppet Enterprise replacing puppet node private keys?
Unsurprisingly, all my fault, details below.

On 22/05/12 10:15, Stuart Sears wrote:
> Hi all,
>
> I am seeing some very curious behaviour with puppet enterprise (on a
> trial license to evaluate, before I get redirected there :) )
>
> I have client systems (RHEL) being kickstarted and installing pe-puppet
> and a couple of other basic packages, before using
> puppet agent -t --environment bootstrap --server PUPPETSERVER
>
> To ensure the rest of the bootstrapping takes place properly.
> Only puppet configuration takes place in the 'bootstrap' environment.
>
> This part works fine - I have autosigning configured on my puppetmaster
> for these hosts.
>
> I really do not want to have to muck about NFS mounting/copying the
> entire PE installation directory on all the boxes here, should we decide
> to deploy it. That's really not scalable at all.
>
> It looks like the preliminary puppet run is receiving a cert and then
> using that to connect to the puppet master, which works just fine, but
> then once the node has rebooted, a completely new key pair appears to
> have been generated on the client system, which no longer matches that
> on the master.
>
> for more information (and info to back up my point):
> http://fpaste.org/WGuW/
>
> I can't quite figure out when this new cert is being created, unless
> this is buried somewhere in the PE initial run, which appears to
> configure mcollective among many other things, although thus far I
> cannot find where this configuration is assigned to nodes, so I'm not
> 100% clear which classes are applied.

[ After a helpful comment from Vulcane in IRC. Thanks! ]

My understanding of what went wrong, in case it helps others.

Okay, there is another private key in /var/opt/lib/pe-puppet/ssl that was used for the very first cert request. After the preliminary configuration run, puppet switches to using /etc/puppetlabs/puppet/ssl, where there is no private key yet. On the next run, there being no private key, one is generated. This no longer matches the certificate received from the master.

Now running the original bootstrap puppet with --ssldir /etc/puppetlabs/puppet/ssl and all appears well.

-- 
Stuart Sears RHCA etc.
"It's today!" said Piglet. "My favourite day," said Pooh.
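A check for the failure mode described in this thread, added here as an example and not part of the original discussion: it compares the RSA modulus of the agent's private key with that of its signed certificate in each ssldir, so a key regenerated in a second ssldir shows up as a mismatch rather than as an opaque SSL error on the next run. The two PE ssldir paths come from the thread; the certname argument, the standard private_keys/ and certs/ layout, and the openssl dependency are assumptions.

```shell
#!/bin/sh
# Added example: detect a Puppet agent whose private key no longer matches
# its signed certificate (what happens when a fresh key is generated in a
# second ssldir). Requires openssl; assumes Puppet's standard ssldir layout
# of private_keys/<certname>.pem and certs/<certname>.pem.

# key_matches_cert SSLDIR CERTNAME
#   returns 0 if key and cert share an RSA modulus, 1 if they differ,
#   2 if either file is missing or cannot be parsed by openssl.
key_matches_cert() {
    key="$1/private_keys/$2.pem"
    cert="$1/certs/$2.pem"
    [ -r "$key" ] && [ -r "$cert" ] || return 2
    key_mod=$(openssl rsa -noout -modulus -in "$key" 2>/dev/null) || return 2
    cert_mod=$(openssl x509 -noout -modulus -in "$cert" 2>/dev/null) || return 2
    [ "$key_mod" = "$cert_mod" ]
}

# report_ssldirs CERTNAME SSLDIR...
#   prints one status line per ssldir; returns 1 if any ssldir holds a
#   key/cert pair that does not match, 0 otherwise (an ssldir with a
#   missing key or cert is reported but not counted as a failure).
report_ssldirs() {
    certname=$1; shift
    rc=0
    for d in "$@"; do
        if key_matches_cert "$d" "$certname"; then status=0; else status=$?; fi
        case $status in
            0) echo "$d: OK (private key matches certificate)" ;;
            1) echo "$d: MISMATCH (key regenerated; cert from master is stale)"; rc=1 ;;
            *) echo "$d: incomplete (key or cert missing)" ;;
        esac
    done
    return $rc
}

# Usage on a PE agent, with the two ssldirs named in the thread
# (taking the certname from the FQDN is an assumption):
# report_ssldirs "$(hostname -f)" /var/opt/lib/pe-puppet/ssl /etc/puppetlabs/puppet/ssl
```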