Hello,

I have a standard Puppet 2.7 configuration installed from Gem on Ubuntu 12.04, running behind Apache.

I'm testing the reprovisioning of the puppet master from scratch in Vagrant and ran into a little snag - apache configuration points to a puppet ca_crl.pem file which doesn't exist, so apache refuses to start.

The puppet master documentation says that it'll automatically generate this file if it isn't present, but I need a way to get it generated automatically before apache tries to start. All this is done using a master-less puppet configuration used to bootstrap the Vagrant box.

Is there a way for me to trigger automatic generation of the ca_crl.pem file before starting Apache? I tried using generic "openssl ca -gencrl" but failed to find a way to point it to puppet master's "ca/serial" file from the command line.

Thanks,

--Amos

--
You received this message because you are subscribed to the Google Groups "Puppet Users" group. To unsubscribe from this group and stop receiving emails from it, send an email to puppet-users+unsubscribe@googlegroups.com. To post to this group, send email to puppet-users@googlegroups.com. Visit this group at http://groups.google.com/group/puppet-users. For more options, visit https://groups.google.com/groups/opt_out.
Amos Shapira
2013-Jul-05 03:44 UTC
[Puppet Users] Re: How to force generation of ca_crl.pem?
BTW - Looking at the source code for Puppet 2.7.22, I see that the method which does all this magic is "setup_ssl" in class Puppet::Application::Master. Now if any ruby guru could help me execute this method from the command line I might be set, so far I failed to make this happen.
Ken Barber
2013-Jul-05 12:00 UTC
Re: [Puppet Users] How to force generation of ca_crl.pem?
> I have a standard Puppet 2.7 configuration installed from Gem on Ubuntu
> 12.04, running behind Apache.
>
> I'm testing the reprovisioning of the puppet master from scratch in Vagrant
> and ran into a little snag - apache configuration points to a puppet
> ca_crl.pem file which doesn't exist, so apache refuses to start.

Have you tried just using 'puppet cert generate <mymaster_name>' to populate the initial certificates? I don't have a 2.7.x around, but for 3.x it repopulates all the missing certificates it seems including ca_crl.pem.

> The puppet master documentation says that it'll automatically generate this
> file if it isn't present, but I need a way to get it generated automatically
> before apache tries to start.

Yes, and it does - when you start it standalone using webrick (ie. puppet master --no-daemonize --debug --log console ... or something will probably do the trick). But the SSL offloading to Apache kind of breaks this as you've mentioned.

ken.
Ken Barber
2013-Jul-05 12:08 UTC
Re: [Puppet Users] How to force generation of ca_crl.pem?
If it helps I did a bit of a Gist walkthrough of the full cert recreation etc. using puppet cert generate here: https://gist.github.com/kbarber/5934100 ...
Amos Shapira
2013-Jul-06 03:03 UTC
Re: [Puppet Users] How to force generation of ca_crl.pem?
Thanks very much Ken,

I'm away from the comp for the weekend, I'll try these and get back to you as soon as I can.
Amos Shapira
2013-Jul-09 02:03 UTC
Re: [Puppet Users] How to force generation of ca_crl.pem?
I've verified that the "puppet cert generate.." command generates the files which are required to get the Apache daemon up and running.

Thanks Ken.
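The ordering the thread settles on, written out as a bootstrap step: this is an added example, not code from any of the posts or from the linked Gist. It runs `puppet cert generate` only when the CA CRL is missing and starts Apache only once the file is in place. The function names, the `PUPPET_BIN` variable, locating the CRL with `puppet master --configprint cacrl`, and the `service apache2 start` line are assumptions made for the illustration.

```shell
#!/bin/sh
# Added example: make sure the Puppet CA CRL exists before Apache starts.
# PUPPET_BIN and all function names are assumptions of this example.
PUPPET_BIN="${PUPPET_BIN:-puppet}"

# Ask Puppet where the CA CRL lives instead of hard-coding the ssl dir.
crl_path() {
    "$PUPPET_BIN" master --configprint cacrl
}

# A usable CRL is a non-empty PEM file carrying the X509 CRL header.
# An empty or truncated file would still make Apache refuse to start.
crl_present() {
    [ -s "$1" ] && grep -q -e '-----BEGIN X509 CRL-----' "$1"
}

# ensure_crl <master_certname>
# Prints "present" if the CRL was already there, "generated" if it had
# to be created. Non-zero exit means Apache must not be started yet.
ensure_crl() {
    certname="$1"
    crl="$(crl_path)" || return 2
    [ -n "$crl" ] || return 2
    if crl_present "$crl"; then
        echo "present"
        return 0
    fi
    # The command suggested in the thread; it repopulates missing CA files.
    "$PUPPET_BIN" cert generate "$certname" >/dev/null || return 3
    # Re-check rather than trusting the exit status alone.
    crl_present "$crl" || return 4
    echo "generated"
}

# Usage: ./ensure_crl.sh <master_certname>
if [ -n "${1:-}" ]; then
    ensure_crl "$1" && service apache2 start
fi
```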