I testing Puppet 0.19.3. If we decide to use it, we''d deploy it across several thousand hosts. The method described for creating client certificates described in the documentation - running "puppetd --server <server> --waitforcert 60 --test" and "puppetca --sign <client>" - is not practical for our installation. I''ve tried creating certificates from the server with "puppetca -g <client>", but on the client ''puppetd'' complains about the certificate on start-up, and actually fails to run. What''s the proper way to pre-generate client certificates from the server? Thanks for any help. DGS
David Simas wrote:> I testing Puppet 0.19.3. If we decide to use it, we''d deploy it > across several thousand hosts. The method described for creating > client certificates described in the documentation - running > "puppetd --server <server> --waitforcert 60 --test" and "puppetca > --sign <client>" - is not practical for our installation. I''ve > tried creating certificates from the server with "puppetca -g > <client>", but on the client ''puppetd'' complains about the > certificate on start-up, and actually fails to run. What''s the > proper way to pre-generate client certificates from the server?Did you copy the client certificate to the client after generating it? (You''ll need to copy the cert and both private and public keys to the appropriate places on the client, in /etc/puppet/ssl.) If so, then the client should be fine with that cert. -- I have lost friends, some by death... others through sheer inability to cross the street. -- Virginia Woolf --------------------------------------------------------------------- Luke Kanies | http://reductivelabs.com | http://madstop.com
On Wed, Oct 18, 2006 at 02:58:37PM -0500, Luke Kanies wrote:> David Simas wrote: > > I testing Puppet 0.19.3. If we decide to use it, we''d deploy it > > across several thousand hosts. The method described for creating > > client certificates described in the documentation - running > > "puppetd --server <server> --waitforcert 60 --test" and "puppetca > > --sign <client>" - is not practical for our installation. I''ve > > tried creating certificates from the server with "puppetca -g > > <client>", but on the client ''puppetd'' complains about the > > certificate on start-up, and actually fails to run. What''s the > > proper way to pre-generate client certificates from the server? > > Did you copy the client certificate to the client after generating it? > (You''ll need to copy the cert and both private and public keys to the > appropriate places on the client, in /etc/puppet/ssl.)No, I didn''t.> > If so, then the client should be fine with that cert. >Hmmm ... It''d be nice if ''puppet'' could do that itself. But I guess this is a chicken-and-egg sort of situation. DGS
David Simas wrote:> On Wed, Oct 18, 2006 at 02:58:37PM -0500, Luke Kanies wrote: >> Did you copy the client certificate to the client after generating it? >> (You''ll need to copy the cert and both private and public keys to the >> appropriate places on the client, in /etc/puppet/ssl.) > > No, I didn''t.That''d do it.>> If so, then the client should be fine with that cert. >> > > Hmmm ... It''d be nice if ''puppet'' could do that itself. But I guess > this is a chicken-and-egg sort of situation.Exactly. Someone, somewhere has to initiate the trust relationship. Normally the Puppet client trusts the server for the initial connection, but since you''ve said you don''t want to do that, you either have to replace that initial trust or do it manually during the host build process. It should be pretty straightforward to create and copy the certs during client installation. What is it about waitforcert that isn''t acceptable to you? Is there some way I could fix it so it worked? -- I have lost friends, some by death... others through sheer inability to cross the street. -- Virginia Woolf --------------------------------------------------------------------- Luke Kanies | http://reductivelabs.com | http://madstop.com
On Wed, Oct 18, 2006 at 03:09:48PM -0500, Luke Kanies wrote:> > > > Hmmm ... It''d be nice if ''puppet'' could do that itself. But I guess > > this is a chicken-and-egg sort of situation. > > Exactly. Someone, somewhere has to initiate the trust relationship. > > Normally the Puppet client trusts the server for the initial connection, > but since you''ve said you don''t want to do that, you either have to > replace that initial trust or do it manually during the host build process. > > It should be pretty straightforward to create and copy the certs during > client installation. > > What is it about waitforcert that isn''t acceptable to you? Is there > some way I could fix it so it worked?It may work, but I need to figure out a way to use it. We will frequently re-install hosts here. I suppose that copying over certificates from the puppet master could be made part of xcat/kickstart configuration used for installations. (OK, the real problem is that I''m working in a very bureacratic organization. Host installations are in someone else''s territory. If I''m to get them to install ''puppet'', it will have to done with minimal changes to their current working methods. Getting people to change things around here is like pulling teeth without anesthesia.) DGS>
On Wed, 2006-10-18 at 13:05 -0700, David Simas wrote:> On Wed, Oct 18, 2006 at 02:58:37PM -0500, Luke Kanies wrote: > > David Simas wrote: > > > I testing Puppet 0.19.3. If we decide to use it, we''d deploy it > > > across several thousand hosts. The method described for creating > > > client certificates described in the documentation - running > > > "puppetd --server <server> --waitforcert 60 --test" and "puppetca > > > --sign <client>" - is not practical for our installation. I''ve > > > tried creating certificates from the server with "puppetca -g > > > <client>", but on the client ''puppetd'' complains about the > > > certificate on start-up, and actually fails to run. What''s the > > > proper way to pre-generate client certificates from the server? > > > > Did you copy the client certificate to the client after generating it? > > (You''ll need to copy the cert and both private and public keys to the > > appropriate places on the client, in /etc/puppet/ssl.) > > No, I didn''t. > > > > > If so, then the client should be fine with that cert. > > > > Hmmm ... It''d be nice if ''puppet'' could do that itself. But I guess > this is a chicken-and-egg sort of situation.You can, but not using puppetmaster (if you have shared storage, you could use that) See http://watzmann.net/blog/index.php?title=using_pregenerated_certs_with_puppet&more=1&c=1&tb=1&pb=1 David
Just to throw this one out there, You could use ''autosign'' on your puppetmaster. While its probably not the best idea in the world, you can restrict it to particular hosts and really, shouldn''t your puppetmaster be tucked away in some secure part of your network anyhow? More info at: http://reductivelabs.com/projects/puppet/documentation/security -r''
On Wed, Oct 18, 2006 at 03:21:02PM -0700, RijilV wrote:> Just to throw this one out there, > > You could use ''autosign'' on your puppetmaster. While its probably not > the best idea in the world, you can restrict it to particular hosts > and really, shouldn''t your puppetmaster be tucked away in some secure > part of your network anyhow? > > More info at: > http://reductivelabs.com/projects/puppet/documentation/securityThis doesn''t seem to work. With [ca] autosign = /etc/puppet/autosign.conf in ''/etc/puppet/puppetd.conf'' (Puppet 0.20.0) and the FQDN of the client in /etc/puppet/autosign.conf'', running "puppetd --server kadee --test --waitforcert 5" on the client yields err: No certificate; running with reduced functionality. info: Creating a new SSL key at /var/lib/puppet/ssl/private_keys/nicole.spimageworks.com.pem info: Creating a new certificate request for nicole.spimageworks.com info: Requesting certificate warning: peer certificate won''t be verified in this SSL session. err: Could not request certificate: Certificate retrieval failed: Permission denied - /var/lib/puppet/ssl/ca/inventory.txt DGS>
On Wed, Oct 18, 2006 at 05:16:37PM -0700, David Simas wrote:> On Wed, Oct 18, 2006 at 03:21:02PM -0700, RijilV wrote: > > Just to throw this one out there, > > > > You could use ''autosign'' on your puppetmaster. While its probably not > > the best idea in the world, you can restrict it to particular hosts > > and really, shouldn''t your puppetmaster be tucked away in some secure > > part of your network anyhow? > > > > More info at: > > http://reductivelabs.com/projects/puppet/documentation/security > > This doesn''t seem to work. With > > [ca] > autosign = /etc/puppet/autosign.conf > > in ''/etc/puppet/puppetd.conf'' (Puppet 0.20.0) and the FQDN of theI suspect that you''ll have to put that autosign line in puppetmasterd.conf instead. Although, that''s the default location for the autosign config file, so puppetmaster should be picking it up OK... - Matt
Matthew Palmer wrote:> > I suspect that you''ll have to put that autosign line in puppetmasterd.conf > instead. Although, that''s the default location for the autosign config > file, so puppetmaster should be picking it up OK...Correct on both counts; creating the autosign.conf file should be sufficient for enabling autosign by default. -- Love is a snowmobile racing across the tundra and then suddenly it flips over, pinning you underneath. At night, the ice weasels come. --Matt Groening --------------------------------------------------------------------- Luke Kanies | http://reductivelabs.com | http://madstop.com
On Mon, Oct 23, 2006 at 04:10:27PM -0500, Luke Kanies wrote:> Matthew Palmer wrote: > > > > I suspect that you''ll have to put that autosign line in puppetmasterd.conf > > instead. Although, that''s the default location for the autosign config > > file, so puppetmaster should be picking it up OK... > > Correct on both counts; creating the autosign.conf file should be > sufficient for enabling autosign by default.This still doesn''t work. I''ve created ''/etc/puppet/puppetmasterd.conf'': kadee:45% cat /etc/puppet/puppetmasterd.conf [puppetmaster] # Whether to enable autosign. Valid values are true (which # autosigns any key request, and is a very bad idea), false (which # never autosigns any key request), and the path to a file, which # uses that configuration file to determine which keys to sign. # The default value is ''$confdir/autosign.conf''. autosign = /etc/puppet/autosign.conf ''/etc/puppet/puppetca.conf'': kadee:46% cat /etc/puppet/puppetca.conf [ca] # Whether to enable autosign. Valid values are true (which # autosigns any key request, and is a very bad idea), false (which # never autosigns any key request), and the path to a file, which # uses that configuration file to determine which keys to sign. # The default value is ''$confdir/autosign.conf''. autosign = /etc/puppet/autosign.conf ''/etc/puppet/autosign.conf'': kadee:47% cat /etc/puppet/autosign.conf chipotle.spimageworks.com chipotle and re-started ''puppetmasterd''. But from the erstwhile client: chipotle:50% sudo puppetd --server kadee -o -t -w 30 err: No certificate; running with reduced functionality. info: Creating a new SSL key at /var/lib/puppet/ssl/private_keys/chipotle.spimageworks.com.pem info: Creating a new certificate request for chipotle.spimageworks.com info: Requesting certificate warning: peer certificate won''t be verified in this SSL session. err: Could not request certificate: Certificate retrieval failed: Uncaught exception undefined method `set_backtrace='' for #<XMLRPC::FaultException: XMLRPC::FaultException> in method puppetca.getcert DGS> >
David Simas wrote:> chipotle:50% sudo puppetd --server kadee -o -t -w 30 > err: No certificate; running with reduced functionality. > info: Creating a new SSL key at /var/lib/puppet/ssl/private_keys/chipotle.spimageworks.com.pem > info: Creating a new certificate request for chipotle.spimageworks.com > info: Requesting certificate > warning: peer certificate won''t be verified in this SSL session. > err: Could not request certificate: Certificate retrieval failed: Uncaught exception undefined method `set_backtrace='' for #<XMLRPC::FaultException: XMLRPC::FaultException> in method puppetca.getcertThis is clearly a bug in the system. You''re getting an xmlrpc exception, and then Puppet is trying to do something stupid with the exception. I expect that running that with --trace won''t make any difference, but can you try for me and see if you get a stack trace? Do you get any errors on the server-side? -- If I want your opinion, I''ll read your entrails. --Doug Shewfelt --------------------------------------------------------------------- Luke Kanies | http://reductivelabs.com | http://madstop.com
On Tue, Oct 24, 2006 at 02:49:12PM -0500, Luke Kanies wrote:> David Simas wrote: > > chipotle:50% sudo puppetd --server kadee -o -t -w 30 > > err: No certificate; running with reduced functionality. > > info: Creating a new SSL key at /var/lib/puppet/ssl/private_keys/chipotle.spimageworks.com.pem > > info: Creating a new certificate request for chipotle.spimageworks.com > > info: Requesting certificate > > warning: peer certificate won''t be verified in this SSL session. > > err: Could not request certificate: Certificate retrieval failed: Uncaught exception undefined method `set_backtrace='' for #<XMLRPC::FaultException: XMLRPC::FaultException> in method puppetca.getcert > > This is clearly a bug in the system. You''re getting an xmlrpc > exception, and then Puppet is trying to do something stupid with the > exception. > > I expect that running that with --trace won''t make any difference, but > can you try for me and see if you get a stack trace?chipotle:55% sudo puppetd --server kadee -o -t -w 30 --trace err: No certificate; running with reduced functionality. info: Creating a new SSL key at /var/lib/puppet/ssl/private_keys/chipotle.spimageworks.com.pem info: Creating a new certificate request for chipotle.spimageworks.com info: Requesting certificate warning: peer certificate won''t be verified in this SSL session. /usr/lib/site_ruby/1.8/puppet/networkclient.rb:77:in `getcert'' /usr/lib/site_ruby/1.8/puppet/networkclient.rb:63:in `getcert'' /usr/lib/site_ruby/1.8/puppet/client/proxy.rb:15:in `send'' /usr/lib/site_ruby/1.8/puppet/client/proxy.rb:15:in `getcert'' /usr/lib/site_ruby/1.8/puppet/client/proxy.rb:13:in `getcert'' /usr/lib/site_ruby/1.8/puppet/daemon.rb:206:in `requestcert'' /usr/sbin/puppetd:339 err: Could not request certificate: Certificate retrieval failed: Uncaught exception undefined method `set_backtrace='' for #<XMLRPC::FaultException: XMLRPC::FaultException> in method puppetca.getcert> > Do you get any errors on the server-side?No error messages from ''puppetmasterd''. DGS> > -- > If I want your opinion, I''ll read your entrails. > --Doug Shewfelt > --------------------------------------------------------------------- > Luke Kanies | http://reductivelabs.com | http://madstop.com > > _______________________________________________ > Puppet-users mailing list > Puppet-users@madstop.com > https://mail.madstop.com/mailman/listinfo/puppet-users >
David Simas wrote:> > chipotle:55% sudo puppetd --server kadee -o -t -w 30 --trace > err: No certificate; running with reduced functionality. > info: Creating a new SSL key at /var/lib/puppet/ssl/private_keys/chipotle.spimageworks.com.pem > info: Creating a new certificate request for chipotle.spimageworks.com > info: Requesting certificate > warning: peer certificate won''t be verified in this SSL session. > /usr/lib/site_ruby/1.8/puppet/networkclient.rb:77:in `getcert'' > /usr/lib/site_ruby/1.8/puppet/networkclient.rb:63:in `getcert'' > /usr/lib/site_ruby/1.8/puppet/client/proxy.rb:15:in `send'' > /usr/lib/site_ruby/1.8/puppet/client/proxy.rb:15:in `getcert'' > /usr/lib/site_ruby/1.8/puppet/client/proxy.rb:13:in `getcert'' > /usr/lib/site_ruby/1.8/puppet/daemon.rb:206:in `requestcert'' > /usr/sbin/puppetd:339 > err: Could not request certificate: Certificate retrieval failed: Uncaught exception undefined method `set_backtrace='' for #<XMLRPC::FaultException: XMLRPC::FaultException> in method puppetca.getcert >What version is this? That''s not what that file looks like in trunk right now, which is what got released as 0.20, and I''m pretty sure there was nothing like that in 0.19.3. If you''re running against svn, can you update? -- Freedom of speech in Usenet means that when you shout ''Fire!'' in a crowded theatre, half the crowd stands up and shouts, ''Wrong theatre!'' --------------------------------------------------------------------- Luke Kanies | http://reductivelabs.com | http://madstop.com
On Tue, Oct 24, 2006 at 06:03:10PM -0500, Luke Kanies wrote:> David Simas wrote: > > > > chipotle:55% sudo puppetd --server kadee -o -t -w 30 --trace > > err: No certificate; running with reduced functionality. > > info: Creating a new SSL key at /var/lib/puppet/ssl/private_keys/chipotle.spimageworks.com.pem > > info: Creating a new certificate request for chipotle.spimageworks.com > > info: Requesting certificate > > warning: peer certificate won''t be verified in this SSL session. > > /usr/lib/site_ruby/1.8/puppet/networkclient.rb:77:in `getcert'' > > /usr/lib/site_ruby/1.8/puppet/networkclient.rb:63:in `getcert'' > > /usr/lib/site_ruby/1.8/puppet/client/proxy.rb:15:in `send'' > > /usr/lib/site_ruby/1.8/puppet/client/proxy.rb:15:in `getcert'' > > /usr/lib/site_ruby/1.8/puppet/client/proxy.rb:13:in `getcert'' > > /usr/lib/site_ruby/1.8/puppet/daemon.rb:206:in `requestcert'' > > /usr/sbin/puppetd:339 > > err: Could not request certificate: Certificate retrieval failed: Uncaught exception undefined method `set_backtrace='' for #<XMLRPC::FaultException: XMLRPC::FaultException> in method puppetca.getcert > > > > What version is this? That''s not what that file looks like in trunk > right now, which is what got released as 0.20, and I''m pretty sure there > was nothing like that in 0.19.3. If you''re running against svn, can you > update?This is indeed from 0.20.0. Do you want me to check the latest sources out of your subversion repository and try those? DGS> > -- > Freedom of speech in Usenet means that when you shout ''Fire!'' in a > crowded theatre, half the crowd stands up and shouts, ''Wrong theatre!'' > --------------------------------------------------------------------- > Luke Kanies | http://reductivelabs.com | http://madstop.com > > _______________________________________________ > Puppet-users mailing list > Puppet-users@madstop.com > https://mail.madstop.com/mailman/listinfo/puppet-users >
David Simas wrote:> > This is indeed from 0.20.0. Do you want me to check the latest > sources out of your subversion repository and try those?No; I think there''s something very screwy going on. I''ll see if I can track it down a bit further. -- Freedom of speech in Usenet means that when you shout ''Fire!'' in a crowded theatre, half the crowd stands up and shouts, ''Wrong theatre!'' --------------------------------------------------------------------- Luke Kanies | http://reductivelabs.com | http://madstop.com
David Simas wrote:> This is indeed from 0.20.0. Do you want me to check the latest > sources out of your subversion repository and try those?I found the problem. Inventorying the certificates seems to have broken autosigning because of a permission problem. This is definitely a bug. I''ll be fixing it in the next release, but I don''t have an exact timeframe on that. It should be relatively soon because there''s still a feature I need to deliver for Stanford and I''d like to get that done this week. Unfortunately, this means that puppetmasterd can''t do any cert signing until this is fixed. -- 2. If 2 + 2 is 4 and 2 x 2 is also 4, what''s the big deal about multiplication anyway? -- from the Dogbert''s New Ruling Class quiz --------------------------------------------------------------------- Luke Kanies | http://reductivelabs.com | http://madstop.com
David Simas wrote:> > This is indeed from 0.20.0. Do you want me to check the latest > sources out of your subversion repository and try those?This is now fixed in the ''oscar'' branch, which is where current development is happening. If you choose to run off of that branch, you''ll only need to run the puppetmasterd process from it -- this doesn''t affect the clients at all. I haven''t yet tracked down the exact error you''re getting -- you were getting a server-side error, which was correctly getting propagated to the client, but when the client encountered an error it was failing to correctly pass the error up. -- Never esteem anything as of advantage to you that will make you break your word or lose your self-respect. -- Marcus Aurelius Antoninus --------------------------------------------------------------------- Luke Kanies | http://reductivelabs.com | http://madstop.com
On Tue, 2006-10-24 at 19:03 -0500, Luke Kanies wrote:> David Simas wrote: > > This is indeed from 0.20.0. Do you want me to check the latest > > sources out of your subversion repository and try those? > > I found the problem. Inventorying the certificates seems to have broken > autosigning because of a permission problem. > > This is definitely a bug. I''ll be fixing it in the next release, but I > don''t have an exact timeframe on that. It should be relatively soon > because there''s still a feature I need to deliver for Stanford and I''d > like to get that done this week.You might try and ''chown puppet:puppet /var/lib/puppet/ssl/ca/inventory.txt'' on the puppet server as a quick workaround - I am using autosign with puppetmaster w/o problem. The key seems to be that I _only_ do autosigning, and do not use puppetca explicitly. David
David Lutterkort wrote:> > You might try and ''chown > puppet:puppet /var/lib/puppet/ssl/ca/inventory.txt'' on the puppet server > as a quick workaround - I am using autosign with puppetmaster w/o > problem. The key seems to be that I _only_ do autosigning, and do not > use puppetca explicitly.I tried this, FTR, and it didn''t seem to work. -- First they came for the hackers. But I never did anything illegal with my computer, so I didn''t speak up. Then they came for the pornographers. But I thought there was too much smut on the Internet anyway, so I didn''t speak up. Then they came for the anonymous remailers. But a lot of nasty stuff gets sent from anon.penet.fi, so I didn''t speak up. Then they came for the encryption users. But I could never figure out how to work PGP anyway, so I didn''t speak up. Then they came for me. And by that time there was no one left to speak up. -- Alara Rogers, Aleph Press --------------------------------------------------------------------- Luke Kanies | http://reductivelabs.com | http://madstop.com
Possibly Parallel Threads
- Could not call puppetca.getcert: #<Errno::EHOSTUNREACH: No route to host
- Puppetting the puppetmaster problems
- How to execute an arbitrary script when a puppetclient ask for a manifest?
- error SSL_connect SYSCALL returned=5 errno=0 state=SSLv2/v3 read server hello A
- security of auto-sign?