Puppet users - Oct 2006 - Creating client certificates

I testing Puppet 0.19.3.  If we decide to use it, we''d deploy it 
across several thousand hosts.  The method described for creating 
client certificates described in the documentation - running 
"puppetd --server <server> --waitforcert 60 --test" and
"puppetca
--sign <client>" - is not practical for our installation. 
I''ve
tried creating certificates from the server with "puppetca -g
<client>", but on the client ''puppetd'' complains
about the
certificate on start-up, and actually fails to run.  What''s the
proper way to pre-generate client certificates from the server?

Thanks for any help.

DGS

David Simas wrote:
> I testing Puppet 0.19.3.  If we decide to use it, we''d deploy it 
> across several thousand hosts.  The method described for creating 
> client certificates described in the documentation - running 
> "puppetd --server <server> --waitforcert 60 --test" and
"puppetca
> --sign <client>" - is not practical for our installation. 
I''ve
> tried creating certificates from the server with "puppetca -g
> <client>", but on the client ''puppetd''
complains about the
> certificate on start-up, and actually fails to run.  What''s the
> proper way to pre-generate client certificates from the server?
Did you copy the client certificate to the client after generating it? 
(You''ll need to copy the cert and both private and public keys to the 
appropriate places on the client, in /etc/puppet/ssl.)

If so, then the client should be fine with that cert.

-- 
I have lost friends, some by death... others through sheer inability to
cross the street.     -- Virginia Woolf
---------------------------------------------------------------------
Luke Kanies | http://reductivelabs.com | http://madstop.com

On Wed, Oct 18, 2006 at 02:58:37PM -0500, Luke Kanies
wrote:
> David Simas wrote:
> > I testing Puppet 0.19.3.  If we decide to use it, we''d deploy
it
> > across several thousand hosts.  The method described for creating 
> > client certificates described in the documentation - running 
> > "puppetd --server <server> --waitforcert 60 --test"
and "puppetca
> > --sign <client>" - is not practical for our installation. 
I''ve
> > tried creating certificates from the server with "puppetca -g
> > <client>", but on the client ''puppetd''
complains about the
> > certificate on start-up, and actually fails to run.  What''s
the
> > proper way to pre-generate client certificates from the server?
> 
> Did you copy the client certificate to the client after generating it? 
> (You''ll need to copy the cert and both private and public keys to
the
> appropriate places on the client, in /etc/puppet/ssl.)
No, I didn''t.
> 
> If so, then the client should be fine with that cert.
> 
Hmmm ... It''d be nice if ''puppet'' could do that
itself.  But I guess
this is  a chicken-and-egg sort of situation.

DGS

David Simas wrote:
> On Wed, Oct 18, 2006 at 02:58:37PM -0500, Luke Kanies wrote:
>> Did you copy the client certificate to the client after generating it? 
>> (You''ll need to copy the cert and both private and public keys
to the
>> appropriate places on the client, in /etc/puppet/ssl.)
> 
> No, I didn''t.
That''d do it.
>> If so, then the client should be fine with that cert.
>>
> 
> Hmmm ... It''d be nice if ''puppet'' could do that
itself.  But I guess
> this is  a chicken-and-egg sort of situation.
Exactly.  Someone, somewhere has to initiate the trust relationship.

Normally the Puppet client trusts the server for the initial connection, 
but since you''ve said you don''t want to do that, you either
have to
replace that initial trust or do it manually during the host build process.

It should be pretty straightforward to create and copy the certs during 
client installation.

What is it about waitforcert that isn''t acceptable to you?  Is there 
some way I could fix it so it worked?

-- 
I have lost friends, some by death... others through sheer inability to
cross the street.     -- Virginia Woolf
---------------------------------------------------------------------
Luke Kanies | http://reductivelabs.com | http://madstop.com

On Wed, Oct 18, 2006 at 03:09:48PM -0500, Luke Kanies
wrote:
> > 
> > Hmmm ... It''d be nice if ''puppet'' could do
that itself.  But I guess
> > this is  a chicken-and-egg sort of situation.
> 
> Exactly.  Someone, somewhere has to initiate the trust relationship.
> 
> Normally the Puppet client trusts the server for the initial connection, 
> but since you''ve said you don''t want to do that, you
either have to
> replace that initial trust or do it manually during the host build process.
> 
> It should be pretty straightforward to create and copy the certs during 
> client installation.
> 
> What is it about waitforcert that isn''t acceptable to you?  Is
there
> some way I could fix it so it worked?
It may work, but I need to figure out a way to use it.  We will 
frequently re-install hosts here.  I suppose that copying over certificates 
from the puppet master could be made part of xcat/kickstart configuration 
used for installations.

(OK, the real problem is that I''m working in a very bureacratic
organization.  Host installations are in someone else''s territory.
If I''m to get them to install ''puppet'', it will have
to done with
minimal changes to their current working methods.  Getting people 
to change things around here is like pulling teeth without
anesthesia.)

DGS

>

On Wed, 2006-10-18 at 13:05 -0700, David Simas wrote:
> On Wed, Oct 18, 2006 at 02:58:37PM -0500, Luke Kanies wrote:
> > David Simas wrote:
> > > I testing Puppet 0.19.3.  If we decide to use it, we''d
deploy it
> > > across several thousand hosts.  The method described for creating
> > > client certificates described in the documentation - running 
> > > "puppetd --server <server> --waitforcert 60
--test" and "puppetca
> > > --sign <client>" - is not practical for our
installation.  I''ve
> > > tried creating certificates from the server with "puppetca
-g
> > > <client>", but on the client
''puppetd'' complains about the
> > > certificate on start-up, and actually fails to run. 
What''s the
> > > proper way to pre-generate client certificates from the server?
> > 
> > Did you copy the client certificate to the client after generating it?
> > (You''ll need to copy the cert and both private and public
keys to the
> > appropriate places on the client, in /etc/puppet/ssl.)
> 
> No, I didn''t.
> 
> > 
> > If so, then the client should be fine with that cert.
> > 
> 
> Hmmm ... It''d be nice if ''puppet'' could do that
itself.  But I guess
> this is  a chicken-and-egg sort of situation.
You can, but not using puppetmaster (if you have shared storage, you
could use that) See
http://watzmann.net/blog/index.php?title=using_pregenerated_certs_with_puppet&more=1&c=1&tb=1&pb=1

David

Just to throw this one out there,

You could use ''autosign'' on your puppetmaster.  While its
probably not
the best idea in the world, you can restrict it to particular hosts
and really, shouldn''t your puppetmaster be tucked away in some secure
part of your network anyhow?

More info at:
http://reductivelabs.com/projects/puppet/documentation/security

-r''

On Wed, Oct 18, 2006 at 03:21:02PM -0700, RijilV wrote:
> Just to throw this one out there,
> 
> You could use ''autosign'' on your puppetmaster.  While its
probably not
> the best idea in the world, you can restrict it to particular hosts
> and really, shouldn''t your puppetmaster be tucked away in some
secure
> part of your network anyhow?
> 
> More info at:
> http://reductivelabs.com/projects/puppet/documentation/security
This doesn''t seem to work.  With

	[ca]
    	    autosign = /etc/puppet/autosign.conf

in ''/etc/puppet/puppetd.conf'' (Puppet 0.20.0) and the FQDN of
the
client in /etc/puppet/autosign.conf'', running "puppetd --server
kadee
--test --waitforcert 5" on the client yields

	err: No certificate; running with reduced functionality.
	info: Creating a new SSL key at
/var/lib/puppet/ssl/private_keys/nicole.spimageworks.com.pem
	info: Creating a new certificate request for nicole.spimageworks.com
	info: Requesting certificate
	warning: peer certificate won''t be verified in this SSL session.
	err: Could not request certificate: Certificate retrieval failed: Permission
denied - /var/lib/puppet/ssl/ca/inventory.txt

DGS

>

On Wed, Oct 18, 2006 at 05:16:37PM -0700, David Simas
wrote:
> On Wed, Oct 18, 2006 at 03:21:02PM -0700, RijilV wrote:
> > Just to throw this one out there,
> > 
> > You could use ''autosign'' on your puppetmaster. 
While its probably not
> > the best idea in the world, you can restrict it to particular hosts
> > and really, shouldn''t your puppetmaster be tucked away in
some secure
> > part of your network anyhow?
> > 
> > More info at:
> > http://reductivelabs.com/projects/puppet/documentation/security
> 
> This doesn''t seem to work.  With
> 
> 	[ca]
>     	    autosign = /etc/puppet/autosign.conf
> 
> in ''/etc/puppet/puppetd.conf'' (Puppet 0.20.0) and the
FQDN of the
I suspect that you''ll have to put that autosign line in
puppetmasterd.conf
instead.  Although, that''s the default location for the autosign config
file, so puppetmaster should be picking it up OK...

- Matt

Matthew Palmer wrote:
> 
> I suspect that you''ll have to put that autosign line in
puppetmasterd.conf
> instead.  Although, that''s the default location for the autosign
config
> file, so puppetmaster should be picking it up OK...
Correct on both counts; creating the autosign.conf file should be 
sufficient for enabling autosign by default.

-- 
Love is a snowmobile racing across the tundra and then suddenly it
flips over, pinning you underneath. At night, the ice weasels come.
               --Matt Groening
---------------------------------------------------------------------
Luke Kanies | http://reductivelabs.com | http://madstop.com

On Mon, Oct 23, 2006 at 04:10:27PM -0500, Luke Kanies
wrote:
> Matthew Palmer wrote:
> > 
> > I suspect that you''ll have to put that autosign line in
puppetmasterd.conf
> > instead.  Although, that''s the default location for the
autosign config
> > file, so puppetmaster should be picking it up OK...
> 
> Correct on both counts; creating the autosign.conf file should be 
> sufficient for enabling autosign by default.
This still doesn''t work.  I''ve created
''/etc/puppet/puppetmasterd.conf'':

	kadee:45% cat /etc/puppet/puppetmasterd.conf
	[puppetmaster]
	    # Whether to enable autosign.  Valid values are true (which
	    # autosigns any key request, and is a very bad idea), false (which
	    # never autosigns any key request), and the path to a file, which
	    # uses that configuration file to determine which keys to sign.
	    # The default value is ''$confdir/autosign.conf''.
	    autosign = /etc/puppet/autosign.conf

''/etc/puppet/puppetca.conf'':

	kadee:46% cat /etc/puppet/puppetca.conf      
	[ca]
	    # Whether to enable autosign.  Valid values are true (which
	    # autosigns any key request, and is a very bad idea), false (which
	    # never autosigns any key request), and the path to a file, which
	    # uses that configuration file to determine which keys to sign.
	    # The default value is ''$confdir/autosign.conf''.
	    autosign = /etc/puppet/autosign.conf

''/etc/puppet/autosign.conf'':

	kadee:47% cat /etc/puppet/autosign.conf      
	chipotle.spimageworks.com
	chipotle

and re-started ''puppetmasterd''.  But from the erstwhile
client:

	chipotle:50% sudo puppetd --server kadee -o -t -w 30
	err: No certificate; running with reduced functionality.
	info: Creating a new SSL key at
/var/lib/puppet/ssl/private_keys/chipotle.spimageworks.com.pem
	info: Creating a new certificate request for chipotle.spimageworks.com
	info: Requesting certificate
	warning: peer certificate won''t be verified in this SSL session.
	err: Could not request certificate: Certificate retrieval failed: Uncaught
exception undefined method `set_backtrace='' for
#<XMLRPC::FaultException: XMLRPC::FaultException> in method
puppetca.getcert


DGS
> 
>

David Simas wrote:
> 	chipotle:50% sudo puppetd --server kadee -o -t -w 30
> 	err: No certificate; running with reduced functionality.
> 	info: Creating a new SSL key at
/var/lib/puppet/ssl/private_keys/chipotle.spimageworks.com.pem
> 	info: Creating a new certificate request for chipotle.spimageworks.com
> 	info: Requesting certificate
> 	warning: peer certificate won''t be verified in this SSL session.
> 	err: Could not request certificate: Certificate retrieval failed: Uncaught
exception undefined method `set_backtrace='' for
#<XMLRPC::FaultException: XMLRPC::FaultException> in method
puppetca.getcert
This is clearly a bug in the system.  You''re getting an xmlrpc 
exception, and then Puppet is trying to do something stupid with the 
exception.

I expect that running that with --trace won''t make any difference, but 
can you try for me and see if you get a stack trace?

Do you get any errors on the server-side?

-- 
If I want your opinion, I''ll read your entrails.
              --Doug Shewfelt
---------------------------------------------------------------------
Luke Kanies | http://reductivelabs.com | http://madstop.com

On Tue, Oct 24, 2006 at 02:49:12PM -0500, Luke Kanies
wrote:
> David Simas wrote:
> > 	chipotle:50% sudo puppetd --server kadee -o -t -w 30
> > 	err: No certificate; running with reduced functionality.
> > 	info: Creating a new SSL key at
/var/lib/puppet/ssl/private_keys/chipotle.spimageworks.com.pem
> > 	info: Creating a new certificate request for
chipotle.spimageworks.com
> > 	info: Requesting certificate
> > 	warning: peer certificate won''t be verified in this SSL
session.
> > 	err: Could not request certificate: Certificate retrieval failed:
Uncaught exception undefined method `set_backtrace='' for
#<XMLRPC::FaultException: XMLRPC::FaultException> in method
puppetca.getcert
> 
> This is clearly a bug in the system.  You''re getting an xmlrpc 
> exception, and then Puppet is trying to do something stupid with the 
> exception.
> 
> I expect that running that with --trace won''t make any difference,
but
> can you try for me and see if you get a stack trace?
	chipotle:55% sudo puppetd --server kadee -o -t -w 30 --trace
	err: No certificate; running with reduced functionality.
	info: Creating a new SSL key at
/var/lib/puppet/ssl/private_keys/chipotle.spimageworks.com.pem
	info: Creating a new certificate request for chipotle.spimageworks.com
	info: Requesting certificate
	warning: peer certificate won''t be verified in this SSL session.
	/usr/lib/site_ruby/1.8/puppet/networkclient.rb:77:in `getcert''
	/usr/lib/site_ruby/1.8/puppet/networkclient.rb:63:in `getcert''
	/usr/lib/site_ruby/1.8/puppet/client/proxy.rb:15:in `send''
	/usr/lib/site_ruby/1.8/puppet/client/proxy.rb:15:in `getcert''
	/usr/lib/site_ruby/1.8/puppet/client/proxy.rb:13:in `getcert''
	/usr/lib/site_ruby/1.8/puppet/daemon.rb:206:in `requestcert''
	/usr/sbin/puppetd:339
	err: Could not request certificate: Certificate retrieval failed: Uncaught
exception undefined method `set_backtrace='' for
#<XMLRPC::FaultException: XMLRPC::FaultException> in method
puppetca.getcert


> 
> Do you get any errors on the server-side?
No error messages from ''puppetmasterd''.

DGS

> 
> -- 
> If I want your opinion, I''ll read your entrails.
>               --Doug Shewfelt
> ---------------------------------------------------------------------
> Luke Kanies | http://reductivelabs.com | http://madstop.com
> 
> _______________________________________________
> Puppet-users mailing list
> Puppet-users@madstop.com
> https://mail.madstop.com/mailman/listinfo/puppet-users
>

David Simas wrote:
> 
> 	chipotle:55% sudo puppetd --server kadee -o -t -w 30 --trace
> 	err: No certificate; running with reduced functionality.
> 	info: Creating a new SSL key at
/var/lib/puppet/ssl/private_keys/chipotle.spimageworks.com.pem
> 	info: Creating a new certificate request for chipotle.spimageworks.com
> 	info: Requesting certificate
> 	warning: peer certificate won''t be verified in this SSL session.
> 	/usr/lib/site_ruby/1.8/puppet/networkclient.rb:77:in `getcert''
> 	/usr/lib/site_ruby/1.8/puppet/networkclient.rb:63:in `getcert''
> 	/usr/lib/site_ruby/1.8/puppet/client/proxy.rb:15:in `send''
> 	/usr/lib/site_ruby/1.8/puppet/client/proxy.rb:15:in `getcert''
> 	/usr/lib/site_ruby/1.8/puppet/client/proxy.rb:13:in `getcert''
> 	/usr/lib/site_ruby/1.8/puppet/daemon.rb:206:in `requestcert''
> 	/usr/sbin/puppetd:339
> 	err: Could not request certificate: Certificate retrieval failed: Uncaught
exception undefined method `set_backtrace='' for
#<XMLRPC::FaultException: XMLRPC::FaultException> in method
puppetca.getcert
> 
What version is this?  That''s not what that file looks like in trunk 
right now, which is what got released as 0.20, and I''m pretty sure
there
was nothing like that in 0.19.3.  If you''re running against svn, can
you
update?

-- 
Freedom of speech in Usenet means that when you shout ''Fire!''
in a
crowded theatre, half the crowd stands up and shouts, ''Wrong
theatre!''
---------------------------------------------------------------------
Luke Kanies | http://reductivelabs.com | http://madstop.com

On Tue, Oct 24, 2006 at 06:03:10PM -0500, Luke Kanies
wrote:
> David Simas wrote:
> > 
> > 	chipotle:55% sudo puppetd --server kadee -o -t -w 30 --trace
> > 	err: No certificate; running with reduced functionality.
> > 	info: Creating a new SSL key at
/var/lib/puppet/ssl/private_keys/chipotle.spimageworks.com.pem
> > 	info: Creating a new certificate request for
chipotle.spimageworks.com
> > 	info: Requesting certificate
> > 	warning: peer certificate won''t be verified in this SSL
session.
> > 	/usr/lib/site_ruby/1.8/puppet/networkclient.rb:77:in
`getcert''
> > 	/usr/lib/site_ruby/1.8/puppet/networkclient.rb:63:in
`getcert''
> > 	/usr/lib/site_ruby/1.8/puppet/client/proxy.rb:15:in `send''
> > 	/usr/lib/site_ruby/1.8/puppet/client/proxy.rb:15:in
`getcert''
> > 	/usr/lib/site_ruby/1.8/puppet/client/proxy.rb:13:in
`getcert''
> > 	/usr/lib/site_ruby/1.8/puppet/daemon.rb:206:in `requestcert''
> > 	/usr/sbin/puppetd:339
> > 	err: Could not request certificate: Certificate retrieval failed:
Uncaught exception undefined method `set_backtrace='' for
#<XMLRPC::FaultException: XMLRPC::FaultException> in method
puppetca.getcert
> > 
> 
> What version is this?  That''s not what that file looks like in
trunk
> right now, which is what got released as 0.20, and I''m pretty sure
there
> was nothing like that in 0.19.3.  If you''re running against svn,
can you
> update?
This is indeed from 0.20.0.  Do you want me to check the latest
sources out of your subversion repository and try those?

DGS
> 
> -- 
> Freedom of speech in Usenet means that when you shout
''Fire!'' in a
> crowded theatre, half the crowd stands up and shouts, ''Wrong
theatre!''
> ---------------------------------------------------------------------
> Luke Kanies | http://reductivelabs.com | http://madstop.com
> 
> _______________________________________________
> Puppet-users mailing list
> Puppet-users@madstop.com
> https://mail.madstop.com/mailman/listinfo/puppet-users
>

David Simas wrote:
> 
> This is indeed from 0.20.0.  Do you want me to check the latest
> sources out of your subversion repository and try those?
No; I think there''s something very screwy going on.

I''ll see if I can track it down a bit further.

-- 
Freedom of speech in Usenet means that when you shout ''Fire!''
in a
crowded theatre, half the crowd stands up and shouts, ''Wrong
theatre!''
---------------------------------------------------------------------
Luke Kanies | http://reductivelabs.com | http://madstop.com

David Simas wrote:
> This is indeed from 0.20.0.  Do you want me to check the latest
> sources out of your subversion repository and try those?
I found the problem.  Inventorying the certificates seems to have broken 
autosigning because of a permission problem.

This is definitely a bug.  I''ll be fixing it in the next release, but I
don''t have an exact timeframe on that.  It should be relatively soon 
because there''s still a feature I need to deliver for Stanford and
I''d
like to get that done this week.

Unfortunately, this means that puppetmasterd can''t do any cert signing 
until this is fixed.

-- 
2.  If 2 + 2 is 4 and 2 x 2 is also 4, what''s the big deal
     about multiplication anyway?
                 -- from the Dogbert''s New Ruling Class quiz
---------------------------------------------------------------------
Luke Kanies | http://reductivelabs.com | http://madstop.com

David Simas wrote:
> 
> This is indeed from 0.20.0.  Do you want me to check the latest
> sources out of your subversion repository and try those?
This is now fixed in the ''oscar'' branch, which is where
current
development is happening.

If you choose to run off of that branch, you''ll only need to run the 
puppetmasterd process from it -- this doesn''t affect the clients at
all.

I haven''t yet tracked down the exact error you''re getting --
you were
getting a server-side error, which was correctly getting propagated to 
the client, but when the client encountered an error it was failing to 
correctly pass the error up.

-- 
Never esteem anything as of advantage to you that will make you break
your word or lose your self-respect.      -- Marcus Aurelius Antoninus
---------------------------------------------------------------------
Luke Kanies | http://reductivelabs.com | http://madstop.com

On Tue, 2006-10-24 at 19:03 -0500, Luke Kanies wrote:
> David Simas wrote:
> > This is indeed from 0.20.0.  Do you want me to check the latest
> > sources out of your subversion repository and try those?
> 
> I found the problem.  Inventorying the certificates seems to have broken 
> autosigning because of a permission problem.
> 
> This is definitely a bug.  I''ll be fixing it in the next release,
but I
> don''t have an exact timeframe on that.  It should be relatively
soon
> because there''s still a feature I need to deliver for Stanford and
I''d
> like to get that done this week.
You might try and ''chown
puppet:puppet /var/lib/puppet/ssl/ca/inventory.txt'' on the puppet
server
as a quick workaround - I am using autosign with puppetmaster w/o
problem. The key seems to be that I _only_ do autosigning, and do not
use puppetca explicitly.

David

David Lutterkort wrote:
> 
> You might try and ''chown
> puppet:puppet /var/lib/puppet/ssl/ca/inventory.txt'' on the puppet
server
> as a quick workaround - I am using autosign with puppetmaster w/o
> problem. The key seems to be that I _only_ do autosigning, and do not
> use puppetca explicitly.
I tried this, FTR, and it didn''t seem to work.

-- 
    First they came for the hackers. But I never did anything
illegal with my computer, so I didn''t speak up.
    Then they came for the pornographers. But I thought there was
too much smut on the Internet anyway, so I didn''t speak up.
    Then they came for the anonymous remailers. But a lot of nasty
stuff gets sent from anon.penet.fi, so I didn''t speak up.
    Then they came for the encryption users. But I could never
figure out how to work PGP anyway, so I didn''t speak up.
    Then they came for me. And by that time there was no one left
to speak up.
                 -- Alara Rogers, Aleph Press
---------------------------------------------------------------------
Luke Kanies | http://reductivelabs.com | http://madstop.com