I'm getting certificate errors when I attempt to run puppetd on the puppetmaster.

As near as I can tell, this is because I'm using the same puppet.conf for both puppetd and puppetmasterd; but puppetmaster runs as user "puppet" and puppetd runs as user "root", yet both expect the certificates to be readable and chmod 600. I tried telling puppetd to use its own directory for certs, but because the host already has a certificate created by puppetmasterd it still fails?

Can anybody suggest a workaround?

--
--
Perfection is just a word I use occasionally with mustard.
--Atom Powers--

On Jul 3, 2007, at 5:34 PM, Atom Powers wrote:

> I'm getting certificate errors when I attempt to run puppetd on the
> puppetmaster.
> As near as I can tell, this is because I'm using the same puppet.conf
> for both puppetd and puppetmasterd; but puppetmaster runs as user
> "puppet" and puppetd runs as user "root", yet both expect the
> certificates to be readable and chmod 600. I tried telling puppetd to
> use its own directory for certs, but because the host already has a
> certificate created by puppetmasterd it still fails?
>
> Can anybody suggest a workaround?

Hmm; I'm not managing the ownership of any of these files, just the modes, so you shouldn't have any trouble there.

That being said, you can override values in the puppetd section; something like this:

    [puppetd]
    hostcert = $certdir/$certname.pem {mode = 600,owner=puppet,group=puppet}

Of course, you need to figure out what file's actually causing the conflict. Again, though, this shouldn't even be possible, unless you're overriding settings yourself, because Puppet doesn't manage the ownership of any of those files by default.

--
Q. Does Usenet help stamp out ignorance?
A. That depends on whether by "stamp out" you mean "eliminate" or "reproduce rapidly in great quantity." -- From the Usenet FAQ
---------------------------------------------------------------------
Luke Kanies | http://reductivelabs.com | http://madstop.com

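
Added example, not part of the thread and not Puppet's own code: one way to find which file under the certificate directory is causing the conflict, by listing every file or directory that a given account cannot read or traverse. The function names, the command-line arguments and the account names passed in are assumptions; POSIX ACLs are ignored, and it should be run as root so the whole tree can be walked.

```python
import os
import pwd
import stat
import sys

def class_bits(mode, f_uid, f_gid, uid, gids):
    """Return the rwx triple (0-7) Unix applies to this account for one file.

    Only one class is consulted: owner, else group, else other."""
    if uid == 0:
        return 7  # simplification: mode bits do not stop root reading/traversing
    if uid == f_uid:
        return (mode >> 6) & 7
    if f_gid in gids:
        return (mode >> 3) & 7
    return mode & 7

def audit(ssldir, accounts):
    """Return (path, label) pairs, in walk order, where an account is blocked.

    accounts maps label -> (uid, set of gids). Regular files need the read
    bit, directories need the search (x) bit."""
    blocked = []
    for root, dirs, files in os.walk(ssldir):
        dirs.sort()
        for path in [root] + [os.path.join(root, f) for f in sorted(files)]:
            st = os.lstat(path)
            if stat.S_ISDIR(st.st_mode):
                need = 1
            elif stat.S_ISREG(st.st_mode):
                need = 4
            else:
                continue  # symlinks, sockets etc. are skipped
            for label, (uid, gids) in sorted(accounts.items()):
                if not class_bits(st.st_mode, st.st_uid, st.st_gid, uid, gids) & need:
                    blocked.append((path, label))
    return blocked

def account(name):
    """Resolve a local account name to (uid, set of all its group ids)."""
    pw = pwd.getpwnam(name)
    return pw.pw_uid, set(os.getgrouplist(name, pw.pw_gid))

if __name__ == "__main__":
    # usage: audit.py <ssldir> <account>...   (account names are site-specific)
    for path, label in audit(sys.argv[1], {n: account(n) for n in sys.argv[2:]}):
        st = os.lstat(path)
        print(f"{label} blocked: {path} uid={st.st_uid} gid={st.st_gid} "
              f"mode={stat.S_IMODE(st.st_mode):o}")
```

A root-owned file at mode 600 shows up as blocked for the unprivileged daemon account; group ownership with mode 640 clears it, at the cost of making the file readable to every member of that group.
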
I got around this by hacking a couple lines of source and making puppet natively manage the ownership of the files.

I changed the ownership to root:$group and the mode to 640.

You can then have both processes use the same certs.

I believe that the file was certificates.rb but I'm not at the system where I did it at the moment so I can't provide specifics.

Trevor

On 7/3/07, Atom Powers <atom.powers@gmail.com> wrote:

> I'm getting certificate errors when I attempt to run puppetd on the
> puppetmaster.
> As near as I can tell, this is because I'm using the same puppet.conf
> for both puppetd and puppetmasterd; but puppetmaster runs as user
> "puppet" and puppetd runs as user "root", yet both expect the
> certificates to be readable and chmod 600. I tried telling puppetd to
> use its own directory for certs, but because the host already has a
> certificate created by puppetmasterd it still fails?
>
> Can anybody suggest a workaround?
>
> --
> --
> Perfection is just a word I use occasionally with mustard.
> --Atom Powers--

On Jul 5, 2007, at 11:06 AM, Trevor Vaughan wrote:

> I got around this by hacking a couple lines of source and making
> puppet natively manage the ownership of the files.
>
> I changed the ownership to root:$group and the mode to 640.
>
> You can then have both processes use the same certs.
>
> I believe that the file was certificates.rb but I'm not at the system
> where I did it at the moment so I can't provide specifics.

I'd appreciate it if you could send a diff, so I can see what you had to do.

--
Life is like playing a violin in public and learning the instrument as one goes on. -- Samuel Butler
---------------------------------------------------------------------
Luke Kanies | http://reductivelabs.com | http://madstop.com