I'd like to begin by admitting that this could be, in all likelihood, a user error. But you have been quite patient with me in the past so here goes...

After not having much luck with chained certs, I proceeded to try using a single ca_server with multiple puppetmasters.

I added "server = puppetmaster1.<domain>.<tld>" and "ca_server puppet-ca.<domain>.<tld>" to the [puppetd] section of the /etc/puppet/puppet.conf file on my client.

I added "ca = true" to the [main] section of the /etc/puppet/puppet.conf file on the puppet-ca server.

I tried adding "ca = false" to the [main] section of the /etc/puppet/puppet.conf file on the puppetmaster1 server, but that led to the following error so I changed it back to "ca = true":

  "[main] No certificate and no CA; cannot get cert"

Just to be sure I start with "rm -rf /var/lib/puppet" on all 3 boxes and then I do the following.

1 - Start puppetmasterd on puppetmaster1.<domain>.<tld>:
    puppetmasterd -v --no-daemonize --debug

2 - Start puppetmasterd on puppet-ca.<domain>.<tld>:
    puppetmasterd -v --no-daemonize --debug

3 - Run puppetd on the client:
    puppetd -v -o --no-daemonize --debug

That returns this on the client:

  "info: Creating a new certificate request for client.<domain>.<tld>
   info: Creating a new SSL key at /var/lib/puppet/ssl/private_keys/client.<domain>.<tld>.pem
   debug: Calling puppetca.getcert
   warning: peer certificate won't be verified in this SSL session
   notice: No certificates; exiting"

And this on the puppet-ca server:

  "notice: Allowing unauthenticated client client.<domain>.<tld>(xxx.xxx.xxx.xxx) access to puppetca.getcert
   notice: Host client.<domain>.<tld> has a waiting certificate request"

And I get nothing on the puppetmaster1 server (which is probably normal)

4 - I sign on the puppet-ca server:
    puppetca --sign client.<domain>.<tld>

5 - I rerun puppetd on the client:
    puppetd -v -o --no-daemonize --debug

That returns this on the client:

  "notice: Got signed certificate
   debug: Retrieved facts in 0.07 seconds
   debug: Retrieving catalog
   debug: Calling puppetmaster.getconfig
   err: Could not retrieve catalog: Certificates were not trusted: certificate verify failed"

And this on the puppet-ca server:

  "notice: Allowing unauthenticated client client.<domain>.<tld>(xxx.xxx.xxx.xxx) access to puppetca.getcert
   info: Retrieving existing certificate for client.<domain>.<tld>"

If I run puppetd on the client again then puppetd returns the same error on the client, and nothing new shows up on puppet-ca. There has been absolutely no output on the puppetmaster1 server throughout this entire process. Again, that is probably normal as the key exchange seems to be failing.

A couple of other notes:

- The time is the same on all three boxes.
- I have run a successful openssl verify on the ca and on the client:

  Client:
  $ openssl verify -CAfile /var/lib/puppet/ssl/certs/ca.pem /var/lib/puppet/ssl/certs/client.<domain>.<tld>.pem
  /var/lib/puppet/ssl/certs/client.<domain>.<tld>.pem: OK

  CA Server puppet-ca:
  $ openssl verify -CAfile /var/lib/puppet/ssl/certs/ca.pem /var/lib/puppet/ssl/ca/signed/client.<domain>.<tld>.pem
  /var/lib/puppet/ssl/ca/signed/client.<domain>.<tld>.pem: OK

I'd like to solve this issue, but what I'm really after is a better idea of how to scale my puppet infrastructure for load, failover and globalization. I have read the "Multiple Certificate Authorities" article (to no success) and the "A Design Question" thread many times, but I can't find any concrete examples of successful scalability outside of moving to mongrel. Is there a wiki article or message thread that I'm missing or has anybody published a working example?

- Thanks!

Jeremy Pruitt

--~--~---------~--~----~------------~-------~--~----~
You received this message because you are subscribed to the Google Groups "Puppet Users" group.
To post to this group, send email to puppet-users@googlegroups.com
To unsubscribe from this group, send email to puppet-users-unsubscribe@googlegroups.com
For more options, visit this group at http://groups.google.com/group/puppet-users?hl=en
-~----------~----~----~----~------~----~------~--~---
On Apr 27, 2008, at 5:47 PM, jpruitt@juniper.net wrote:

> Just to be sure I start with "rm -rf /var/lib/puppet" on all 3 boxes
> and then I do the following.
> 1 - Start puppetmasterd on puppetmaster1.<domain>.<tld>:
> puppetmasterd -v --no-daemonize --debug
> 2 - Start puppetmasterd on puppet-ca.<domain>.<tld>: puppetmasterd -v
> --no-daemonize --debug
> 3 - Run puppetd on the client: puppetd -v -o --no-daemonize --debug

You need to generate a certificate for your non-ca servers before trying to start them; they don't request certificates, at this point (I think?).

Try starting the CA server, then puppetd on the non-CA servers, then puppetmasterd on the non-CA servers.

Yes, this means that your CA server needs to be a normal server, too; there's no way around that that doesn't involve pleasant catch-22s popping up everywhere.

-- 
SELF-EVIDENT, adj. Evident to one's self and to nobody else.
-- Ambrose Bierce
---------------------------------------------------------------------
Luke Kanies | http://reductivelabs.com | http://madstop.com
First of all, thank you for your reply. :)

If I understand you correctly the puppetmasterX servers need to also be puppetd clients of the puppet-ca server.

Operating under that assumption I went ahead and used puppetd on puppetmaster1 to connect to the puppet-ca server, signed puppetmaster1 on the puppet-ca server, and then ran puppetd again on puppetmaster1. All of that worked out just fine, but now I am getting the following error when my desktop client tries to connect after it has been successfully signed against the puppet-ca server:

  err: Could not retrieve catalog: Certificates were not trusted: tlsv1 alert unknown ca

The openssl verifications reported "OK" on both the client and the puppet-ca server. In fact, all of the other behavior was almost exactly like my previous post, the error message is just slightly different.

I did search around for this error and found a reference in the FAQ about this error being a symptom of a bug in a previous release (0.18.x), but nothing else.

Has anybody seen anything like this? Is anybody else using the ca_server option with success?

- Thanks again!

Jeremy Pruitt

On Apr 28, 8:47 am, Luke Kanies <l...@madstop.com> wrote:
> On Apr 27, 2008, at 5:47 PM, jpru...@juniper.net wrote:
>
> > Just to be sure I start with "rm -rf /var/lib/puppet" on all 3 boxes
> > and then I do the following.
> > 1 - Start puppetmasterd on puppetmaster1.<domain>.<tld>:
> > puppetmasterd -v --no-daemonize --debug
> > 2 - Start puppetmasterd on puppet-ca.<domain>.<tld>: puppetmasterd -v
> > --no-daemonize --debug
> > 3 - Run puppetd on the client: puppetd -v -o --no-daemonize --debug
>
> You need to generate a certificate for your non-ca servers before
> trying to start them; they don't request certificates, at this point
> (I think?).
>
> Try starting the CA server, then puppetd on the non-CA servers, then
> puppetmasterd on the non-CA servers.
>
> Yes, this means that your CA server needs to be a normal server, too;
> there's no way around that that doesn't involve pleasant catch-22s
> popping up everywhere.
>
> --
> SELF-EVIDENT, adj. Evident to one's self and to nobody else.
> -- Ambrose Bierce
> ---------------------------------------------------------------------
> Luke Kanies |http://reductivelabs.com|http://madstop.com
On Apr 29, 2008, at 12:43 AM, Jeremy Pruitt wrote:
>
> First of all, thank you for your reply. :)
>
> If I understand you correctly the puppetmasterX servers need to also
> be puppetd clients of the puppet-ca server.
>
> Operating under that assumption I went ahead and used puppetd on
> puppetmaster1 to connect to the puppet-ca server, signed puppetmaster1
> on the puppet-ca server, and then ran puppetd again on puppetmaster1.
> All of that worked out just fine, but now I am getting the following
> error when my desktop client tries to connect after it has been
> successfully signed against the puppet-ca server:
>
> err: Could not retrieve catalog: Certificates were not trusted: tlsv1
> alert unknown ca
>
> The openssl verifications reported "OK" on both the client and the
> puppet-ca server. In fact, all of the other behavior was almost
> exactly like my previous post, the error message is just slightly
> different.
>
> I did search around for this error and found a reference in the FAQ
> about this error being a symptom of a bug in a previous release
> (0.18.x), but nothing else.
>
> Has anybody seen anything like this? Is anybody else using the
> ca_server option with success?

It seems like you have everything set up correctly, but there's clearly still some issue.

You're sure that all three hosts are using the same CA certificate, and the non-ca master has no ca directory in its ssl directory, such that it could somehow be using bad data?

-- 
We are here on Earth to do good to others. What the others are here for, I don't know.
-- W. H. Auden
---------------------------------------------------------------------
Luke Kanies | http://reductivelabs.com | http://madstop.com
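The two questions Luke asks at the end of this thread (is every host trusting the same CA certificate, and does the non-CA master carry a stray ssl/ca directory) can be checked mechanically rather than by eye. The POSIX shell functions below are an added example written for this page, not code from the thread or from Puppet itself; they assume openssl on the PATH and the /var/lib/puppet/ssl layout the thread uses, and the host names and file paths in the usage comments are placeholders.

```shell
#!/bin/sh
# Added diagnostic helpers (not from the thread or from Puppet). They work on
# copies of each host's PEM files gathered onto one machine, or run on a single
# host against its own /var/lib/puppet/ssl tree.

# SHA-256 fingerprint of a PEM certificate, without the "Fingerprint=" prefix.
# Two hosts whose ca.pem fingerprints differ are trusting different CAs and
# will reject each other's certificates no matter what "openssl verify" says
# locally on each of them.
ca_fingerprint() {
    openssl x509 -noout -fingerprint -sha256 -in "$1" | sed 's/^.*=//'
}

# Print the fingerprint of every ca.pem given as an argument; return 0 only if
# they are all identical, 1 if any differ, 2 if a file could not be read.
check_same_ca() {
    first=""
    rc=0
    for f in "$@"; do
        fp=$(ca_fingerprint "$f") || return 2
        printf '%s  %s\n' "$fp" "$f"
        if [ -z "$first" ]; then
            first="$fp"
        elif [ "$fp" != "$first" ]; then
            rc=1
        fi
    done
    return $rc
}

# Chain verification of one certificate against one CA file (what the thread
# already runs by hand on the client and on puppet-ca).
verify_against_ca() {
    ca="$1"; cert="$2"
    openssl verify -CAfile "$ca" "$cert" >/dev/null 2>&1
}

# True if the certificate's issuer DN equals the CA certificate's subject DN.
# A mismatch means the certificate was signed by some other CA, for example
# one a master generated for itself while it still had "ca = true".
issued_by() {
    ca="$1"; cert="$2"
    ca_subj=$(openssl x509 -noout -subject -in "$ca" | sed 's/^subject= *//')
    issuer=$(openssl x509 -noout -issuer -in "$cert" | sed 's/^issuer= *//')
    [ -n "$ca_subj" ] && [ "$ca_subj" = "$issuer" ]
}

# A non-CA master should have no ssl/ca directory under its puppet vardir
# (Luke's second question). Argument: the vardir, e.g. /var/lib/puppet.
check_no_ca_dir() {
    [ ! -d "$1/ssl/ca" ]
}

# Usage (placeholder paths; copy each host's ca.pem next to this script first):
#   check_same_ca client-ca.pem puppetmaster1-ca.pem puppet-ca-ca.pem
#   verify_against_ca puppetmaster1-ca.pem client.pem && echo "client OK on master CA"
#   issued_by puppetmaster1-ca.pem client.pem || echo "client cert issued by a different CA"
#   check_no_ca_dir /var/lib/puppet || echo "stray ssl/ca directory on this master"
```

One point worth keeping in mind when reading the second error in the thread: a "tlsv1 alert unknown ca" logged on the client is an alert the server sent, which means it is the master that failed to validate the client's certificate. The copy of ca.pem that matters for that error is therefore the one on puppetmaster1, so it belongs in the check_same_ca comparison alongside the client's and puppet-ca's.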