Hello,

I am a puppet newbie, I recently purchased & read "Pulling Strings", etc.

I'm trying to install and configure puppetd on new machines built by my automated host installation system.

I'm getting a fatal error when puppetd starts up after the system boot, here is the result of puppetd --debug

# puppetd --debug
debug: Creating default schedules
debug: Failed to load library 'shadow' for feature 'libshadow'
debug: /Settings[/etc/puppet/puppet.conf]/Settings[main]/File[/etc/puppet/ssl]: Autorequiring File[/etc/puppet]
debug: /Settings[/etc/puppet/puppet.conf]/Settings[ssl]/File[/etc/puppet/ssl/certs/svn01.clark-communications.com.pem]: Autorequiring File[/etc/puppet/ssl/certs]
debug: /Settings[/etc/puppet/puppet.conf]/Settings[ssl]/File[/etc/puppet/ssl/private_keys]: Autorequiring File[/etc/puppet/ssl]
debug: /Settings[/etc/puppet/puppet.conf]/Settings[main]/File[/var/puppet/lib]: Autorequiring File[/var/puppet]
debug: /Settings[/etc/puppet/puppet.conf]/Settings[main]/File[/var/puppet/log]: Autorequiring File[/var/puppet]
debug: /Settings[/etc/puppet/puppet.conf]/Settings[ssl]/File[/etc/puppet/ssl/private]: Autorequiring File[/etc/puppet/ssl]
debug: /Settings[/etc/puppet/puppet.conf]/Settings[main]/File[/var/puppet/plugins]: Autorequiring File[/var/puppet]
debug: /Settings[/etc/puppet/puppet.conf]/Settings[ssl]/File[/etc/puppet/ssl/certs]: Autorequiring File[/etc/puppet/ssl]
debug: /Settings[/etc/puppet/puppet.conf]/Settings[ssl]/File[/etc/puppet/ssl/private_keys/svn01.clark-communications.com.pem]: Autorequiring File[/etc/puppet/ssl/private_keys]
debug: /Settings[/etc/puppet/puppet.conf]/Settings[main]/File[/var/puppet/run]: Autorequiring File[/var/puppet]
debug: /Settings[/etc/puppet/puppet.conf]/Settings[ssl]/File[/etc/puppet/ssl/public_keys]: Autorequiring File[/etc/puppet/ssl]
debug: /Settings[/etc/puppet/puppet.conf]/Settings[main]/File[/var/puppet/facts]: Autorequiring File[/var/puppet]
debug: /Settings[/etc/puppet/puppet.conf]/Settings[main]/File[/var/puppet/state]: Autorequiring File[/var/puppet]
debug: /Settings[/etc/puppet/puppet.conf]/Settings[puppetd]/File[/etc/puppet/puppet.conf]: Autorequiring File[/etc/puppet]
debug: Finishing transaction 4441590840 with 0 changes
/usr/local/lib/ruby/site_ruby/1.8/puppet/network/http_pool.rb:50:in `add_file': system lib (OpenSSL::X509::StoreError)
        from /usr/local/lib/ruby/site_ruby/1.8/puppet/network/http_pool.rb:50:in `cert_setup'
        from /usr/local/lib/ruby/site_ruby/1.8/puppet/network/http_pool.rb:100:in `http_instance'
        from /usr/local/lib/ruby/site_ruby/1.8/puppet/network/xmlrpc/client.rb:123:in `initialize'
        from /usr/local/lib/ruby/site_ruby/1.8/puppet/network/client.rb:94:in `new'
        from /usr/local/lib/ruby/site_ruby/1.8/puppet/network/client.rb:94:in `initialize'
        from /usr/local/lib/ruby/site_ruby/1.8/puppet/network/client/master.rb:207:in `initialize'
        from /usr/local/bin/puppetd:322:in `new'
        from /usr/local/bin/puppetd:322

This client is puppetd version 0.24.4 running on OpenBSD 4.4/amd64, the only thing in the conf file is 1 line that points puppetd at the puppetmaster server.

I created the cert and private key on another box, using puppetca version 0.22.4, (running OpenBSD 4.3/amd64), and this is also the machine that runs puppetmasterd

My installation system creates /etc/puppet/ssh/private_keys and ./certs, downloads the pre-generated .pem files, and gives everything the following permissions:

# ls -lR
total 16
drwxr-xr-x  2 root  _puppet  512 Nov 17 15:01 certs
drwxr-x---  2 root  _puppet  512 Nov 17 15:04 private
drwxr-x---  2 root  _puppet  512 Nov 17 15:01 private_keys
drwxr-xr-x  2 root  _puppet  512 Nov 17 15:04 public_keys

./certs:
total 4
-rw-r--r--  1 root  _puppet  887 Nov 17 15:01 svn01.clark-communications.com.pem

./private:

./private_keys:
total 4
-rw-------  1 root  _puppet  887 Nov 17 15:01 svn01.clark-communications.com.pem

./public_keys:

What am I doing wrong?
Any advice appreciated...
Don

--~--~---------~--~----~------------~-------~--~----~
You received this message because you are subscribed to the Google Groups "Puppet Users" group.
To post to this group, send email to puppet-users@googlegroups.com
To unsubscribe from this group, send email to puppet-users+unsubscribe@googlegroups.com
For more options, visit this group at http://groups.google.com/group/puppet-users?hl=en
-~----------~----~----~----~------~----~------~--~---
Don Jackson
2008-Nov-21 22:36 UTC
[Puppet Users] Incomplete documentation regarding master-side client cert generation?
Hello,

I previously sent the email below describing a problem I was having with generating the certs on the master, and distributing them to the client right after OS installation.

Further research and testing shows that in addition to transferring the private key and the cert to the new client, you also must transfer the cert for the ca.

Many thanks to the blog posting at:
http://watzmann.net/blog/index.php/2006/08/07/using_pregenerated_certs_with_puppet
which made this more clear.

I believe that the following paragraph from the wiki is at best not clear about this, if not downright incomplete:

Master-Side Client Certificate Generation

It's possible to generate certificates for clients on the master side, by using puppetca --generate <hostname>; this will also sign the newly generated certificate. You might want to do this if you want to automate the conversion of non-Puppet managed servers to Puppet. You can run a script that copies the generated client keys to the right place on the client, installs Puppet and then runs puppetd to get the client's configuration. This would allow you to "Puppetize" a server with a single command. When you run puppetca --generate <hostname> three files are generated - $signeddir/hostname.pem, $certdir/hostname.pem and $privatekeydir/hostname.pem. You need to copy the private key and certificate to the corresponding directories on the client side. The client public key will be extracted from its certificate and put into $publickeydir when puppetd is run. The defaults for these directories should be subdirectories under /etc/puppet/ssl/ with self-explanatory names, look there to find the generated files.

http://www.reductivelabs.com/trac/puppet/wiki/CertificatesAndSecurity

I propose that the above paragraph be augmented to include the requirement that the ca.pem be transferred from the master to the client...
Best regards,

Don

Begin forwarded message:

> From: Don Jackson
> Date: November 17, 2008 3:55:02 PM PST
> To: puppet-users@googlegroups.com
> Subject: [Puppet Users] startup questions
> Reply-To: puppet-users@googlegroups.com
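The missing file Don identifies (the CA certificate, certs/ca.pem, alongside the host cert and private key) can be checked before puppetd ever starts. The Ruby script below is an added example, not code from this thread or from Puppet itself: it builds a constructed throwaway CA and host certificate, stages them in a temporary ssldir with and without ca.pem, and repeats the two steps puppetd's cert_setup performs (add ca.pem to an OpenSSL::X509::Store, then verify the host cert against it), reporting the StoreError case instead of aborting. The hostname and CA name are constructed placeholders.

```ruby
require 'openssl'
require 'tmpdir'
require 'fileutils'

# Constructed throwaway CA and host cert, standing in for the files that
# "puppetca --generate <hostname>" writes on the master (assumption, not Puppet's own code).
def issue(subject, key, issuer: nil, issuer_key: nil, ca: false)
  cert = OpenSSL::X509::Certificate.new
  cert.version, cert.serial = 2, OpenSSL::BN.rand(64)
  cert.subject = OpenSSL::X509::Name.parse(subject)
  cert.issuer = issuer ? issuer.subject : cert.subject
  cert.public_key = key.public_key
  cert.not_before, cert.not_after = Time.now - 60, Time.now + 3600
  ef = OpenSSL::X509::ExtensionFactory.new(issuer || cert, cert)
  cert.add_extension(ef.create_extension('basicConstraints', ca ? 'CA:TRUE' : 'CA:FALSE', true))
  cert.sign(issuer_key || key, OpenSSL::Digest.new('SHA256')) # returns the signed cert
end

# Lay out an ssldir the way the installer in the thread does: host cert in
# certs/, private key in private_keys/, and certs/ca.pem only when with_ca is set.
def stage(dir, host, ca_cert, ca_key, with_ca:)
  key = OpenSSL::PKey::RSA.new(2048)
  cert = issue("/CN=#{host}", key, issuer: ca_cert, issuer_key: ca_key)
  %w[certs private_keys].each { |d| FileUtils.mkdir_p(File.join(dir, d)) }
  File.write(File.join(dir, 'certs', "#{host}.pem"), cert.to_pem)
  File.write(File.join(dir, 'private_keys', "#{host}.pem"), key.to_pem)
  File.write(File.join(dir, 'certs', 'ca.pem'), ca_cert.to_pem) if with_ca
  dir
end

# Same two steps as puppetd's cert_setup: add ca.pem to a store, verify the host cert against it.
def client_ssl_status(dir, host)
  store = OpenSSL::X509::Store.new
  store.add_file(File.join(dir, 'certs', 'ca.pem')) # raises StoreError when ca.pem is absent
  cert = OpenSSL::X509::Certificate.new(File.read(File.join(dir, 'certs', "#{host}.pem")))
  store.verify(cert) ? :ok : :cert_not_signed_by_ca
rescue OpenSSL::X509::StoreError
  :missing_ca_pem
end
# Check a staged ssldir without ca.pem, then with it (hostname is a constructed placeholder).
def demo(host = 'svn01.example.test')
  ca_key = OpenSSL::PKey::RSA.new(2048)
  ca = issue('/CN=Puppet CA constructed', ca_key, ca: true)
  Dir.mktmpdir do |tmp|
    [false, true].map do |with_ca|
      dir = stage(File.join(tmp, with_ca ? 'with_ca' : 'no_ca'), host, ca, ca_key, with_ca: with_ca)
      client_ssl_status(dir, host)
    end
  end
end
puts demo.inspect if __FILE__ == $PROGRAM_NAME # => [:missing_ca_pem, :ok]
```

A third outcome, :cert_not_signed_by_ca, covers the case where a ca.pem is present but belongs to a different CA than the one that signed the host cert.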
James Turnbull
2008-Nov-21 22:46 UTC
[Puppet Users] Re: Incomplete documentation regarding master-side client cert generation?
Don Jackson wrote:
> I believe that the following paragraph from the wiki is at best not clear about this, if not downright incomplete:
>
> Master-Side Client Certificate Generation
> It's possible to generate certificates for clients on the master side, by using puppetca --generate <hostname>; this will also sign the newly generated certificate. You might want to do this if you want to automate the conversion of non-Puppet managed servers to Puppet. You can run a script that copies the generated client keys to the right place on the client, installs Puppet and then runs puppetd to get the client's configuration. This would allow you to "Puppetize" a server with a single command. When you run puppetca --generate <hostname> three files are generated - $signeddir/hostname.pem, $certdir/hostname.pem and $privatekeydir/hostname.pem. You need to copy the private key and certificate to the corresponding directories on the client side. The client public key will be extracted from its certificate and put into $publickeydir when puppetd is run. The defaults for these directories should be subdirectories under /etc/puppet/ssl/ with self-explanatory names, look there to find the generated files.
>
> http://www.reductivelabs.com/trac/puppet/wiki/CertificatesAndSecurity
>
> I propose that the above paragraph be augmented to include the requirement that the ca.pem be transferred from the master to the client...
>
> Don

The wiki is open. Please feel free to update the section.
Regards

James Turnbull

--
Author of:
* Pulling Strings with Puppet (http://www.amazon.com/gp/product/1590599780/)
* Pro Nagios 2.0 (http://www.amazon.com/gp/product/1590596099/)
* Hardening Linux (http://www.amazon.com/gp/product/1590594444/)
Don Jackson
2008-Nov-22 17:32 UTC
[Puppet Users] Re: Incomplete documentation regarding master-side client cert generation?
OK, I added this info to this paragraph in the wiki.

On Nov 21, 2008, at 2:46 PM, James Turnbull wrote:
> The wiki is open. Please feel free to update the section.
>
> Regards
>
> James Turnbull
>
> --
> Author of:
> * Pulling Strings with Puppet (http://www.amazon.com/gp/product/1590599780/)
> * Pro Nagios 2.0 (http://www.amazon.com/gp/product/1590596099/)
> * Hardening Linux (http://www.amazon.com/gp/product/1590594444/)