Trying to manage my certs sanely, upgrading from 0.24.8 -> 0.25.3

I set up one host as the CA and have all my clients point to that.
Then I have several puppetmasters running on other hosts.

Problem is, puppetmasterd seems to be hardcoded to be a cert authority
even if I set the 'ca' flag to false.
It keeps trying to create the ca.pem file and use that, even though I
have one and it should use that instead.

Is there a reason that the puppetmasterd has to be a CA?
How can I get puppetmasterd to use the ca.pem file I provide for it?

--
You received this message because you are subscribed to the Google Groups "Puppet Users" group.
To post to this group, send email to puppet-users@googlegroups.com.
To unsubscribe from this group, send email to puppet-users+unsubscribe@googlegroups.com.
For more options, visit this group at http://groups.google.com/group/puppet-users?hl=en.
On 2/1/10 8:10 PM, nicholas wrote:
> Trying to manage my certs sanely, upgrading from 0.24.8 -> 0.25.3
>
> I set up one host as the CA and have all my clients point to that.
> Then I have several puppetmasters running on other hosts.
>
> Problem is, puppetmasterd seems to be hardcoded to be a cert authority
> even if I set the 'ca' flag to false.
> It keeps trying to create the ca.pem file and use that, even though I
> have one and it should use that instead.
>
> Is there a reason that the puppetmasterd has to be a CA?
> How can I get puppetmasterd to use the ca.pem file I provide for it?
>

Are you putting the PEM in the right place? This is what my Puppetmasterd
ssl dir looks like:

-bash-3.2$ find .
.
./certs
./certs/ca.pem
./certs/puppet.domain.com.pem
./crl.pem
./private_keys
./private_keys/puppet.domain.com.pem
./public_keys
./public_keys/puppet.domain.com.pem
./certificate_requests
./private
./ca
./ca/private
./ca/requests
./ca/signed

-scott
On Mon, Feb 1, 2010 at 8:53 PM, Scott Smith <scott@ohlol.net> wrote:
> On 2/1/10 8:10 PM, nicholas wrote:
>>
>> Trying to manage my certs sanely, upgrading from 0.24.8 -> 0.25.3
>>
>> I set up one host as the CA and have all my clients point to that.
>> Then I have several puppetmasters running on other hosts.
>>
>> Problem is, puppetmasterd seems to be hardcoded to be a cert authority
>> even if I set the 'ca' flag to false.
>> It keeps trying to create the ca.pem file and use that, even though I
>> have one and it should use that instead.

How are you running puppet? Are you using Passenger?

I found ca = false didn't work in the .conf file with Passenger, and I
instead had to add --no-ca to the args.

>>
>> Is there a reason that the puppetmasterd has to be a CA?
>> How can I get puppetmasterd to use the ca.pem file I provide for it?
>>
>
> Are you putting the PEM in the right place? This is what my Puppetmasterd
> ssl dir looks like:
>
> -bash-3.2$ find .
> .
> ./certs
> ./certs/ca.pem
> ./certs/puppet.domain.com.pem
> ./crl.pem
> ./private_keys
> ./private_keys/puppet.domain.com.pem
> ./public_keys
> ./public_keys/puppet.domain.com.pem
> ./certificate_requests
> ./private
> ./ca
> ./ca/private
> ./ca/requests
> ./ca/signed
>
> -scott

--
nigel
On 2/2/10 7:04 AM, Nigel Kersten wrote:
> How are you running puppet? Are you using Passenger?
>
> I found ca = false didn't work in the .conf file with Passenger, and I
> instead had to add --no-ca to the args.
>

Weird, what version of Passenger are you using? I've got 2.2.5 and don't
have to do that.

-scott
On Tue, Feb 2, 2010 at 8:03 AM, Scott Smith <scott@ohlol.net> wrote:
> On 2/2/10 7:04 AM, Nigel Kersten wrote:
>>
>> How are you running puppet? Are you using Passenger?
>>
>> I found ca = false didn't work in the .conf file with Passenger, and I
>> instead had to add --no-ca to the args.
>>
>
> Weird, what version of Passenger are you using? I've got 2.2.5 and don't
> have to do that.

I had to do it with the earlier versions at least, 2.2.1 I think? I'll
double check again today.

I thought ca = false was working until I actually verified that it
wasn't operating as a CA.

This is with puppet 0.24.8 btw.

>
> -scott

--
nigel
On 2/2/10 9:06 AM, Nigel Kersten wrote:
> I thought ca = false was working until I actually verified that it
> wasn't operating as a CA.
>
> This is with puppet 0.24.8 btw.
>

Ahhh, I'm using 0.25.x

-scott
So I have 0.25.3

I found this in the code

puppet/ssl/certificate_authority.rb

    class Puppet::SSL::CertificateAuthority
      ....
      def self.ca?
        return false unless Puppet[:ca]
        return false unless Puppet[:name] == "puppetmasterd"
        return true
      end
      ....
    end

Basically I read this as, if this class is used inside of
puppetmasterd, then turn on the certificate authority.

Always.

Anyone know if that is intended?

On Feb 2, 9:15 am, Scott Smith <sc...@ohlol.net> wrote:
> On 2/2/10 9:06 AM, Nigel Kersten wrote:
>
>> I thought ca = false was working until I actually verified that it
>> wasn't operating as a CA.
>
>> This is with puppet 0.24.8 btw.
>
> Ahhh, I'm using 0.25.x
>
> -scott
Atha Kouroussis
2010-Feb-02 21:35 UTC
Re: [Puppet Users] Re: Cannot seem to turn off the CA
Hi,

We have several puppetmasters running with ca = false and passenger. They
are currently 0.25.3 but were at some point 0.24.8.

Basically, once you have set up your CA, in a node intended to be a
puppetmaster, run the client FIRST with ca_server pointing to your CA.
The client generates the certificates and gets the CA certificate. Then
you can run the puppetmaster with ca = false.

Our non-CA puppetmasters' puppet.conf looks like this:

    # file managed by puppet
    [main]
        logdir = /var/log/puppet
        vardir = /var/lib/puppet
        ssldir = /var/lib/puppet/ssl
        rundir = /var/run/puppet
        factpath = $vardir/lib/facter
        pluginsync = true
        manifest = /etc/puppet/manifests/site.pp
        modulepath = /etc/puppet/modules
        templatedir = /etc/puppet/templates

    [puppetmasterd]
        # CA
        ca = false
        ca_server = puppeteer.domain.com
        syslogfacility = info
        # Enable Foreman reports
        reports=log, foreman
        # for Passenger
        ssl_client_header = SSL_CLIENT_S_DN
        ssl_client_verify_header = SSL_CLIENT_VERIFY
        # Use Foreman
        node_terminus=exec
        external_nodes=/etc/puppet/scripts/node.rb

    [puppetd]
        server = puppeteer.domain.com
        report = true

Hope this helps.

Cheers,
Atha

On Feb 2, 2010, at 17:14 , nicholas wrote:
> So I have 0.25.3
>
> I found this in the code
>
> puppet/ssl/certificate_authority.rb
>
> class Puppet::SSL::CertificateAuthority
>   ....
>   def self.ca?
>     return false unless Puppet[:ca]
>     return false unless Puppet[:name] == "puppetmasterd"
>     return true
>   end
>   ....
> end
>
>
> Basically I read this as, if this class is used inside of
> puppetmasterd, then turn on the certificate authority.
>
> Always.
>
> Anyone know if that is intended?
>
> On Feb 2, 9:15 am, Scott Smith <sc...@ohlol.net> wrote:
>> On 2/2/10 9:06 AM, Nigel Kersten wrote:
>>
>>> I thought ca = false was working until I actually verified that it
>>> wasn't operating as a CA.
>>
>>> This is with puppet 0.24.8 btw.
>>
>> Ahhh, I'm using 0.25.x
>>
>> -scott
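As an added check (not from the thread, and not Puppet's own code), the script below verifies that a master run with ca = false really holds the central CA's ca.pem and a host certificate that CA signed, following the ssldir layout Scott posted. It assumes openssl(1) is available and treats ca/ca_key.pem as the assumed location of a locally generated CA signing key; the test data (a central CA, a correctly enrolled master and one that generated its own CA) is constructed inside the script.

```shell
# Added example: audit a ca = false puppetmaster's ssldir against the central CA.
# Assumes openssl(1); ca/ca_key.pem is an assumed path for a locally generated CA key.

# mk_ca DIR CN : self-signed CA key and cert in DIR (constructed test data)
mk_ca() {
  mkdir -p "$1"
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=$2" \
    -keyout "$1/ca_key.pem" -out "$1/ca_crt.pem" 2>/dev/null
}

# mk_master SSLDIR HOST CADIR : master ssldir whose host cert is signed by CADIR's CA
mk_master() {
  mkdir -p "$1/certs" "$1/private_keys" "$1/certificate_requests"
  openssl req -newkey rsa:2048 -nodes -subj "/CN=$2" \
    -keyout "$1/private_keys/$2.pem" -out "$1/certificate_requests/$2.pem" 2>/dev/null
  openssl x509 -req -days 1 -in "$1/certificate_requests/$2.pem" \
    -CA "$3/ca_crt.pem" -CAkey "$3/ca_key.pem" -CAcreateserial \
    -out "$1/certs/$2.pem" 2>/dev/null
  cp "$3/ca_crt.pem" "$1/certs/ca.pem"   # what the client fetches from ca_server
}

# check_master SSLDIR HOST CENTRAL_CA_CRT : 0 if SSLDIR looks like a proper ca = false master
check_master() {
  # a ca = false master should hold no CA signing key (assumed path ca/ca_key.pem)
  [ ! -f "$1/ca/ca_key.pem" ] || { echo "$1: ca/ca_key.pem present, master is acting as a CA"; return 1; }
  # certs/ca.pem must be the central CA's certificate, not a locally generated one
  want=$(openssl x509 -noout -fingerprint -sha256 -in "$3" 2>/dev/null)
  have=$(openssl x509 -noout -fingerprint -sha256 -in "$1/certs/ca.pem" 2>/dev/null)
  [ -n "$want" ] && [ "$want" = "$have" ] || { echo "$1: certs/ca.pem is not the central CA"; return 1; }
  # and the master's own certificate must chain to that CA
  openssl verify -CAfile "$1/certs/ca.pem" "$1/certs/$2.pem" >/dev/null 2>&1 \
    || { echo "$1: certs/$2.pem was not signed by the central CA"; return 1; }
}

# Stand-alone demo: one master enrolled via the central CA, one that generated its own CA
demo() {
  tmp=$(mktemp -d)
  mk_ca "$tmp/central" "Puppet CA: puppeteer.domain.com"
  mk_master "$tmp/good" puppet.domain.com "$tmp/central"
  mk_ca "$tmp/bad/ca" "Puppet CA: puppet.domain.com"
  mk_master "$tmp/bad" puppet.domain.com "$tmp/bad/ca"
  for d in good bad; do
    check_master "$tmp/$d" puppet.domain.com "$tmp/central/ca_crt.pem" && echo "$tmp/$d: ok" || :
  done
  rm -rf "$tmp"
}
demo
```

Against a real master, run check_master with its ssldir, its certname and a copy of the CA host's certificate; any non-zero exit means the master is trusting or issuing certificates outside the central CA.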
On Feb 2, 2:14 pm, nicholas <nvee...@gmail.com> wrote:
> def self.ca?
>   return false unless Puppet[:ca]
>   return false unless Puppet[:name] == "puppetmasterd"
>   return true
> end
[...]
> Basically I read this as, if this class is used inside of
> puppetmasterd, then turn on the certificate authority.

I believe you're missing something there: if the host Puppet's "ca"
property is false then that function returns false, regardless of the
value of the "name" property (first line of the function body). In other
words, we see exactly what one should expect to see in support of the
config file variable and command-line option.

Of course, much depends on how the (Ruby) class containing that function
is used, and on how and when the "ca" Puppet property is set, but I don't
see anything obviously wrong with the particular code presented.

John