Hi Folks,

I'm a first time user of puppet and I'm playing around with it using Amazon EC2 instances in order to learn it. The OS is Ubuntu 10.04 server and the puppet version is 0.25.4.

Right now I'm having a hard time making the autosign feature work. I'd like to make the master autosign any client from Amazon AWS. For that I created an /etc/puppet/autosign.conf file with only one line containing "*.compute-1.internal" and then started the puppetmaster using "sudo puppetmasterd -v --no-daemonize".

The client connects to the server but no signed certificate is delivered. At the server I got a message saying:

info: Could not find certificate for 'domu-12-31-38-04-b0-28.compute-1.internal'

I also tried adding "autosign=true" and "autosign=/etc/puppet/autosign.conf" under the [puppetmasterd] section in /etc/puppet/puppet.conf, but no luck so far.

What am I doing wrong here?

One thing I was considering is that at some point I might have messed up the server certificate. Not sure. Does a "sudo puppetca --clean --all" remove the master certificate?

Best regards,

Cheers,

--
You received this message because you are subscribed to the Google Groups "Puppet Users" group.
To post to this group, send email to puppet-users@googlegroups.com.
To unsubscribe from this group, send email to puppet-users+unsubscribe@googlegroups.com.
For more options, visit this group at http://groups.google.com/group/puppet-users?hl=en.
On Wed, May 12, 2010 at 7:35 PM, Eric <epaschoalick@gmail.com> wrote:
> Hi Folks,
>
> I'm a first time user of puppet and I'm playing around with it using
> Amazon EC2 instances in order to learn it. The OS is Ubuntu 10.04
> server and the puppet version is 0.25.4.
>
> Right now I'm having a hard time making the autosign feature work. I'd
> like to make the master autosign any client from Amazon AWS. For that
> I created an /etc/puppet/autosign.conf file with only one line
> containing "*.compute-1.internal" and then started the puppetmaster
> using "sudo puppetmasterd -v --no-daemonize".
>
> The client connects to the server but no signed certificate is
> delivered. At the server I got a message saying:
>
> info: Could not find certificate for 'domu-12-31-38-04-b0-28.compute-1.internal'
>
> I also tried adding "autosign=true" and "autosign=/etc/puppet/autosign.conf"
> under the [puppetmasterd] section in /etc/puppet/puppet.conf, but no luck
> so far.
>
> What am I doing wrong here?
>
> One thing I was considering is that at some point I might have messed up
> the server certificate. Not sure. Does a "sudo puppetca --clean --all"
> remove the master certificate?

that will remove the masters ssl certs, as well as any client ssl certs

if you messed up with the client certs, you sometimes have to wipe them out with rm (on the client)

you can also try

  puppetca --list

to see the pending certs to be signed

and

  puppetca --list --all

to see all signed and unsigned certs.

> Best regards,
>
> Cheers,
Hi Dan,

In the case that I messed up the master ssl, how could I fix it? Since I have no client signed yet, can I just generate a cert for the master fqdn hostname (i.e. puppetca --generate $(uname -f))?

"puppetca --list" outputs an empty line while "puppetca --list --all" outputs the master fqdn preceded by a "+" sign, like this:

root@domU-12-31-39-00-65-47:~# puppetca --list --all
+ domu-12-31-39-00-65-47.compute-1.internal
root@domU-12-31-39-00-65-47:~# puppetca --list

root@domU-12-31-39-00-65-47:~#

Any hints?

thanks for the help.

On May 12, 11:56 pm, Dan Bode <d...@puppetlabs.com> wrote:
> On Wed, May 12, 2010 at 7:35 PM, Eric <epaschoal...@gmail.com> wrote:
> > Hi Folks,
>
> that will remove the masters ssl certs, as well as any client ssl certs
>
> if you messed up with the client certs, you sometimes have to wipe them out
> with rm (on the client)
>
> you can also try
>
> puppetca --list
>
> to see the pending certs to be signed
>
> and
>
> puppetca --list --all
>
> to see all signed and unsigned certs.
>
> > Best regards,
>
> > Cheers,
On Wed, May 12, 2010 at 8:18 PM, Eric <epaschoalick@gmail.com> wrote:
> Hi Dan,
>
> In the case that I messed up the master ssl, how could I fix it?
> Since I have no client signed yet, can I just generate a cert for the
> master fqdn hostname (i.e. puppetca --generate $(uname -f))?

I would just wipe out the ssldir on the server and run:

#> puppetmasterd --no-daemonize --verbose

This is the easiest way to start over from scratch. this will create new CA and SSL certs for the master.

> "puppetca --list" outputs an empty line while "puppetca --list --all"
> outputs the master fqdn preceded by a "+" sign, like this:
>
> root@domU-12-31-39-00-65-47:~# puppetca --list --all
> + domu-12-31-39-00-65-47.compute-1.internal
> root@domU-12-31-39-00-65-47:~# puppetca --list
>
> root@domU-12-31-39-00-65-47:~#
>
> Any hints?
>
> thanks for the help.
Hi,

On Wed, May 12, 2010 at 07:35:18PM -0700, Eric wrote:
>
> I'm a first time user of puppet and I'm playing around with it using
> Amazon EC2 instances in order to learn it. The OS is Ubuntu 10.04
> server and the puppet version is 0.25.4.
>
> Right now I'm having a hard time making the autosign feature work.

You may wanna have a look at the blog series [1] I wrote about using Ubuntu images in EC2. I've outlined an architecture to not use auto signing on the puppetmaster.

[1]: http://ubuntumathiaz.wordpress.com/2010/03/25/using-puppet-in-uecec2-automating-the-signing-process/

--
Mathias Gug
Ubuntu Developer  http://www.ubuntu.com
On Thu, May 13, 2010 at 6:04 AM, Mathias Gug <mathiaz@ubuntu.com> wrote:
> Hi,
>
> On Wed, May 12, 2010 at 07:35:18PM -0700, Eric wrote:
>>
>> I'm a first time user of puppet and I'm playing around with it using
>> Amazon EC2 instances in order to learn it. The OS is Ubuntu 10.04
>> server and the puppet version is 0.25.4.
>>
>> Right now I'm having a hard time making the autosign feature work.
>
> You may wanna have a look at the blog series [1] I wrote about using Ubuntu
> images in EC2. I've outlined an architecture to not use auto signing on the
> puppetmaster.
>
> [1]: http://ubuntumathiaz.wordpress.com/2010/03/25/using-puppet-in-uecec2-automating-the-signing-process/

Essentially by making your own specialized alternative autosigner, yes :)

We (Mathias, I, others) were all talking about this Monday, our consensus was that we're going to consider making a way to teach the autosigner to accept the name of an external script (much akin to external_nodes) that could be called to decide whether or not to autosign a certain cert.

In any event, if you can't get basic autosign to work, the above would be no easier -- I would suggest starting with what Dan had said and let us know where you get from there.
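The thread turns on what an autosign.conf entry such as the "*.compute-1.internal" line from Eric's first message actually admits, and the reply above sketches an external script doing that decision instead. The script below is an added example written for this page; it is not code from the thread and not Puppet's own matcher. It approximates the decision with shell glob matching against a constructed autosign.conf (it is an assumption that the two agree on simple whole-name patterns like these), so you can see which certnames a given entry would sign before enabling it on a master.

```shell
#!/bin/sh
# Added example (not from the thread, not Puppet's code): approximate how an
# autosign.conf entry is matched against the certname of a waiting request.
# Assumption: shell glob matching behaves like Puppet's matcher for simple
# whole-name patterns such as "*.compute-1.internal".

# Constructed autosign.conf: one whole-name pattern per line, '#' for comments.
AUTOSIGN_CONF=$(mktemp)
cat > "$AUTOSIGN_CONF" <<'EOF'
# constructed entries for the demo
*.compute-1.internal
build01.example.org
EOF

# autosign_match CERTNAME CONFFILE: prints "sign" when an entry matches, else "hold".
autosign_match() {
    certname="$1"
    conf="$2"
    while IFS= read -r entry || [ -n "$entry" ]; do
        # Trim surrounding whitespace; skip blank lines and comments.
        entry=$(printf '%s' "$entry" | sed 's/^[[:space:]]*//; s/[[:space:]]*$//')
        case "$entry" in ''|\#*) continue ;; esac
        # An unquoted $entry in a case label is evaluated as a glob that must
        # cover the whole certname, so "*.compute-1.internal" does not match
        # "host.compute-1.internal.example".
        case "$certname" in
            $entry) echo sign; return 0 ;;
        esac
    done < "$conf"
    echo hold
}

# Demo: the hostname from the thread plus a few constructed names.
for name in domu-12-31-38-04-b0-28.compute-1.internal \
            build01.example.org \
            build02.example.org \
            host.compute-1.internal.example; do
    printf '%-45s %s\n' "$name" "$(autosign_match "$name" "$AUTOSIGN_CONF")"
done
```

The certname in a request is whatever the client puts in its CSR, so a wildcard entry signs any request that claims a name under that domain; that is the risk behind Mathias' suggestion to avoid autosign on an EC2 master and sign per instance instead.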
Thanks all.

I've removed the entire ssl dir as suggested and started puppetmaster again but got the following error:

ubuntu@domU-12-31-39-00-65-47:~$ sudo rm -rf /var/lib/puppet/ssl
ubuntu@domU-12-31-39-00-65-47:~$ sudo puppetmasterd --verbose --no-daemonize
info: Creating a new SSL key for ca
info: Creating a new SSL certificate request for ca
notice: Signed certificate request for ca
notice: Rebuilding inventory file
info: Creating a new certificate revocation list
info: Creating a new SSL key for domu-12-31-39-00-65-47.compute-1.internal
info: Creating a new SSL certificate request for domu-12-31-39-00-65-47.compute-1.internal
notice: domu-12-31-39-00-65-47.compute-1.internal has a waiting certificate request
/usr/lib/ruby/1.8/puppet/ssl/certificate_authority.rb:91:in `autosign_store': uninitialized constant Puppet::Network::AuthStore (NameError)
    from /usr/lib/ruby/1.8/puppet/ssl/certificate_authority.rb:67:in `autosign'
    from /usr/lib/ruby/1.8/puppet/ssl/certificate_request.rb:48:in `save'
    from /usr/lib/ruby/1.8/puppet/ssl/host.rb:147:in `generate_certificate_request'
    from /usr/lib/ruby/1.8/puppet/ssl/host.rb:175:in `generate'
    from /usr/lib/ruby/1.8/puppet/ssl/host.rb:27:in `init_localhost'
    from /usr/lib/ruby/1.8/puppet/util/cacher.rb:106:in `send'
    from /usr/lib/ruby/1.8/puppet/util/cacher.rb:106:in `cached_value'
    from /usr/lib/ruby/1.8/puppet/util/cacher.rb:46:in `localhost'
    from /usr/lib/ruby/1.8/puppet/application/puppetmasterd.rb:93:in `main'
    from /usr/lib/ruby/1.8/puppet/application.rb:226:in `send'
    from /usr/lib/ruby/1.8/puppet/application.rb:226:in `run_command'
    from /usr/lib/ruby/1.8/puppet/application.rb:217:in `run'
    from /usr/lib/ruby/1.8/puppet/application.rb:306:in `exit_on_fail'
    from /usr/lib/ruby/1.8/puppet/application.rb:217:in `run'
    from /usr/sbin/puppetmasterd:66
ubuntu@domU-12-31-39-00-65-47:~$

Thanks for all the help.
Hmm.... Does this thread help you? We should fix the error message, also, IMHO.

http://markmail.org/message/aydpf243lu6uub5a#query:uninitialized%20constant%20Puppet%3A%3ANetwork%3A%3AAuthStore+page:1+mid:lelvuzkis2xzruyc+state:results

--Michael

On Thu, May 13, 2010 at 7:15 PM, Eric <epaschoalick@gmail.com> wrote:
> Thanks all.
>
> I've removed the entire ssl dir as suggested and started puppetmaster
> again but got the following error:
>
> ubuntu@domU-12-31-39-00-65-47:~$ sudo rm -rf /var/lib/puppet/ssl
> ubuntu@domU-12-31-39-00-65-47:~$ sudo puppetmasterd --verbose --no-daemonize
> info: Creating a new SSL key for ca
> info: Creating a new SSL certificate request for ca
> notice: Signed certificate request for ca
> notice: Rebuilding inventory file
> info: Creating a new certificate revocation list
> info: Creating a new SSL key for domu-12-31-39-00-65-47.compute-1.internal
> info: Creating a new SSL certificate request for domu-12-31-39-00-65-47.compute-1.internal
> notice: domu-12-31-39-00-65-47.compute-1.internal has a waiting certificate request
> /usr/lib/ruby/1.8/puppet/ssl/certificate_authority.rb:91:in `autosign_store': uninitialized constant Puppet::Network::AuthStore (NameError)
>     from /usr/lib/ruby/1.8/puppet/ssl/certificate_authority.rb:67:in `autosign'
>     from /usr/lib/ruby/1.8/puppet/ssl/certificate_request.rb:48:in `save'
>     from /usr/lib/ruby/1.8/puppet/ssl/host.rb:147:in `generate_certificate_request'
>     from /usr/lib/ruby/1.8/puppet/ssl/host.rb:175:in `generate'
>     from /usr/lib/ruby/1.8/puppet/ssl/host.rb:27:in `init_localhost'
>     from /usr/lib/ruby/1.8/puppet/util/cacher.rb:106:in `send'
>     from /usr/lib/ruby/1.8/puppet/util/cacher.rb:106:in `cached_value'
>     from /usr/lib/ruby/1.8/puppet/util/cacher.rb:46:in `localhost'
>     from /usr/lib/ruby/1.8/puppet/application/puppetmasterd.rb:93:in `main'
>     from /usr/lib/ruby/1.8/puppet/application.rb:226:in `send'
>     from /usr/lib/ruby/1.8/puppet/application.rb:226:in `run_command'
>     from /usr/lib/ruby/1.8/puppet/application.rb:217:in `run'
>     from /usr/lib/ruby/1.8/puppet/application.rb:306:in `exit_on_fail'
>     from /usr/lib/ruby/1.8/puppet/application.rb:217:in `run'
>     from /usr/sbin/puppetmasterd:66
> ubuntu@domU-12-31-39-00-65-47:~$
>
> Thanks for all the help.
Ok, I may have got what went wrong. Since I'm using puppet in an ubuntu distro, I installed it from the repositories, which set up everything to run with the puppet user, including file permissions. But after installing it, I only ran the puppetmaster with sudo and --no-daemonize to see messages and stuff.

My guess is that this prevented puppetmaster from properly accessing the CA files, and hence produced the error. From that point on I just made everything worse by playing around with puppetca --clean --all. Could that be it?

Anyway, since I'm just playing with it I threw away the instances and started from scratch. After installing it I just edited the autosign.conf and did not run puppetmasterd by hand, running it as a daemon, and everything worked fine.

Since my goal is to learn puppet, I would like to ask for some help from you guys with the following questions:

* Does the explanation above make sense?
* Since puppetmasterd runs under the puppet user account, and everything located in /etc/puppet/* is by default set for user root, should I change permissions to make it work?

Thanks again for all the help. I also did not reply to all answers individually, but I have read them all and all referenced documents (I'm doing my homework :)). Thanks all!!

Best regards
On 15.05.2010 02:41, Eric wrote:
> Ok, I may have got what went wrong. Since I'm using puppet in an ubuntu
> distro, I installed it from the repositories, which set up everything to
> run with the puppet user, including file permissions. But after installing
> it, I only ran the puppetmaster with sudo and --no-daemonize to see
> messages and stuff.
>
> My guess is that this prevented puppetmaster from properly accessing the CA
> files, and hence produced the error. From that point on I just made
> everything worse by playing around with puppetca --clean --all. Could
> that be it?
>
> Anyway, since I'm just playing with it I threw away the instances and
> started from scratch. After installing it I just edited the autosign.conf
> and did not run puppetmasterd by hand, running it as a daemon, and
> everything worked fine.
>
> Since my goal is to learn puppet, I would like to ask for some help
> from you guys with the following questions:
>
> * Does the explanation above make sense?
> * Since puppetmasterd runs under the puppet user account, and everything
> located in /etc/puppet/* is by default set for user root, should I
> change permissions to make it work?
>
> Thanks again for all the help. I also did not reply to all answers
> individually, but I have read them all and all referenced documents
> (I'm doing my homework :)). Thanks all!!
>
> Best regards

Puppet requires read access to /etc/puppet and write access to /var/lib/puppet (not going into details).

* the paths are like that if you installed by package manager (not sure for source or gem how they are)

Certificates are security-sensitive data, and are created with owner permissions only (at least the private part). It is recommended that you keep them with owner permissions only, as it is a security risk not to; also some software might refuse to use them if they are not like that. So you should always use certificates like that if you don't want odd problems popping up.

Now if certificates/dirs are created under the wrong user, puppet won't have access to them. The odd thing about this is that puppet switches to user puppet if it is run as root. So either there is a bug in puppet, where the certificates are created before changing the user and/or environment, or you ran puppet under your own user (I remember having done something like this).

As others have stated, in most cases rm -rf /var/lib/puppet would suffice.

You may try to run puppetmaster with sudo -u [puppet] -i puppetmasterd, where [puppet] is the username under which the puppet master should run. Or sudo -i puppetmasterd (to allow puppet to change the user, and to make sure there isn't any environment variable that could confuse puppet).

Silviu
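Silviu's reply gives two conditions for a healthy ssldir: every file is owned by the account the master runs as, and private keys carry owner-only permissions. The script below is an added example for this page (not code from the thread or from Puppet) that checks both on a directory tree. It runs against a constructed temp tree whose layout mirrors the ca/, certs/ and private_keys/ subdirectories, never against a real /var/lib/puppet/ssl, and it compares the owner column of ls -l as a string so it needs no passwd lookup for the service account.

```shell
#!/bin/sh
# Added example (not from the thread, not Puppet's code): check a Puppet ssldir
# for the two problems described in the reply above, files not owned by the
# service account and private keys readable by anyone but their owner.
# Exercised on a constructed temp tree, never on a real /var/lib/puppet/ssl.

# check_ssldir OWNER DIR: print one line per finding (prints nothing when clean).
check_ssldir() {
    owner="$1"
    dir="$2"
    find "$dir" -type f | while IFS= read -r f; do
        # Owner column of ls -l, compared as a string (no passwd lookup needed).
        file_owner=$(ls -ld "$f" | awk '{print $3}')
        if [ "$file_owner" != "$owner" ]; then
            echo "WRONG OWNER ($file_owner, expected $owner): $f"
        fi
        # Private key material: group/other bits (mode positions 5-10) must all be off.
        case "$f" in
            */private_keys/*.pem|*/ca/ca_key.pem)
                bits=$(ls -ld "$f" | cut -c5-10)
                if [ "$bits" != "------" ]; then
                    echo "TOO OPEN (group/other bits $bits): $f"
                fi
                ;;
        esac
    done
}

# count_ssldir_problems OWNER DIR: number of findings as a plain integer.
count_ssldir_problems() {
    check_ssldir "$1" "$2" | wc -l | tr -d ' '
}

# --- constructed demo tree (layout mirrors the ssldir subdirs Puppet creates) ---
DEMO_SSLDIR=$(mktemp -d)
mkdir -p "$DEMO_SSLDIR/ca" "$DEMO_SSLDIR/certs" "$DEMO_SSLDIR/private_keys"
touch "$DEMO_SSLDIR/ca/ca_key.pem" "$DEMO_SSLDIR/certs/master.pem" \
      "$DEMO_SSLDIR/private_keys/master.pem"
chmod 644 "$DEMO_SSLDIR/ca/ca_key.pem"          # deliberately too open
chmod 644 "$DEMO_SSLDIR/certs/master.pem"       # public cert, world-readable is fine
chmod 600 "$DEMO_SSLDIR/private_keys/master.pem"

# The account that actually created the tree (whoever runs this script).
DEMO_OWNER=$(ls -ld "$DEMO_SSLDIR" | awk '{print $3}')

echo "checked against owner $DEMO_OWNER:"
check_ssldir "$DEMO_OWNER" "$DEMO_SSLDIR"
echo "checked against owner puppet (the account the Ubuntu package runs the master under):"
check_ssldir puppet "$DEMO_SSLDIR"
```

Run with the real service account and ssldir (for the thread's setup that is puppet and /var/lib/puppet/ssl) before wiping anything: a tree that reports only WRONG OWNER lines is the "created under the wrong user" case in the reply, which a chown to the service account fixes without regenerating the CA.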