Yushu Yao
2010-Aug-19 18:38 UTC
[Puppet Users] External CA: Could not run: Could not retrieve certificate for puppetsrv and not running on a valid certificate authority
Hi Experts,

I'm trying to generate my own certificates (all of them, including certs for
CA, server and client) for puppet to use.
and I'm getting "Could not run: Could not retrieve certificate for puppetsrv
and not running on a valid certificate authority"

Just wondering what the problem could be?

What I did is:

1. generate a self signed CA cert, and save the files to ca.crt, ca.prk,
ca.puk, ca.pass.
2. generate a keypair, request, then sign with the above CA and save the
files ssldir/public_keys/puppetsrv.pem, ssldir/private_keys/puppetsrv.pem,
ssldir/certificate_requests/puppetsrv.pem, ssldir/certs/puppetsrv.pem
(All certs work fine with openssl verify)
3. Puppet configuration file:
ca = false
cakey=$ssldir/ca.prk
passfile=$ssldir/ca.pass
cacert=$ssldir/ca.crt
capub=$ssldir/ca.puk
4. run puppet master:
/usr/sbin/puppetmasterd --no-daemonize --verbose --debug --certname puppetsrv

Full log (added some breakpoints and printed some tracebacks):
debug: Failed to load library 'selinux' for feature 'selinux'
debug: Failed to load library 'ldap' for feature 'ldap'
debug: /File[/opt/cloudcrv/varpuppet/lib]: Autorequiring File[/opt/cloudcrv/varpuppet]
debug: /File[/opt/cloudcrv/confpuppet/puppet.conf]: Autorequiring File[/opt/cloudcrv/confpuppet]
debug: /File[/opt/cloudcrv/varpuppet/run/puppetmasterd.pid]: Autorequiring File[/opt/cloudcrv/varpuppet/run]
debug: /File[/opt/cloudcrv/varpuppet/ssl/certs/puppetsrv.pem]: Autorequiring File[/opt/cloudcrv/varpuppet/ssl/certs]
debug: /File[/opt/cloudcrv/varpuppet/ssl/private]: Autorequiring File[/opt/cloudcrv/varpuppet/ssl]
debug: /File[/opt/cloudcrv/varpuppet/rrd]: Autorequiring File[/opt/cloudcrv/varpuppet]
debug: /File[/opt/cloudcrv/varpuppet/bucket]: Autorequiring File[/opt/cloudcrv/varpuppet]
debug: /File[/opt/cloudcrv/varpuppet/log]: Autorequiring File[/opt/cloudcrv/varpuppet]
debug: /File[/opt/cloudcrv/varpuppet/facts]: Autorequiring File[/opt/cloudcrv/varpuppet]
debug: /File[/opt/cloudcrv/varpuppet/log/masterhttp.log]: Autorequiring File[/opt/cloudcrv/varpuppet/log]
debug: /File[/opt/cloudcrv/varpuppet/ssl]: Autorequiring File[/opt/cloudcrv/varpuppet]
debug: /File[/opt/cloudcrv/varpuppet/state]: Autorequiring File[/opt/cloudcrv/varpuppet]
debug: /File[/opt/cloudcrv/confpuppet/fileserver.conf]: Autorequiring File[/opt/cloudcrv/confpuppet]
debug: /File[/opt/cloudcrv/varpuppet/ssl/certificate_requests]: Autorequiring File[/opt/cloudcrv/varpuppet/ssl]
debug: /File[/opt/cloudcrv/confpuppet/auth.conf]: Autorequiring File[/opt/cloudcrv/confpuppet]
debug: /File[/opt/cloudcrv/confpuppet/manifests]: Autorequiring File[/opt/cloudcrv/confpuppet]
debug: /File[/opt/cloudcrv/varpuppet/ssl/public_keys/puppetsrv.pem]: Autorequiring File[/opt/cloudcrv/varpuppet/ssl/public_keys]
debug: /File[/opt/cloudcrv/varpuppet/yaml]: Autorequiring File[/opt/cloudcrv/varpuppet]
debug: /File[/opt/cloudcrv/varpuppet/reports]: Autorequiring File[/opt/cloudcrv/varpuppet]
debug: /File[/opt/cloudcrv/varpuppet/ssl/public_keys]: Autorequiring File[/opt/cloudcrv/varpuppet/ssl]
debug: /File[/opt/cloudcrv/varpuppet/ssl/certs]: Autorequiring File[/opt/cloudcrv/varpuppet/ssl]
debug: /File[/opt/cloudcrv/varpuppet/ssl/private_keys]: Autorequiring File[/opt/cloudcrv/varpuppet/ssl]
debug: /File[/opt/cloudcrv/varpuppet/run]: Autorequiring File[/opt/cloudcrv/varpuppet]
debug: /File[/opt/cloudcrv/varpuppet/ssl/private_keys]: Changing mode
debug: /File[/opt/cloudcrv/varpuppet/ssl/private_keys]: 1 change(s)
debug: /File[/opt/cloudcrv/varpuppet/ssl/private_keys]/mode: mode changed '755' to '750'
debug: /File[/opt/cloudcrv/varpuppet/ssl/private]: Changing ensure
debug: /File[/opt/cloudcrv/varpuppet/ssl/private]: 1 change(s)
debug: /File[/opt/cloudcrv/varpuppet/ssl/private]/ensure: created
debug: Finishing transaction 70044884792200 with 2 changes
/usr/lib/ruby/1.8/puppet/ssl/host.rb:157:in `certificate'
/usr/lib/ruby/1.8/puppet/ssl/host.rb:27:in `init_localhost'
/usr/lib/ruby/1.8/puppet/util/cacher.rb:106:in `send'
/usr/lib/ruby/1.8/puppet/util/cacher.rb:106:in `cached_value'
/usr/lib/ruby/1.8/puppet/util/cacher.rb:46:in `localhost'
/usr/lib/ruby/1.8/puppet/application/puppetmasterd.rb:93:in `main'
/usr/lib/ruby/1.8/puppet/application.rb:226:in `send'
/usr/lib/ruby/1.8/puppet/application.rb:226:in `run_command'
/usr/lib/ruby/1.8/puppet/application.rb:217:in `run'
/usr/lib/ruby/1.8/puppet/application.rb:306:in `exit_on_fail'
/usr/lib/ruby/1.8/puppet/application.rb:217:in `run'
/usr/sbin/puppetmasterd:66
Puppet::SSL::Certificate
/usr/lib/ruby/1.8/puppet/ssl/host.rb:173
)
(rdb:1) p Certificate.find("puppetsrv")
#<Puppet::SSL::Certificate:0x7f6930ce7d18 @name="puppetsrv", @content=#<OpenSSL::X509::Certificate subject=/C=US/ST=CA/L=Berkeley/O=Lawrence Berkeley National Laboratory/CN=puppetsrv, issuer=/C=US/ST=CA/L=Berkeley/O=Lawrence Berkeley National Laboratory/CN=ca, serial=1, not_before=Thu Aug 19 18:24:23 UTC 2010, not_after=Fri Aug 19 18:24:23 UTC 2011>>
(rdb:1) p Certificate.find("ca")
nil
(rdb:1) c
info: Creating a new SSL key for puppetsrv
/usr/lib/ruby/1.8/puppet/ssl/host.rb:157:in `certificate'
/usr/lib/ruby/1.8/puppet/ssl/host.rb:184:in `generate'
/usr/lib/ruby/1.8/puppet/ssl/host.rb:27:in `init_localhost'
/usr/lib/ruby/1.8/puppet/util/cacher.rb:106:in `send'
/usr/lib/ruby/1.8/puppet/util/cacher.rb:106:in `cached_value'
/usr/lib/ruby/1.8/puppet/util/cacher.rb:46:in `localhost'
/usr/lib/ruby/1.8/puppet/application/puppetmasterd.rb:93:in `main'
/usr/lib/ruby/1.8/puppet/application.rb:226:in `send'
/usr/lib/ruby/1.8/puppet/application.rb:226:in `run_command'
/usr/lib/ruby/1.8/puppet/application.rb:217:in `run'
/usr/lib/ruby/1.8/puppet/application.rb:306:in `exit_on_fail'
/usr/lib/ruby/1.8/puppet/application.rb:217:in `run'
/usr/sbin/puppetmasterd:66
Puppet::SSL::Certificate
/usr/lib/ruby/1.8/puppet/ssl/host.rb:173
)
(rdb:1) p Certificate.find("ca")
nil
(rdb:1) p Certificate.find("puppetsrv")
#<Puppet::SSL::Certificate:0x7f6930cdcb20 @name="puppetsrv", @content=#<OpenSSL::X509::Certificate subject=/C=US/ST=CA/L=Berkeley/O=Lawrence Berkeley National Laboratory/CN=puppetsrv, issuer=/C=US/ST=CA/L=Berkeley/O=Lawrence Berkeley National Laboratory/CN=ca, serial=1, not_before=Thu Aug 19 18:24:23 UTC 2010, not_after=Fri Aug 19 18:24:23 UTC 2011>>
(rdb:1) p key
#<Puppet::SSL::Key:0x7f6930ce5810 @password_file="/opt/cloudcrv/varpuppet/ssl/ca.pass", @name="puppetsrv",
@content=-----BEGIN RSA PRIVATE KEY-----
-----END RSA PRIVATE KEY----->
(rdb:1) c
CertificateAuthority.ca
notice: Starting Puppet server version 0.25.4
/usr/lib/ruby/1.8/puppet/network/http/webrick.rb:101:in `setup_ssl'
/usr/lib/ruby/1.8/puppet/network/http/webrick.rb:31:in `listen'
/usr/lib/ruby/1.8/puppet/network/server.rb:131:in `listen'
/usr/lib/ruby/1.8/puppet/network/server.rb:146:in `start'
/usr/lib/ruby/1.8/puppet/daemon.rb:128:in `start'
/usr/lib/ruby/1.8/puppet/application/puppetmasterd.rb:125:in `main'
/usr/lib/ruby/1.8/puppet/application.rb:226:in `send'
/usr/lib/ruby/1.8/puppet/application.rb:226:in `run_command'
/usr/lib/ruby/1.8/puppet/application.rb:217:in `run'
/usr/lib/ruby/1.8/puppet/application.rb:306:in `exit_on_fail'
/usr/lib/ruby/1.8/puppet/application.rb:217:in `run'
/usr/sbin/puppetmasterd:66
/usr/lib/ruby/1.8/puppet/ssl/host.rb:157:in `certificate'
/usr/lib/ruby/1.8/puppet/network/http/webrick.rb:102:in `setup_ssl'
/usr/lib/ruby/1.8/puppet/network/http/webrick.rb:31:in `listen'
/usr/lib/ruby/1.8/puppet/network/server.rb:131:in `listen'
/usr/lib/ruby/1.8/puppet/network/server.rb:146:in `start'
/usr/lib/ruby/1.8/puppet/daemon.rb:128:in `start'
/usr/lib/ruby/1.8/puppet/application/puppetmasterd.rb:125:in `main'
/usr/lib/ruby/1.8/puppet/application.rb:226:in `send'
/usr/lib/ruby/1.8/puppet/application.rb:226:in `run_command'
/usr/lib/ruby/1.8/puppet/application.rb:217:in `run'
/usr/lib/ruby/1.8/puppet/application.rb:306:in `exit_on_fail'
/usr/lib/ruby/1.8/puppet/application.rb:217:in `run'
/usr/sbin/puppetmasterd:66
Puppet::SSL::Certificate
/usr/lib/ruby/1.8/puppet/ssl/host.rb:173
)
(rdb:1) c
Could not run: Could not retrieve certificate for puppetsrv and not running on a valid certificate authority
--
You received this message because you are subscribed to the Google Groups
"Puppet Users" group.
To post to this group, send email to puppet-users@googlegroups.com.
To unsubscribe from this group, send email to
puppet-users+unsubscribe@googlegroups.com.
For more options, visit this group at
http://groups.google.com/group/puppet-users?hl=en.
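
Added example, not part of the thread and not Puppet's own code: a Ruby preflight check for a master that does not run its own CA, matching the debugger output in the post above, where the host certificate is found but `Certificate.find("ca")` returns nil. It assumes Puppet's default file layout under the ssldir, with the CA certificate read from `certs/ca.pem` (the default of the `localcacert` setting) and an unencrypted host key; `check_ssldir`, `make_cert`, `demo` and the throwaway CA are constructed for the illustration.

```ruby
require 'openssl'
require 'tmpdir'
require 'fileutils'

# Check the files a master with ca=false needs before it can start.
# Returns an array of problem symbols; an empty array means every check passed.
# Assumed layout (Puppet defaults, not read from any puppet.conf):
#   <ssldir>/certs/<certname>.pem, <ssldir>/private_keys/<certname>.pem,
#   <ssldir>/certs/ca.pem (default value of the localcacert setting).
def check_ssldir(ssldir, certname)
  cert_path = File.join(ssldir, 'certs', "#{certname}.pem")
  key_path  = File.join(ssldir, 'private_keys', "#{certname}.pem")
  ca_path   = File.join(ssldir, 'certs', 'ca.pem')

  missing = []
  missing << :host_cert_missing unless File.file?(cert_path)
  missing << :host_key_missing  unless File.file?(key_path)
  missing << :ca_cert_missing   unless File.file?(ca_path)
  return missing unless missing.empty?

  cert = OpenSSL::X509::Certificate.new(File.read(cert_path))
  key  = OpenSSL::PKey.read(File.read(key_path)) # assumes an unencrypted PEM key
  ca   = OpenSSL::X509::Certificate.new(File.read(ca_path))

  problems = []
  # The private key must belong to the public key in the host certificate.
  problems << :key_does_not_match_cert unless cert.check_private_key(key)
  # The host certificate must name this CA as issuer and carry its signature.
  signed = cert.issuer.to_s == ca.subject.to_s && cert.verify(ca.public_key)
  problems << :not_signed_by_ca unless signed
  problems << :outside_validity unless Time.now.between?(cert.not_before, cert.not_after)
  # The subject CN must equal the certname the master is started with.
  cn = cert.subject.to_a.assoc('CN')
  problems << :cn_mismatch unless cn && cn[1] == certname
  problems
end

# Build a short-lived certificate for the demo (constructed test data).
def make_cert(cn, key, issuer_cert: nil, issuer_key: nil, ca: false, serial: 1)
  cert = OpenSSL::X509::Certificate.new
  cert.version = 2
  cert.serial = serial
  cert.subject = OpenSSL::X509::Name.parse("/CN=#{cn}")
  cert.issuer = issuer_cert ? issuer_cert.subject : cert.subject
  cert.public_key = key.public_key
  cert.not_before = Time.now - 60
  cert.not_after = Time.now + 3600
  ef = OpenSSL::X509::ExtensionFactory.new
  ef.subject_certificate = cert
  ef.issuer_certificate = issuer_cert || cert
  cert.add_extension(ef.create_extension('basicConstraints', ca ? 'CA:TRUE' : 'CA:FALSE', true))
  cert.sign(issuer_key || key, OpenSSL::Digest.new('SHA256'))
  cert
end

# Reproduce the layout from the post: host cert and key in place, CA cert
# saved as <ssldir>/ca.crt only. Then copy it to certs/ca.pem and re-check.
def demo
  Dir.mktmpdir do |ssldir|
    %w[certs private_keys].each { |d| FileUtils.mkdir_p(File.join(ssldir, d)) }
    ca_key    = OpenSSL::PKey::RSA.new(2048)
    ca_cert   = make_cert('ca', ca_key, ca: true)
    host_key  = OpenSSL::PKey::RSA.new(2048)
    host_cert = make_cert('puppetsrv', host_key,
                          issuer_cert: ca_cert, issuer_key: ca_key, serial: 2)
    File.write(File.join(ssldir, 'certs', 'puppetsrv.pem'), host_cert.to_pem)
    File.write(File.join(ssldir, 'private_keys', 'puppetsrv.pem'), host_key.to_pem)
    File.write(File.join(ssldir, 'ca.crt'), ca_cert.to_pem)

    before = check_ssldir(ssldir, 'puppetsrv')
    FileUtils.cp(File.join(ssldir, 'ca.crt'), File.join(ssldir, 'certs', 'ca.pem'))
    after = check_ssldir(ssldir, 'puppetsrv')
    [before, after]
  end
end

p demo if __FILE__ == $PROGRAM_NAME
```

A certificate that passes `openssl verify` against the CA file can still fail the first check here, because that command is given the CA path explicitly while this check looks for it only at the assumed default location.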
Mohamed Lrhazi
2011-Mar-05 21:53 UTC
Re: [Puppet Users] External CA: Could not run: Could not retrieve certificate for puppetsrv and not running on a valid certificate authority
I just ran into the same issue... I was trying to follow this procedure: http://bodepd.com/wordpress/?p=7
My goal is to be able to run my nodes against either of two puppetmasters....
My first master starts fine, but the second dies with this same error:
Could not run: Could not retrieve certificate for <puppetmaster-fqdn> and not running on a valid certificate authority
Is the procedure outdated? Is it supposed to work with puppet 2.6?
Thanks,
Mohamed.
Matthew Black
2011-Mar-05 22:25 UTC
Re: [Puppet Users] External CA: Could not run: Could not retrieve certificate for puppetsrv and not running on a valid certificate authority
That process still works, but you need to have a CA puppet master, a non-CA puppet master, and one client for that to work. The client needs to be told where the CA server is though, which in that link tells you how to update the puppet.conf. I use this process and it works great, there was some tweaking needed for it to work for 2.6
Mohamed Lrhazi
2011-Mar-05 23:06 UTC
Re: [Puppet Users] External CA: Could not run: Could not retrieve certificate for puppetsrv and not running on a valid certificate authority
I guess it''s the tweaks fo 2.6" that I must be missing...
Here is my process:
On puppetmaster1:
sudo rm -rf /etc/puppet/ssl /var/lib/puppet/ssl
sudo puppet cert --generate --certdnsnames puppet.uis.example.com:puppet.example.com:puppet puppet-prod.uis.example.com
sudo puppet cert --generate --certdnsnames puppet-test.uis.example.com:puppet-test.example.com:puppet-test pirates.uis.example.com
Note: these last two commands seem to work, even though they also
print an error:
The first command for example prints this:
notice: Signed certificate request for ca
notice: Rebuilding inventory file
notice: puppet-prod.uis.example.com has a waiting certificate request
notice: Signed certificate request for puppet-prod.uis.example.com
notice: Removing file Puppet::SSL::CertificateRequest puppet-prod.uis.example.com at '/var/lib/puppet/ssl/ca/requests/puppet-prod.uis.example.com.pem'
notice: Removing file Puppet::SSL::CertificateRequest puppet-prod.uis.example.com at '/var/lib/puppet/ssl/certificate_requests/puppet-prod.uis.example.com.pem'
err: Could not call generate: Could not find certificate request for puppet-prod.uis.example.com
Why is that?
anyways, continuing, I edit puppet.conf to add:
[master]
certname=puppet-prod.uis.example.com
ca=true
Now starting puppet master seems to work fine, no errors.
Now, on puppetmaster2:
sudo rm -rf /etc/puppet/ssl /var/lib/puppet/ssl
copy these three files from puppetmaster1, to puppetmaster2
/var/lib/puppet/ssl/private_keys/pirates.uis.example.com.pem
/var/lib/puppet/ssl/ca/signed/pirates.uis.example.com.pem
/var/lib/puppet/ssl/ca/ca_crt.pem
I put the certs in /var/lib/puppet/ssl/certs and the key in
/var/lib/puppet/ssl/private_keys
Edit puppet.conf to have:
[master]
certname=pirates.uis.example.com
ca=false
ca_server=puppet-prod.uis.example.com
Now starting the puppet master fails with error:
Could not run: Could not retrieve certificate for
pirates.uis.example.com and not running on a valid certificate
authority
What am I doing wrong?
Thanks,
Mohamed.
Matthew Black
2011-Mar-05 23:58 UTC
Re: [Puppet Users] External CA: Could not run: Could not retrieve certificate for puppetsrv and not running on a valid certificate authority
I had to add this to my puppet conf files for the master section.
ssl_client_header = SSL_CLIENT_S_DN
ssl_client_verify_header = SSL_CLIENT_VERIFY
The one error you see from generating the cert is fine because it's trying to
delete the non-existent CSR, which is because you generated.
Mohamed Lrhazi
2011-Mar-06 00:24 UTC
Re: [Puppet Users] External CA: Could not run: Could not retrieve certificate for puppetsrv and not running on a valid certificate authority
On Sat, Mar 5, 2011 at 6:58 PM, Matthew Black <mjblack@gmail.com> wrote:
> had to add this to my puppet conf files for the master section.
> ssl_client_header = SSL_CLIENT_S_DN
> ssl_client_verify_header = SSL_CLIENT_VERIFY
I already had those in puppet.conf master section :(
Mohamed.
Mohamed Lrhazi
2011-Mar-06 02:05 UTC
Re: [Puppet Users] External CA: Could not run: Could not retrieve certificate for puppetsrv and not running on a valid certificate authority
The error says cert does not match key.. but which cert is it talking
about? I only created the puppetmaster2 cert, key and the ca cert.
Do I need to copy over the ca key as well? the ca pass ?
Mohamed.
Mohamed Lrhazi
2011-Mar-06 02:11 UTC
Re: [Puppet Users] External CA: Could not run: Could not retrieve certificate for puppetsrv and not running on a valid certificate authority
I just noticed the cert and key files have changed after my attempts
to start puppet master.. I recreated them, by copy pasting the
contents from puppetmaster1 where I had them generated, and now
puppetmaster2 starts!
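The last two messages trace the failure to a host certificate that no longer matched the private key on the non-CA master. As an added example (not part of the thread and not Puppet's own code), this Ruby script runs that consistency check over the three files copied to the second master; the function names, host names and in-memory certificates are constructed for the demonstration.

```ruby
require 'openssl'

# Checks the three files a non-CA master needs (host certificate, host private
# key, CA certificate). Returns a list of problems; an empty list means the
# set is consistent. Hypothetical helper, not a Puppet API.
def check_master_ssl(cert_pem, key_pem, ca_pem, certname, now: Time.now)
  cert = OpenSSL::X509::Certificate.new(cert_pem)
  key  = OpenSSL::PKey.read(key_pem)
  ca   = OpenSSL::X509::Certificate.new(ca_pem)

  problems = []
  # The failure from the thread: the key on disk is not the one that was certified.
  problems << :key_mismatch unless cert.check_private_key(key)
  # The certificate must carry a signature made by the CA the master trusts.
  problems << :not_signed_by_ca unless cert.verify(ca.public_key)
  # The subject CN must equal the certname set in puppet.conf.
  cn = cert.subject.to_a.find { |field, _value, _type| field == 'CN' }
  problems << :certname_mismatch unless cn && cn[1] == certname
  problems << :outside_validity unless now >= cert.not_before && now <= cert.not_after
  problems
end

# --- Constructed sample data below: throwaway keys and certificates ---------

def make_cert(common_name, key, issuer_cert, issuer_key, serial, ca: false)
  cert = OpenSSL::X509::Certificate.new
  cert.version = 2
  cert.serial = serial
  cert.subject = OpenSSL::X509::Name.parse("/CN=#{common_name}")
  cert.issuer = issuer_cert ? issuer_cert.subject : cert.subject
  cert.public_key = key.public_key
  cert.not_before = Time.now - 60
  cert.not_after = Time.now + 3600
  ef = OpenSSL::X509::ExtensionFactory.new
  ef.subject_certificate = cert
  ef.issuer_certificate = issuer_cert || cert
  cert.add_extension(
    ef.create_extension('basicConstraints', ca ? 'CA:TRUE' : 'CA:FALSE', true)
  )
  cert.sign(issuer_key, OpenSSL::Digest.new('SHA256'))
  cert
end

def build_constructed_samples
  ca_key   = OpenSSL::PKey::RSA.new(2048)
  ca_cert  = make_cert('ca', ca_key, nil, ca_key, 1, ca: true)
  host_key = OpenSSL::PKey::RSA.new(2048)
  host_cert = make_cert('master2.example.test', host_key, ca_cert, ca_key, 2)
  # Stands in for a key that was regenerated locally after the copy,
  # so it no longer belongs to the signed certificate.
  regenerated_key = OpenSSL::PKey::RSA.new(2048)
  {
    ca: ca_cert.to_pem,
    cert: host_cert.to_pem,
    key: host_key.to_pem,
    regenerated_key: regenerated_key.to_pem
  }
end

SAMPLES = build_constructed_samples

if __FILE__ == $PROGRAM_NAME
  name = 'master2.example.test'
  puts "as copied:       #{check_master_ssl(SAMPLES[:cert], SAMPLES[:key], SAMPLES[:ca], name).inspect}"
  puts "regenerated key: #{check_master_ssl(SAMPLES[:cert], SAMPLES[:regenerated_key], SAMPLES[:ca], name).inspect}"
end
```

Running the same function against the real files under the ssl directory before each start of the master shows whether the key or certificate has been replaced since they were copied.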