denmat
2010-Sep-17 04:11 UTC
[Puppet Users] SSL Chaining puppet 2.6.1 passenger and apache
Hi list,
I have an issue which I haven't been able to find a definitive answer
for after searching the list.
I have upgraded from 2.5 to 2.6 and the problem I have existed with 2.5, so
this is not related to the new release (running on F12/CentOS 5.5).
The puppetmaster works fine with my certificates using the internal
webrick server.
I've put apache and passenger in place and I get this difference in
the certificate chain, which I assume is my problem. Can this be
solved without regenerating all the certificates, or is there something
I'm missing from my configs (puppet.conf freshly generated with
puppetd --genconfig)?
## puppetmaster/webrick:
openssl s_client -connect puppet.int.example.com:8140
CONNECTED(00000003)
depth=1 CN = au-mel-master-1.int.example.com
verify error:num=19:self signed certificate in certificate chain
verify return:0
---
Certificate chain
0 s:/CN=au-mel-master-1.int.example.com
i:/CN=au-mel-master-1.int.example.com
1 s:/CN=au-mel-master-1.int.example.com
i:/CN=au-mel-master-1.int.example.com
## puppet passenger/apache
openssl s_client -connect puppet.int.example.com:8140
CONNECTED(00000003)
depth=1 CN = ca
verify error:num=19:self signed certificate in certificate chain
verify return:0
---
Certificate chain
0 s:/CN=au-mel-master-1.int.example.com
i:/CN=ca
1 s:/CN=ca
i:/CN=ca
I have copy and pasted from the /usr/share/puppet/ext directories the
default configurations making slight changes depending on my setup.
[root@au-mel-master-1 ~]# cat /etc/httpd/conf.d/puppetmasterd.conf
# you probably want to tune these settings
PassengerHighPerformance on
PassengerMaxPoolSize 12
PassengerPoolIdleTime 1500
# PassengerMaxRequests 1000
PassengerStatThrottleRate 120
RackAutoDetect Off
RailsAutoDetect Off
Listen 8140
<VirtualHost *:8140>
SSLEngine on
SSLProtocol -ALL +SSLv3 +TLSv1
SSLCipherSuite ALL:!ADH:RC4+RSA:+HIGH:+MEDIUM:-LOW:-SSLv2:-EXP
SSLCertificateFile /var/lib/puppet/ssl/certs/au-mel-master-1.int.example.com.pem
SSLCertificateKeyFile /var/lib/puppet/ssl/private_keys/au-mel-master-1.int.example.com.pem
SSLCertificateChainFile /var/lib/puppet/ssl/ca/ca_crt.pem
SSLCACertificateFile /var/lib/puppet/ssl/ca/ca_crt.pem
# CRL checking should be enabled; if you have problems with Apache complaining about the CRL, disable the next line
SSLCARevocationFile /var/lib/puppet/ssl/ca/ca_crl.pem
SSLVerifyClient optional
SSLVerifyDepth 1
SSLOptions +StdEnvVars
# The following client headers allow the same configuration to work with Pound.
# RequestHeader set X-SSL-Subject %{SSL_CLIENT_S_DN}e
# RequestHeader set X-Client-DN %{SSL_CLIENT_S_DN}e
# RequestHeader set X-Client-Verify %{SSL_CLIENT_VERIFY}e
DocumentRoot /usr/share/puppet/rack/puppetmasterd/public/
RackBaseURI /
<Directory /usr/share/puppet/rack/puppetmasterd/>
Options None
AllowOverride None
Order allow,deny
allow from all
</Directory>
</VirtualHost>
# a config.ru, for use with every rack-compatible webserver.
# SSL needs to be handled outside this, though.
# if puppet is not in your RUBYLIB:
# $:.unshift('/opt/puppet/lib')
$0 = "master"
# if you want debugging:
# ARGV << "--debug"
ARGV << "--rack"
require 'puppet/application/master'
# we're usually running inside a Rack::Builder.new {} block,
# therefore we need to call run *here*.
run Puppet::Application[:master].run
The result from the puppetd run on a normally working client is:
sudo puppetd --test --verbose
info: Retrieving plugin
err: /File[/var/lib/puppet/lib]: Failed to generate additional resources using 'eval_generate': certificate verify failed
err: /File[/var/lib/puppet/lib]: Failed to retrieve current state of resource: certificate verify failed Could not retrieve file metadata for puppet://puppet/plugins: certificate verify failed
info: Loading facts in nfs_home
info: Loading facts in nfs_home
err: Could not retrieve catalog from remote server: certificate verify failed
warning: Not using cache on failed catalog
err: Could not retrieve catalog; skipping run
puppet.conf:
publickeydir = /etc/puppet/ssl/public_keys
authconfig = /etc/puppet/namespaceauth.conf
httplog = /var/lib/puppet/log/http.log
privatedir = /etc/puppet/ssl/private
libdir = /var/lib/puppet/lib
hostcert = /etc/puppet/ssl/certs/au-mel-master-1.int.example.com.pem
pluginsource = puppet://puppet/plugins
localcacert = /etc/puppet/ssl/certs/ca.pem
factpath = /var/lib/puppet/lib/facter:/var/lib/puppet/facts
certdir = /etc/puppet/ssl/certs
rundir = /var/lib/puppet/run
requestdir = /etc/puppet/ssl/certificate_requests
passfile = /etc/puppet/ssl/private/password
hostprivkey = /etc/puppet/ssl/private_keys/au-mel-master-1.int.example.com.pem
hostcrl = /etc/puppet/ssl/crl.pem
factdest = /var/lib/puppet/facts/
logdir = /var/lib/puppet/log
statedir = /var/lib/puppet/state
ssldir = /etc/puppet/ssl
genconfig = false
privatekeydir = /etc/puppet/ssl/private_keys
hostcsr = /etc/puppet/ssl/csr_au-mel-master-1.int.example.com.pem
plugindest = /var/lib/puppet/lib
hostpubkey = /etc/puppet/ssl/public_keys/au-mel-master-1.int.example.com.pem
factsource = puppet://puppet/facts/
masterhttplog = /var/lib/puppet/log/masterhttp.log
storeconfigs = true
server_datadir = /var/lib/puppet/server_data
rrdinterval = 1800
manifest = /etc/puppet/manifests/site.pp
bucketdir = /var/lib/puppet/bucket
fileserverconfig = /etc/puppet/fileserver.conf
masterlog = /var/lib/puppet/log/puppetmaster.log
rest_authconfig = /etc/puppet/auth.conf
yamldir = /var/lib/puppet/yaml
reportdir = /var/lib/puppet/reports
modulepath = /etc/puppet/modules:/usr/share/puppet/modules
rrddir = /var/lib/puppet/rrd
manifestdir = /etc/puppet/manifests
clientbucketdir = /var/lib/puppet/clientbucket
client_datadir = /var/lib/puppet/client_data
report_server = puppet
graphdir = /var/lib/puppet/state/graphs
ca_port = 8140
puppetdlockfile = /var/lib/puppet/state/puppetdlock
bindaddress = 0.0.0.0
splaylimit = 1800
statefile = /var/lib/puppet/state/state.yaml
classfile = /var/lib/puppet/state/classes.txt
config = /etc/puppet/puppet.conf
report_port = 8140
clientyamldir = /var/lib/puppet/client_yaml
reportserver = puppet
puppetdlog = /var/lib/puppet/log/puppetd.log
ca_server = puppet
pidfile = /var/lib/puppet/run/agent.pid
localconfig = /var/lib/puppet/state/localconfig
tagmap = /etc/puppet/tagmail.conf
csrdir = /etc/puppet/ssl/ca/requests
serial = /etc/puppet/ssl/ca/serial
cacert = /etc/puppet/ssl/ca/ca_crt.pem
cacrl = /etc/puppet/ssl/ca/ca_crl.pem
signeddir = /etc/puppet/ssl/ca/signed
autosign = /etc/puppet/autosign.conf
cert_inventory = /etc/puppet/ssl/ca/inventory.txt
ca_name = au-mel-master-1.int.example.com
cakey = /etc/puppet/ssl/ca/ca_key.pem
caprivatedir = /etc/puppet/ssl/ca/private
capass = /etc/puppet/ssl/ca/private/ca.pass
cadir = /etc/puppet/ssl/ca
capub = /etc/puppet/ssl/ca/ca_pub.pem
dblocation = /var/lib/puppet/state/clientconfigs.sqlite3
dbadapter =
dbpassword =
railslog = /var/lib/puppet/log/rails.log
dbmigrate = true
dbport =
templatedir = /var/lib/puppet/templates
Thanks.
--
You received this message because you are subscribed to the Google Groups
"Puppet Users" group.
To post to this group, send email to puppet-users@googlegroups.com.
To unsubscribe from this group, send email to
puppet-users+unsubscribe@googlegroups.com.
For more options, visit this group at
http://groups.google.com/group/puppet-users?hl=en.
Patrick
2010-Sep-17 05:10 UTC
Re: [Puppet Users] SSL Chaining puppet 2.6.1 passenger and apache
On Sep 16, 2010, at 9:11 PM, denmat wrote:
> Hi list,
>
> have an issue which I haven't been able to find a definitive answer
> for after searching list.
>
> I have upgraded from 2.5 to 2.6 and problem I have existed with 2.5 so
> this is not related to the new release. (running on F12/Centos5.5).
>
> The puppetmaster works fine with my certificates using the internal
> webrick server.
>
> I've put apache and passenger in place and I get this difference in
> the certificate chain, which I assume is my problem. Can this be
> solved without regenerating all the certificates or is there something
> I'm missing from my configs (puppet.conf refreshly generated with
> puppetd --genconfig)?

Your passenger config is pulling certs from /var/lib/puppet/ssl and webrick is pulling certs from /etc/puppet/ssl so they should be operating differently.
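A way to catch the mismatch Patrick points at before reaching for `openssl s_client` (an added example, not code from the thread or from Puppet): it parses the pasted vhost and puppet.conf, resolves puppet's ssldir (expanding `$vardir`-style references), and reports every SSL file directive Apache would serve from outside that directory. The sample inputs are constructed from the thread; the default `[puppetmasterd]` section name is an assumption.

```python
import re
from configparser import ConfigParser

# Constructed inputs modelled on the thread: puppet.conf says /etc/puppet/ssl,
# the pasted vhost serves files from /var/lib/puppet/ssl (a second ssldir).
PUPPET_CONF = """
[main]
vardir = /var/lib/puppet
ssldir = /etc/puppet/ssl
"""
APACHE_VHOST = """
SSLEngine on
SSLCertificateFile /var/lib/puppet/ssl/certs/au-mel-master-1.int.example.com.pem
SSLCertificateKeyFile /var/lib/puppet/ssl/private_keys/au-mel-master-1.int.example.com.pem
SSLCertificateChainFile /var/lib/puppet/ssl/ca/ca_crt.pem
SSLCACertificateFile /var/lib/puppet/ssl/ca/ca_crt.pem
SSLCARevocationFile /var/lib/puppet/ssl/ca/ca_crl.pem
"""
SSL_FILE_DIRECTIVES = {"SSLCertificateFile", "SSLCertificateKeyFile",
                       "SSLCertificateChainFile", "SSLCACertificateFile",
                       "SSLCARevocationFile"}


def puppet_setting(conf_text, key, section="puppetmasterd"):
    """Read one puppet.conf setting, falling back to [main] and expanding
    $var references (e.g. ssldir = $vardir/ssl) the way puppet does."""
    cp = ConfigParser(interpolation=None)
    cp.read_string(conf_text)
    sec = section if cp.has_option(section, key) else "main"
    return re.sub(r"\$(\w+)", lambda m: puppet_setting(conf_text, m.group(1), section),
                  cp.get(sec, key))

def apache_ssl_paths(vhost_text):
    """Map each SSL file directive in the vhost to the path it names."""
    paths = {}
    for line in vhost_text.splitlines():
        parts = line.strip().split(None, 1)
        if len(parts) == 2 and parts[0] in SSL_FILE_DIRECTIVES:
            paths[parts[0]] = parts[1].strip()
    return paths

def directives_outside_ssldir(vhost_text, conf_text):
    """Return the SSL directives whose files are not under puppet's ssldir.
    Apache then serves a chain from a different CA than webrick does, which is
    the 'i:/CN=ca' versus 'i:/CN=au-mel-master-1...' difference s_client showed."""
    ssldir = puppet_setting(conf_text, "ssldir").rstrip("/") + "/"
    return sorted(d for d, p in apache_ssl_paths(vhost_text).items()
                  if not p.startswith(ssldir))
```

With the thread's two directories every one of the five directives is flagged; once the vhost and puppet.conf agree on a single ssldir the list is empty.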
denmat
2010-Sep-17 05:37 UTC
[Puppet Users] Re: SSL Chaining puppet 2.6.1 passenger and apache
You are correct. Many thanks Patrick.

On Sep 17, 3:10 pm, Patrick <kc7...@gmail.com> wrote:
> On Sep 16, 2010, at 9:11 PM, denmat wrote:
> > Hi list,
> >
> > have an issue which I haven't been able to find a definitive answer
> > for after searching list.
> >
> > I have upgraded from 2.5 to 2.6 and problem I have existed with 2.5 so
> > this is not related to the new release. (running on F12/Centos5.5).
> >
> > The puppetmaster works fine with my certificates using the internal
> > webrick server.
> >
> > I've put apache and passenger in place and I get this difference in
> > the certificate chain, which I assume is my problem. Can this be
> > solved without regenerating all the certificates or is there something
> > I'm missing from my configs (puppet.conf refreshly generated with
> > puppetd --genconfig)?
>
> Your passenger config is pulling certs from /var/lib/puppet/ssl and webrick is pulling certs from /etc/puppet/ssl so they should be operating differently.
Patrick
2010-Sep-17 05:52 UTC
Re: [Puppet Users] Re: SSL Chaining puppet 2.6.1 passenger and apache
On Sep 16, 2010, at 10:37 PM, denmat wrote:
> You are correct. Many thanks Patrick.

You're welcome. I'd advise you to trim down your config file right after you get it working. Yours is really unmanageable. Here's mine:

[main]
logdir=/var/log/puppet
vardir=/var/lib/puppet
ssldir=/var/lib/puppet/ssl
rundir=/var/run/puppet
factpath=$vardir/lib/facter

[puppetmasterd]
templatedir=$confdir/templates
ssl_client_header = SSL_CLIENT_S_DN
ssl_client_verify_header = SSL_CLIENT_VERIFY

[puppetd]
report=true
pluginsync=true
listen=true

> On Sep 17, 3:10 pm, Patrick <kc7...@gmail.com> wrote:
>> On Sep 16, 2010, at 9:11 PM, denmat wrote:
>>> Hi list,
>>>
>>> have an issue which I haven't been able to find a definitive answer
>>> for after searching list.
>>>
>>> I have upgraded from 2.5 to 2.6 and problem I have existed with 2.5 so
>>> this is not related to the new release. (running on F12/Centos5.5).
>>>
>>> The puppetmaster works fine with my certificates using the internal
>>> webrick server.
>>>
>>> I've put apache and passenger in place and I get this difference in
>>> the certificate chain, which I assume is my problem. Can this be
>>> solved without regenerating all the certificates or is there something
>>> I'm missing from my configs (puppet.conf refreshly generated with
>>> puppetd --genconfig)?
>>
>> Your passenger config is pulling certs from /var/lib/puppet/ssl and webrick is pulling certs from /etc/puppet/ssl so they should be operating differently.