Hi all,

till today we had a *.our.domain in autosign.conf. So any host from our.domain could get a signed certificate if it contacted our master. But we've decided to move that "*" to a complete list of hostnames.

So, I've pasted all the names into the autosign file and restarted the master (not sure if needed). So far, so good. Then I removed one name from the autosign file, cleaned its cert, and ran puppet on the host, but it's still able to contact the master and get its catalogue when it's supposed to get some kind of error.

So, how is this possible? Where am I misunderstanding autosign behaviour?

    # puppetmasterd --genconfig|grep autosign
        # Whether to enable autosign.  Valid values are true (which
        # autosigns any key request, and is a very bad idea), false (which
        # never autosigns any key request), and the path to a file, which
        # The default value is '$confdir/autosign.conf'.
        autosign = /etc/puppet/autosign.conf

    # wc -l /etc/puppet/autosign.conf
    660 /etc/puppet/autosign.conf
    # grep tditaller027.pic.es /etc/puppet/autosign.conf
    #

    [root@tditaller027 ~]# puppetd --test --server ser01.pic.es
    info: Retrieving plugin
    info: Loading facts in odd_ip
    info: Loading facts in odd_ip
    info: Caching catalog for tditaller027.pic.es
    info: Applying configuration version '1305815351'
    notice: Finished catalog run in 33.76 seconds

    # rpm -qa|grep puppet
    puppet-2.6.1-0.6.el5
    puppet-server-2.6.1-0.6.el5

Same version on the client.

TIA,
Arnau

-- 
You received this message because you are subscribed to the Google Groups "Puppet Users" group.
To post to this group, send email to puppet-users@googlegroups.com.
To unsubscribe from this group, send email to puppet-users+unsubscribe@googlegroups.com.
For more options, visit this group at http://groups.google.com/group/puppet-users?hl=en.
On May 19, 2011, at 7:37 AM, Arnau Bria wrote:

> Hi all,
>
> till today we had a *.our.domain in autosign.conf. So any host from
> our.domain could get a signed certificate if it contacts our master.
> But we've decided to move that "*" to a complete list of hostnames.
>
> So, I've pasted all the names to autosign file, restarted master (not
> sure if needed) So far, so good. So, I removed one name from autosign
> file, clean its cert, and ran puppet on the host, but it's still able
> to contact master and get its catalogue when it's supposed to get any
> kind of error.
>
> So, how is it possible? where am I misunderstanding autosign
> behaviour?

1) Are you sure you want this? Sounds like a bad idea.

2) As the documentation you have open shows, you can get the same effect by setting "autosign = true".

3) Try "*.*" instead. I think I remember Puppet won't work with just an asterisk.
On Thu, 19 May 2011 08:03:38 -0700
Patrick Patrick wrote:

Hi Patrick,

Maybe I haven't explained myself correctly.

> 1) Are you sure you want this? Sounds like a bad idea.

I want to restrict the puppet service to a list of known hosts. Is this a bad idea? I don't want all the nodes in our domain to be able to autosign their certificate.

> 2) As the documentation you have open shows, you can get the same
> effect by setting "autosign = true"

Yep, but I don't want autosign. I want to sign certificates as I add clients to the puppet master.

> 3) Try "*.*" instead. I think I remember Puppet won't work with just
> an asterisk.

*.my.domain has worked fine.

Thanks for your reply,
Cheers,
Arnau
Why not just sign them manually with puppetca --list and, if nothing suspicious shows up, puppetca --sign --all? I'm not sure it makes sense to autosign a list of hosts instead of everything from a domain when you can sign things on a host-by-host basis and sign requests in bulk.

--
Nathan Clemons
http://www.livemocha.com
The world's largest online language learning community

On Thu, May 19, 2011 at 8:12 AM, Arnau Bria <arnaubria@pic.es> wrote:

> On Thu, 19 May 2011 08:03:38 -0700
> Patrick Patrick wrote:
>
> Hi Patrick,
>
> Maybe I haven't explained myself correctly.
>
> > 1) Are you sure you want this? Sounds like a bad idea.
> I want to restrict puppet service to a list of known hosts. Is this a
> bad idea? I don't want all the nodes in our domain to be able to
> autosign the certificate.
>
> > 2) As the documentation you have open shows, you can get the same
> > effect by setting "autosign = true"
> yep, but I don't want autosign. I want to sign certificates as I add
> client to puppet master-
>
> > 3) Try "*.*" instead. I think I remember Puppet won't work with just
> > an asterisk.
> *.my.domain has worked fine.
>
> Thanks for your reply,
> Cheers,
> Arnau
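The messages above turn on what autosign.conf actually decides. The following is an added example, written for this page in Ruby (Puppet's own language) and not code from Puppet or from anyone in the thread. It models autosign.conf as "one pattern per line, '#' comments ignored, '*.suffix' matches any name under that suffix, anything else is an exact hostname" (my simplification of Puppet's matching, not a reproduction of it), and it separates the two things that are easy to conflate: whether a new CSR gets signed without operator review, and whether an already signed certificate is still accepted. The hostnames and file contents are constructed for the example.

```ruby
# Added example, not Puppet's own code: a simplified model of what
# autosign.conf decides (is a NEW CSR signed without review?) and what it
# does not decide (is a cert that was already signed still trusted?).

# Constructed sample files. The first is the "anything in the domain" rule
# the thread started with; the second is the explicit allow-list it moved to.
AUTOSIGN_CONF_BEFORE = <<~CONF
  # anything in the domain gets signed without operator review
  *.our.domain
CONF

AUTOSIGN_CONF_AFTER = <<~CONF
  # explicit allow-list; tditaller027 has been removed
  tditaller026.our.domain
  tditaller028.our.domain
CONF

# Parse autosign.conf: one pattern per line, '#' comments and blanks ignored.
def autosign_patterns(conf_text)
  conf_text.lines.map { |l| l.sub(/#.*/, '').strip }.reject(&:empty?)
end

# Would a CSR for this name be signed with no human running puppetca --sign?
# Assumption (simplified): '*.suffix' matches any name ending in '.suffix',
# at any depth; every other line is an exact, case-insensitive hostname.
def autosign?(conf_text, hostname)
  host = hostname.downcase
  autosign_patterns(conf_text).any? do |pat|
    pat = pat.downcase
    pat.start_with?('*.') ? host.end_with?(pat[1..]) : host == pat
  end
end

# A toy CA: autosign only gates new CSRs. A cert signed earlier stays in the
# signed set until it is explicitly cleaned (and, in real life, revoked).
class ToyCA
  attr_reader :signed, :pending

  def initialize(conf_text)
    @conf_text = conf_text
    @signed = {}
    @pending = []
  end

  # Re-read autosign.conf; in the thread this is what the master restart did.
  def reload(conf_text)
    @conf_text = conf_text
  end

  # A client submits a CSR: autosigned, or parked for manual puppetca --sign.
  def submit_csr(hostname)
    if autosign?(@conf_text, hostname)
      @signed[hostname] = :autosigned
      :signed
    else
      @pending << hostname
      :pending
    end
  end

  # puppetca --clean <host>: drop the signed certificate.
  def clean(hostname)
    @signed.delete(hostname)
  end

  # Does the master still trust this host? Only the signed set matters here,
  # not whether the name is still listed in autosign.conf.
  def accepts?(hostname)
    @signed.key?(hostname)
  end
end
```

Removing a host from autosign.conf stops the next CSR from being signed automatically; it does nothing to a certificate the host already holds. That is why the clean (and the revocation it implies) is the step that actually cuts a host off, and why a master that has not re-read its configuration or its CRL behaves as if nothing changed.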
On May 19, 2011, at 7:37 AM, Arnau Bria wrote:

> Hi all,
>
> till today we had a *.our.domain in autosign.conf. So any host from
> our.domain could get a signed certificate if it contacts our master.
> But we've decided to move that "*" to a complete list of hostnames.
>
> So, I've pasted all the names to autosign file, restarted master (not
> sure if needed) So far, so good. So, I removed one name from autosign
> file, clean its cert, and ran puppet on the host, but it's still able
> to contact master and get its catalogue when it's supposed to get any
> kind of error.
>
> So, how is it possible? where am I misunderstanding autosign
> behaviour?
>
> # puppetmasterd --genconfig|grep autosign
>     # Whether to enable autosign.  Valid values are true (which
>     # autosigns any key request, and is a very bad idea), false (which
>     # never autosigns any key request), and the path to a file, which
>     # The default value is '$confdir/autosign.conf'.
>     autosign = /etc/puppet/autosign.conf
>
> # wc -l /etc/puppet/autosign.conf
> 660 /etc/puppet/autosign.conf
> # grep tditaller027.pic.es /etc/puppet/autosign.conf
> #
>
> [root@tditaller027 ~]# puppetd --test --server ser01.pic.es
> info: Retrieving plugin
> info: Loading facts in odd_ip
> info: Loading facts in odd_ip
> info: Caching catalog for tditaller027.pic.es
> info: Applying configuration version '1305815351'
> notice: Finished catalog run in 33.76 seconds
>
> # rpm -qa|grep puppet
> puppet-2.6.1-0.6.el5
> puppet-server-2.6.1-0.6.el5
>
> same version on client.

Sorry. I read your whole email backwards. I can only blame being tired.

Did you clean using "puppetca --clean hostname" on the server, by using "rm" on the client, or both?

Are you using Passenger?
On Thu, May 19, 2011 at 2:37 PM, Arnau Bria <arnaubria@pic.es> wrote:

> Hi all,
>
> till today we had a *.our.domain in autosign.conf. So any host from
> our.domain could get a signed certificate if it contacts our master.
> But we've decided to move that "*" to a complete list of hostnames.
>
> So, I've pasted all the names to autosign file, restarted master (not
> sure if needed) So far, so good. So, I removed one name from autosign
> file, clean its cert, and ran puppet on the host, but it's still able
> to contact master and get its catalogue when it's supposed to get any
> kind of error.
>
> So, how is it possible? where am I misunderstanding autosign
> behaviour?

Here's a list of things to consider:

Is the certificate revoked in the certificate revocation list? The current version of puppet cert --clean will revoke then clean, and I'm not sure the revoke was added in recent versions of puppet.

    openssl crl -text -noout -in crl.pem

Does the client certificate serial number match the CRL? Either review ca/inventory.txt, or perform a puppet cert --print of the certificate:

    # puppet cert -p foo
    Certificate:
        Data:
            Version: 3 (0x2)
            Serial Number: 16 (0x10)    (<- This serial should be revoked in CRL)

If you are using apache, is it configured to use the CRL? (see passenger docs)

    SSLCARevocationFile
    SSLVerifyClient
    SSLVerifyDepth

If you have multiple puppet masters, are you distributing the CRL?

You can test the certificate with openssl:

    openssl s_client -host puppet -port 8140 \
      -cert /path/to/ssl/certs/node.domain.com.pem \
      -key /path/to/ssl/private_keys/node.domain.com.pem \
      -CAfile /path/to/ssl/certs/ca.pem

Brice has a detailed blog post with more troubleshooting steps:
http://www.masterzen.fr/2010/11/14/puppet-ssl-explained/

Thanks,
Nan
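Nan's checklist above comes down to one question: does the thing terminating TLS actually consult the CRL? The following is an added example, written for this page in Ruby (Puppet's own language) and not code from Puppet, from Nan or from anyone else in the thread. It builds a throwaway CA in memory, issues one client certificate, revokes it into a CRL (the effect of a clean that revokes), and then verifies the client certificate twice: once against a trust store that holds only the CA cert, the way a front end without SSLCARevocationFile would, and once with the CRL loaded and CRL checking switched on. The CA name, the hostname and the starting serial (16, echoing Nan's output) are constructed for the example.

```ruby
require 'openssl'

# Added example, not Puppet's code: a throwaway CA, one client cert, a CRL
# that revokes it, and the two verification outcomes Nan's checklist is about.

def make_key
  OpenSSL::PKey::RSA.new(2048)
end

# Self-signed CA with keyCertSign and cRLSign so it may sign certs and CRLs.
# Serial counter starts at 16 purely to mirror the "Serial Number: 16" above.
def build_ca
  key  = make_key
  cert = OpenSSL::X509::Certificate.new
  cert.version    = 2
  cert.serial     = 1
  cert.subject    = OpenSSL::X509::Name.parse('/CN=Puppet CA: example.test')  # constructed
  cert.issuer     = cert.subject
  cert.public_key = key.public_key
  cert.not_before = Time.now - 60
  cert.not_after  = Time.now + 3600
  ef = OpenSSL::X509::ExtensionFactory.new(cert, cert)
  cert.add_extension(ef.create_extension('basicConstraints', 'CA:TRUE', true))
  cert.add_extension(ef.create_extension('keyUsage', 'keyCertSign, cRLSign', true))
  cert.sign(key, OpenSSL::Digest::SHA256.new)
  { key: key, cert: cert, next_serial: 16 }
end

# Issue an end-entity certificate for a node, as signing a CSR would.
def issue_cert(ca, hostname)
  key  = make_key
  cert = OpenSSL::X509::Certificate.new
  cert.version    = 2
  cert.serial     = ca[:next_serial]
  ca[:next_serial] += 1
  cert.subject    = OpenSSL::X509::Name.parse("/CN=#{hostname}")
  cert.issuer     = ca[:cert].subject
  cert.public_key = key.public_key
  cert.not_before = Time.now - 60
  cert.not_after  = Time.now + 3600
  ef = OpenSSL::X509::ExtensionFactory.new(ca[:cert], cert)
  cert.add_extension(ef.create_extension('basicConstraints', 'CA:FALSE', true))
  cert.add_extension(ef.create_extension('keyUsage', 'digitalSignature, keyEncipherment', true))
  cert.sign(ca[:key], OpenSSL::Digest::SHA256.new)
  cert
end

# The revocation half of a clean: emit a CRL listing the cert's serial.
def revoke(ca, cert)
  crl = OpenSSL::X509::CRL.new
  crl.version     = 1
  crl.issuer      = ca[:cert].subject
  crl.last_update = Time.now - 60
  crl.next_update = Time.now + 3600
  entry = OpenSSL::X509::Revoked.new
  entry.serial = cert.serial
  entry.time   = Time.now
  crl.add_revoked(entry)
  crl.sign(ca[:key], OpenSSL::Digest::SHA256.new)
  crl
end

# "Does the client certificate serial number match the CRL?"
def revoked_serials(crl)
  crl.revoked.map { |r| r.serial.to_i }
end

# Verify as a front end would. With no CRL the revoked cert still chains to
# the CA and is accepted; with the CRL loaded and CRL_CHECK set it is refused.
def accepted?(ca_cert, cert, crl: nil)
  store = OpenSSL::X509::Store.new
  store.add_cert(ca_cert)
  if crl
    store.add_crl(crl)
    store.flags = OpenSSL::X509::V_FLAG_CRL_CHECK
  end
  store.verify(cert)
end
```

The first verification is the situation in the thread: the client still holds a certificate that chains cleanly to the CA, so a listener that was never told about the CRL (or is still running with the CRL it loaded at start-up) keeps serving it a catalog. Revocation only bites once every TLS terminator in front of the CA, including each extra puppet master, loads the current CRL and has CRL checking enabled.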
On Thu, 19 May 2011 09:10:22 -0700
Patrick Patrick wrote:

Hi,

> Sorry. I read your whole email backwards. I can only blame being
> tired.

No problem!

> Did you clean using "puppetca --clean hostname" on the server, by
> using "rm" on the client, or both?

Clean on the server.

> Are you using Passenger?

Mongrel....

That was the source of the issue.... I had to restart http/puppetmaster for the new autosign to take effect. Now it works fine. I can block/unblock hosts with autosign.

Thanks!
Cheers,
Arnau
On Thu, 19 May 2011 23:46:32 +0000
Nan Liu wrote:

Thanks Nan, with your help and Patrick's I've understood the problem and solved it.

Many thanks for your reply!

Cheers,
Arnau