Sean Carolan
2011-Aug-15 21:10 UTC
[Puppet Users] Corrupted inventory.txt - how to rebuild?
We have an issue where sometimes servers get assigned serial number "0x0000" in the inventory.txt file. This causes major problems including SSL cert errors in the log file. Anyone know how to properly rebuild inventory.txt without tearing everything out and starting from scratch?

--
You received this message because you are subscribed to the Google Groups "Puppet Users" group.
To post to this group, send email to puppet-users@googlegroups.com.
To unsubscribe from this group, send email to puppet-users+unsubscribe@googlegroups.com.
For more options, visit this group at http://groups.google.com/group/puppet-users?hl=en.
Nan Liu
2011-Aug-15 22:48 UTC
Re: [Puppet Users] Corrupted inventory.txt - how to rebuild?
On Mon, Aug 15, 2011 at 2:10 PM, Sean Carolan <scarolan@gmail.com> wrote:
> We have an issue where sometimes servers get assigned serial number
> "0x0000" in the inventory.txt file. This causes major problems
> including SSL cert errors in the log file. Anyone know how to
> properly rebuild inventory.txt without tearing everything out and
> starting from scratch?

0x0000 is typically the CA cert, was the inventory.txt file blank when this occurred? If you have all the certificates, you can use puppet cert -pa and extract the serial number, date, and CN info. I'm not sure if there's an automated way using openssl commands. This might be reasonably close (output should be sorted by serial number):

    require 'puppet'
    require 'openssl'

    # Walk every agent certificate the CA has signed.
    Dir.glob("#{Puppet[:ssldir]}/ca/signed/*.pem") do |certfile|
      cert = OpenSSL::X509::Certificate.new(File.read(certfile))
      # One inventory.txt record: serial, not_before, not_after, subject.
      puts("0x%04x" % cert.serial.to_i +
           " #{cert.not_before.strftime('%Y-%m-%dT%H:%M:%SUTC')}" +
           " #{cert.not_after.strftime('%Y-%m-%dT%H:%M:%SUTC')}" +
           " #{cert.subject}")
    end

Thanks,

Nan
Sean Carolan
2011-Aug-16 14:25 UTC
Re: [Puppet Users] Corrupted inventory.txt - how to rebuild?
> 0x0000 is typically the CA cert, was the inventory.txt file blank when
> this occurred? If you have all the certificates, you can use puppet
> cert -pa and extract the serial number, date, and CN info. I'm not
> sure if there's an automated way using openssl commands. This might be
> reasonably close (output should be sorted by serial number):

Here's the problem as I understand it. We have several puppetmaster servers, due to the large number of clients and networks that need to be supported. We synchronize SSL certs between load balanced hosts using rsync. Somehow or other we occasionally end up getting a host in the inventory.txt file with 0x0000 serial number. Unfortunately this seems to reset the counter and new hosts will end up with duplicate serials to other hosts previously listed in the file.

How do you all handle load balancing and certificate management? Is there a way to have a master authority cert server, that all the other nodes turn to for all things SSL?
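As an added example, not part of Sean's or Nan's posts: a small Ruby audit of an inventory.txt body that flags the two symptoms described in this thread, a non-CA entry carrying serial 0x0000 and a serial shared by more than one entry. The record layout is the one Nan's script prints; the sample file contents, hostnames and CA common name are constructed for the example.

```ruby
# Added example (not code from the thread or from Puppet): audit an
# inventory.txt body for the symptoms described above. Record layout follows
# the lines Nan's script prints: "0x%04x not_before not_after subject".

INVENTORY_LINE = /\A(0x[0-9a-f]+)\s+(\S+)\s+(\S+)\s+(.+)\z/i

# Constructed sample inventory.txt. Hostnames and CA name are made up; the
# fourth and fifth lines show a reset counter re-issuing 0x0000 and 0x0001.
SAMPLE_INVENTORY = <<~TXT
  0x0000 2011-08-15T21:10:00UTC 2016-08-14T21:10:00UTC /CN=Puppet CA: puppet1.example.com
  0x0001 2011-08-15T21:11:00UTC 2016-08-14T21:11:00UTC /CN=puppet1.example.com
  0x0002 2011-08-15T21:12:00UTC 2016-08-14T21:12:00UTC /CN=web01.example.com
  0x0000 2011-08-16T09:00:00UTC 2016-08-15T09:00:00UTC /CN=db01.example.com
  0x0001 2011-08-16T09:05:00UTC 2016-08-15T09:05:00UTC /CN=web02.example.com
TXT

# Parse inventory text into records. Malformed lines raise instead of being
# silently dropped, since a truncated file is itself worth knowing about.
def parse_inventory(text)
  records = []
  text.each_line.with_index(1) do |line, lineno|
    line = line.chomp
    next if line.strip.empty?
    m = INVENTORY_LINE.match(line)
    raise ArgumentError, "line #{lineno}: unparseable: #{line.inspect}" unless m
    records << { serial: m[1].hex, not_before: m[2], not_after: m[3],
                 subject: m[4], line: lineno }
  end
  records
end

# Return a list of problem descriptions (empty means the file looks sane).
# ca_cn is the CN prefix of the CA certificate, the one entry that should
# legitimately carry serial 0x0000 (assumed name, adjust to your CA).
def audit_inventory(text, ca_cn: 'Puppet CA')
  records = parse_inventory(text)
  problems = []

  # Symptom 1: a non-CA subject holding the CA's serial.
  records.each do |r|
    next unless r[:serial].zero? && !r[:subject].include?("CN=#{ca_cn}")
    problems << "line #{r[:line]}: non-CA subject #{r[:subject]} has serial 0x0000"
  end

  # Symptom 2: the same serial handed to more than one certificate.
  records.group_by { |r| r[:serial] }.each do |serial, rs|
    next if rs.size < 2
    problems << format('serial 0x%04x used by %d entries: %s', serial, rs.size,
                       rs.map { |r| r[:subject] }.join(', '))
  end
  problems
end

# Highest serial present, so a CA rebuilt from its certificates can be
# compared against the counter it will hand out next.
def max_serial(text)
  parse_inventory(text).map { |r| r[:serial] }.max || 0
end

if __FILE__ == $PROGRAM_NAME
  text = ARGV.empty? ? SAMPLE_INVENTORY : File.read(ARGV[0])
  audit_inventory(text).each { |p| puts p }
  printf("highest serial: 0x%04x\n", max_serial(text))
end
```

Run it with the path to a real inventory.txt as the only argument; with no argument it audits the constructed sample, which reports the db01 entry on 0x0000 and the two duplicated serials.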
Luke Bigum
2011-Aug-16 15:12 UTC
[Puppet Users] Re: Corrupted inventory.txt - how to rebuild?
Sean,

Previously I've set up a cluster of Puppet Masters with one machine acting as the software load balancer (IPVS) as well as the Puppet Certificate Authority. The relevant puppet.conf options are ca_port and ca_server to specify where your CA is. The Puppet Master service on the CA server listened on the ca_port and signed CA requests. The default puppet port 8140 was load balanced to a pool of "slave" Puppet Masters and these masters all NFS mounted the ssl/ca/ directory so they knew about all signed puppet agents. You could then go even further and make your CA server resilient with Pacemaker / Heartbeat or other HA techniques. I didn't bother to go that far though ;)

Hope that helps,

-Luke

On Aug 16, 3:25 pm, Sean Carolan <scaro...@gmail.com> wrote:
> How do you all handle load balancing and certificate management? Is
> there a way to have a master authority cert server, that all the other
> nodes turn to for all things SSL?
Luke Bigum
2011-Aug-16 15:13 UTC
[Puppet Users] Re: Corrupted inventory.txt - how to rebuild?
Also I think Nigel posted a load balanced solution using entirely Apache that's floating around on the list, configs and all. Was a few months ago now if you want to go searching.

On Aug 16, 4:12 pm, Luke Bigum <Luke.Bi...@lmax.com> wrote:
> Sean,
>
> Previously I've set up a cluster of Puppet Masters with one machine
> acting as the software load balancer (IPVS) as well as the Puppet
> Certificate Authority. The relevant puppet.conf options are ca_port
> and ca_server to specify where your CA is. The Puppet Master service
> on the CA server listened on the ca_port and signed CA requests. The
> default puppet port 8140 was load balanced to a pool of "slave" Puppet
> Masters and these masters all NFS mounted the ssl/ca/ directory so
> they knew about all signed puppet agents. You could then go even
> further and make your CA server resilient with Pacemaker / Heartbeat
> or other HA techniques. I didn't bother to go that far though ;)
>
> Hope that helps,
>
> -Luke
>
> On Aug 16, 3:25 pm, Sean Carolan <scaro...@gmail.com> wrote:
>
> > How do you all handle load balancing and certificate management? Is
> > there a way to have a master authority cert server, that all the other
> > nodes turn to for all things SSL?
Scott Smith
2011-Aug-17 21:46 UTC
Re: [Puppet Users] Re: Corrupted inventory.txt - how to rebuild?
You guys do realize that it's not necessary to share node certs with puppetmasters if your CA is separated, right? It's signed for a reason :)

On Aug 16, 2011 8:13 AM, "Luke Bigum" <Luke.Bigum@lmax.com> wrote:
> Also I think Nigel posted a load balanced solution using entirely
> Apache that's floating around on the list, configs and all. Was a few
> months ago now if you want to go searching.
>
> On Aug 16, 4:12 pm, Luke Bigum <Luke.Bi...@lmax.com> wrote:
>> Sean,
>>
>> Previously I've set up a cluster of Puppet Masters with one machine
>> acting as the software load balancer (IPVS) as well as the Puppet
>> Certificate Authority. The relevant puppet.conf options are ca_port
>> and ca_server to specify where your CA is. The Puppet Master service
>> on the CA server listened on the ca_port and signed CA requests. The
>> default puppet port 8140 was load balanced to a pool of "slave" Puppet
>> Masters and these masters all NFS mounted the ssl/ca/ directory so
>> they knew about all signed puppet agents. You could then go even
>> further and make your CA server resilient with Pacemaker / Heartbeat
>> or other HA techniques. I didn't bother to go that far though ;)
>>
>> Hope that helps,
>>
>> -Luke
>>
>> On Aug 16, 3:25 pm, Sean Carolan <scaro...@gmail.com> wrote:
>>
>> > How do you all handle load balancing and certificate management? Is
>> > there a way to have a master authority cert server, that all the other
>> > nodes turn to for all things SSL?
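As an added example, not code from the thread or from Puppet itself: the trust check Scott is pointing at, written against Ruby's OpenSSL bindings. A verifier whose trust store holds only the CA certificate accepts an agent certificate the CA signed, and rejects one that merely names the CA as issuer but was signed with some other key; the master never needs its own copy of the agent's signed certificate for that decision. The CA and agent names are constructed and all certificates are generated in memory, so it runs offline.

```ruby
require 'openssl'

# Added example, not code from the thread or from Puppet. Models the point
# that a master which is not the CA only needs the CA certificate to check
# an agent's certificate; the agent's signed cert itself need not be shared.

# Constructed names; a real deployment's names differ.
CA_CN    = 'Puppet CA: ca.example.com'
AGENT_CN = 'web01.example.com'

def new_key
  OpenSSL::PKey::RSA.new(2048)
end

# Unsigned certificate skeleton with the given serial, subject and issuer.
def base_cert(serial, subject, issuer, pubkey, days)
  cert = OpenSSL::X509::Certificate.new
  cert.version = 2 # X.509 v3
  cert.serial = serial
  cert.subject = OpenSSL::X509::Name.parse("/CN=#{subject}")
  cert.issuer = OpenSSL::X509::Name.parse("/CN=#{issuer}")
  cert.public_key = pubkey
  cert.not_before = Time.now - 60
  cert.not_after = cert.not_before + days * 86_400
  cert
end

# Self-signed CA carrying serial 0x0000, the entry Nan notes is normally
# the CA's in inventory.txt.
def make_ca(key)
  cert = base_cert(0, CA_CN, CA_CN, key.public_key, 1825)
  ef = OpenSSL::X509::ExtensionFactory.new
  ef.subject_certificate = cert
  ef.issuer_certificate = cert
  cert.add_extension(ef.create_extension('basicConstraints', 'CA:TRUE', true))
  cert.add_extension(ef.create_extension('keyUsage', 'keyCertSign, cRLSign', true))
  cert.sign(key, OpenSSL::Digest.new('SHA256'))
  cert
end

# Agent certificate naming the CA as issuer and signed with signing_key.
# Passing the real CA key yields a genuine cert; any other key yields one
# that only claims to come from the CA.
def issue_agent(ca_cert, signing_key, agent_key, serial)
  cert = base_cert(serial, AGENT_CN, CA_CN, agent_key.public_key, 365)
  ef = OpenSSL::X509::ExtensionFactory.new
  ef.subject_certificate = cert
  ef.issuer_certificate = ca_cert
  cert.add_extension(ef.create_extension('basicConstraints', 'CA:FALSE', true))
  cert.sign(signing_key, OpenSSL::Digest.new('SHA256'))
  cert
end

# What a non-CA master does at the TLS handshake: trust exactly one CA
# certificate and verify whatever the peer presents against it.
def verify_with_ca_only(ca_cert, presented_cert)
  store = OpenSSL::X509::Store.new
  store.add_cert(ca_cert)
  store.verify(presented_cert)
end

# Returns the two verification outcomes: a cert the CA signed, and a cert
# with the same issuer name signed by an unrelated key.
def demo
  ca_key = new_key
  ca_cert = make_ca(ca_key)
  agent_key = new_key
  genuine = issue_agent(ca_cert, ca_key, agent_key, 1)
  not_from_ca = issue_agent(ca_cert, new_key, agent_key, 1)
  { genuine: verify_with_ca_only(ca_cert, genuine),
    not_from_ca: verify_with_ca_only(ca_cert, not_from_ca) }
end

puts demo.inspect if __FILE__ == $PROGRAM_NAME
```

The store is built from the CA certificate alone, which is the whole of Scott's point: the signature on the agent certificate is what the master checks, so syncing the signed agent certificates between masters buys nothing for verification, while syncing the CA's private key and serial state between independent CAs is exactly how duplicate serials arise.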