Hi All

Despite several tries I have been unable to set up automatic certificate signing for CloudPack. This is part of typical output:

    warning: peer certificate won't be verified in this SSL session
    warning: peer certificate won't be verified in this SSL session
    warning: peer certificate won't be verified in this SSL session
    warning: peer certificate won't be verified in this SSL session
    notice: Did not receive certificate
    warning: peer certificate won't be verified in this SSL session
    notice: Did not receive certificate
    ^CCancelling startup

when I run:

    puppet node install ec2-xxx-xxx-xxx-xxx.compute-1.amazonaws.com --login ec2-user --keyfile xxxxx --install-script gems --puppet-version 2.7.3 --debug --certname cloudadmin

Although in the master I can see that the certificate is requested by client, I couldn't figure out where and how the automatic signing takes place. I looked into modules/cloud_provisioner/lib/puppet/cloudpack.rb where "install" is handled and thought maybe provisioner pulls cert requests and signs them but I could not find any code or log.

Thank you
Dan Bode
2011-Sep-20 06:34 UTC
Re: [Puppet Users] automatic certificate signing for CloudPack
On Mon, Sep 19, 2011 at 4:56 PM, hamoun <hamoun.gh@gmail.com> wrote:

> Hi All
>
> Despite several tries I have been unable to set up automatic
> certificate signing for CloudPack.
> This is part of typical output:
>
> warning: peer certificate won't be verified in this SSL session
> warning: peer certificate won't be verified in this SSL session
> warning: peer certificate won't be verified in this SSL session
> warning: peer certificate won't be verified in this SSL session
> notice: Did not receive certificate
> warning: peer certificate won't be verified in this SSL session
> notice: Did not receive certificate
> ^CCancelling startup
>
> when I run:
> puppet node install ec2-xxx-xxx-xxx-xxx.compute-1.amazonaws.com --login ec2-user --keyfile xxxxx --install-script gems --puppet-version 2.7.3 --debug --certname cloudadmin
>
> Although in the master I can see that the certificate is requested by
> client, I couldn't figure out where and how the automatic signing takes
> place. I looked into modules/cloud_provisioner/lib/puppet/cloudpack.rb
> where "install" is handled and thought maybe provisioner pulls cert
> requests and signs them but I could not find any code or log.

Right now, certificate signing is a step that needs to be performed after the installation script runs.
The controller node (or the node from which you invoke puppet node) should be authorized to remotely sign certificates.

For this, you need to add the following line to the master's auth.conf:

    path /certificate_status
    method save
    auth yes
    allow #{controller.to_s}

You also need to ensure that auth is set to any on the following config sections:

    # allow access to the master CA
    path /certificate/ca
    auth any
    method find
    allow *

    path /certificate/
    auth any
    method find
    allow *

    path /certificate_request
    auth any
    method find, save
    allow *

Once the controller node has permission to sign certificates, you can run:

    puppet certificate sign #{agent_certname} --ca-location remote --mode agent

The bootstrap action should be able to create nodes in ec2, run install and sign the certs in one action.

Hope this helps

-Dan
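An added example, not part of the thread or of Puppet's own code: a small Ruby audit that checks that the /certificate_status rule described in the reply above grants signing only to named, authenticated nodes. The sample config is constructed, "controller.example.com" is a hypothetical controller certname, and the parser assumes the legacy stanza format shown in the reply, with only full-line comments.

```ruby
# Added example: audit legacy Puppet auth.conf text for risky /certificate_status ACLs.
# SAMPLE_AUTH_CONF is constructed; "controller.example.com" is a hypothetical certname.
SAMPLE_AUTH_CONF = <<~CONF
  # controller may sign agent certificates remotely
  path /certificate_status
  method save
  auth yes
  allow controller.example.com

  path /certificate_request
  auth any
  method find, save
  allow *
CONF

# Split auth.conf text into stanzas: { "path" => "...", "allow" => [...], ... }
def parse_auth_conf(text)
  stanzas = []
  text.each_line do |raw|
    line = raw.strip
    next if line.empty? || line.start_with?("#") # full-line comments only (assumption)
    key, value = line.split(/\s+/, 2)
    if key == "path"
      stanzas << { "path" => value.to_s }
    elsif stanzas.any?
      (stanzas.last[key] ||= []).concat(value.to_s.split(/\s*,\s*/))
    end
  end
  stanzas
end

# Return findings for certificate_status stanzas open to more than named,
# authenticated nodes. Other paths (e.g. /certificate_request) are not judged here.
def audit_certificate_status(text)
  findings = []
  parse_auth_conf(text).each do |s|
    next unless s["path"].include?("certificate_status")
    allow = s.fetch("allow", [])
    auth = s.fetch("auth", ["yes"]).last
    findings << "#{s['path']}: allow * lets any node change certificate status" if allow.include?("*")
    findings << "#{s['path']}: auth #{auth} accepts unauthenticated clients" if %w[any no off].include?(auth)
  end
  findings
end

puts audit_certificate_status(SAMPLE_AUTH_CONF).inspect if __FILE__ == $PROGRAM_NAME
```

An empty result means every certificate_status stanza requires client authentication and lists explicit node names.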