Puppet users - Feb 2012 - Puppet / Passenger SSL Problems with DRBD

I am working on setting up a Puppet configuration where some of the
data is stored on a DRBD volume. The modules and vardir are stored on
the drbd volume. The puppet.conf files point to the drbd volume for
vardir. I created a cert for a VIP puppet-master using the puppetca --
create command

I had everything working on the primary drbd node, but when I fail
over, everything starts up fine, but I get a passenger error about
certs from the client.

		<dt>Error message:</dt>
		<dd>Could not run: Retrieved certificate does not match private key;
please remove certificate from server and regenerate it with the
current key

# SW Versions

puppet 2.6, with Passenger and Apache Http
CentOS 5.6

# puppet.conf

[main]
    # The Puppet log directory.
    # The default value is ''$vardir/log''.
    logdir = /var/log/puppet

    # Where Puppet PID files are kept.
    # The default value is ''$vardir/run''.
    rundir = /var/run/puppet

    # Where SSL certificates are kept.
    # The default value is ''$confdir/ssl''.
    ssldir = /drbd01/puppet/var/lib/puppet/ssl
    vardir = /drbd01/puppet/var/lib/puppet

    modulepath=/drbd01/puppet/modules

[agent]
    # The file in which puppetd stores a list of the classes
    # associated with the retrieved configuratiion.  Can be loaded in
    # the separate ``puppet`` executable using the ``--loadclasses``
    # option.
    # The default value is ''$confdir/classes.txt''.
    classfile = $vardir/classes.txt

    # Where puppetd caches the local configuration.  An
    # extension indicating the cache format is added automatically.
    # The default value is ''$confdir/localconfig''.
    localconfig = $vardir/localconfig

[master]
    ssl_client_header = SSL_CLIENT_S_DN
    ssl_client_verify_header = SSL_CLIENT_VERIFY



## /etc/http/conf.d/puppetmasterd.conf

PassengerHighPerformance on
PassengerMaxPoolSize 12
PassengerPoolIdleTime 1500
# PassengerMaxRequests 1000
PassengerStatThrottleRate 120
RackAutoDetect Off
RailsAutoDetect Off


Listen 8140
<VirtualHost *:8140>

    ServerName puppetmaster.foo.bar
    LoadModule passenger_module /usr/lib/ruby/gems/1.8/gems/
passenger-2.2.11/ext/apache2/mod_passenger.so
    PassengerRoot /usr/lib/ruby/gems/1.8/gems/passenger-2.2.11
    PassengerRuby /usr/bin/ruby

    CustomLog "/var/log/httpd/puppet_access_log" common
    ErrorLog  "/var/log/httpd/puppet_error_log"

    SSLEngine on
    SSLCipherSuite SSLv2:-LOW:-EXPORT:RC4+RSA
    SSLCertificateFile      /drbd01/puppet/var/lib/puppet/ssl/certs/
puppetmaster.foo.bar.pem
    SSLCertificateKeyFile   /drbd01/puppet/var/lib/puppet/ssl/
private_keys/puppetmaster.foo.bar.pem
    SSLCertificateChainFile /drbd01/puppet/var/lib/puppet/ssl/ca/
ca_crt.pem
    SSLCACertificateFile    /drbd01/puppet/var/lib/puppet/ssl/ca/
ca_crt.pem
    # CRL checking should be enabled; if you have problems with Apache
complaining about the CRL, disable the nex
t line
#    SSLCARevocationFile     /var/lib/puppet/ssl/ca/ca_crl.pem
    SSLVerifyClient optional
    SSLVerifyDepth  1
    SSLOptions +StdEnvVars

    # The following client headers allow the same configuration to
work with Pound.
    RequestHeader set X-SSL-Subject %{SSL_CLIENT_S_DN}e
    RequestHeader set X-Client-DN %{SSL_CLIENT_S_DN}e
    RequestHeader set X-Client-Verify %{SSL_CLIENT_VERIFY}e

    RackAutoDetect On
    DocumentRoot /drbd01/puppet/rack/puppetmasterd/public/
    <Directory /drbd01/puppet/rack/puppetmasterd/>
        Options None
        Options -Multiviews
        AllowOverride None
        Order allow,deny
        allow from all
    </Directory>
</VirtualHost>

-- 
You received this message because you are subscribed to the Google Groups
"Puppet Users" group.
To post to this group, send email to puppet-users@googlegroups.com.
To unsubscribe from this group, send email to
puppet-users+unsubscribe@googlegroups.com.
For more options, visit this group at
http://groups.google.com/group/puppet-users?hl=en.

For posterity''s sake I''ve resolved this. What looks to have
happened
is the certs were signed and the puppet master used its host name,
rather than the VIP/Hostname pair that would fail between the nodes. I
had to recreate the ca, and certs. Then on the hosts had to clear out
all their certs and ca data and have then recreate. Things seem to
work from there fine.

On Feb 6, 11:20 am, Len <lrsm...@gmail.com> wrote:
> I am working on setting up a Puppet configuration where some of the
> data is stored on a DRBD volume. The modules and vardir are stored on
> the drbd volume. The puppet.conf files point to the drbd volume for
> vardir. I created a cert for a VIP puppet-master using the puppetca --
> create command
>
> I had everything working on the primary drbd node, but when I fail
> over, everything starts up fine, but I get a passenger error about
> certs from the client.
>
>                 <dt>Error message:</dt>
>                 <dd>Could not run: Retrieved certificate does not
match private key;
> please remove certificate from server and regenerate it with the
> current key
>
> # SW Versions
>
> puppet 2.6, with Passenger and Apache Http
> CentOS 5.6
>
> # puppet.conf
>
> [main]
>     # The Puppet log directory.
>     # The default value is ''$vardir/log''.
>     logdir = /var/log/puppet
>
>     # Where Puppet PID files are kept.
>     # The default value is ''$vardir/run''.
>     rundir = /var/run/puppet
>
>     # Where SSL certificates are kept.
>     # The default value is ''$confdir/ssl''.
>     ssldir = /drbd01/puppet/var/lib/puppet/ssl
>     vardir = /drbd01/puppet/var/lib/puppet
>
>     modulepath=/drbd01/puppet/modules
>
> [agent]
>     # The file in which puppetd stores a list of the classes
>     # associated with the retrieved configuratiion.  Can be loaded in
>     # the separate ``puppet`` executable using the ``--loadclasses``
>     # option.
>     # The default value is ''$confdir/classes.txt''.
>     classfile = $vardir/classes.txt
>
>     # Where puppetd caches the local configuration.  An
>     # extension indicating the cache format is added automatically.
>     # The default value is ''$confdir/localconfig''.
>     localconfig = $vardir/localconfig
>
> [master]
>     ssl_client_header = SSL_CLIENT_S_DN
>     ssl_client_verify_header = SSL_CLIENT_VERIFY
>
> ## /etc/http/conf.d/puppetmasterd.conf
>
> PassengerHighPerformance on
> PassengerMaxPoolSize 12
> PassengerPoolIdleTime 1500
> # PassengerMaxRequests 1000
> PassengerStatThrottleRate 120
> RackAutoDetect Off
> RailsAutoDetect Off
>
> Listen 8140
> <VirtualHost *:8140>
>
>     ServerName puppetmaster.foo.bar
>     LoadModule passenger_module /usr/lib/ruby/gems/1.8/gems/
> passenger-2.2.11/ext/apache2/mod_passenger.so
>     PassengerRoot /usr/lib/ruby/gems/1.8/gems/passenger-2.2.11
>     PassengerRuby /usr/bin/ruby
>
>     CustomLog "/var/log/httpd/puppet_access_log" common
>     ErrorLog  "/var/log/httpd/puppet_error_log"
>
>     SSLEngine on
>     SSLCipherSuite SSLv2:-LOW:-EXPORT:RC4+RSA
>     SSLCertificateFile      /drbd01/puppet/var/lib/puppet/ssl/certs/
> puppetmaster.foo.bar.pem
>     SSLCertificateKeyFile   /drbd01/puppet/var/lib/puppet/ssl/
> private_keys/puppetmaster.foo.bar.pem
>     SSLCertificateChainFile /drbd01/puppet/var/lib/puppet/ssl/ca/
> ca_crt.pem
>     SSLCACertificateFile    /drbd01/puppet/var/lib/puppet/ssl/ca/
> ca_crt.pem
>     # CRL checking should be enabled; if you have problems with Apache
> complaining about the CRL, disable the nex
> t line
> #    SSLCARevocationFile     /var/lib/puppet/ssl/ca/ca_crl.pem
>     SSLVerifyClient optional
>     SSLVerifyDepth  1
>     SSLOptions +StdEnvVars
>
>     # The following client headers allow the same configuration to
> work with Pound.
>     RequestHeader set X-SSL-Subject %{SSL_CLIENT_S_DN}e
>     RequestHeader set X-Client-DN %{SSL_CLIENT_S_DN}e
>     RequestHeader set X-Client-Verify %{SSL_CLIENT_VERIFY}e
>
>     RackAutoDetect On
>     DocumentRoot /drbd01/puppet/rack/puppetmasterd/public/
>     <Directory /drbd01/puppet/rack/puppetmasterd/>
>         Options None
>         Options -Multiviews
>         AllowOverride None
>         Order allow,deny
>         allow from all
>     </Directory>
> </VirtualHost>
-- 
You received this message because you are subscribed to the Google Groups
"Puppet Users" group.
To post to this group, send email to puppet-users@googlegroups.com.
To unsubscribe from this group, send email to
puppet-users+unsubscribe@googlegroups.com.
For more options, visit this group at
http://groups.google.com/group/puppet-users?hl=en.