Rich Rauenzahn
2012-Feb-27 21:10 UTC
[Puppet Users] Using puppet cert generate on a client -- why doesn't this work?
I'm running a two-headed puppetmaster and have disabled CRLs. Let's call them the primary and the secondary. The primary and secondary both use the primary as their master. The secondary is only used when the primary isn't responding (I wrap the puppetd call in cron with a short shell script).

I'm managing these CA files on the masters, pushing them with puppet itself...

    $ grep file\ { certs.pp
    file { "/var/lib/puppet/ssl/ca/ca_crt.pem":
    file { "/var/lib/puppet/ssl/ca/ca_key.pem":
    file { "/var/lib/puppet/ssl/ca/private/ca.pass":
    file { "/var/lib/puppet/ssl/certs/ca.pem":
    file { "/var/lib/puppet/ssl/ca/ca_crl.pem":

(The last one ensures absent; we don't need them in our environment.)

Then, in order to generate the SSL certs for the web service, I generate this:

    # If this isn't working, try puppet cert clean $::fqdn first
    exec { "/usr/bin/puppet cert --generate --certdnsnames $aliases $::fqdn":
      creates => [
        "/var/lib/puppet/ssl/certs/${::fqdn}.pem",
        "/var/lib/puppet/ssl/private_keys/${::fqdn}.pem",
        "/var/lib/puppet/ssl/public_keys/${::fqdn}.pem",
        "/var/lib/puppet/ssl/ca/signed/${::fqdn}.pem",
      ],
      user   => root,
      notify => Service['httpd'],
    }

I create these manually so I can pass the --certdnsnames $aliases for the puppetmaster DNS CNAME.

This seems to work fine for the primary. But when the secondary tries to run against the primary, it fails with

    err: /File[/var/lib/puppet/lib]: Failed to generate additional resources using 'eval_generate: certificate verify failed
    err: /File[/var/lib/puppet/lib]: Could not evaluate: certificate verify failed Could not retrieve file metadata for puppet://<primary>/plugins: certificate verify failed

I would think that the certs would be good because I generate them with the exact same CAs as the primary. If I remove the certs and go through a normal signing process, it works. It is only when I use puppet cert --generate on the secondary that the certs fail.
I'm almost considering running puppet cert --generate with --ssldir to point it someplace else to generate certs with CNAMEs ONLY for the web server (apache), and then have another set of certs in the normal place generated for client/master signing.

But it is bothering me that I don't understand what is going on. How does signing work?

My impression is that the client connects to the SSL port on the master, verifies that the SSL keys are good (validates against /var/lib/puppet/ssl/certs/ca.pem for authenticity and verifies it has the right hostname signed (or aliased)).

What happens next? Does the client present a cert also signed by the CA to prove it is allowed to perform queries?

What's the cleanest way around this?

--
You received this message because you are subscribed to the Google Groups "Puppet Users" group. To post to this group, send email to puppet-users@googlegroups.com. To unsubscribe from this group, send email to puppet-users+unsubscribe@googlegroups.com. For more options, visit this group at http://groups.google.com/group/puppet-users?hl=en.
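To make the handshake asked about above concrete, here is an added Ruby example (not from the thread or from Puppet's code base) built on the same OpenSSL library Puppet itself uses: the agent verifies the master's certificate against ca.pem and against the name it connected to, which is why the CNAME has to be among the --certdnsnames SANs, and the master in turn verifies the agent's client certificate against the same CA. It also shows that a CA certificate with the same subject but a different key does not verify certificates issued by the other. Host names such as primary.example.com and puppet.example.com are constructed.

```ruby
require 'openssl'

# Issue a certificate for +cn+ with +sans+ as DNS subjectAltNames (the field that
# --certdnsnames fills). With ca: true it is self-signed, like Puppet's ca_crt.pem;
# otherwise it is signed by +issuer+ / +issuer_key+. Returns [cert, key].
def new_cert(cn, sans, ca: false, issuer: nil, issuer_key: nil)
  key = OpenSSL::PKey::RSA.new(2048)
  cert = OpenSSL::X509::Certificate.new
  cert.version = 2 # X.509 v3, required for extensions
  cert.serial = OpenSSL::BN.rand(64)
  cert.subject = OpenSSL::X509::Name.parse("/CN=#{cn}")
  cert.issuer = issuer ? issuer.subject : cert.subject
  cert.public_key = key.public_key
  cert.not_before = Time.now - 3600
  cert.not_after = Time.now + 86_400
  ef = OpenSSL::X509::ExtensionFactory.new(issuer || cert, cert)
  cert.add_extension(ef.create_extension('basicConstraints', ca ? 'CA:TRUE' : 'CA:FALSE', true))
  unless sans.empty?
    cert.add_extension(ef.create_extension('subjectAltName', sans.map { |s| "DNS:#{s}" }.join(',')))
  end
  cert.sign(issuer_key || key, OpenSSL::Digest.new('SHA256'))
  [cert, key]
end

# The check each side of a Puppet connection applies to its peer. The certificate must
# chain to the trusted ca.pem; when +host+ is given (the fqdn or CNAME alias the agent
# connected to) that name must also appear as a SAN. A master checking an agent's
# client certificate passes no host and relies on the chain alone.
def verify_against_ca(ca, cert, host = nil)
  store = OpenSSL::X509::Store.new
  store.add_cert(ca)
  return false unless store.verify(cert)
  host.nil? || OpenSSL::SSL.verify_certificate_identity(cert, host)
end

if __FILE__ == $PROGRAM_NAME
  ca, ca_key = new_cert('Puppet CA: primary.example.com', [], ca: true)
  master, = new_cert('primary.example.com', %w[primary.example.com puppet.example.com], issuer: ca, issuer_key: ca_key)
  puts "agent -> master via CNAME:       #{verify_against_ca(ca, master, 'puppet.example.com')}"
  puts "agent -> master via wrong name:  #{verify_against_ca(ca, master, 'other.example.com')}"
  # Same subject as the trusted CA but a different key: a different CA as far as verification goes
  other_ca, other_key = new_cert('Puppet CA: primary.example.com', [], ca: true)
  agent, = new_cert('secondary.example.com', %w[secondary.example.com], issuer: other_ca, issuer_key: other_key)
  puts "master checks agent cert (other key): #{verify_against_ca(ca, agent)}"
end
```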
Felix Frank
2012-Mar-20 13:00 UTC
Re: [Puppet Users] Using puppet cert generate on a client -- why doesn't this work?
Hi,

I cannot really get my head around your scheme, but it strikes me as potentially very dangerous. You expect puppet to handle the very certificates that are the basis for puppet operation? I get a vague sense of a chicken-and-egg problem.

I think that all your certification needs should be handled manually, or if you need automation, done with something outside puppet.

Cheers,
Felix

On 02/27/2012 10:10 PM, Rich Rauenzahn wrote:
> I'm running a two headed puppetmaster and have disabled crl's. Let's
> call them the primary and the secondary. The primary and secondary
> both use the primary as their master. The secondary only is used when
> the primary isn't responding (I wrap the puppetd call in cron with a
> short shell script)