vioilly
2013-Mar-07 08:55 UTC
[Puppet Users] using puppet dashboard as an ENC when using puppet dashboard and SSL
I would like to use the puppet-dashboard as an ENC. I am running the dashboard with SSL and passenger. I have edited the /usr/share/puppet-dashboard/bin/external_node script with the correct dashboard URL. I have edited the config in puppet.conf to use the external_node etc. However, when using SSL, I am getting the following errors when running

    /usr/bin/env PUPPET_DASHBOARD_URL=https://puppet /usr/share/puppet-dashboard/bin/external_node puppet-node-1.example.com

    /usr/lib/ruby/1.8/net/http.rb:586:in `connect': SSL_connect returned=1 errno=0 state=SSLv3 read server certificate B: certificate verify failed (OpenSSL::SSL::SSLError)

When I update the external_node script's SSL directives, and use the certs that were generated by the rake tool (dashboard.cert.pem etc), I can run the following command on the puppet master / CA server and puppet-dashboard.

    /usr/bin/env PUPPET_DASHBOARD_URL=https://puppet /usr/share/puppet-dashboard/bin/external_node puppet

But if I use a different node, I get the SSL error. It appears to me that if I use the certs generated by the rake tool, only the puppet master / CA server and the puppet dashboard work. All other nodes in the environment return an SSL error, maybe because they are unaware of the certs generated by the rake tool.

What certs should I be using in the following external_node section?

    CA_PATH
    CERT_PATH
    PKEY_PATH

-Oli
vioilly
2013-Mar-07 11:27 UTC
[Puppet Users] Re: using puppet dashboard as an ENC when using puppet dashboard and SSL
I got this working in the end. The main areas were:

The external_node needs to be on all puppet masters and the puppet dashboard server. The cert locations should be the ones that are created by the rake tools when enabling https on dashboard. You can see these in the settings.yml file on the dashboard server.

Make sure in the DASHBOARD_URL you are using the common name in the cert created by the rake tool, in most cases dashboard. You may need to set up a CNAME for dashboard, or an A record if you so desire.

Make sure the working external_node script is copied to all puppet master servers and is the same. The location I used was /usr/share/puppet-dashboard/bin/external_node. Make sure the URL is https://dashboard or the CN of the dashboard cert. Otherwise you will get an SSL name does not match certname error.

The puppet.conf file on each master has 2 lines to enable the ENC. This is as follows:

    node_terminus = exec
    external_nodes = /usr/bin/env PUPPET_DASHBOARD_URL=https://dashboard /usr/share/puppet-dashboard/bin/external_node

See the dashboard name - that is the same as the CN name in the dashboard cert. Make sure you restart httpd on each puppet master.
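Added example, not part of the original thread or of Puppet Dashboard's code: a Ruby sketch that reproduces the two TLS failures discussed above (a CA the client does not trust, and a URL host that differs from the certificate CN) so each can be told apart before editing external_node. The helpers `make_cert` and `diagnose` are hypothetical names, and all certificates are constructed in memory as stand-ins for the rake-generated files.

```ruby
require 'openssl'

# Build a certificate in memory. Everything here is constructed sample data;
# on a real install the files are the ones listed in the dashboard's settings.yml.
def make_cert(cn, key, issuer: nil, issuer_key: nil, ca: false)
  cert = OpenSSL::X509::Certificate.new
  cert.version = 2
  cert.serial = rand(1..2**32)
  cert.subject = OpenSSL::X509::Name.parse("/CN=#{cn}")
  cert.issuer = issuer ? issuer.subject : cert.subject
  cert.public_key = key.public_key
  cert.not_before = Time.now - 60
  cert.not_after = Time.now + 3600
  ext = OpenSSL::X509::ExtensionFactory.new
  cert.add_extension(ext.create_extension('basicConstraints', ca ? 'CA:TRUE' : 'CA:FALSE', true))
  cert.sign(issuer_key || key, OpenSSL::Digest.new('SHA256'))
  cert
end

# Stand-in for the CA and server cert created when enabling https on dashboard.
DASH_CA_KEY = OpenSSL::PKey::RSA.new(2048)
DASH_CA     = make_cert('Constructed Dashboard CA', DASH_CA_KEY, ca: true)
DASH_CERT   = make_cert('dashboard', OpenSSL::PKey::RSA.new(2048),
                        issuer: DASH_CA, issuer_key: DASH_CA_KEY)
# Stand-in for any other CA file a master might wrongly point CA_PATH at.
OTHER_CA    = make_cert('Constructed Other CA', OpenSSL::PKey::RSA.new(2048), ca: true)

# Perform the two checks a verifying TLS client makes, in order:
# 1. does the server cert chain to the CA we were given?
# 2. does the host in the URL match the cert's CN?
def diagnose(url_host, server_cert, ca_cert)
  store = OpenSSL::X509::Store.new
  store.add_cert(ca_cert)
  return :untrusted_ca unless store.verify(server_cert)
  return :name_mismatch unless OpenSSL::SSL.verify_certificate_identity(server_cert, url_host)
  :ok
end

if $PROGRAM_NAME == __FILE__
  puts "https://dashboard, dashboard CA: #{diagnose('dashboard', DASH_CERT, DASH_CA)}"
  puts "https://puppet,    dashboard CA: #{diagnose('puppet', DASH_CERT, DASH_CA)}"
  puts "https://dashboard, other CA:     #{diagnose('dashboard', DASH_CERT, OTHER_CA)}"
end
```

Keeping verification on and fixing the name or CA file, as the thread does, preserves authentication of the ENC response; disabling verification would let anyone on the path supply node classifications.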