Pete Brown
2013-Aug-19 01:06 UTC
[Puppet Users] puppetmaster foreman and puppetdb with an external ca
Hi everyone,

I am attempting to use FreeIPA as the external CA for my Puppet environment. I can get puppetmaster running under Passenger using certs stored in an NSS db, and Puppet works with standard PEM-encoded X.509 certs issued from FreeIPA.

I also got the Foreman working with those certs, but I am having some issues getting Puppet to get node data out of Foreman. It gives me this error when I try to query a node:

Error retrieving node puppet.webgatetec.com: Net::HTTPForbidden

I haven't started investigating that, so that may be a simple fix.

The main problem is getting PuppetDB working. I have PuppetDB 1.4 installed on Fedora 19, and it uses the new method of using PEM certs instead of a keystore, which I thought would make this easier, but I was wrong. I have it set up with the puppetmaster and CA certs. The certificates I have are set up with:

CN=puppet_fqdn
subjectAltName=puppetmaster/$puppet_fqdn
subjectAltName=$puppet_fqdn

PuppetDB starts up but crashes after a while with this error in the log file:

2013-08-19 10:49:08,195 DEBUG [main] [puppetlabs.ssl] Loaded PEM object of type 'class org.bouncycastle.jcajce.provider.asymmetric.x509.X509CertificateObject' from '/etc/ipa/ca.crt'
2013-08-19 10:49:08,201 DEBUG [main] [puppetlabs.ssl] Loaded PEM object of type 'class org.bouncycastle.jcajce.provider.asymmetric.rsa.BCRSAPrivateCrtKey' from '/etc/puppetdb/ssl/private.pem'
2013-08-19 10:49:08,221 ERROR [main] [puppetlabs.utils] Uncaught exception
java.lang.IllegalArgumentException: No matching field found: getPrivate for class org.bouncycastle.jcajce.provider.asymmetric.rsa.BCRSAPrivateCrtKey
    at clojure.lang.Reflector.getInstanceField(Reflector.java:271)
    at clojure.lang.Reflector.invokeNoArgInstanceMember(Reflector.java:300)
    at com.puppetlabs.ssl$pem__GT_private_key.invoke(ssl.clj:58)
    at com.puppetlabs.ssl$assoc_private_key_file_BANG_.invoke(ssl.clj:132)
    at com.puppetlabs.puppetdb.cli.services$configure_web_server_ssl_from_pems.invoke(services.clj:240)
    at com.puppetlabs.puppetdb.cli.services$configure_web_server.invoke(services.clj:260)
    at com.puppetlabs.puppetdb.cli.services$parse_config_BANG_.invoke(services.clj:374)
    at com.puppetlabs.puppetdb.cli.services$_main.doInvoke(services.clj:403)
    at clojure.lang.RestFn.invoke(RestFn.java:421)
    at clojure.lang.Var.invoke(Var.java:419)
    at clojure.lang.AFn.applyToHelper(AFn.java:163)
    at clojure.lang.Var.applyTo(Var.java:532)
    at clojure.core$apply.invoke(core.clj:617)
    at com.puppetlabs.puppetdb.core$_main.doInvoke(core.clj:79)
    at clojure.lang.RestFn.applyTo(RestFn.java:137)
    at com.puppetlabs.puppetdb.core.main(Unknown Source)

I am unsure which field it is trying to find in the cert, so I have no idea how to fix it. Can someone please point me in the right direction?

Thanks in advance.
Pete.

--
You received this message because you are subscribed to the Google Groups "Puppet Users" group.
To unsubscribe from this group and stop receiving emails from it, send an email to puppet-users+unsubscribe@googlegroups.com.
To post to this group, send email to puppet-users@googlegroups.com.
Visit this group at http://groups.google.com/group/puppet-users.
For more options, visit https://groups.google.com/groups/opt_out.
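An added diagnostic (not PuppetDB's or FreeIPA's code, and not part of the original thread) for the failure above. The trace shows PuppetDB's pem->private-key calling getPrivate on whatever the PEM parser returned; that accessor exists on a java.security.KeyPair, not on a bare private key such as BCRSAPrivateCrtKey, so the first thing to check is which encoding the private.pem actually uses. This script classifies each block of a PEM file as PKCS#1 (RSAPrivateKey, "BEGIN RSA PRIVATE KEY") or PKCS#8 (PrivateKeyInfo, "BEGIN PRIVATE KEY") by walking the outer DER structure; the sample input is constructed to have the right shape and contains no real key material.

```python
import base64
import re

# One PEM block; the label is captured so that BEGIN and END must agree.
PEM_RE = re.compile(r"-----BEGIN ([A-Z ]+)-----\s*(.*?)\s*-----END \1-----", re.S)

def pem_blocks(text):
    """Return (label, DER bytes) for each PEM block in the file, in order."""
    return [(m.group(1), base64.b64decode("".join(m.group(2).split())))
            for m in PEM_RE.finditer(text)]

def der_tlv(buf, pos=0):
    """Decode one DER tag and length; return (tag, value_start, value_end)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                       # long-form length
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, pos, pos + length

def key_format(der):
    """'pkcs1' for RSAPrivateKey, 'pkcs8' for PrivateKeyInfo, else None.
    Both start SEQUENCE { INTEGER version, ... }; PKCS#1 continues with the
    INTEGER modulus, PKCS#8 with the AlgorithmIdentifier SEQUENCE."""
    tag, start, _ = der_tlv(der)
    if tag != 0x30:
        return None
    t1, _, end1 = der_tlv(der, start)
    if t1 != 0x02:
        return None
    t2, _, _ = der_tlv(der, end1)
    return {0x02: "pkcs1", 0x30: "pkcs8"}.get(t2)

def classify_pem(text):
    """Label each block and, for private-key blocks, report the encoding."""
    return [(label, key_format(der) if label.endswith("PRIVATE KEY") else None)
            for label, der in pem_blocks(text)]

# Constructed sample DER: only the outer structure of each encoding, no real keys.
def _der(tag, payload):
    return bytes([tag, len(payload)]) + payload      # short-form length only

def _pem(label, der):
    return f"-----BEGIN {label}-----\n{base64.b64encode(der).decode()}\n-----END {label}-----\n"

RSA_OID = bytes.fromhex("06092a864886f70d010101")  # OID 1.2.840.113549.1.1.1 rsaEncryption
PKCS1_DER = _der(0x30, _der(0x02, b"\x00") + _der(0x02, b"\x0b") + _der(0x02, b"\x03"))
PKCS8_DER = _der(0x30, _der(0x02, b"\x00") + _der(0x30, RSA_OID + b"\x05\x00")
                 + _der(0x04, PKCS1_DER))
SAMPLE = _pem("RSA PRIVATE KEY", PKCS1_DER) + _pem("PRIVATE KEY", PKCS8_DER)

if __name__ == "__main__":
    for label, fmt in classify_pem(SAMPLE):
        print(f"{label:<16} -> {fmt}")
```

Point classify_pem at the contents of /etc/puppetdb/ssl/private.pem to see which of the two encodings the service is being handed; a file with more than one private-key block, or one that classifies as neither, is worth looking at before anything else.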
Deepak Giridharagopal
2013-Aug-19 01:23 UTC
Re: [Puppet Users] puppetmaster foreman and puppetdb with an external ca
On Aug 18, 2013, at 7:06 PM, Pete Brown <rendhalver@gmail.com> wrote:
> I am unsure which field it is trying to find in the cert so I have no
> idea how to fix it.
> Can someone please point me in the right direction?

Thanks for the stacktrace...that should help us triangulate the issue. Unfortunately, with Puppetconf all this week, nearly all the people within Puppet Labs who can look at this will be out.

Can you file an issue against PuppetDB for this? What would be even better is if you could attach some sample .pem files that exhibit the issue. Then we can load those up on our end to see where things are going wrong.

Cheers,
deepak
Pete Brown
2013-Aug-19 04:48 UTC
Re: [Puppet Users] puppetmaster foreman and puppetdb with an external ca
Ahh.

I need to get it working before the end of the week, so I think I will switch it to self-generated certs and try to get the FreeIPA certs working later.

I will submit a bug after I get this new environment set up.

On 19 August 2013 11:23, Deepak Giridharagopal <deepak@puppetlabs.com> wrote:
> Can you file an issue against PuppetDB for this? What would be even better is if you could attach some sample .pem files that exhibit the issue. Then we can load those up on our end to see where things are going wrong.
Deepak Giridharagopal
2013-Oct-17 20:40 UTC
Re: [Puppet Users] puppetmaster foreman and puppetdb with an external ca
On Sun, Aug 18, 2013 at 10:48 PM, Pete Brown <rendhalver@gmail.com> wrote:
> I will submit a bug after I get this new environment setup.

I believe the following pull request should resolve the exception you posted earlier: https://github.com/puppetlabs/puppetdb/pull/708

deepak