Hello, I previously sent the email below describing a problem I was having with generating the certs on the master, and distributing them to the client right after OS installation.
Further research and testing shows that in addition to transferring the private key and the cert to the new client, you also must transfer the cert for the CA. Many thanks to the blog posting at:

http://watzmann.net/blog/index.php/2006/08/07/using_pregenerated_certs_with_puppet

which made this clearer. I believe that the following paragraph from the wiki is at best not clear about this, if not downright incomplete:

  Master-Side Client Certificate Generation

  It's possible to generate certificates for clients on the master side, by using puppetca --generate <hostname>; this will also sign the newly generated certificate. You might want to do this if you want to automate the conversion of non-Puppet managed servers to Puppet. You can run a script that copies the generated client keys to the right place on the client, installs Puppet and then runs puppetd to get the client's configuration. This would allow you to "Puppetize" a server with a single command.

  When you run puppetca --generate <hostname> three files are generated - $signeddir/hostname.pem, $certdir/hostname.pem and $privatekeydir/hostname.pem. You need to copy the private key and certificate to the corresponding directories on the client side. The client public key will be extracted from its certificate and put into $publickeydir when puppetd is run. The defaults for these directories should be subdirectories under /etc/puppet/ssl/ with self-explanatory names, look there to find the generated files.

  http://www.reductivelabs.com/trac/puppet/wiki/CertificatesAndSecurity

I propose that the above paragraph be augmented to include the requirement that the ca.pem be transferred from the master to the client...
Best regards,

Don

Begin forwarded message:

> From: Don Jackson
> Date: November 17, 2008 3:55:02 PM PST
> To: puppet-users@googlegroups.com
> Subject: [Puppet Users] startup questions
> Reply-To: puppet-users@googlegroups.com
>
> Hello,
>
> I am a puppet newbie, I recently purchased & read "Pulling Strings", etc.
>
> I'm trying to install and configure puppetd on new machines built by my automated host installation system.
>
> I'm getting a fatal error when puppetd starts up after the system boot, here is the result of puppetd --debug
>
> # puppetd --debug
> debug: Creating default schedules
> debug: Failed to load library 'shadow' for feature 'libshadow'
> debug: /Settings[/etc/puppet/puppet.conf]/Settings[main]/File[/etc/puppet/ssl]: Autorequiring File[/etc/puppet]
> debug: /Settings[/etc/puppet/puppet.conf]/Settings[ssl]/File[/etc/puppet/ssl/certs/svn01.clark-communications.com.pem]: Autorequiring File[/etc/puppet/ssl/certs]
> debug: /Settings[/etc/puppet/puppet.conf]/Settings[ssl]/File[/etc/puppet/ssl/private_keys]: Autorequiring File[/etc/puppet/ssl]
> debug: /Settings[/etc/puppet/puppet.conf]/Settings[main]/File[/var/puppet/lib]: Autorequiring File[/var/puppet]
> debug: /Settings[/etc/puppet/puppet.conf]/Settings[main]/File[/var/puppet/log]: Autorequiring File[/var/puppet]
> debug: /Settings[/etc/puppet/puppet.conf]/Settings[ssl]/File[/etc/puppet/ssl/private]: Autorequiring File[/etc/puppet/ssl]
> debug: /Settings[/etc/puppet/puppet.conf]/Settings[main]/File[/var/puppet/plugins]: Autorequiring File[/var/puppet]
> debug: /Settings[/etc/puppet/puppet.conf]/Settings[ssl]/File[/etc/puppet/ssl/certs]: Autorequiring File[/etc/puppet/ssl]
> debug: /Settings[/etc/puppet/puppet.conf]/Settings[ssl]/File[/etc/puppet/ssl/private_keys/svn01.clark-communications.com.pem]: Autorequiring File[/etc/puppet/ssl/private_keys]
> debug: /Settings[/etc/puppet/puppet.conf]/Settings[main]/File[/var/puppet/run]: Autorequiring File[/var/puppet]
> debug: /Settings[/etc/puppet/puppet.conf]/Settings[ssl]/File[/etc/puppet/ssl/public_keys]: Autorequiring File[/etc/puppet/ssl]
> debug: /Settings[/etc/puppet/puppet.conf]/Settings[main]/File[/var/puppet/facts]: Autorequiring File[/var/puppet]
> debug: /Settings[/etc/puppet/puppet.conf]/Settings[main]/File[/var/puppet/state]: Autorequiring File[/var/puppet]
> debug: /Settings[/etc/puppet/puppet.conf]/Settings[puppetd]/File[/etc/puppet/puppet.conf]: Autorequiring File[/etc/puppet]
> debug: Finishing transaction 4441590840 with 0 changes
> /usr/local/lib/ruby/site_ruby/1.8/puppet/network/http_pool.rb:50:in `add_file': system lib (OpenSSL::X509::StoreError)
>         from /usr/local/lib/ruby/site_ruby/1.8/puppet/network/http_pool.rb:50:in `cert_setup'
>         from /usr/local/lib/ruby/site_ruby/1.8/puppet/network/http_pool.rb:100:in `http_instance'
>         from /usr/local/lib/ruby/site_ruby/1.8/puppet/network/xmlrpc/client.rb:123:in `initialize'
>         from /usr/local/lib/ruby/site_ruby/1.8/puppet/network/client.rb:94:in `new'
>         from /usr/local/lib/ruby/site_ruby/1.8/puppet/network/client.rb:94:in `initialize'
>         from /usr/local/lib/ruby/site_ruby/1.8/puppet/network/client/master.rb:207:in `initialize'
>         from /usr/local/bin/puppetd:322:in `new'
>         from /usr/local/bin/puppetd:322
>
> This client is puppetd version 0.24.4 running on OpenBSD 4.4/amd64, the only thing in the conf file is 1 line that points puppetd at the puppetmaster server.
>
> I created the cert and private key on another box, using puppetca version 0.22.4, (running OpenBSD 4.3/amd64), and this is also the machine that runs puppetmasterd
>
> My installation system creates /etc/puppet/ssh/private_keys and ./certs, downloads the pre-generated .pem files, and gives everything the following permissions:
>
> # ls -lR
> total 16
> drwxr-xr-x  2 root  _puppet  512 Nov 17 15:01 certs
> drwxr-x---  2 root  _puppet  512 Nov 17 15:04 private
> drwxr-x---  2 root  _puppet  512 Nov 17 15:01 private_keys
> drwxr-xr-x  2 root  _puppet  512 Nov 17 15:04 public_keys
>
> ./certs:
> total 4
> -rw-r--r--  1 root  _puppet  887 Nov 17 15:01 svn01.clark-communications.com.pem
>
> ./private:
>
> ./private_keys:
> total 4
> -rw-------  1 root  _puppet  887 Nov 17 15:01 svn01.clark-communications.com.pem
>
> ./public_keys:
>
> What am I doing wrong?
> Any advice appreciated...
>
> Don
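An added example, in Ruby because that is what puppetd is written in, that reproduces the point of the thread offline. It is not code from the original post or from Puppet itself. It generates a throwaway CA and a client cert signed by it (constructed test material), stages them into a temporary $ssldir twice, once with only the client cert and private key and once with ca.pem as well, and runs a simplified stand-in for puppetd's cert_setup against each layout. The file layout (certs/<host>.pem, private_keys/<host>.pem, certs/ca.pem), the hostname client.example.com and the client_cert_setup function are assumptions made for the example; the real puppetd code is not reproduced here. What it shows is that OpenSSL::X509::Store#add_file raises OpenSSL::X509::StoreError when the CA file is missing, which is the exception in the backtrace above, and that once ca.pem is present the same store verifies the client cert.

```ruby
require 'openssl'
require 'fileutils'
require 'tmpdir'

# Constructed test material: a throwaway CA and a client certificate it
# signs, generated in memory. Not the keys or certs from the original post.
def make_cert(cn, key, serial, issuer: nil, issuer_key: nil, ca: false)
  cert = OpenSSL::X509::Certificate.new
  cert.version = 2                          # X.509 v3
  cert.serial = serial
  cert.subject = OpenSSL::X509::Name.new([['CN', cn]])
  cert.issuer = issuer ? issuer.subject : cert.subject
  cert.public_key = key.public_key
  cert.not_before = Time.now - 60
  cert.not_after = Time.now + 86_400
  ef = OpenSSL::X509::ExtensionFactory.new(issuer || cert, cert)
  cert.add_extension(ef.create_extension('basicConstraints', ca ? 'CA:TRUE' : 'CA:FALSE', true))
  cert.sign(issuer_key || key, OpenSSL::Digest.new('SHA256'))
  cert
end

# Stage files into the client $ssldir. Layout assumed from the 0.24-era
# defaults: certs/<host>.pem, private_keys/<host>.pem and certs/ca.pem.
# ca.pem is only written when ca_cert is given, so both cases can be shown.
def stage_client(ssldir, host, client_cert, client_key, ca_cert: nil)
  FileUtils.mkdir_p(File.join(ssldir, 'certs'))
  FileUtils.mkdir_p(File.join(ssldir, 'private_keys'), mode: 0o750)
  File.write(File.join(ssldir, 'certs', "#{host}.pem"), client_cert.to_pem)
  key_path = File.join(ssldir, 'private_keys', "#{host}.pem")
  File.write(key_path, client_key.to_pem)
  File.chmod(0o600, key_path)               # private key: owner-only, as in the ls output
  File.write(File.join(ssldir, 'certs', 'ca.pem'), ca_cert.to_pem) if ca_cert
end

# Simplified stand-in (assumed, not Puppet's code) for what puppetd's
# cert_setup does before talking to the master: load the CA cert into an
# X509 store, then check the client cert and key against it. Store#add_file
# raises OpenSSL::X509::StoreError when certs/ca.pem is missing, which is
# the "in `add_file': ... (OpenSSL::X509::StoreError)" line in the post.
def client_cert_setup(ssldir, host)
  ca_path  = File.join(ssldir, 'certs', 'ca.pem')
  key_path = File.join(ssldir, 'private_keys', "#{host}.pem")
  store = OpenSSL::X509::Store.new
  store.add_file(ca_path)                   # StoreError if ca.pem is absent
  cert = OpenSSL::X509::Certificate.new(File.read(File.join(ssldir, 'certs', "#{host}.pem")))
  key  = OpenSSL::PKey.read(File.read(key_path))
  raise 'private key is group/world readable' unless (File.stat(key_path).mode & 0o077).zero?
  raise 'private key does not match certificate' unless cert.check_private_key(key)
  raise "cert not signed by ca.pem: #{store.error_string}" unless store.verify(cert)
  true
end

# Run the staging twice: first with only cert + key (the failing setup in
# the post), then with ca.pem added. Returns the outcome of each attempt.
def demo
  ca_key  = OpenSSL::PKey::RSA.new(2048)
  ca_cert = make_cert('Puppet CA: puppetmaster.example.com', ca_key, 1, ca: true)
  host = 'client.example.com'               # hypothetical client name
  client_key  = OpenSSL::PKey::RSA.new(2048)
  client_cert = make_cert(host, client_key, 2, issuer: ca_cert, issuer_key: ca_key)

  results = {}
  Dir.mktmpdir do |ssldir|
    stage_client(ssldir, host, client_cert, client_key)
    begin
      client_cert_setup(ssldir, host)
      results[:without_ca] = :ok
    rescue OpenSSL::X509::StoreError
      results[:without_ca] = :store_error
    end
    stage_client(ssldir, host, client_cert, client_key, ca_cert: ca_cert)
    results[:with_ca] = client_cert_setup(ssldir, host) ? :ok : :failed
  end
  results
end

puts demo.inspect if $PROGRAM_NAME == __FILE__
```

The same three checks (CA loads, key matches cert, cert chains to the CA) are worth running on the master before shipping the files to a new host: they catch a missing ca.pem, a key copied from the wrong host, or a cert signed by a different CA before puppetd ever starts.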